[PAYLOAD] StickyBunny

[Squibs]

Hey I am super new to this, so forgive me if there is another payload like this, I looked around but could not find anything like it just yet.

The payload copies CMD.exe to sethc.exe allowing you to press the shift key 5 times to open up a cmd line. Though the attack must be carried out when the user is logged in, you can still open the cmd line the same way even on the login screen. Let me know what you guys think, It's my first payload so I would appreciate any constructive criticism and any idea on how to make it better.

https://github.com/InvaderSquibs/BashBunny/tree/master/payloads/library/StickyBunny

[PoSHMagiC0de]

Cool.  I actually implemented a powershell version of this in the BBTPS project.  It does something similar.

Checks for a backup of sethc.exe, if exists it exits assuming you already ran it.

If no backup it moves it to sethc.bak and then copies cmd.exe to sethc.bak.

I called us Handicapped backdoor though hehe.  Cool standalone payload though.

If you do want to see some code for this in Powershell, check out the BBTPS.

[Squibs]

I just took a look at BBTPS that is some awesome stuff in there! I will have to play around with that. Thanks for the feedback, I'll have to try implementing that check for the backup file that could save time. Thanks again.

[ccollins]

Very cool. However, I would suggest modifying your #Open Admin Powershell block. I'm not sure what SHIFT-ENTER or LEFTARROW does but here's an example of what you could do,

#Open Admin Powershell 
ATTACKMODE HID
LED B 200
Q GUI d # minimize all open windows
Q DELAY 100
Q GUI r # open run prompt
Q DELAY 500
Q STRING powershell -Command "Start-Process Powershell -Verb RunAs"
Q ENTER
Q DELAY 1000
Q ALT Y # if UAC is enabled there will be a pop-up and ALT Y selects "yes"
Q DELAY 500
Q ENTER # if UAC was NOT enabled then now you have an extra Y in your powershell so press enter to clear that up
Q DELAY 1200

# if everything above works then you should be running an Administrator Powershell at the location C:\Windows\system32\ where the sethc.exe is located and the rest of you're code should run fine. 

 

[Squibs]

Thanks for the advice @ccollins I will look in to trying it that way. The CTRL-SHIFT ENTER opens it as admin then the left arrow then enter gets you through the prompt that windows throws at you. But your way would avoid that completely and is probably way quicker. Thanks again.

On another note, I am new to all of this and was wondering what the correct way to try to add your payload to the hak5 git repo would be, It looks like it would simply be doing a Merge Request for your fork, is that all though or is there anything else that I would need to do? Thanks in advance.

[jordanlg30]

I need some help here. How does this work? Do I need PowerShell to use this payload? I just wanted to know on how to run this sticky bunny correctly so that I can get the CMD Prompt at login screen. But I’m not sure on how to run this. Is this a .sh file? Like what extension should I save the payload as? Just let me know because I want to start using this. So just let me know. And get back to me soon on this. So thanks a lot.

[kuyaya]

9 hours ago, jordanlg30 said:

I need some help here. How does this work? Do I need PowerShell to use this payload? I just wanted to know on how to run this sticky bunny correctly so that I can get the CMD Prompt at login screen. But I’m not sure on how to run this. Is this a .sh file? Like what extension should I save the payload as? Just let me know because I want to start using this. So just let me know. And get back to me soon on this. So thanks a lot.

Just click on the github link and copy it into the switch positions. That's all you have to do. Save the file as .txt, you don't need to configure anthing.

When you take a look on the payload.txt, you see that it opens powershell. So yes, powershell needs to be installed on the victim computer (but that's default in win10 and win7).

 

[jordanlg30]

Okay. So do I save it as a text file? Is that right? But how do I get it to run at the login screen and make the CMD Prompt come up? Can you let me know on how to do that? So I save the txt file and run it? And how do I open up PowerShell? So I can run this the login screen? Is that right? Just let me know if that’s right. So just let me know if that’s correct. So thanks a lot.

[kuyaya]

11 hours ago, jordanlg30 said:

Okay. So do I save it as a text file?

Read what I said above.

11 hours ago, jordanlg30 said:

But how do I get it to run at the login screen and make the CMD Prompt come up?

Read the payload...After the payload successfully ran, press shift five times and CMD comes up.

11 hours ago, jordanlg30 said:

So I save the txt file and run it?

READ.MY.TEXT.ABOVE

11 hours ago, jordanlg30 said:

And how do I open up PowerShell?

The payload does that for you. You don't have to configure anything. But I also said that above. Read. My. Texts.

16 hours ago, jordanlg30 said:

So I can run this the login screen? Is that right?

No, the payload only works when the computer is unlocked. But that is written in the readme.txt. Read. The. Fucking. Manual. After the payload is executed, you can "spawn" a cmd shell even when the comptuer is locked.

Please inform yourself what a product does before buying it. And read the manuals. https://docs.hak5.org

[jordanlg30]

Thanks for that. Unfortunately I can’t buy this because I don’t have the money. But is there a way to send the payload without the bash bunny stick? How about a usb drive? Or downloading the drivers onto the usb flash drive? Will that work? Because I can’t buy the bash bunny, it’s too much. So I’m sorry about that. Can I buy a cheap one online somewhere maybe? Just let me know. Because I want to see if that’s correct. So just let me know if I can run the payloads without the bash bunny. So maybe that’s possible. So just let me know if I can do that. So just get back to me and let me know. So thanks a lot.

[kuyaya]

Ah, that's why u asked. 

You cannot run these payloads on an ordinary USB drive, and there are no drivers which will make it work. 

The BB is a Linux machine. It's not a ordinary USB drive, it's a Linux system inside a USB drive. You could maybe recreate it with a raspberry pi, but that would take a lot of time and effort.