During an engagement a long time ago, I had the need to type Bash Bunny payloads. I wasn’t able to finish this by then, but hopefully someone else is looking for something like this.
Type Bash Bunny Payloads – Introducing BunnyType
If you read my DIY rubber ducky post, then this will be in a similar vein.
The original idea for this payload was a restricted Citrix environment. We were unable to escape this environment, but wanted a way to transfer in large files.
In this case, we ended up e-mailing and/or downloading the files. That said, the ability to type the files directly would have left even less of a forensic trail.
In the end, I created a Bash Bunny payload to type out files up to ~8GB.
Hardware and Setup
For this payload, I’ll obviously use my Bash Bunny.
Other than that, an optional application and required file to type need to be located in the payload directory.
Also, a quick note. I had some issues with my first payloads, but once I replaced all of my CRLF with LF, then it typed successfully.
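The CRLF problem noted above can be caught before a payload is copied to the device. The following check is an added example, not part of the original post or the BunnyType repository; the function names and the constructed sample files are assumptions for illustration.

```shell
#!/bin/bash
# Added example: line-ending pre-flight check for payload files.
# Function names and the sample files below are illustrative assumptions.

CR=$(printf '\r')   # literal carriage return; $(...) only strips trailing LFs

# has_crlf FILE: succeeds if any line in FILE ends in CR LF.
has_crlf() {
    LC_ALL=C grep -q "${CR}\$" -- "$1"
}

# count_crlf FILE: prints the number of lines ending in CR LF.
count_crlf() {
    LC_ALL=C grep -c "${CR}\$" -- "$1" || true
}

# to_lf FILE: rewrites FILE in place with CR LF converted to LF.
to_lf() {
    tmp=$(mktemp) || return 1
    sed "s/${CR}\$//" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# preflight FILE...: reports on each file, converts CRLF, returns 1 if a file is missing.
preflight() {
    status=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"; status=1
        elif has_crlf "$f"; then
            n=$(count_crlf "$f")
            to_lf "$f" && echo "FIXED    $f ($n CRLF line endings converted)"
        else
            echo "OK       $f"
        fi
    done
    return $status
}

# Constructed sample: a two-line script saved with Windows line endings.
demo_dir=$(mktemp -d)
printf 'ATTACKMODE HID\r\nLED B\r\n' > "$demo_dir/payload.txt"
printf 'hello\n' > "$demo_dir/file.txt"
preflight "$demo_dir/payload.txt" "$demo_dir/file.txt"
rm -rf "$demo_dir"
```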
The Code
You can find the code for this payload below.
This payload will open up the specified application, check to see if the local file exists, and then manually type it out. Note that I had to manually replace white-space characters, as “Q STRING” wasn’t working for these.
```bash
#!/bin/bash
#
# Title:         BunnyType
# Author:        doylersec
# Version:       1.0
# Target:        Windows
#
# Types the contents of a file into the application of your choosing.
# Best used for environments where copy and paste isn't available, or for large
# files that you cannot access over the internet/local network/mass storage devices.
#
#
# Blue                 --- Setup and opening the application
# Yellow               --- Typing the contents
# Green                --- Done
#

ATTACKMODE HID
LED B

# Gets the switch position
GET SWITCH_POSITION

application="notepad"
file="/root/udisk/payloads/${SWITCH_POSITION}/file.txt"
mytab=`echo -e "\t"`
# Command substitution strips the trailing newline, so this is the empty string.
# read -n1 also returns an empty value when it reaches a newline, so the
# comparison in the loop below still matches.
newline=`echo -e "\n"`

# Checks to see if file.txt is present, and fails if it is not
if [ ! -f "$file" ] ; then
    LED FAIL
    exit 1
fi

# Open the application
Q GUI r
Q DELAY 100
Q STRING ${application}
Q ENTER

LED Y

# Type out the payload, including white-space replacement
IFS=''
# -r keeps backslashes in the file literal instead of treating them as escapes
while read -r -n1 c; do
    if [ "$c" == "$newline" ] ; then
        Q ENTER
    elif [ "$c" == "$mytab" ] ; then
        Q TAB
    elif [ "$c" == " " ] ; then
        Q SPACE
    else
        Q STRING "$c"
    fi
done < "$file"

LED G
```
As usual, you can find the code and any updates in my GitHub repository.
Please feel free to submit any pull requests if you use this for anything else, especially anything offensive-related.
The Execution
For a demonstration, I used my BofA Forensics post to type out.
As you can see, the payload successfully opens up notepad, and begins to type the post.
I apologize for the brief blurriness, as my phone decided to try to auto-focus during this recording.
Type Bash Bunny Payloads – Conclusion
While this is not the most complicated payload, I’m glad to finally release it.
This was my first Bash Bunny payload, but I’m hoping to release a few more in the future.
In the meantime, let me know if you have any ideas for payloads, or uses for existing ones!