Jump to content

misteriously behaving new bunny


LGee

Recommended Posts

I have recently started playing around with my new bashbunny, and payloads. Can't figure out what I see when running my first basic payloads on Win7. Take this for example...:

Here is a payload I wrote, where I am trying to use ducky script commands and at the same time use the storage on the bunny, e.g. to store stuff on it later while running ducky commands.

Here is my payload for switch1:

#!/bin/bash
# Set LED Red while setting up attack
LED R
ATTACKMODE HID STORAGE
Q DELAY 10000
LED R G
Q GUI r
Q DELAY 2000
Q STRING cmd
Q DELAY 4000
Q ENTER
Q DELAY 5000
Q STRING e:
Q ENTER
Q DELAY 5000
Q STRING dir
Q ENTER
Q DELAY 2000
# Light turns green - trap is clean.
LED R G B

 

And this results in a single command given in GUI+r:

powershell .))gwmi win32?volume +f ælabel\ææBashBunnyæææ=.Name`æpayloads'switch2'd.cmdæ=

I have flashed the bunny to latest (1.3) firmware.

What am I doing wrong?

I can't seem to get my new bunny hopping. :(

 

 

Link to comment
Share on other sites

sorry for the bad formatting. here it goes:

powershell .))gwmi win32?volume +f ælabel\ææBashBunnyæææ=.Namepayloads'switch2'd.cmdæ=

so, the error is, I am not getting any of the expected behavior per my ducky script above.

instead, when I insert the bunny with switch in pos. 1.,  I only get this powershell-like line in the Run window and an ENTER after. nothing else happens.

really cannot see where this line is coming from. not to mention why my actual commands are not executing...

 

BTW, I also struggle with the ATTACKMODE setting.

no matter what payload I use, and what ATTACKMODE I configure in payload.txt, I am always getting the bunny mounted as storage, no matter which setting the hardware switch is in.

I could not find any forum entry related to that, but please point me to one if this has been observed before.

 

Link to comment
Share on other sites

Do not know if you are using a different language keyboard but that is some wierd formatted text so will attempt to see if that is the issue.

One thing you are doing in your ducky script is your are assuming the ducky wiill be on drive e: when it may not be on every machine.  Your script will know but not the BashBunny.  This is the reason why the BB Ducky commands you see in most of the payloads are just enough to run a script that does the rest.  Now if you know on your test machine that drive is e: then you are all good for that test machine.

Next, your script still looks strangely formatted so I will redo the duck command for it at how it should probably look.

 

Q STRING "powershell -C \".((gwmi -class win32_volume -f {label='BashBunny'}).Name + 'payloads\\$SWITCH_POSITION\\d.cmd'\")"

Of course I do not have enough info to see what you are really accomplishing except running the file called d.cmd on the BB and then getting a dir of e: drive.

Link to comment
Share on other sites

I am using Norwegian keyboard conf. So, that explains the æææ's. But it does not explain why the powershell command shows up when I don't have any powershell commands in my script.

 

Also, I've  tried the bunny under linux, and ATTACKMODE seemed to work correctly, whereas when I tried to plug it in under Win7 (tried two different win machines) it always turns up as storage, accessible. No matter what switch position or payload I use.

 

 

Link to comment
Share on other sites

Well you clearly do have Powershell lines in your script lol. Looks like your firmware has broken so much it only wants to run one payload. You can try some "udisk" commands in the serial console, see if that helps (1 or 2 of those commands will probably wipe everything, but maybe it'll help you get back on your feet). E.g. "udisk reformat".

Link to comment
Share on other sites

If you have access to your Bash Bunny, the correct way to perform a factory reset is the following:

  1. Boot the device in ARMING mode
  2. Serial into the device and execute "udisk reformat". The storage partition will now be formatted and the device will reboot
  3. Serial into the device and execute "factory_reset_bunny". The Bash Bunny will reboot and be restored to firmware v1.0
  4. Download and upgrade your Bash Bunny to the latest firmware version

You should be ready to go after this.

  • Upvote 2
Link to comment
Share on other sites

On 7/17/2017 at 9:56 PM, Sebkinne said:

If you have access to your Bash Bunny, the correct way to perform a factory reset is the following:

  1. Boot the device in ARMING mode
  2. Serial into the device and execute "udisk reformat". The storage partition will now be formatted and the device will reboot
  3. Serial into the device and execute "factory_reset_bunny". The Bash Bunny will reboot and be restored to firmware v1.0
  4. Download and upgrade your Bash Bunny to the latest firmware version

You should be ready to go after this.

Sebkinne,

I appreciate the vast wealth of knowledge that you guys posses and I appreciate the help that all of you guys give to guys like me.

I tried to factory reset my Bunny following your instructions above, I immediately got the "Police" LED patter and then it stopped blinking. I removed the Bunny and tried to reboot it. I get a green light for about 2 seconds then nothing. I think my bunny just died.

 

Link to comment
Share on other sites

  • 2 months later...

did you leave it plugged in for the 18 minutes? I am having the same exact issue and have reformated  a bunch of times only to see it go dead. I haven't waited any specific amount of time though, so i guess that will be my next move. I tried plugging it in with the pineapple cord thinking maybe it needed extra power but that just failed to. What a damn shame.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...