theonewhoknocks
Posted March 18, 2017 (edited)

I got annoyed pretty quickly by the number of times I had to re-plug the Bash Bunny in order to test a complicated payload of some sort, so I threw together this rather rudimentary payload that spins up a Flask server. Given that you can see the Bunny via IP, you can test your payloads with ease by POSTing some text to it. The POST data type should be JSON and look like:

{"text": "cat \"hello.txt\"; commands here;"}

I recommend putting a sleep in there so you have time to tab out of Postman or whatever you use to test APIs with.

I just wanted to get the idea out there, but I think I'll clean it up soon enough. I can imagine some more advanced things with this, related to data exfil or even remote administration...

And yeah, I know, this is susceptible to RCE, but whatever, it's testing!

----------------------

I ran these commands from https://blog.miguelgrinberg.com/post/designing-a-restful-api-with-python-and-flask

NOTE: Requires you have ICS on the Bunny in order to "apt-get install python-pip" so that you can get Flask from the pip repo.

$ mkdir app-name-whatever
$ cd app-name-whatever
$ virtualenv flask
$ flask/bin/pip install flask

------------------------------

Python app.py code below:

#!apiserver/flask/bin/python
# The shebang has to be the first line. Change it to whatever folder the
# virtualenv is in, relative to /root/ (ex: app-name-whatever/flask/bin/python).
from flask import Flask, jsonify, abort, request
import subprocess

app = Flask(__name__)


@app.route('/api/test', methods=['POST'])
def getapi():
    try:
        # Write the posted "text" field to data.txt and run it as a bash script
        # (this is the deliberately unrestricted command runner described above).
        with open('data.txt', 'w') as outfile:
            cmd = request.json.get("text", "")
            outfile.write(cmd)
        subprocess.call(['/bin/bash', "data.txt"])
        # Switch back to RNDIS so the server is reachable over USB again,
        # then flash the LED red as a "ready" signal.
        subprocess.call(['/root/ATTACKMODE', "RNDIS_ETHERNET"])
        subprocess.call(['LED', "R", "100"])
        return jsonify("OK")
    except Exception:
        abort(500)


if __name__ == '__main__':
    # host='0.0.0.0' is needed: Flask's default of 127.0.0.1 is only reachable
    # from the Bunny itself, not from the host over the RNDIS link.
    app.run(host='0.0.0.0', debug=True)

The LED will flash red once the server is accessible again (because you probably changed attack modes when testing).

Edited March 18, 2017 by theonewhoknocks
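The post says outright that the endpoint is an unauthenticated remote command runner, which is fine on an air-gapped test bench but means anything that can reach the RNDIS address can run commands as root on the Bunny. The following is an added example (not the poster's code, and not a Hak5 tool) of the same test harness written against the standard library with the two cheap fixes a practitioner would want: a shared token checked in constant time, and binding only to the Bunny's own RNDIS address instead of every interface. Assumed, and not from the post: the token comes from the `TEST_API_TOKEN` environment variable, the `X-Test-Token` header name, and `172.16.64.1` as the Bunny's RNDIS address (override it with `TEST_API_BIND` if your firmware uses a different one). The ATTACKMODE and LED calls from the post are left to the posted script itself.

```python
import hmac
import json
import os
import subprocess
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions (not from the original post): token and bind address come from
# the environment. 172.16.64.1 is assumed to be the Bunny's address on the
# RNDIS link; change TEST_API_BIND if yours differs.
BIND_ADDR = os.environ.get("TEST_API_BIND", "172.16.64.1")
BIND_PORT = int(os.environ.get("TEST_API_PORT", "5000"))
TOKEN_HEADER = "X-Test-Token"  # hypothetical header name


def token_ok(presented, expected):
    """Constant-time comparison so the token cannot be guessed byte by byte.
    An empty expected token (server misconfigured) never matches."""
    if not expected or presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def parse_script(body):
    """Accept exactly the {"text": "..."} shape from the post; reject anything else."""
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise ValueError("body is not valid JSON")
    if not isinstance(data, dict) or not isinstance(data.get("text"), str):
        raise ValueError('expected {"text": "<script>"}')
    return data["text"]


def run_as_bash(script_text):
    """Write the posted text to a private (mode 0600) temp file and run it with
    bash, which is what the original payload does with data.txt."""
    fd, path = tempfile.mkstemp(prefix="bunny-test-", suffix=".sh")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(script_text)
        return subprocess.call(["/bin/bash", path])
    finally:
        os.unlink(path)


def handle(presented_token, body, expected_token, runner=run_as_bash):
    """Request logic kept separate from the socket code so it can be tested.
    Returns (http_status, message)."""
    if not token_ok(presented_token, expected_token):
        return 401, "missing or wrong token"
    try:
        script = parse_script(body)
    except ValueError as exc:
        return 400, str(exc)
    try:
        runner(script)
    except Exception as exc:  # a failing payload is a 500, not a server crash
        return 500, "payload failed: %s" % exc
    return 200, "OK"


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != "/api/test":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, msg = handle(self.headers.get(TOKEN_HEADER), body,
                             os.environ.get("TEST_API_TOKEN", ""))
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"result": msg}).encode())


if __name__ == "__main__":
    if not os.environ.get("TEST_API_TOKEN"):
        raise SystemExit("set TEST_API_TOKEN before starting the test server")
    # Bind to the Bunny's own RNDIS address only, not 0.0.0.0.
    HTTPServer((BIND_ADDR, BIND_PORT), Handler).serve_forever()
```

Start it on the Bunny with `TEST_API_TOKEN=<some long random string> python3 app.py`, and from the host send the same JSON the post describes, adding the header: `curl -H 'X-Test-Token: <the string>' -d '{"text":"sleep 5; cat hello.txt"}' http://172.16.64.1:5000/api/test`. A missing or wrong token gets a 401 and a malformed body a 400 before anything is written to disk.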