From 8cad8b4e2ac0b2cccbf623c0c66c360bf8f661f1 Mon Sep 17 00:00:00 2001 From: Mathew Fleisch Date: Wed, 29 Mar 2017 00:31:07 -0700 Subject: [PATCH] =?UTF-8?q?Stripped=20out=20=E2=80=9Cquick-commands?= =?UTF-8?q?=E2=80=9D=20from=20main=20script=20and=20introduced=20switch-at?= =?UTF-8?q?tack-mode?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- payloads/library/BrowserBunny/inc/actions.php | 16 +++- .../library/BrowserBunny/inc/css/style.css | 1 + .../BrowserBunny/inc/js/quick_commands.js | 57 ++++++++++++ .../library/BrowserBunny/inc/js/script.js | 92 +++++++------------ payloads/library/BrowserBunny/index.php | 9 +- 5 files changed, 110 insertions(+), 65 deletions(-) create mode 100644 payloads/library/BrowserBunny/inc/js/quick_commands.js diff --git a/payloads/library/BrowserBunny/inc/actions.php b/payloads/library/BrowserBunny/inc/actions.php index 20fd951b..dc0a1609 100644 --- a/payloads/library/BrowserBunny/inc/actions.php +++ b/payloads/library/BrowserBunny/inc/actions.php @@ -43,6 +43,7 @@ if($_POST) { case 'move_payload': $payload = strip_tags($_POST['payload']); + $attack_modes = json_decode(strip_tags($_POST['attack_modes'])); $valid = $BrowserBunny->is_valid_payload($payload); if($valid) { //pwd is run where ever the BrowserBunny is called from, so remove all trailing chars, but the "webroot" 
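Review bot: The added `$attack_modes = json_decode(strip_tags($_POST['attack_modes']));` in actions.php is used without checking that the field was sent or that decoding succeeded. `json_decode` returns null on a missing or malformed value, and `strip_tags` can itself corrupt otherwise valid JSON that contains a `<`; the `foreach` added in the later hunk of this file then iterates a non-iterable. Reject anything that is not the expected object straight after decoding, for example `if(!is_object($attack_modes)) { $attack_modes = new stdClass(); }`, or return a `success=>false` response instead. The enclosing `case 'move_payload':` block continues outside this hunk.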
@@ -59,7 +60,20 @@ if($_POST) { if(count($out)) { echo json_encode(array('success'=>false,'payload'=>$payload,'debug'=>$cmd."\n".implode("\n", $out))); } else { - echo json_encode(array('success'=>true,'payload'=>$payload)); + + $path_to_file = $BrowserBunny->root.'/'.$target_dir.'/payload.txt'; + $file_contents = file_get_contents($path_to_file); + foreach($attack_modes as $attack_mode=>$is_active) { + if($is_active) { + $file_contents = str_replace("#".$attack_mode,$attack_mode,$file_contents); + } else { + $file_contents = str_replace($attack_mode,"#".$attack_mode,$file_contents); + $file_contents = str_replace("##".$attack_mode,"#".$attack_mode,$file_contents); + } + } + file_put_contents($path_to_file,$file_contents); + + echo json_encode(array('success'=>true,'payload'=>$payload,'attack_modes'=>$attack_modes)); } } } else { diff --git a/payloads/library/BrowserBunny/inc/css/style.css b/payloads/library/BrowserBunny/inc/css/style.css index 4943d650..0bd66281 100644 --- a/payloads/library/BrowserBunny/inc/css/style.css +++ b/payloads/library/BrowserBunny/inc/css/style.css @@ -40,6 +40,7 @@ pre { float:left; width: 25%; } +.is_active_true, .is_active_false { cursor: pointer; } #readme-target { float:left; width:75%; diff --git a/payloads/library/BrowserBunny/inc/js/quick_commands.js b/payloads/library/BrowserBunny/inc/js/quick_commands.js new file mode 100644 index 00000000..96289b00 --- /dev/null +++ b/payloads/library/BrowserBunny/inc/js/quick_commands.js 
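Review bot: In the `else` branch added to actions.php, the keys of the client-supplied `$attack_modes` are passed directly to `str_replace` over the whole of payload.txt, so the request decides which substrings of the file get a `#` inserted or removed; nothing limits the edit to attack-mode lines. Matching is by substring, so a mode name that also occurs inside a longer line is rewritten there too, and the single `##` collapse does not undo repeated prefixes. `file_get_contents` is not checked either: if the read fails, the following `file_put_contents` writes an empty payload.txt. I would compare whole lines against the submitted keys and skip the write on a failed read, assuming each key is a complete line as returned by `get_attackmode`, which is not visible here.

```php
// … unchanged: $path_to_file assignment …
$file_contents = file_get_contents($path_to_file);
if($file_contents !== false) {
    $lines = explode("\n", $file_contents);
    foreach($lines as $i => $line) {
        // Compare whole lines only, so a mode name can never match inside another line.
        $bare = ltrim(trim($line), '#');
        if($bare === '' || !isset($attack_modes->$bare)) {
            continue;
        }
        $lines[$i] = ($attack_modes->$bare ? '' : '#').$bare;
    }
    file_put_contents($path_to_file, implode("\n", $lines));
}
// … unchanged: success response …
```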
@@ -0,0 +1,57 @@
+var git_repo = 'https://github.com/hak5/bashbunny-payloads.git';
+var git_log = '/var/log/git.log';
+var bunny_root = ''+bunny_root+'';
+var quick_commands = [
+ {
+ name:"Clone git repository",
+ command:'if [ ! -d '+bunny_root+'/.git ]; then '
+ +'cd '+bunny_root+'; '
+ +'echo ""; '
+ +'pwd; '
+ +'mv '+bunny_root+'/payloads '+bunny_root+'/orig-payloads; '
+ +'echo "Clone Git Repo..."; '
+ +'git init; '
+ +'echo "payloads/switch*" >> .gitignore; '
+ +'git remote add origin '+git_repo+'; '
+ +'echo "Git repository selected: '+git_repo+';"; '
+ +'git config core.sparsecheckout true; '
+ +'echo "Git configuration change: sparse-checkout=true."; '
+ +'echo "payloads" >> '+bunny_root+'/.git/info/sparse-checkout; '
+ +'echo "Sparse checkout: payloads directory selected"; '
+ +'git pull origin master; '
+ +'echo "Git repository cloned."; '
+ +'cp -fr '+bunny_root+'/orig-payloads/switch* '+bunny_root+'/payloads/.; '
+ +'else '
+ +'echo "Repository already exists..."; '
+ +'fi',
+ },{
+ name:"Update git repository",
+ command:'if [ -d '+bunny_root+'/.git ]; '
+ +'then cd '+bunny_root+'/payloads/; '
+ +'echo ""; '
+ +'pwd; '
+ +'echo "Update Git Repo..."; '
+ +'git pull origin master; '
+ +'else '
+ +'echo "Repository does not exist..."; '
+ +'fi'
+ },{
+ name:"Tools Installer",
+ command:'if [ -d '+bunny_root+'/payloads/library/tools_installer ]; then '
+ +'if [ -d /pentest ]; then '
+ +'echo "/pentest already exists..."; '
+ +'else '
+ +'mkdir -r /pentest; '
+ +'cp -r '+bunny_root+'/payloads/library/tools_installer/tools_to_install/* /pentest/.; '
+ +'if [ -d /pentest/impacket ]; then '
+ +'cd /pentest/impacket; '
+ +'python ./setup.py install; '
+ +'else '
+ +'echo "Missing /pentest/impacket folder."; '
+ +'fi '
+ +'fi '
+ +'else '
+ +'echo "Cannot run tools installer: Missing git repository"; '
+ +'fi '
+ }
+];
\ No newline at end of file
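Review bot: Every command string in quick_commands.js now concatenates `bunny_root` into shell text without quoting, and the file only assigns it from itself (`var bunny_root = ''+bunny_root+'';`). The value therefore has to come from an earlier script on the page that is not visible here; if none defines it, every path becomes `undefined/...`. A root path containing a space or a shell metacharacter would change what these commands run, so quote it wherever it is spliced in, e.g. `+'cd "'+bunny_root+'"; '`, and document above the declaration where the value is expected to be set. Separately, the Tools Installer entry carries over `mkdir -r /pentest;`, and `mkdir` has no `-r` option; `+'mkdir -p /pentest; '` is presumably what was meant.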
diff --git a/payloads/library/BrowserBunny/inc/js/script.js b/payloads/library/BrowserBunny/inc/js/script.js index 913c136b..b486afd3 100644 --- a/payloads/library/BrowserBunny/inc/js/script.js +++ b/payloads/library/BrowserBunny/inc/js/script.js 
@@ -1,62 +1,5 @@ $(document).ready(function() { - var git_repo = 'https://github.com/hak5/bashbunny-payloads.git'; - var git_log = '/var/log/git.log'; - var quick_commands = [ - { - name:"Clone git repository", - command:'if [ ! -d /root/udisk/.git ]; then ' - +'cd /root/udisk; ' - +'echo ""; ' - +'pwd; ' - +'mv /root/udisk/payloads /root/udisk/orig-payloads; ' - +'echo "Clone Git Repo..."; ' - +'git init; ' - +'echo "payloads/switch*" >> .gitignore; ' - +'git remote add origin '+git_repo+'; ' - +'echo "Git repository selected: '+git_repo+';"; ' - +'git config core.sparsecheckout true; ' - +'echo "Git configuration change: sparse-checkout=true."; ' - +'echo "payloads" >> /root/udisk/.git/info/sparse-checkout; ' - +'echo "Sparse checkout: payloads directory selected"; ' - +'git pull origin master; ' - +'echo "Git repository cloned."; ' - +'cp -fr /root/udisk/orig-payloads/switch* /root/udisk/payloads/.; ' - +'else ' - +'echo "Repository already exists..."; ' - +'fi', - },{ - name:"Update git repository", - command:'if [ -d /root/udisk/.git ]; ' - +'then cd /root/udisk/payloads/; ' - +'echo ""; ' - +'pwd; ' - +'echo "Update Git Repo..."; ' - +'git pull origin master; ' - +'else ' - +'echo "Repository does not exist..."; ' - +'fi' - },{ - name:"Tools Installer", - command:'if [ -d /root/udisk/payloads/library/tools_installer ]; then ' - +'if [ -d /pentest ]; then ' - +'echo "/pentest already exists..."; ' - +'else ' - +'mkdir -r /pentest; ' - +'cp -r /root/udisk/payloads/library/tools_installer/tools_to_install/* /pentest/.; ' - +'if [ -d /pentest/impacket ]; then ' - +'cd /pentest/impacket; ' - +'python ./setup.py install; ' - +'else ' - +'echo "Missing /pentest/impacket folder."; ' - +'fi ' - +'fi ' - +'else ' - +'echo "Cannot run tools installer: Missing git repository"; ' - +'fi ' - } - ]; - for(var id in quick_commands) { $('#qc-container').html($('#qc-container').html() +'' 
@@ -84,7 +27,8 @@ $(document).ready(function() { var response = JSON.parse(res); // console.log(response); var btn = '
'; - $('#readme-target').html(btn+(response.readme.length ? response.readme : 'Missing Read-Me file')); + var attack_mode = '

'; + $('#readme-target').html(btn+attack_mode+(response.readme.length ? response.readme : 'Missing Read-Me file')); $.ajax({ url: 'inc/actions.php', @@ -93,13 +37,32 @@ $(document).ready(function() { 'action':'get_attackmode', 'payload':id }, - success: function(res1) { - console.log(res1); + success: function(get_response) { + get_response = JSON.parse(get_response); + var attack_modes = get_response.attackmodes.split(/,/); + console.log(attack_modes); + for(var am in attack_modes) { + var is_active = (attack_modes[am].match(/^#/) ? false : true); + var name = attack_modes[am].replace(/^#/, '').replace(/\ /g, '-'); + $('#attack-mode-switcher').append('
'+attack_modes[am]+'
'); + } } }); } }); }); + $(document).on('click', '.attack-mode', function() { + var active = ($(this).attr('class').match(/is_active_true/) ? true : false); + if(active) { + //Turn it off + $(this).removeClass('is_active_true').addClass('is_active_false'); + $(this).html('#'+$(this).html()); + } else { + //Turn it on + $(this).removeClass('is_active_false').addClass('is_active_true'); + $(this).html($(this).html().replace(/^#/, '')); + } + }); $(document).on('click', '.target-switch', function() { var id = $(this).attr("id"); $.ajax({ @@ -119,11 +82,20 @@ $(document).ready(function() { $(document).on('click', '.move-payload', function() { $(this).prop("disabled", true); var id = $(this).attr("id").replace(/move-/, ''); + var attack_modes = {}; + $('.attack-mode').each(function(i, that) { + var this_attack_mode = $(that).attr('id').replace(/-/g, ' '); + var this_is_active = ($(that).attr('class').match(/is_active_true/) ? true : false); + // console.log('attack-mode: '+this_attack_mode+':'+this_is_active); + attack_modes[this_attack_mode] = this_is_active; + }); + // console.log('attack_modes: ',attack_modes); $.ajax({ url: 'inc/actions.php', type: 'POST', data: { 'action':'move_payload', + 'attack_modes': JSON.stringify(attack_modes), 'payload':id }, success: function(res) { diff --git a/payloads/library/BrowserBunny/index.php b/payloads/library/BrowserBunny/index.php index 6c9c5568..58881076 100644 --- a/payloads/library/BrowserBunny/index.php +++ b/payloads/library/BrowserBunny/index.php @@ -54,8 +54,9 @@ - - - + + + + - + \ No newline at end of file
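Review bot: In the `get_attackmode` success handler in script.js, `attack_modes[am]` is concatenated into the string given to `$('#attack-mode-switcher').append(...)`, so text read from a payload's file is parsed as HTML in the management page; the surrounding tags are lost in this rendering, but the concatenation is visible. Payloads can arrive from a remote repository through the quick commands, so that text is not fully under the operator's control. Build the element and set its text instead, e.g. `$('<div>').addClass('attack-mode is_active_'+is_active).attr('id', name).text(attack_modes[am]).appendTo('#attack-mode-switcher');`, using whatever tag the original markup had. The `.attack-mode` click handler added below has the same round trip through `.html()`, where `.text()` would do. `JSON.parse(get_response)` is also unguarded, and the handler's enclosing `$.ajax` call starts outside the hunk.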
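Review bot: In the `.move-payload` click handler, the mode name sent to the server is rebuilt from the element id with `.replace(/-/g, ' ')`, which is not the inverse of the `.replace(/\ /g, '-')` used when the id was created. Any mode text that already contains a hyphen comes back with a space and will no longer match the line in payload.txt. Keeping the original text in a data attribute avoids the round trip: set `.attr('data-mode', attack_modes[am].replace(/^#/, ''))` when the element is created and read `var this_attack_mode = $(that).attr('data-mode');` here. `$(that).hasClass('is_active_true')` would also be clearer than matching a regex against the class string. The handler continues outside the hunk.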