Jump to content

[PAYLOAD] WabbitWeb


Dave-ee Jones

Recommended Posts

WabbitWeb
The ultimate payload-handling tool!

Hey guys, I finally got around to uploading my first payload, after many weeks of tinkering with it - trying to get it to work.

So, what did I spend hours upon days upon multiple weeks making? This.
A tool that focuses mainly on handling payloads.

With this tool, you have to know that payloads are referred to as Letters, as the payloads are saved as letters (A, B and C).

Target:

Windows 7, 8, 8.1, 10

Dependencies:

Impacket
	- For SMB server
	- WabbitWeb will still work without Impacket, but won't start the SMB server

Directory 'ww'
	- Holds everything, basically

Features:

BashBunny-hosted python webserver
	- Handles all of the events, commands and pages!
	- Beautiful, user-friendly web interface that scales with your screen!

File Command System (FCS - makes it sound a bit fancier)
	- Uses the BashBunny's file system to handle commands and functions!
    - If there is a file called COMMAND.sh in the 'ww' directory, it will instantly source and delete it!
    	- Allows WabbitWeb to have a CLI interface in the website itself!

Payload Launcher
	- Website app (handled by FCS)
	- Launch a Letter you just created using the Payload Editor!

Payload Editor
	- Website app (handled by FCS)
	- Create a Letter, a payload saved to a letter (A, B or C) that is runnable almost instantly!
	- Doesn't handle existing payloads, only allows you to create new ones (future feature, maybe?)
    
Command Line
    - Pass commands straight to the Bunny!
    - Logs and saves all commands to WabbitWeb!

SMB Launcher
	- Website app (handled by FCS)
	- Launches a SMB server at WabbitWeb's payload folder - giving you access to all it's code DURING RUNTIME!
	- Automagically starts up a Windows Explorer window pointed straight at the SMB server!
	- Edit your Letters in your own editor (e.g. Notepad++) or copy your own payload to the folder, then use the Payload Launcher to run them!

Shutdown (yes..this is a feature!)
	- Website app (handled by FCS)
	- Shuts down WabbitWeb (...what did you expect?)
	- Uses ATTACKMODE OFF to hide, thanks to firmware 1.3!

Known bugs:

Payload Editor
	- LED commands return a usage error
	- Sleep functions don't register
	- Swapping ATTACKMODEs isn't wise (doable, but it doesn't like it too much)

Github:

Link to Github page

I will be updating this quite a bit in the background, so stay tuned if you are interested in keeping this up-to-date. I will only upload versions that are working properly, so don't worry if you think that its main features (Letters - Payload Launcher and Payload Editor) might not be working and therefore not update. 

Currently the files are in their own Github (master), so if anyone could give me a rundown of how to get Darren to put them in the payloads folder, shout at me in the comments or PM me.

Usage:

To use WabbitWeb, just copy the contents of the Github repo to a switch, plug the Bunny in with that switch ready and let it fly. Once it is flashing blue, you can open up Chrome (preferably Chrome, but most web browsers should work fine) and go to: 172.16.64.1:80 which will take you to the WabbitWeb's home page! From there, you can create payloads (known as Letters), launch the Letters you make, start up an SMB server so you can edit the Letters firsthand and edit the webpages if you really want..or just see the code as it is running.

Okay, that's cool. How do I edit a Letter from the SMB server's folder?

All you need to do is go to the 'scripts' folder and you should see 3 script files (among a few other files) there, la.shlb.sh and lc.sh. They are your A, B and C letters. If you create a payload using the Payload Editor, you will see the scripts update. If you create a script using Notepad++ or another program like that (e.g. Notepad - ew..) and save it as one of those letters, you can launch it using the Payload Launcher!

Keep in mind that any output you make goes straight to a log file in the usual logs folder, so don't bother manually making a log file unless you want it somewhere specific.

Screenshots:

Link to Imgur post

Updates:

Updated to 1.0.1 on 5/05/17
Updated to 1.0.2 on 5/05/17
Updated to 1.0.3 on 8/05/17
Updated to 1.0.4 on 10/05/17
Updated to 1.0.5 on 10/05/17
Updated to 1.0.6 on 11/05/17
Updated to 1.1.0 on 22/05/17
Updated to 1.1.1 on 23/05/17

Feel free to give me lots of constructive feedback!

Also, if you can think of anything that may fix any of the bugs above, feel free to comment/PM me!

If you find any more bugs, comment below - I'll check this post most days.

This payload is open-source and editable as you like, but please do not post a copy of this as your own work, as it isn't nice and it isn't your own work!

Edited by Dave-ee Jones
  • Like 1
  • Upvote 3
Link to comment
Share on other sites

This looks good, I'll check it out soon :)

 

11 minutes ago, Dave-ee Jones said:

This payload is open-source and editable as you like, but please do not post a copy of this as your own work, as it isn't nice and it isn't your own work!

May I suggest that you add a LICENSE on Github to prevent this? MIT / Apache / BSD might be good choices if you want to be very permissive. Otherwise GPL will do too :)

  • Upvote 1
Link to comment
Share on other sites

32 minutes ago, Sebkinne said:

This looks good, I'll check it out soon :)

 

May I suggest that you add a LICENSE on Github to prevent this? MIT / Apache / BSD might be good choices if you want to be very permissive. Otherwise GPL will do too :)

Yep. Went with MIT, seemed simple enough. :P

Btw, when you have time, can you have a look at the way I'm calling the SMB server? Doesn't seem to want to start, even if I make a separate payload to test it (means I have done something wrong, not the SMB server..)

Edited by Dave-ee Jones
  • Upvote 1
Link to comment
Share on other sites

Thanks to @Sebkinne for fixing an infinitesimal puzzle for me!
Saved me writing a workaround (already had one just about implemented and the Sebkinne tells me of a way to get by it - with a single line...classic).

Anyhow, this means that the SMB server works and a Windows Explorer window pops up to that path once the SMB server has started!
Updating the fix to Github shortly!

  • Like 1
Link to comment
Share on other sites

Hey man, my other project may borrow this idea.  The idea of a management system that is.  Will have a manual and auto feature.  I could see this project doing the same.  Think about it.  One switch is the management and manual run.  Use the management console to also be able to build a payload.txt for the other switch that has multiple quack commands to pull payloads.  I could see this being done in Python.

My whole project is NodeJS so it will stay NodeJS.  Just a way to simplify the BBTPS after I get to 1.0.  If I am feeling adventurous, the interface may be Angular2.  I need the practice.  I been Pythoning it a lot lately.

Link to comment
Share on other sites

1 hour ago, PoSHMagiC0de said:

Hey man, my other project may borrow this idea.  The idea of a management system that is.  Will have a manual and auto feature.  I could see this project doing the same.  Think about it.  One switch is the management and manual run.  Use the management console to also be able to build a payload.txt for the other switch that has multiple quack commands to pull payloads.  I could see this being done in Python.

My whole project is NodeJS so it will stay NodeJS.  Just a way to simplify the BBTPS after I get to 1.0.  If I am feeling adventurous, the interface may be Angular2.  I need the practice.  I been Pythoning it a lot lately.

So you mean making one manager that runs on a switch that can push multiple payloads to the other switch, manually or auto?

I think I can see what you're getting at, and it could be quite powerful yes. With it, you wouldn't need an arming mode either, you could manage everything within a payload.

Link to comment
Share on other sites

5 hours ago, Dave-ee Jones said:

So you mean making one manager that runs on a switch that can push multiple payloads to the other switch, manually or auto?

I think I can see what you're getting at, and it could be quite powerful yes. With it, you wouldn't need an arming mode either, you could manage everything within a payload.

Now you are feeling me.  The manual mode will be the same switch as the manager.  If you are doing delivery via http api you could still start up the delivery server, just make sure it is on a different port and in the background.  So essentially the manager will have access to doctor the payloads for the server running along side it to do manual delivery (make sure you add a url to make the payload server reinitialize its payload list so when you update its list file it knows the new list).  You could use the same server you are using on the auto launch switch just with difference parameters.  An idea I had was have it pull its config from environment variables I export via the switch perspective payload.txt, so one switch has a different config for auto than the other for manual.

 The ending result would look something like this in summary (this is all coming from the BBTPS point of view but is adaptable):

Lets make switch 1 the new system arming/manual mode.  You can log into it via the web to manage.  From there you can upload your script files with corresponding job manifest (in json) or create it right there in the web interface in the manager.  That manifest is appended to the job list and script added to jobs file.

When done, you let manager know you want a launcher to run that job list manually and it gives you a commandline to copy and paste to run, or download bat/sh file to run to launch them.  In the case of BBTPS it would be the agent to talk to that job server to serve the jobs.

There will also an automatic section in the manager web interface where you build jobs for the other switch, switch 2 in this case.  This iss our autolaunch switch.  Switch 2 you can configure to launch for the different OSes via exports to change the quack commands that the manager can manipulate when specified.  Jobs and manifests are done the same.  Difference is when done and you write the config, it is saved to the switch 2 folders and job lists.  You can pull the bunny and switch to switch 2 and then it will quack out the keystrokes to download and launch the agent on switch 2 to start downloading and running jobs.

I was thinking Angular2 for the web interface for me because I need the practice and it turns your browser into the app so I can do whatever flairs and whistles and it will mostly happen in your browser though I want to keep it minimum but interactive.

I was up late last night when all this popped in my head.  I seem to get the most ideas when I am dead tired.

  • Upvote 1
Link to comment
Share on other sites

6 hours ago, PoSHMagiC0de said:

-snip-

Okay, so how would the switch know which payload to run when you plug it in?

I'm not following completely, still don't understand how you can manage multiple payloads for a single switch.

I was thinking what I could do with WabbitWeb is add more switches, and instead of handling payloads it could handle switches.

E.g. switch1, switch2, switch3, switch4, switch5, switch6 etc.

And WabbitWeb can launch any of them. However, this isn't ideal if you don't want to touch the victim PC, so it isn't the greatest of ideas (unless you are setting up a payload environment on your own PC/laptop for the other run switch before you start attacking a victim PC).

@Sebkinne for the Arming mode switch, is it possible for you to check if there is a directory called 'switch3' in the payloads directory before launching Arming mode? Just an idea.

Link to comment
Share on other sites

6 hours ago, Dave-ee Jones said:

 

@Sebkinne for the Arming mode switch, is it possible for you to check if there is a directory called 'switch3' in the payloads directory before launching Arming mode? Just an idea.

I was almost onboard until I thought of a possible issue with this.  If someone messed up and make a payload.txt in that switch3 folder that switches attackmode to HID and all the other modes are HID then you essentially locked yourself out of your BB.  hehe.

 

6 hours ago, Dave-ee Jones said:

Okay, so how would the switch know which payload to run when you plug it in?

I'm not following completely, still don't understand how you can manage multiple payloads for a single switch.

In my case of the BBTPS I did what the other exploit frameworks are doing.  I built a node server to serve multiple payload scripts that in a folder.  They are selected by a job file that is in json that lists the jobs are json arrays.  So right now you build your list there and place the corresponding script in the script folder in the encoding you specified in the job list.  That is loaded on the node server startup.

I also build a corresponding job agent in Powershell that is downloaded from the node server by a Quacked command to pull it and execute it with parameters.  It then kicks off and begins downloading the jobs that are in the list from the server and running them and returning their text results to the node server.  If you enable smbserver.py then scripts that return files can use that to return files to the BB.

Right now you configure everything manually with the joblist file and dropping scripts in script folder in regular format, base64 or compressed base64.  I figured out zlib so pretty soon you will just put your scripts in the script folder in normal format and the node server will compress, base64 encode it always while the agent decodes, decompresses and runs script as job.

So, I built a server and agent to handle all this.  I plan on expanding it for multiple OS support by allowing other agent and script types like python since it is installed on pretty much all distros of linux and exists on MAC.  Right now the Powershell one works and has a debug mode so the output is verbose on the victim in this mode in case you want to test and troubleshoot else it is silent.

I was thinking in your case you could quack out the pull commands for your jobs but forgot for that to work you will need to be in HID and one of the ethernet attack modes which is problematic at this time for Windows so only way I can see is a server client type of setup.

For the website thing to configure, it is an idea to simplify configuring like switch1 is the mode that will serve the web management to manage setting up payloads for both the automatic attack mode (switch2) which is just the BBTPS functioning normally and the manual mode (switch1) which is the website running on one port and BBTPS running on another but no HID to auto quack out the command to pull and run agent.  This would be manual mode where you can configure also through the web console and then get the launcher command from the web console when ready (similar to metasploit or Empire building you a launcher) that you can copy and paste it in the console of the machine to run.

Link to comment
Share on other sites

1 hour ago, PoSHMagiC0de said:

I was almost onboard until I thought of a possible issue with this.  If someone messed up and make a payload.txt in that switch3 folder that switches attackmode to HID and all the other modes are HID then you essentially locked yourself out of your BB.  hehe.

Yeah, that's what I was thinking. But then I thought, what if you started the Bunny in switch3 (Arming mode) and did a recovery thing (take it out, put it back in, take it out, put it back in) and that tells the Bunny to use Arming mode instead of the switch3 payload's (or just bypasses the 'if switch3 launch switch3 payload.txt').

I still don't understand what you are trying to do with the other bit though, but it sounds interesting (NodeJS isn't my eggs and ham, though).

Link to comment
Share on other sites

Probably easier to just point you you to the project so you can inspect/try it yourself.  :-P

Remember, it doesn't have to be done in Node.  I just chose Node to be different.  There are frameworks in Python and Ruby, figured I will give Node some love.  The server and everything I am done can be done in Python too.  Right now it only has a Powershell agent for Windows and it currently works under a payload switch automatically and has a verbose mode which is determined by the DEBUG variable in the payload.txt.  Good for testing.

Link to comment
Share on other sites

Minor update - 1.0.3 was just released.

Swapped port from 8080 to 80, making it simpler to access the Bunny (just use 172.16.64.1 in browser now :grin:), and made it so the mounted directory actually accesses the root folder, ('/'), not just the udisk drive.

Some minor bugs were fixed here and there also.

 

7 hours ago, PoSHMagiC0de said:

Probably easier to just point you you to the project so you can inspect/try it yourself.  :-P

Remember, it doesn't have to be done in Node.  I just chose Node to be different.  There are frameworks in Python and Ruby, figured I will give Node some love.  The server and everything I am done can be done in Python too.  Right now it only has a Powershell agent for Windows and it currently works under a payload switch automatically and has a verbose mode which is determined by the DEBUG variable in the payload.txt.  Good for testing.

I'll try it at some point :)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...