From f8a442e66dc60ae47c6a4584ccdfcd5b901a386d Mon Sep 17 00:00:00 2001 From: Thorsten Sick Date: Tue, 12 Dec 2017 09:12:36 +0100 Subject: [PATCH] Proof-of-concept added: EICAR of bash bunny HID simulation for Linux (#298) --- payloads/library/poc/LINUX_HID/README.md | 25 ++++++++++++++ payloads/library/poc/LINUX_HID/payload.txt | 38 ++++++++++++++++++++++ payloads/library/poc/README.md | 12 +++++++ 3 files changed, 75 insertions(+) create mode 100644 payloads/library/poc/LINUX_HID/README.md create mode 100644 payloads/library/poc/LINUX_HID/payload.txt create mode 100644 payloads/library/poc/README.md diff --git a/payloads/library/poc/LINUX_HID/README.md b/payloads/library/poc/LINUX_HID/README.md new file mode 100644 index 00000000..0d32faee --- /dev/null +++ b/payloads/library/poc/LINUX_HID/README.md @@ -0,0 +1,25 @@ +# Linux HID poc + +Author: Thorsten Sick + +Version: 0.9 + +OS: Linux + +Attackmode: HID + +IOC: gedit started, file created ('/tmp/owned') + +Category: POC + +## Description + +Uses HID (keyboard) to start an xterm and create the file '/tmp/owned'. After that it starts gedit and writes 'Gotcha' + +## Status + +|LED|Status| +|-|-| +|SETUP (Magenta solid)|Not much setup needed| +|ATTACK (Yellow single blink)|attack: start xterm and gedit| +|FINISH (Green 1000ms VERYFAST blink followed by SOLID)|Done| diff --git a/payloads/library/poc/LINUX_HID/payload.txt b/payloads/library/poc/LINUX_HID/payload.txt new file mode 100644 index 00000000..8f3421ca --- /dev/null +++ b/payloads/library/poc/LINUX_HID/payload.txt 
@@ -0,0 +1,38 @@ +#!/bin/bash +# +# Title: LINUX HID POC +# Description: Payload to test protection technology +# Original Author: Thorsten Sick +# Version: 0.9 +# Category: POC +# Target: Linux +# Attackmodes: HID +# +# +# To test detection technolgy a malware-simulator is needed. +# Criteria: +# - one trick pony - no side effects +# - simple to test with (ui and file system markers left) +# - non-destructive/invasive +# "This is the eicar for bash bunny" + + +#init +LED SETUP +ATTACKMODE HID + +# attack +LED ATTACK +RUN UNITY xterm +Q DELAY 1000 +Q STRING touch /tmp/owned +Q ENTER +Q STRING exit +Q ENTER +RUN UNITY gedit +Q DELAY 1000 +Q STRING Gotcha + +# finish + +LED FINISH diff --git a/payloads/library/poc/README.md b/payloads/library/poc/README.md new file mode 100644 index 00000000..539401ad --- /dev/null +++ b/payloads/library/poc/README.md @@ -0,0 +1,12 @@ +# Proof of concepts and malware simulators + +The payloads contained in here are to test protection technology. + +"The Eicar of BashBunny attacks" + +Criteria: +- one trick pony, as simple as possible +- the essence of one attack +- no side effects +- simple to test with (ui and file system markers left by attack) +- non-destructive/invasive
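Review bot: the new payloads/library/poc/LINUX_HID/README.md says "Not much setup needed" under SETUP but does not state what the target must provide for the payload to work: a desktop session where `RUN UNITY` brings up a run dialog, and `xterm` and `gedit` installed (the Description names both). It should also tell testers what the payload leaves behind and how to undo it, since `/tmp/owned` stays on disk and a gedit window remains open with the unsaved text "Gotcha"; a short cleanup line such as "close gedit without saving and `rm /tmp/owned`" next to the IOC line would be enough. Minor: "poc" in the title is lowercase while the payload header uses "POC".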
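Review bot: in payload.txt the attack sequence depends on a fixed `Q DELAY 1000` after `RUN UNITY xterm` and again after `RUN UNITY gedit`, with nothing confirming the new window has focus. On a slow target `touch /tmp/owned` and `exit` get typed into whatever currently has focus rather than the xterm shell, and `LED FINISH` still reports success because the payload never checks that the IOC was created. Suggest a longer delay (or documenting it as the value to tune), and a note in the header that the result has to be verified on the target by looking for `/tmp/owned`. The typed strings contain `/`, so the payload also assumes a US keyboard layout on the target; state that in the header. Minor: "technolgy" -> "technology" in the comment, and "non-destructive/invasive" reads as "non-destructive or invasive"; "non-destructive, non-invasive" says what is meant.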
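Review bot: the last criterion in payloads/library/poc/README.md, "non-destructive/invasive", can be read as "non-destructive or invasive"; write "non-destructive and non-invasive". The criteria list is also repeated nearly verbatim in the header of payload.txt, so keeping the single authoritative copy here and referring to it from payloads avoids the two drifting apart. Since this README is the index for the poc category, it should list the payloads it contains (currently only LINUX_HID) with their IOCs so testers can pick the right simulator. Minor wording: "contained in here" -> "contained here".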