Jump to content

Check Bunny storage prior to payload execution


mkmk
 Share

Recommended Posts

Hey All,

Something that might help with payloads that use the Bunny storage.
This will check if the storage is mounted by the target machine and is great to replace the DELAY timeout commonly used at the start of a payload:

until dmesg | grep -q "sunxi_usb"; do sleep 3; done

May need to experiment with the sleep value to reach the desired effect but i've tested it on several machines and it works well so far.

  • Upvote 1
Link to comment
Share on other sites

8 hours ago, m3t4lk3y said:

Hey All,

Something that might help with payloads that use the Bunny storage.
This will check if the storage is mounted by the target machine and is great to replace the DELAY timeout commonly used at the start of a payload:


until dmesg | grep -q "sunxi_usb"; do sleep 3; done

May need to experiment with the sleep value to reach the desired effect but i've tested it on several machines and it works well so far.

Gonna give this a try! Would be great if this worked!

Link to comment
Share on other sites

Awesome! Please let me know how it goes. Also, i'm using the following attack mode settings:

ATTACKMODE STORAGE HID SERIAL

And i'm working on OS detection by checking how different OS's interact with the bunny by grepping dmesg, etc... Would be really interested to work with anyone who has any ideas or would like to collaborate. If anyone's interested, please pm me or we can even start a thread?

Link to comment
Share on other sites

Apologies, i forgot to add. I did a bit of testing last night on Mac and it appears the "sunxi_usb" related strings do not appear until the bb is interacted with by attempting to login via Serial Mode.
On the upside we know if the device is a Mac, so this can help with ultra-fast OS detection. On the downside, we may have to use something like this to wait for the bb to be mounted (may also need to add an additional sleep on the end):

until dmesg | grep -q "high-speed config"; do sleep 3; done

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...