[PAYLOAD] RevShellBack

[uintdev]

Discussion thread for the RevShellBack payload.

I've seen quite a few Rubber Ducky projects to do with getting a reverse shell running on a PC so that the shell can be accessed remotely on a different computer. But what got me thinking is this: the Bash Bunny is a full-on Linux ARM computer, right? It has netcat and it can do HID and ethernet simultaneously. So.. why not use that instead?

At first, this payload will use a bit of HID trickery to hide itself from an observer as best as it can. As soon as it has done executing the final PowerShell command, HID is no longer used. User-defined commands will be sent to the computer in the background.

By default, 4 commands are executed as a demo:

• Write file (with content) to the desktop
• Eject CD/DVD tray (if it exists) -- thank PowerShell for making that possible
• Open calculator application
• Message box -- powered by PowerShell

 

For information about the payload, the payload script itself and how to configure it, it can be found at this GitHub repository: https://github.com/uintdev/RevShellBack

Edited August 16, 2019 by uintdev

[reubadoob]

This is pretty cool. 

I haven't gone through the entire script yet but would this require leaving the bash bunny behind? Sorry I don't own a bunny (yet!)

[Darren Kitchen]

Awesome payload. Neat concept of a powershell reverse shell stager to kick off commands by netcat.

It's a shame the powershell netcat interpreter is 342 characters long - necessitating opening and obfuscating a cmd window. I wonder if it could be whittled down to fit in the run dialog with its 260 max length.

Something like

cmd /c "start /MIN powershell <command goes here>"

 

[reubadoob]

Darren "Ain't nobody got time for that" Kitchen. 

[Dave-ee Jones]

At line 34 onwards you will probably need to (in some cases) increase the time to wait until the UAC box comes open (first time you open it after a reboot is about 3 seconds or so), also you can replace the 'LEFTARROW' then 'ENTER' with 'ALT Y' which immediately chooses the 'Yes' option.

They're not really needed suggestions, as this seems to work fine without. Good job :)

What's with the ADMIN variable though? What's the limitations if I set it to false? Does it just limit what commands I push to the PC or does it change the method it uses to open CMD/PowerShell?

[uintdev]

8 hours ago, reubadoob said:

This is pretty cool. 

I haven't gone through the entire script yet but would this require leaving the bash bunny behind? Sorry I don't own a bunny (yet!)

It would need to remain connected. The LED will indicate once it's done.

8 hours ago, Darren Kitchen said:

Awesome payload. Neat concept of a powershell reverse shell stager to kick off commands by netcat.

It's a shame the powershell netcat interpreter is 342 characters long - necessitating opening and obfuscating a cmd window. I wonder if it could be whittled down to fit in the run dialog with its 260 max length.

Something like

cmd /c "start /MIN powershell <command goes here>"

 

Indeed it sucks for there to be such character limit. I did manage to decrease $sm to 254 characters (without IP and port) but that is definitely not enough still.

I could use SimpleHTTPServer to host the PowerShell file on the Bash Bunny. As for being to be able to execute it as a privileged user (optionally), that could be a bit of a challenge.

EDIT: Hello. Future me here. Dismiss that comment about using a HTTP server. Can't put the variables in the script that way.

6 hours ago, Dave-ee Jones said:

At line 34 onwards you will probably need to (in some cases) increase the time to wait until the UAC box comes open (first time you open it after a reboot is about 3 seconds or so), also you can replace the 'LEFTARROW' then 'ENTER' with 'ALT Y' which immediately chooses the 'Yes' option.

They're not really needed suggestions, as this seems to work fine without. Good job :)

What's with the ADMIN variable though? What's the limitations if I set it to false? Does it just limit what commands I push to the PC or does it change the method it uses to open CMD/PowerShell?

Ah, yes. I heard of that shortcut but kinda forgot about it being a thing. Would speed it up a bit, so thanks for that suggestion.

The ADMIN variable changes the method it would run the CMD. So if it were to be set to false, it won't go through the UAC at all.

Edited October 9, 2017 by NodePoint
Correction

[Dave-ee Jones]

47 minutes ago, NodePoint said:

The ADMIN variable changes the method it would run the CMD. So if it were to be set to false, it won't go through the UAC at all.

Yeah, so how does that affect the payload's functionality? Can you only run non-Admin commands remotely from the Bunny or can you run Admin commands while not in ADMIN mode? Bit more documentation there would be nice :)

[uintdev]

1 minute ago, Dave-ee Jones said:

Yeah, so how does that affect the payload's functionality? Can you only run non-Admin commands remotely from the Bunny or can you run Admin commands while not in ADMIN mode? Bit more documentation there would be nice :)

It should allow commands that would be admin-only sent from the BB to work.

Pushed out v0.1.1. It uses the shortcut @Dave-ee Jones suggested for the UAC, ADMIN is now false by default, CMD background processes created as a result of the payload now close once done and delays have been shortened.

If the newly set delays are too short, let me know and I'll try adjusting it to something reasonable.

If you've used the previous version of the payload on a computer, check task manager and kill "Windows Command Processor" processes that were created by the payload if you want. They use up a little RAM.

[Dave-ee Jones]

24 minutes ago, NodePoint said:

It should allow commands that would be admin-only sent from the BB to work.

Okay, sounds pretty good!

24 minutes ago, NodePoint said:

If you've used the previous version of the payload on a computer, check task manager and kill "Windows Command Processor" processes that were created by the payload if you want. They use up a little RAM.

As someone who loves a minimal amount of programs open at a time..

Noice 

[uintdev]

v0.1.2 is out. 'cmd' is now directly ran by default (avoiding that very noticeable window with a deep blue coloured background).

[Darren Kitchen]

minimum cmd "mode" is 18,1 -- at least on my systems. Also you can pre-load the obfuscation commands on line 39 with this

cmd /K "mode 18,1 & color FE & cd C:\ & title "

Cheers!

[uintdev]

47 minutes ago, Darren Kitchen said:

minimum cmd "mode" is 18,1 -- at least on my systems. Also you can pre-load the obfuscation commands on line 39 with this

cmd /K "mode 18,1 & color FE & cd C:\ & title "

Cheers!

Minimum on mine was 15. Perhaps it's to do with the display configuration.

The changes have been made in v0.1.3. I have to say, this one really gives it a boost.

Thanks. 

[PoSHMagiC0de]

You can trim off a bunch of characters from the run line by putting the cleanup line at the beginning, end or where ever you want in the ncat script to do the cleanup.  Only thing you should need in the stager is the code needed to get the rest of the code so your cleanup can be in the rest of the code that netcat has.  Do not know what the character count will be afterwards.

 

Yeah, since he is using net.sockets, the stager will be bigger than the http stagers because he has to handle the data gathering manually through a stream and then running it.

There is code to make a script hide itself from within the script itself but will pad more code to either the stager script or the script itself, where ever you want the hide code to run.  It involves some c# assembly to expose a function from a native.

The code could actually be used to hide any running process window that you have access to, or minimize, maximize and stuff.  It interacts with the window handler for that process.  Easy to find in a Google search too.  Been asked a lot online.

[Dave-ee Jones]

Could you also convert it to Base64 so it's harder to identify as code for CMD/PS? Not sure if it would shorten it or not but it would probably lengthen the time of the whole payload..

[uintdev]

8 hours ago, Dave-ee Jones said:

Could you also convert it to Base64 so it's harder to identify as code for CMD/PS? Not sure if it would shorten it or not but it would probably lengthen the time of the whole payload..

Having the string encoded with base64 would add on more characters to type out (including the base64 decode function).

If I were to encode the PowerShell part (without the variables becoming an IP and a port number): it would be 458 characters long base64 decoded but 611 if base64 encoded (this includes escaping so it could be slightly shorter). This is without the function required to decode base64.

 

I figured having it harder to read in a small window would be somewhat good enough (won't be in full view, goes by fast, Windows may lock up cursor during keyboard input).

It's not like we're passing over a small binary file via netcat, so my question is if it would be worth adding in the extra steps.