B0rk
Posted May 10, 2017

Is there any way to have the BashBunny safely eject on completion of the payload (on windows)? If so, how?

Sebkinne
Posted May 10, 2017

14 minutes ago, B0rk said:
> Is there any way to have the BashBunny safely eject on completion of the payload (on windows)? If so, how?

I recall seeing some PowerShell command that will eject based on disk labels. Unfortunately I don't have that handy right now, but it might point you in the right direction.

Keep in mind that ejection can take a while, so you might need to ensure it was properly ejected before pulling out the Bash Bunny.

B0rk (Author)
Posted May 10, 2017

Thanks Sebkinne, looking forward to my first upload to the GitHub repo here in the near future.

Dice
Posted May 11, 2017

One thing I see is that you're trying to eject a device while the device is running your 'eject' script. So Windows will tell you the device is in use.

1) The moment you tell Windows to kill that connection, the script will stop because the source is gone.

From https://superuser.com/questions/443162/remove-usb-device-from-command-line

They tell Windows to pop up the 'safe removal dialog' by invoking

    RunDll32.exe shell32.dll,Control_RunDLL hotplug.dll

But using a script to touch that 'stop' button would set the first part of my post. (not to mention leaving the dialog screen open)

---

https://serverfault.com/questions/130887/dismount-usb-external-drive-using-powershell

    $driveEject = New-Object -comObject Shell.Application
    $driveEject.Namespace(17).ParseName("E:").InvokeVerb("Eject")

Most solutions after that require the use of diskpart to use the dismount command. However: that would cause the script to stop (see mention 1) and leave

The last part would be the nicest (called from PowerShell) but the cleanup without the BB telling the computer what to do would be nice to have

Dave-ee Jones
Posted May 11, 2017

26 minutes ago, Dice said:
> -snip-

A cleanup script would just be passed to powershell, then (if you need to) open another powershell and eject the device while the cleanup script is running. The cleanup script could just be a few commands as well (that way you wouldn't need to pass a script to the PC).

B0rk (Author)
Posted May 11, 2017

Actually, when you're ejecting the storage, it SHOULD only stop the storage attackmode, leaving HID or any other "non-ejectable" devices (attackmodes) still running from the BB payload. I'll play with this during the day and post said results here.

Sebkinne
Posted May 11, 2017

5 minutes ago, B0rk said:
> Actually, when you're ejecting the storage, it SHOULD only stop the storage attackmode, leaving HID or any other "non-ejectable" devices (attackmodes) still running from the BB payload. I'll play with this during the day and post said results here.

This is correct.

B0rk (Author)
Posted May 11, 2017

7 hours ago, Dice said:
>     $driveEject = New-Object -comObject Shell.Application
>     $driveEject.Namespace(17).ParseName("E:").InvokeVerb("Eject")

Dice, this does work for a Volume Letter (E:, D:, etc.), but I'm unable to get it to recognize a Volume Label such as 'BASHBUNNY'. Any ideas?

Dice
Posted May 11, 2017

4 minutes ago, B0rk said:
> Dice, this does work for a Volume Letter (E:, D:, etc.), but I'm unable to get it to recognize a Volume Label such as 'BASHBUNNY'. Any ideas?

I can recall Darren enumerating the associated driveletter by the label. He actually did that for the ducky.

rottingsun
Posted May 11, 2017

Here is what I always used for enumerating the duck by the label DUCKY -

    for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duckydrive=%d

Then the ducky can actually be referenced by letter with the env var %duckydrive%.

B0rk (Author)
Posted May 11, 2017

Thank you Dice, your find assisted in the creation of a WORKING ps1 script.

    $BB = Get-WMIObject Win32_Volume | ? { $_.Label -eq 'BASHBUNNY' } | Select-Object -First 1 -ExpandProperty Driveletter
    $driveEject = New-Object -comObject Shell.Application
    $driveEject.Namespace(17).ParseName("$BB").InvokeVerb("Eject")

I've tested it with multiple drive letters and it PROPERLY ejects the drive.

THANK YOU TO EVERYONE WHO CONTRIBUTED! - I only hope that this helps for future payloads.

Dice
Posted May 11, 2017

Clean script, I like it

Dave-ee Jones
Posted May 15, 2017

This also works. It also means that if you had called that bit earlier to open a PowerShell script on the Bunny you can call on that same object to eject the Bunny.

    $bb = (gwmi win32_volume -f 'label=''BASHBUNNY''').Name
    $driveEject = New-Object -comObject Shell.Application
    $driveEject.Namespace(17).ParseName("$bb").InvokeVerb("Eject")

It's also slightly shorter :P
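
Added example, not part of any post in this thread: Sebkinne's point that ejection can take a while and should be confirmed before the device is pulled, combined with the label lookup the thread arrived at. The function name, the timeout, and the use of `[System.IO.Directory]::Exists` as the "ejected" test are assumptions of this example; it targets Windows PowerShell, where `Get-WmiObject` is available.

```powershell
# Added example: eject a volume by label, then confirm it is really gone.
# 'BASHBUNNY' is the label used in the thread; everything else is illustrative.
function Dismount-VolumeByLabel {
    param(
        [string]$Label = 'BASHBUNNY',
        [int]$TimeoutSeconds = 15
    )

    # Resolve the label to a drive letter such as "E:" (skip unmounted volumes).
    $letter = Get-WmiObject Win32_Volume |
        Where-Object { $_.Label -eq $Label -and $_.DriveLetter } |
        Select-Object -First 1 -ExpandProperty DriveLetter
    if (-not $letter) {
        Write-Warning "No mounted volume with label '$Label'."
        return $false
    }

    # 17 is the "This PC" shell folder; ParseName returns $null if the
    # drive is not listed there, so check before calling InvokeVerb.
    $shell = New-Object -ComObject Shell.Application
    $item  = $shell.Namespace(17).ParseName($letter)
    if (-not $item) {
        Write-Warning "Shell could not find drive $letter."
        return $false
    }
    $item.InvokeVerb('Eject')

    # InvokeVerb does not wait for the eject to finish. Poll until the
    # root directory is no longer reachable, or give up at the deadline.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (-not [System.IO.Directory]::Exists("$letter\")) { return $true }
        Start-Sleep -Milliseconds 500
    }
    Write-Warning "Drive $letter still mounted after $TimeoutSeconds s (in use?)."
    return $false
}

Dismount-VolumeByLabel -Label 'BASHBUNNY'
```

A `$false` result after the timeout usually means something still holds a handle on the volume, which is the "device is in use" case Dice describes, for example a script file or working directory still open on the drive.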