Check Bunny storage prior to payload execution

[mkmk]

Hey All,

Something that might help with payloads that use the Bunny storage.
This will check if the storage is mounted by the target machine and is great to replace the DELAY timeout commonly used at the start of a payload:

until dmesg | grep -q "sunxi_usb"; do sleep 3; done

May need to experiment with the sleep value to reach the desired effect but i've tested it on several machines and it works well so far.

[C1PH3R]

8 hours ago, m3t4lk3y said:

Hey All,

Something that might help with payloads that use the Bunny storage.
This will check if the storage is mounted by the target machine and is great to replace the DELAY timeout commonly used at the start of a payload:

until dmesg | grep -q "sunxi_usb"; do sleep 3; done

May need to experiment with the sleep value to reach the desired effect but i've tested it on several machines and it works well so far.

Gonna give this a try! Would be great if this worked!

[mkmk]

Awesome! Please let me know how it goes. Also, i'm using the following attack mode settings:

ATTACKMODE STORAGE HID SERIAL

And i'm working on OS detection by checking how different OS's interact with the bunny by grepping dmesg, etc... Would be really interested to work with anyone who has any ideas or would like to collaborate. If anyone's interested, please pm me or we can even start a thread?

[mkmk]

Apologies, i forgot to add. I did a bit of testing last night on Mac and it appears the "sunxi_usb" related strings do not appear until the bb is interacted with by attempting to login via Serial Mode.
On the upside we know if the device is a Mac, so this can help with ultra-fast OS detection. On the downside, we may have to use something like this to wait for the bb to be mounted (may also need to add an additional sleep on the end):

until dmesg | grep -q "high-speed config"; do sleep 3; done

 

[mkmk]

This has worked well on the Mac systems i've tested:

until ls -halt /dev | head -n 5 | grep -q "nandf"; do sleep 1;