Jump to content

$SWITCH_POSITION


frankace

Recommended Posts

When using the following command 

".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\a.cmd')"

It errors out

. : The term 'E:\payloads\\a.cmd' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:2
+ .((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\a.cmd' ...
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (E:\payloads\\a.cmd:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

It is not grabbing the variable for $SWITCH_POSITION

What am I missing?

 

Thanks

Link to post
Share on other sites

Are you calling this line with a QUACK command?

If so, try doing this:

".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\"

"$SWITCH_POSITION"

"\a.cmd')"

Use 3 separate commands, one after the other, to write them instead of all in one line. Sometimes it misinterprets something and gets confused.

Link to post
Share on other sites

Remember to add your

QUACK STRING <line>

to actually use the HID injection. Just using that line/those lines without a command in front of them won't do anything. It will just come up with similar errors.

Link to post
Share on other sites

I did notice the bunny_helpers is missing this bit of code:

check_switch() {
switch1=`cat /sys/class/gpio_sw/PA8/data`
switch2=`cat /sys/class/gpio_sw/PL4/data`
switch3=`cat /sys/class/gpio_sw/PL3/data`
echo "--- switch1 = $switch1, switch2 = $switch2, switch3 = $switch3"
if [ "x$switch1" = "x0" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x1" ]; then
SWITCH_POSITION="switch1"
elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x0" ] && [ "x$switch3" = "x1" ]; then
SWITCH_POSITION="switch2"
elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x0" ]; then
SWITCH_POSITION="switch3"
else
SWITCH_POSITION="invalid"
fi
}
 
check_switch

export SWITCH_POSITION

Is it as simple as editing the file and adding the missing code?

Link to post
Share on other sites
8 hours ago, frankace said:

 

I did notice the bunny_helpers is missing this bit of code:

 

@frankace

please use only the actual versions from GitHub! There are a lot of improvements already done...

Link to post
Share on other sites
21 hours ago, frankace said:

To clarify this is the bunny_helpers.sh that is located in the library folder

The back-up/original version of bunny_helpers.sh does not include the switch_position variable. You'll have to pull the latest version from the repo (or add it yourself manually) to be able to use that variable. To make updating the payloads easier, I have created a payload (with @audibleblink) that will clone the repo directly to the bunny.  Check it out:

https://github.com/hak5/bashbunny-payloads/tree/master/payloads/library/GitBunnyGit 

Link to post
Share on other sites

@Draxiom I was not able to get your payload to work properly.  I am sure it is something i missed.  Your suggestion did lead me to the post from Just_a_User.  I downloaded to the zip from his post, extracted the bunny_helpers.sh and copied to my bash bunny. 

Thanks for the help

Link to post
Share on other sites
1 hour ago, frankace said:

@Draxiom I was not able to get your payload to work properly.  I am sure it is something i missed.  Your suggestion did lead me to the post from Just_a_User.  I downloaded to the zip from his post, extracted the bunny_helpers.sh and copied to my bash bunny. 

Thanks for the help

np. Out of curiosity, how did the payload fail? 

Link to post
Share on other sites

So I was having the same issue and I found that the placement of the "source bunny_helpers.sh" matters. It must be placed after the ATTACKMODE command:

LED R 50
ATTACKMODE HID STORAGE
source bunny_helpers.sh
Q DELAY 6000

This fixed the issue with not being able to read the "$SWITCH_POSITION" variable.

Hope this helps,

NightStalker

 

Link to post
Share on other sites

I am having this issue as well, and the SWITCH_POSITION variable is just not working in any of the payloads I try.

Here is an example payload.txt I have setup

ATTACKMODE HID

source bunny_helpers.sh

QUACK GUI r
QUACK DELAY 100
QUACK STRING Testing Switch Position, Switch Position is ${SWITCH_POSITION}

And this is the output I get

XnvIW82.png

And this is the contents of the bunny_helper.sh that is present under payloads/library on the bunny itself

#!/bin/bash

################################################################################
# Get target ip address and hostname from dhcp lease.
# This is for the attack mode of ETHERNET specified.
# Without ETHERNET specified, below environment variables will be empty.
#
# How this works?
# 1) ATTACKMODE waits until:
#    a) target ip address is negotiated by dhcp
#    b) time out
# 2) After ATTACKMODE, we can get target ip address and hostname.
################################################################################
leasefile="/var/lib/dhcp/dhcpd.leases"
export TARGET_IP=$(cat $leasefile | grep ^lease | awk '{ print $2 }' | sort | uniq)
export TARGET_HOSTNAME=$(cat $leasefile | grep hostname | awk '{print $2 }' \
		| sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//')
export HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'})

################################################################################
# Get switch position
# Taken from bash_bunny.sh
################################################################################

check_switch() {
	switch1=`cat /sys/class/gpio_sw/PA8/data`
	switch2=`cat /sys/class/gpio_sw/PL4/data`
	switch3=`cat /sys/class/gpio_sw/PL3/data`
	echo "--- switch1 = $switch1, switch2 = $switch2, switch3 = $switch3"
	if [ "x$switch1" = "x0" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x1" ]; then
		SWITCH_POSITION="switch1"
	elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x0" ] && [ "x$switch3" = "x1" ]; then
		SWITCH_POSITION="switch2"
	elif [ "x$switch1" = "x1" ] && [ "x$switch2" = "x1" ] && [ "x$switch3" = "x0" ]; then
		SWITCH_POSITION="switch3"
	else
		SWITCH_POSITION="invalid"
	fi
}

check_switch
export SWITCH_POSITION

Not really sure what I am doing wrong, and any help would be greatly appreciated.

Link to post
Share on other sites
26 minutes ago, trumpet7347 said:

 

I am having this issue as well, and the SWITCH_POSITION variable is just not working in any of the payloads I try.

Here is an example payload.txt I have setup


ATTACKMODE HID

source bunny_helpers.sh

QUACK GUI r
QUACK DELAY 100
QUACK STRING Testing Switch Position, Switch Position is ${SWITCH_POSITION}

And this is the output I get

XnvIW82.png

You need to escape the special characters... look at the examples here:

 

Link to post
Share on other sites
On 3/21/2017 at 2:27 PM, GermanNoob said:

You need to escape the special characters... look at the examples here:

 

 

That would actually print out "$SWITCH_POSITION" to the run command though wouldn't it, what I am wanting it for it to print out either "switch1" or "switch2" from the bunny_helpers.sh variable

Link to post
Share on other sites
6 minutes ago, trumpet7347 said:

That would actually print out "$SWITCH_POSITION" to the run command though wouldn't it, what I am wanting it for it to print out either "switch1" or "switch2" from the bunny_helpers.sh variable

Sorry, @trumpet7347!

Obviously I didn't read your post correctly... Having a look again to your code the problem is the brackets: ${SWITCH_POSITION}

just try this:

QUACK STRING Testing Switch Position, Switch Position is $SWITCH_POSITION

 

Link to post
Share on other sites
23 minutes ago, GermanNoob said:

Sorry, @trumpet7347!

Obviously I didn't read your post correctly... Having a look again to your code the problem is the brackets: ${SWITCH_POSITION}

just try this:


QUACK STRING Testing Switch Position, Switch Position is $SWITCH_POSITION

 

Its ok @GermanNoob, thanks for the help, but unfortunatly I still get the same result.

I have been doing some more testing and it defenetly seems to be something with my bunny_helpers.sh file. Here is the new payload I was trying out

ATTACKMODE HID RNDIS_ETHERNET

source bunny_helpers.sh

QUACK DELAY 1000
QUACK STRING Testing Switch Position, Switch Position is $SWITCH_POSITION
QUACK ENTER

QUACK STRING Testing Target IP, IP is $TARGET_IP
QUACK ENTER

ATTACKMODE RNDIS_ETHERNET

source bunny_helpers.sh

echo "Target Ip is " >> /root/udisk/test.txt
echo $TARGET_IP >> /root/udisk/test.txt
sync

Here I am trying to see if I can access the $TARGET_IP variable that is also located in the bunny helper file. Unfortunatly I can not, below is the output of the HID section.

Testing Switch Position, Switch Position is
Testing Target IP, IP is

You can also see that I also just tried to see if it was some issue with using HID and Ethernet attacks together, so I made a seperate ATTACKMODE section just using ethernet, and just tried to echo the IP out to a file, which unfortunatly also failed. Here is the contents of the test.txt file

Target Ip is 

So it looks like those variables just are not getting populate for some reason, and I am really not sure why.

Link to post
Share on other sites

That's really weird as I tested your first payload on my BashBunny & Computer and it works just fine...

Have you tested the bunny_helpers.sh "offline" meaning without using in a payload?

  1. Just connect your Bunny and connect to it with screen or ssh
  2. Mount the payload drive to /root/udisk with 
mount -o sync /dev/nandf /root/udisk

3. goto /root/udisk/payloads/library

4. type "source bunny_helpers.sh"

5. type "echo $SWITCH_POSITION"

That should work and tests your bunny_helpers.sh

Link to post
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...