
Archived

This topic is now archived and is closed to further replies.

AndrewFaulds

[Version 1] Uploading Executables?


In the USB Rubber Ducky Part 1 video, Darren says that you could potentially upload an executable payload from the HID.

How would you do this?

Even the smallest 10KB payload would take a long time to "type" into the PC, even automatically.

As mentioned elsewhere in this forum, with no delay, max speed would be around 500 chr/s. Now, uploading a binary via keystrokes would be slow, as binaries would have to be simulated as Alt+XXX key combinations to make it possible to enter the full range of 8-bit values. As a result, this 500 chr/s would become around 150 chr/s with no delay. At a rate of 150 bytes/s, a 10KB (10240B) payload would take around 70 seconds to upload. That's way over a minute, and very inefficient.

Emulating a USB Flash Drive might work, but then the exploit could be blocked just as easily as the USB Switchblade.

Oh and Darren, if you're reading this: 1,1 is 1 pixel away from the very top-left corner of the screen. 0,0 would be correct.


Firstly, yes, that would be VERY slow to type the payload.

Secondly, the part that was blocked was the autorun; there is not much stopping us from using the HID emulation to run the payload. The issue then would be reliability.

Finally, 0,0 on a Mac would activate a hot corner if one was present, and 1,1 is in the hit box for the Apple logo only at some resolutions on the Mac. For a better result, you would need to compare the hit boxes and find a point that will activate the menu on almost all resolutions.

Emulating a USB Flash Drive might work, but then the exploit could be blocked just as easily as the USB Switchblade.

Correct me if I'm wrong, but the USB Switchblade fails only because Vista and 7 (I don't own these operating systems; everything is just assumption) have a screen prompt to allow or block flash drives. Why not just make the HID press enter when it gets to this screen? :lol:


Having a payload of something like AutoIt or AutoHotkey for Windows would be a great early project for package uploading. It'd open development up to a lot of users who don't want to reflash their Teensy to change behavior, if it could act as a bootstrap into a higher-level utility which could then worry about things like the GUI and mouse emulation in its own scripts.

Why not just make the HID press enter when it gets to this screen? :lol:

USB hub with your ducky and a flashdrive maybe?


I think LSB is on the right track with the AutoHotkey idea. AutoHotkey can basically do anything you want it to do. I'm sure you can code it to run commands and do other mouse inputs, and then you can compile the script into an .exe.


It would probably be easiest to get the Ducky to FTP to your server and download and execute your payload of happiness.


interwebs sendage via code / bat? duh lols

sorry, I never read this

It would probably be easiest to get the Ducky to FTP to your server and download and execute your payload of happiness.

my point exactly

would be awkward if they didn't have a net connection

but who doesn't at some point go on the web / another network

does anyone know if a .bat file can run as a service or be added to CurrentVersion\Run? this would be handy :D

access to regedit & the search prompt would be easy, and so would creating a reg value by keyboard entry

you could even code the bat file via cmd and use sc.exe to make a service :)

I think LSB is on the right track with the AutoHotkey idea. AutoHotkey can basically do anything you want it to do. I'm sure you can code it to run commands and do other mouse inputs, and then you can compile the script into an .exe.

Interesting idea, though only for Windows. AutoHotkey is programmed in C++, so you could take the quickest (least efficient) way, leaving a lot of tracks.

Edit: I take that back. AutoHotkey has been ported to Mac and Linux. Hmmm..

http://www.autohotkey.com/forum/topic54494.html

Also, remember that you will need to initiate transfer somehow before you execute the proggy.


BTW, nxt471: 1,1 on *all* resolutions will trigger the Apple menu.


Could you possibly solder the Teensy to a USB hub with a thumb drive attached? With that configuration you could cut the 5V line to the drive and either put an I/O line to it to power it, or solder on a transistor and use the I/O line to flip it on if the line can't supply enough amperage. With that you could set the USB drive to turn on when the Teensy wants it on. From there you could load code off of the USB drive.

EDIT:

http://www.radioshack.com/product/index.js...rodsInSession=1

http://www.radioshack.com/product/index.js...rodsInSession=1

http://www.radioshack.com/product/index.js...rodsInSession=1

Something like these could be popped open and have the peripherals soldered right on.

There is already a method to solder a MicroSD to a Teensy - a link is somewhere in this forum.. I'd find it for you if my mouse was working..

But will the PC see that as a mass storage device and still see the Teensy?

BTW, nxt471: 1,1 on *all* resolutions will trigger the Apple menu.

Ok, I could not check at the time of posting, I guess my payload writing got quite a bit easier.

My current payload (untested on the Duck; works when ported to AppleScript) uses Spotlight to launch a Terminal, create a new folder on the desktop called Pwn3d and close. The only problem I'm facing is the time Spotlight takes to return the Terminal entry.

But will the pc see that as a mass storage device and see the Teensy?

A future version (hopefully soon) of Teensyduino will make this very easy.

It is possible but difficult using C, if you want to give it a try now.


What's wrong with what wheeee said? A small USB hub with a flash drive would work, wouldn't it? Then use Irongeek's script to find the drive and execute from it...

It would probably be easiest to get the Ducky to FTP to your server and download and execute your payload of happiness.

Sounds exactly like how botnets and such work. This kind of thing is called a dropper. The dropper is a lightweight piece of code which is less likely to be noticed by countermeasures. This code then surreptitiously fetches your bigger payloads from the net.


If the USB HID works as I expect it will, then why not just hardcode the executable into the programming of the Teensy? Just take the executable that you want to transfer and run...

xxd -i /input/executable/path /output/c/array/path.c

This will convert the hex of the program to C arrays. Then copy the C arrays into your own Teensy code. Then make the main() function of the program just copy the hex to a file and execute it.
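As an added worked example (not code from the original thread, from Hak5 or from the Teensy project), the C program below ties together the two ideas raised so far: a payload embedded as the kind of `unsigned char` array that `xxd -i` emits, and the cost of "typing" it out as Alt+XXX keypad sequences, which is how the first post arrives at its throughput estimate. The array contents are constructed sample bytes, not a real executable, the `ALT+ddd` token notation is invented here purely for readability (it is not Ducky script syntax), and the cost model (Alt down, one to three keypad digits, Alt up) is an assumption you should replace with measured figures for your firmware. One caveat worth stating: Windows resolves Alt+keypad codes through a code page (OEM for Alt+XXX, ANSI for Alt+0XXX), so what lands in the receiving application is a character, not necessarily the raw byte, and 0x00 in particular will not survive a text editor; a printable encoding (hex or base64) decoded on the target side avoids that problem at the price of more keystrokes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample payload in the layout `xxd -i` produces.
   These 16 bytes are NOT a real program; they only stand in for one. */
static const unsigned char payload_bin[] = {
    0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00
};
static const unsigned int payload_bin_len = 16;

/* Number of decimal keypad digits needed to type one byte value as Alt+XXX. */
static unsigned decimal_digits(unsigned v)
{
    return v >= 100 ? 3 : v >= 10 ? 2 : 1;
}

/* Cost model (assumption): every byte costs an Alt press, its decimal digits,
   and an Alt release. Returns the total number of key events for the buffer. */
size_t altcode_keystrokes(const unsigned char *data, size_t len)
{
    size_t total = 0;
    for (size_t i = 0; i < len; i++)
        total += 2 + decimal_digits(data[i]);
    return total;
}

/* Wall-clock estimate for a keystroke count at a given injection rate. */
double altcode_seconds(size_t keystrokes, double keys_per_second)
{
    return (double)keystrokes / keys_per_second;
}

/* Render the sequence as space-separated "ALT+ddd" tokens (hypothetical
   notation, one token per byte). Returns bytes written excluding the NUL,
   or -1 if the caller's buffer is too small. */
int altcode_render(const unsigned char *data, size_t len, char *out, size_t cap)
{
    size_t used = 0;
    if (cap == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < len; i++) {
        char tok[16];
        int n = snprintf(tok, sizeof tok, "%sALT+%u", i ? " " : "", (unsigned)data[i]);
        if (n < 0 || used + (size_t)n + 1 > cap)
            return -1;
        memcpy(out + used, tok, (size_t)n + 1);   /* copies the NUL as well */
        used += (size_t)n;
    }
    return (int)used;
}

/* Same as altcode_render but into a static buffer (not thread-safe). */
const char *altcode_render_static(const unsigned char *data, size_t len)
{
    static char buf[1024];
    return altcode_render(data, len, buf, sizeof buf) < 0 ? NULL : buf;
}

int main(void)
{
    size_t keys = altcode_keystrokes(payload_bin, payload_bin_len);
    printf("%s\n", altcode_render_static(payload_bin, payload_bin_len));
    printf("%u bytes -> %zu keystrokes, %.3f s at 500 keys/s\n",
           payload_bin_len, keys, altcode_seconds(keys, 500.0));
    /* Bounds for the 10 KB payload discussed in the first post: every byte
       costs between 3 (single digit) and 5 (three digits) key events. */
    printf("10240 bytes -> %.0f..%.0f s at 500 keys/s\n",
           altcode_seconds(10240u * 3, 500.0), altcode_seconds(10240u * 5, 500.0));
    return 0;
}
```

To use it with a real binary, replace the sample array and length with the output of the `xxd -i` command from the post above; the keystroke count and time estimate then tell you whether typing the payload directly is viable or whether a small dropper that fetches the rest is the better trade.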


Actually, that's a good idea, I will take a look at that in a bit.

Problem could potentially be space though?

Seb

You're right, space could potentially be a problem, but I know that Poison Ivy RAT server executables are only about 20KB depending on what you put in them. The Teensy documentation is woefully inaccurate on how much flash memory you get; it doesn't tell you whether the flash memory it contains is bits or bytes. My guess is it's bytes, in which case you'll get approx 32 bytes. This should be more than enough for a Poison Ivy RAT installation, or a TCP backdoor, or any other small application.

Yeah, that's why I was a little unsure, but bytes sounds right, otherwise we have a problem. ;)

I guess we can then tie in Metasploit reverse shells; they are below the 32 bytes I think... although I think the reverse VNC is 36 bytes, but still, this method should help a lot.

Maybe we should start a thread with a compilation of ideas or methods such as this?

I guess we can then tie in Metasploit reverse shells; they are below the 32 bytes I think... although I think the reverse VNC is 36 bytes, but still, this method should help a lot.

First, I reckon it would be better to do a bind_tcp instead of reverse, because if your IP address changes you won't be able to get back into the system unless you update the payload with your new IP address and then Ducky them again. Second, I don't think these payloads will work if you have them coded straight into the C program and then execute them; usually you have to inject the payload into a running process. Not too sure about that, should probably check it out.

Maybe we should start a thread with a compilation of ideas or methods such as this?

This is a good idea :P

reverse_tcp + dyndns?

S'pose that would work. Problem is they might be able to find out your contact details from the DynDNS account, and from there your Facebook, Twitter, MySpace, Hak5 account :P and then they know who you are.
