[PAYLOAD] BrowserBunny

[Draxiom]

I am working on a new payload that will act as a web gui for standard BashBunny functions. The idea is that you keep this payload in one switch folder, and run it from a non-target. The BB will spin up a php server, and serve a local website at http://172.16.64.1 With the gui up, you can execute daisy chained shell commands in the 'console', or quickly swap out payloads found in the git repo, to the other switch folder. The repository url can easily be swapped out for your own fork, so you can quickly pull down changes, and make debugging payloads easier. Check out the repository and tell me what you think.

To do (I might submit the pull request before these tasks are done, and make them a future enhancement):

• Write help page (or leave it as is)
• integrate existing terminal emulator in place of custom 'console' 

https://github.com/mathew-fleisch/bashbunny-payloads/tree/master/payloads/library/BrowserBunny

 

Edited March 29, 2017 by Draxiom

[Just_a_User]

Nice work, I like it a lot.

[Draxiom]

1 hour ago, Just_a_User said:

Nice work, I like it a lot.

Thanks dad.

[Dave-ee Jones]

Clever. I like the idea of it booting a webpage on a local server so you can access it and have a nice looking Web GUI to change out your payloads or run a payload. What would be awesome is if you could get this running in Arming mode...

Does it work with the library folder? Like, seeing all the different payload folders in the library and swapping them out in the switches?

 

[Draxiom]

Thanks @Dave-ee Jones. I agree that it would be best if you could run this payload from any computer, and not have to have internet sharing set up. However, I don't see a way of making it work in arming mode :/ Any suggestions? If you are in arming mode, you could probably just swap out payloads with the standard file browser, the normal way.

It does indeed work by copying payloads out of the library folder. I use git to clone the payloads directly to the mass storage, and then simple cp commands to move them to the available switch directory. 

[Dave-ee Jones]

17 minutes ago, Draxiom said:

Thanks @Dave-ee Jones. I agree that it would be best if you could run this payload from any computer, and not have to have internet sharing set up. However, I don't see a way of making it work in arming mode :/ Any suggestions? If you are in arming mode, you could probably just swap out payloads with the standard file browser, the normal way.

It does indeed work by copying payloads out of the library folder. I use git to clone the payloads directly to the mass storage, and then simple cp commands to move them to the available switch directory. 

Sounds good! I'm making my own webserver via Powershell on a localhost. I will probably finish it out and then modify it to be compatible with a BB, so that it can run a webserver for any clients on it.

Not exactly sure what it is gonna be used for yet...Lol.

EDIT: I wonder if you can get a working serial terminal inside the webpage straight to the BB...

Edited March 30, 2017 by Dave-ee Jones

[Decoy]

8 hours ago, Draxiom said:

Thanks dad.

Is he really your Dad?

[Draxiom]

1 hour ago, Decoy said:

Is he really your Dad?

Yea. Hacking runs in the family.

[Draxiom]

2 hours ago, Dave-ee Jones said:

Sounds good! I'm making my own webserver via Powershell on a localhost. I will probably finish it out and then modify it to be compatible with a BB, so that it can run a webserver for any clients on it.

Not exactly sure what it is gonna be used for yet...Lol.

EDIT: I wonder if you can get a working serial terminal inside the webpage straight to the BB...

Interesting. The web server I set up, should be able to run on arming mode, but you only get an ip if you share the internet with a host computer. Perhaps one could pipe the webpages through serial to lynx on the host. 

[Dave-ee Jones]

30 minutes ago, Draxiom said:

Interesting. The web server I set up, should be able to run on arming mode, but you only get an ip if you share the internet with a host computer. Perhaps one could pipe the webpages through serial to lynx on the host. 

Yeah, it will be similar to what you are doing basically. The BB will run a web server that allows computers connected to it to access it with a web GUI. This could allow someone to change payloads, update the library, etc.

Making an SSH/Serial terminal inside a webpage is very tricky without embedding someone else's program. 

[Draxiom]

1 hour ago, Dave-ee Jones said:

Yeah, it will be similar to what you are doing basically. The BB will run a web server that allows computers connected to it to access it with a web GUI. This could allow someone to change payloads, update the library, etc.

Making an SSH/Serial terminal inside a webpage is very tricky without embedding someone else's program. 

 I am confused. That is exactly what my payload does. The web GUI runs on the bb and you can swap out payloads or run commands. How is different from what you want to make?

[Dave-ee Jones]

23 minutes ago, Draxiom said:

 I am confused. That is exactly what my payload does. The web GUI runs on the bb and you can swap out payloads or run commands. How is different from what you want to make?

Oh. Well RIP. I thought it was different...

Well, similar can also mean the same virtually, I guess.

I cannot run commands on it, if that makes you feel any better! 

I do have a question though...For some reason any devices connected to the same network as the webserver cannot connect to the webserver. May have to wait until I port it to the BB.

Oh, another question, how did you get the Bunny to take commands? Or is it just a web-based console that the webserver acts on, not the BB?

[Draxiom]

9 hours ago, Dave-ee Jones said:

Oh. Well RIP. I thought it was different...

Well, similar can also mean the same virtually, I guess.

I cannot run commands on it, if that makes you feel any better! 

I do have a question though...For some reason any devices connected to the same network as the webserver cannot connect to the webserver. May have to wait until I port it to the BB.

Oh, another question, how did you get the Bunny to take commands? Or is it just a web-based console that the webserver acts on, not the BB?

No worries. I thought I was missing something from your explanation. The web server is hosted on the bb, and requires you to share the internet connection with the host computer. You won't be able to access the site from any other devices, because they are not also sharing their internet (no route to that ip address). As for the commands section, the web server is already running as root, so it has full privs to do anything. I am actually a php dev by day, and that was the quickest way (for me) to get this project done. In php there is an exec() function an I am essentially just passing raw strings (from the user) to that function, to execute commands. However, a future enhancement that I want to make, would be to incorporate a full terminal emulator like GateOne, to have the full set of commands and features in the browser. For now, it is just simple commands sent to exec() and the response parroted back to the browser. 

[Dave-ee Jones]

Yeah, exec() seems to be the easiest way to go, and in some ways the nicest.

In regards to connecting to the BBs webserver, the computers that are being hosted by the BB can, right? As in, if you had a 3-way USB port from the BB to the computers (DHCP server giving them the 172.16.64.10-12) all of them could access it via 172.16.64.64:8080 (or whatever port you are using, I am assuming it's 80 or 8080) right?

[Draxiom]

5 minutes ago, Dave-ee Jones said:

Yeah, exec() seems to be the easiest way to go, and in some ways the nicest.

In regards to connecting to the BBs webserver, the computers that are being hosted by the BB can, right? As in, if you had a 3-way USB port from the BB to the computers (DHCP server giving them the 172.16.64.10-12) all of them could access it via 172.16.64.64:8080 (or whatever port you are using, I am assuming it's 80 or 8080) right?

Yes the web server is hosted on the bb and is on port 80. Not sure if a 3 way usb port would route the traffic though. LMK if you get that working.

[Dave-ee Jones]

6 hours ago, Draxiom said:

Yes the web server is hosted on the bb and is on port 80. Not sure if a 3 way usb port would route the traffic though. LMK if you get that working.

I would try it but I don't have a spare 3-way USB port handy, let alone 3 devices...

Well, I guess I could use 2 Android phones connected on OTG...

Also, anyone got any ideas as to how I would download a GitHub repository of the payloads and replace the current library folder with the downloaded library folder inside the whole GitHub repo? Would be much simpler if Darren made the folders in the repo zips...

Edited March 31, 2017 by Dave-ee Jones

[Draxiom]

6 hours ago, Dave-ee Jones said:

Also, anyone got any ideas as to how I would download a GitHub repository of the payloads and replace the current library folder with the downloaded library folder inside the whole GitHub repo? Would be much simpler if Darren made the folders in the repo zips...

Are you messing with me? Cause that is the other only functionality of this payload. The console will git clone directly to the device, and the payloads page helps you swap out the payloads from the git repository.

[Dave-ee Jones]

2 minutes ago, Draxiom said:

Are you messing with me? Cause that is the other only functionality of this payload. The console will git clone directly to the device, and the payloads page helps you swap out the payloads from the git repository.

Pfft, messing with you, yeah why would I-why would-pfft-no. 

Seriously though, it is a pretty big issue to get around. You more than likely incorporated your own GitBunnyGit which means you didn't do it the way I want to do it 
I was hoping there was a way to do it all with JavaScript but atm all I have it do is download the repo and not do anything with it. Extracting a ZIP is far easier with PHP but then if you want to move files or anything like that you would need to use JavaScript or something else other than PHP.

Easiest thing I can think of is make JavaScript run Powershell which can then do anything you need it to, but you have to make sure it is all client side and not run by the Bunny (otherwise it be like "What is this .zip you keep speaking of? I don't have anything like that!").

Swapping out Payloads is probably not going to happen with my webserver though, if that makes you feel any better...

 

[Draxiom]

1 minute ago, Dave-ee Jones said:

Pfft, messing with you, yeah why would I-why would-pfft-no. 

Seriously though, it is a pretty big issue to get around. You more than likely incorporated your own GitBunnyGit which means you didn't do it the way I want to do it 
I was hoping there was a way to do it all with JavaScript but atm all I have it do is download the repo and not do anything with it. Extracting a ZIP is far easier with PHP but then if you want to move files or anything like that you would need to use JavaScript or something else other than PHP.

Easiest thing I can think of is make JavaScript run Powershell which can then do anything you need it to, but you have to make sure it is all client side and not run by the Bunny (otherwise it be like "What is this .zip you keep speaking of? I don't have anything like that!").

Swapping out Payloads is probably not going to happen with my webserver though, if that makes you feel any better...

 

Have you tried this payload? The main function is swapping out payloads and no zips are necessary. Also, I did incorporate GitBunnyGit, because I wrote that payload too... thanks for the plug ;). Using php and ajax calls, BrowserBunny copies each payload from the library folder, to the available switch directory. So the first step clones the repository on the bunny so all payloads are stored locally. The second step uses a command like:

exec("cp -r /root/udisk/payloads/library/BunnyTap/* /root/udisk/payloads/switch2/.");

Isn't that what you are describing?

[Dave-ee Jones]

22 hours ago, Draxiom said:

Have you tried this payload? The main function is swapping out payloads and no zips are necessary. Also, I did incorporate GitBunnyGit, because I wrote that payload too... thanks for the plug ;). Using php and ajax calls, BrowserBunny copies each payload from the library folder, to the available switch directory. So the first step clones the repository on the bunny so all payloads are stored locally. The second step uses a command like:

exec("cp -r /root/udisk/payloads/library/BunnyTap/* /root/udisk/payloads/switch2/.");

Isn't that what you are describing?

Yes that's all well and good..with PHP. JavaScript doesn't allow you to do half of that. Only way to really do it is run a powershell script from JS and do the copies that way. 

What I might do is use your GitBunnyGit to update the repo.