Type Bash Bunny Payloads using BunnyType

During an engagement a long time ago, I had the need to type Bash Bunny payloads. I wasn’t able to finish this by then, but hopefully someone else is looking for something like this.

Type Bash Bunny Payloads – Introducing BunnyType

If you read my DIY rubber ducky post, then this will be in a similar vein.

The original idea for this payload was a restricted Citrix environment. We were unable to escape this environment, but wanted a way to transfer in large files.

In this case, we ended up e-mailing and/or downloading the files. That said, the ability to type the files directly would have left even less of a forensic trail.

In the end, I created a Bash Bunny payload to type out files up to ~8GB.

Hardware and Setup

For this payload, I’ll obviously use my Bash Bunny.

Type Bash Bunny Payloads - Bash Bunny

Other than that, an optional application and required file to type need to be located in the payload directory.

Also, a quick note. I had some issues with my first payloads, but once I replaced all of my CRLF with LF, then it typed successfully.

The Code

You can find the code for this payload below.

This payload will open up the specified application, check to see if the local file exists, and then manually type it out. Note that I had to manually replace white-space characters, as “Q STRING” wasn’t working for these.

# Title:         BunnyType
# Author:        doylersec
# Version:       1.0
# Target:        Windows
# Types the contents of a file into the application of your choosing.
# Best used for environments where copy and paste isn't available, or for large
# files that you cannot access over the internet/local network/mass storage devices.
# Blue   --- Setup and opening the application
# Yellow --- Typing the contents
# Green  --- Done



# Gets the switch position

mytab=`echo -e "\t"`
newline=`echo -e "\n"`

# Checks to see if file.txt is present, and if so, reads it into a variable
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/file.txt" ] ; then
    exit 1

# Open the application
Q STRING ${application}


# Type out the payload, including white-space replacement
while read -n1 c; do
    if [ "$c" == "$newline" ] ; then
        Q ENTER
    elif [ "$c" == "$mytab" ] ; then
        Q TAB
    elif [ "$c" == " " ] ; then
        Q SPACE
        Q STRING "$c"
done < "$file"


As usual, you can find the code and any updates in my GitHub repository.

Please feel free to submit any pull requests, if you use this for anything else, especially offensive related.

The Execution

For a demonstration, I used my BofA Forensics post to type out.

As you can see, the payload successfully opens up notepad, and begins to type the post.

I apologize for the brief blurriness, as my phone decided to try to auto-focus during this recording.

Type Bash Bunny Payloads – Conclusion

While this is not the most complicated payload, I’m glad to finally release it.

This was my first Bash Bunny payload, but I’m hoping to release a few more in the future.

In the meantime, let me know if you have any ideas for payloads, or uses for existing one!

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.