[PAYLOAD] HoppEye - 8x Mobile Payload Chooser

[H8.to]

I came up with the idea to "misuse" the LED colors (8 payload possiblilties) as payload indicator.

This allows to use switch position 2 to select the payload (it copies the payload content to switch1) and make your selection with moving the switch to position 1. Pluggin in the stick with position 1 will execute your payload and indicate the payload color for 1 sec. 

The project is hosted on Github: https://github.com/H8to/HoppEye

Strange to explain, but cool if you get the hang of it.

Folder structure looks like the following:

payloads/
	payload_B_BluePayload/
	payload_G_Green/
	payload_OFF_empty/
	payload_W_network/
	payload_C_empty/  
	payload_M_PoisonBunnyTap/
	payload_R_ReverseShellEmpire/
	payload_Y_empty/
	switch1/
	switch2/
		payload.txt <-- This is where the magic happens

Please see the Github for further info.

[korang]

This looks very interesting...

[Just_a_User]

Nice, very nice.

EDIT - tested, I like this a lot. Just need a power source to change payloads, Power bank or Mobile phone adapter.

The one change i would make @H8.to would be to add a "copy complete" indication for the payload changing process. Just to confirm you can unplug. Maybe a fast flash of same color? I didn't read all the code so maybe you already do this and the payloads I tried it on are to small to register. Either way its a very nice addition, thanks for sharing!

[HeavyVin]

Could this be ported to the Packet Squirrel?

I may need to make at least one flowchart...

[H8.to]

1 hour ago, Just_a_User said:

Nice, very nice.

EDIT - tested, I like this a lot. Just need a power source to change payloads, Power bank or Mobile phone adapter.

The one change i would make @H8.to would be to add a "copy complete" indication for the payload changing process. Just to confirm you can unplug. Maybe a fast flash of same color? I didn't read all the code so maybe you already do this and the payloads I tried it on are to small to register. Either way its a very nice addition, thanks for sharing!

@Just_a_User

During the copy process it will flash and after completion the LED will stay on to indicate completion :)

[Just_a_User]

53 minutes ago, H8.to said:

after completion the LED will stay on to indicate completion

Mine seems stuck on flashing, with a 1.3kB payload, been flashing for 5+ mins thats why i thought there was no completion pattern.

 EDIT  - I changed the end of the switch 2 payload to get the desired effect. thanks again!

done
LED $i 100
rm -rf /root/udisk/payloads/switch1/*
cp -R /root/udisk/payloads/payload_${i}_*/* /root/udisk/payloads/switch1/

echo "LED $i 100;sleep 2" > /tmp/tmp && cat /root/udisk/payloads/switch1/payload.txt >> /tmp/tmp && mv /tmp/tmp /root/udisk/payloads/switch1/payload.txt

sync
sleep 2
LED $i

 

[H8.to]

Whoops, yeah it's implemented the other way round :D 

Ergo: Solid during copy - Flashing when finished copying :)

[Just_a_User]

36 minutes ago, H8.to said:

Whoops, yeah it's implemented the other way round :D 

Ergo: Solid during copy - Flashing when finished copying :)

lol funny, i will put mine back to original :) thanks again!

[InfoSecREDD]

On 11/1/2017 at 10:32 AM, H8.to said:

@Just_a_User

During the copy process it will flash and after completion the LED will stay on to indicate completion :)

I added the fix for your code on your github, just waiting on your pull authority. 

Also I added a option to add 

CUCUMBER ENABLE

to the script to limit how hot the BashBunny gets while keeping it with enough power to do the copy and verify of the payload. :)

 

-Ar1k88

[InfoSecREDD]

On 11/1/2017 at 8:50 AM, HeavyVin said:

Could this be ported to the Packet Squirrel?

I may need to make at least one flowchart...

This can be ported, just honestly don't have a Packet Squirrel to test it.

[H8.to]

17 hours ago, Ar1k88 said:

I added the fix for your code on your github, just waiting on your pull authority. 

-Ar1k88

Merged 

[InfoSecREDD]

17 minutes ago, H8.to said:

Merged 

Keep a eye out on the Github, I'll be suggesting a few features I've already tested..  ?

 

(This payload has alot of potential.)

[PoSHMagiC0de]

@H8.to

Just letting you know I am going to rob you like Milli Vanilli's management did to their career.

I thought that switch was some how hard wired in code to mess with stuff but I see now it is only seen on first boot to select the right folder and then from that point it would only become an issue of messing with it if you have additional checks for the switch position.  Seeing your code, after the boot process and the system selects the folder, you can screw with it as long as you adapt for it in your code if you have switch checks.  I can see adapting this to a payload group selection for the BBTPS.  I'm coming at your idea like a villain.

[H8.to]

@PoSHMagiC0de

To say it in the words of the Chaos Computer Club:

Don't forget to place a thanks somewhere :D

[InfoSecREDD]

5 minutes ago, PoSHMagiC0de said:

@H8.to

Just letting you know I am going to rob you like Milli Vanilli's management did to their career.

I thought that switch was some how hard wired in code to mess with stuff but I see now it is only seen on first boot to select the right folder and then from that point it would only become an issue of messing with it if you have additional checks for the switch position.  Seeing your code, after the boot process and the system selects the folder, you can screw with it as long as you adapt for it in your code if you have switch checks.  I can see adapting this to a payload group selection for the BBTPS.  I'm coming at your idea like a villain.

Oh yeah, you can do ALOT with the fact you can switch the switch position to start a 2nd payload also if you have it set up right.. I've been playing with this method for the last 4 weeks.. I was skeptical too, but after seeing this payload, I've verified it works for even PasswordGrabber payload then use a FTP payload if the prior payload succeeds to start a FTP script back to a remote machine to push the credentials.

 

[InfoSecREDD]

1 hour ago, H8.to said:

Merged 

Check now, I have added my few fixes, add them as you see fit.

• Fixed adding blink of prior LED indicator to append to 2nd line of new Payload.
• Added Shutdown/CPU Throttling Script to prevent overheating of any kind.

Cheers.. 

[H8.to]

Good additions :) Always merging good ideas!

I must been really sleepy not using sed there lol 

Btw, if you have time, I did not test the "OFF" feature and I'm pretty sure LED $i 100 <- $i in this case equals OFF; this might need a short if condition if this didn't work.

The last weeks I haven't had time to look into it 

[H8.to]

Yeah.. but it's EIGHT possible payloads!!!11 haha  There might be even more like "stroboscope white" =D

[InfoSecREDD]

2 minutes ago, H8.to said:

Yeah.. but it's EIGHT possible payloads!!!11 haha  There might be even more like "stroboscope white" =D

Honestly I could think about 38 different combos... Due to flashing different patterns while seperating by "OFF" for 2 seconds.. But it's your creation... I'm just trying to help with the simple stuff.. 

[StampeRnator]

For me its not working. In switch2 all the colours are blinking when plugged in. If i want to select (go to switch 1 when plugged in it still keeps blinking in every color). Firmware v1.4

[InfoSecREDD]

5 minutes ago, StampeRnator said:

For me its not working. In switch2 all the colours are blinking when plugged in. If i want to select (go to switch 1 when plugged in it still keeps blinking in every color). Firmware v1.4

Your Bashbunny Payloads folder should look like this:

 

payloads--
-extensions
-library
-switch1
-switch2
-payload_R_empty
-payload-G_empty

etc etc...

Make sure you have the correct folders, and when you add a payload to the selected folder, please rename the folder also... 

example:
 payload_R_PasswordGrabber
 payload_G_Locker

Hope that helps..

 

[PoSHMagiC0de]

1 hour ago, H8.to said:

Yeah.. but it's EIGHT possible payloads!!!11 haha  There might be even more like "stroboscope white" =D

My idea was to snake the switch idea you had and adapter it to BBTPS which runs more than one payload asynchronously and stuff.  Pretty much same 8 but use the results to set what config to run from the bbtps..no copying.  Now you have 8 different payload pack types.  Each pack can have as many scripts as you want.  :-P  BBTPS will go from manually selecting payload packs to selecting on the fly.  :-P

[Dave-ee Jones]

This is pretty good. Do you need to plug the Bunny in every time you swap the switch back to switch 1, or do you just toggle through all 8? Be quite nice.

With WabbitWeb on a Bunny you can get 4 payloads going (not including WabbitWeb itself).

• WabbitWeb has 3 'switches' you can program (can easily add more too, like infinite?)
• Plus the other switch
• Plus the CLI in-browser

[H8.to]

@Dave-ee Jones

I thought of it as fire and go. You take a power bank with you and chose the payload on the walk to your location. Once you arrive you can directly run the payload with switch1.

I could change it to execute the correct payload directly, however this would be a problem if you select your payload at your own computer e.g. 

[Dave-ee Jones]

On 11/14/2017 at 6:27 PM, H8.to said:

@Dave-ee Jones

I thought of it as fire and go. You take a power bank with you and chose the payload on the walk to your location. Once you arrive you can directly run the payload with switch1.

I could change it to execute the correct payload directly, however this would be a problem if you select your payload at your own computer e.g. 

Yeah, that can be ideal and can be a bit annoying, depending on the situation.

I'm currently remastering WabbitWeb for the Packet Squirrel. With the PS' WiFi capabilities I'll give the new WabbitWeb (now called WebNut - nuts for webs?) the ability to remotely launch payloads and commands. With the VPN payload mixed in you could access WebNut from anywhere.

Pretty neat. Thinking about adding other functionalities like remotely launching the TCPDump payload within WebNut as well (if I can find out how to read the .pcap files live then I could even have a textbox in WabbitWeb to show a live view of the network dump), and maybe even DNS settings for DNS spoofing.

All kinds of possibilities - far more than the Bunny anyway :P