
BashBunny Safely Eject on End of Script


B0rk


14 minutes ago, B0rk said:

Is there any way to have the BashBunny safely eject on completion of the payload (on Windows)? If so, how?

I recall seeing some PowerShell command that will eject based on disk labels. Unfortunately I don't have that handy right now, but it might point you in the right direction.

Keep in mind that ejection can take a while, so you might need to ensure it was properly ejected before pulling out the Bash Bunny. 


One thing I see is that you're trying to eject a device while the device is running your 'eject' script.

So Windows will tell you the device is in use.

1) The moment you tell Windows to kill that connection, the script will stop because the source is gone.


From https://superuser.com/questions/443162/remove-usb-device-from-command-line

They tell Windows to pop up the 'safe removal dialog' by invoking

RunDll32.exe shell32.dll,Control_RunDLL hotplug.dll

But using a script to touch that 'stop' button would set the first part of my post. (not to mention leaving the dialog screen open)

 

---

https://serverfault.com/questions/130887/dismount-usb-external-drive-using-powershell

$driveEject = New-Object -comObject Shell.Application
$driveEject.Namespace(17).ParseName("E:").InvokeVerb("Eject")

 

 

Most solutions after that require the use of diskpart to use the dismount command. However: that would cause the script to stop (see mention 1) and leave 

The last part would be the nicest (called from PowerShell) but the cleanup without the BB telling the computer what to do would be nice to have


26 minutes ago, Dice said:

-snip-

A cleanup script would just be passed to PowerShell, then (if you need to) open another PowerShell and eject the device while the cleanup script is running. The cleanup script could just be a few commands as well (that way you wouldn't need to pass a script to the PC).


Actually, when you're ejecting the storage, it SHOULD only stop the storage attackmode, leaving HID or any other "non-ejectable" devices (attackmodes) still running from the BB payload. I'll play with this during the day and post said results here.


5 minutes ago, B0rk said:

Actually, when you're ejecting the storage, it SHOULD only stop the storage attackmode, leaving HID or any other "non-ejectable" devices (attackmodes) still running from the BB payload. I'll play with this during the day and post said results here.

This is correct.


7 hours ago, Dice said:

$driveEject = New-Object -comObject Shell.Application
$driveEject.Namespace(17).ParseName("E:").InvokeVerb("Eject")

 

Dice, this does work for a Volume Letter (E:, D:, etc.), but I'm unable to get it to recognize a Volume Label such as 'BASHBUNNY'. Any ideas?


4 minutes ago, B0rk said:

Dice, this does work for a Volume Letter (E:, D:, etc.), but I'm unable to get it to recognize a Volume Label such as 'BASHBUNNY'. Any ideas?

I can recall Darren enumerating the associated drive letter by the label. He actually did that for the ducky.


Here is what I always used for enumerating the duck by the label DUCKY - 

for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duckydrive=%d

Then the ducky can actually be referenced by letter with the env var %duckydrive%. 


Thank you Dice, your find assisted in the creation of a WORKING ps1 script.

$BB = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'BASHBUNNY' } | Select-Object -First 1 -ExpandProperty Driveletter
$driveEject = New-Object -comObject Shell.Application
$driveEject.Namespace(17).ParseName("$BB").InvokeVerb("Eject")

I've tested it with multiple drive letters and it PROPERLY ejects the drive. 

THANK YOU TO EVERYONE WHO CONTRIBUTED! - I only hope that this helps for future payloads.


This also works. It also means that if you had called that bit earlier to open a PowerShell script on the Bunny you can call on that same object to eject the Bunny.

$bb = (gwmi win32_volume -f 'label=''BASHBUNNY''').Name
$driveEject = New-Object -comObject Shell.Application
$driveEject.Namespace(17).ParseName("$bb").InvokeVerb("Eject")

It's also slightly shorter :P
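
A fuller version of the label-based eject from the posts above, added here as an example and not any poster's own script: it handles a missing label and, since ejection can take a while as noted earlier in the thread, polls until Windows no longer reports the volume. The function name `Invoke-SafeEject`, the timeout, and the assumption that an ejected volume disappears from `Win32_Volume` are assumptions of this example.

```powershell
# Added example (not from the thread). 'BASHBUNNY' is the label used in the
# thread; the function name and the timeout value are hypothetical.
function Invoke-SafeEject {
    param(
        [string]$Label = 'BASHBUNNY',
        [int]$TimeoutSeconds = 15
    )

    # Resolve label -> drive letter. Filtering in PowerShell avoids building
    # a WQL string from the label. DriveLetter is empty for unmounted volumes.
    $letter = Get-CimInstance Win32_Volume |
        Where-Object { $_.Label -eq $Label -and $_.DriveLetter } |
        Select-Object -First 1 -ExpandProperty DriveLetter
    if (-not $letter) {
        Write-Warning "No mounted volume labelled '$Label' was found."
        return $false
    }

    # Namespace(17) is the shell's "My Computer" folder (ssfDRIVES).
    # ParseName returns $null when the drive is not listed there, so check
    # before calling InvokeVerb instead of failing on a null object.
    $shell = New-Object -ComObject Shell.Application
    $item  = $shell.Namespace(17).ParseName($letter)
    if (-not $item) {
        Write-Warning "Drive $letter is not visible to the shell."
        return $false
    }
    $item.InvokeVerb('Eject')

    # Poll until the volume is gone or the timeout expires.
    # Assumption: a completed eject removes the volume from Win32_Volume.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $still = Get-CimInstance Win32_Volume |
            Where-Object { $_.DriveLetter -eq $letter }
        if (-not $still) { return $true }
        Start-Sleep -Milliseconds 500
    }
    Write-Warning "Drive $letter is still mounted after $TimeoutSeconds s (in use?)."
    return $false
}

# Usage: $true means the volume is no longer reported by Windows.
Invoke-SafeEject -Label 'BASHBUNNY'
```

A `$false` result with the "still mounted" warning usually means a process, including a shell whose working directory is on the drive, still holds the volume open.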
