Type Bash Bunny Payloads using BunnyType

During an engagement a long time ago, I had the need to type Bash Bunny payloads. I wasn't able to finish this by then, but hopefully someone else is looking for something like this.

Type Bash Bunny Payloads - Introducing BunnyType

If you read my DIY rubber ducky post, then this will be in a similar vein.

The original idea for this payload was a restricted Citrix environment. We were unable to escape this environment, but wanted a way to transfer in large files.

In this case, we ended up e-mailing and/or downloading the files. That said, the ability to type the files directly would have left even less of a forensic trail.

In the end, I created a Bash Bunny payload to type out files up to ~8GB.

Hardware and Setup

For this payload, I'll obviously use my Bash Bunny.

Type Bash Bunny Payloads - Bash Bunny

Other than that, an optional application and required file to type need to be located in the payload directory.

Also, a quick note. I had some issues with my first payloads, but once I replaced all of my CRLF with LF, then it typed successfully.

The Code

You can find the code for this payload below.

This payload will open up the specified application, check to see if the local file exists, and then manually type it out. Note that I had to manually replace white-space characters, as "Q STRING" wasn't working for these.

#!/bin/bash
#
# Title:         BunnyType
# Author:        doylersec
# Version:       1.0
# Target:        Windows
#
# Types the contents of a file into the application of your choosing.
# Best used for environments where copy and paste isn't available, or for large
# files that you cannot access over the internet/local network/mass storage devices.
#
#
# Blue   --- Setup and opening the application
# Yellow --- Typing the contents
# Green  --- Done
#

ATTACKMODE HID

LED B

# Gets the switch position
GET SWITCH_POSITION

application="notepad"
file="/root/udisk/payloads/${SWITCH_POSITION}/file.txt"
mytab=`echo -e "\t"`
newline=`echo -e "\n"`

# Checks to see if file.txt is present, and if so, reads it into a variable
if [ ! -f "/root/udisk/payloads/${SWITCH_POSITION}/file.txt" ] ; then
    LED FAIL
    exit 1
fi

# Open the application
Q GUI r
Q DELAY 100
Q STRING ${application}
Q ENTER

LED Y

# Type out the payload, including white-space replacement
IFS=''
while read -n1 c; do
    if [ "$c" == "$newline" ] ; then
        Q ENTER
    elif [ "$c" == "$mytab" ] ; then
        Q TAB
    elif [ "$c" == " " ] ; then
        Q SPACE
    else
        Q STRING "$c"
    fi
done < "$file"

LED G

As usual, you can find the code and any updates in my GitHub repository.

Please feel free to submit any pull requests, if you use this for anything else, especially offensive related.

The Execution

For a demonstration, I used my BofA Forensics post to type out.

As you can see, the payload successfully opens up notepad, and begins to type the post.

I apologize for the brief blurriness, as my phone decided to try to auto-focus during this recording.

Type Bash Bunny Payloads - Conclusion

While this is not the most complicated payload, I'm glad to finally release it.

This was my first Bash Bunny payload, but I'm hoping to release a few more in the future.

In the meantime, let me know if you have any ideas for payloads, or uses for existing one!

doyler on Githubdoyler on Twitter
doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

As an Amazon Associate I earn from qualifying purchases.

Common passed on this blog, I made it to a jam.

Leave a Comment

Filed under Security Not Included

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.