Jump to content

[Question] USB Spammer


overwraith
 Share

Recommended Posts

I saw a topic in the USB hacks section that was about making a USB spammer. The ducky kinda fits the bill, but I was thinking, wouldn't it be cool if some of the firmware on the duck could replay itself in a loop, and be an actual USB spammer.

Link to comment
Share on other sites

No, would not crash the system. Somebody else suggested it, the point would be an office prank, random keystrokes, or scripts etc. If you wanted to crash the system I could code a nasty batch payload to accomplish that.

I suppose it could be used to shut down the computer though.

:BEGINNING
GUI
RIGHTARROW
ENTER
GOTO :BEGINNING 
Edited by overwraith
Link to comment
Share on other sites

  • 3 weeks later...

So, I have been working on some firmware code, and have been getting some strange results. Right now, the code that should be delaying the code for 1 minute is firing every 20 seconds or so. This is strange, because the small C example I coded times it exactly right, only when I move the code over into the firmware does it behave erratically. Here is the example code that does work, just a regular C project:

/*Author: overwraith*/
#include <stdio.h>
#include <time.h>

const int SECONDS_IN_MINUTE = 60;
const int NUM_MINUTES = 1;

// Compares two times. 
//-------------------------------------------------------------------
int timeIsLess(struct tm *time1_t, struct tm *time2_t){
    if(time1_t->tm_hour < time2_t->tm_hour)
         return 1;
    else if(time1_t->tm_hour == time2_t->tm_hour && time1_t->tm_min < time2_t->tm_min)
         return 1;
    else if(time1_t->tm_min == time2_t->tm_min && time1_t->tm_sec < time2_t->tm_sec)
         return 1;
    else
        return 0;
}//end function

// updates the next time the ducky activates. 
//-------------------------------------------------------------------
void updateNextRun(time_t *nextRun, struct tm *nextRun_t, struct tm *now_t){
     printf( "%s\n", asctime( now_t));
     
     //*state = state_START_INJECT;
     
     //get next time to start injecting.
     
     //get the current time
     *nextRun = time(NULL);
     *nextRun_t = *localtime(nextRun);
     
     //add specified amount of time to the next run time.
     nextRun_t->tm_sec += SECONDS_IN_MINUTE * NUM_MINUTES;
     
     mktime(nextRun_t);//normalize it
}//end function

int main()
{
    //time related variables
    static time_t nextRun;
    static struct tm nextRun_t;
    time_t now;
    struct tm now_t;
    static int firstRun = 1;
    
    //put the stuff outside the loop at the state 
    //in the program that the ducky starts off in. 
    
    //probably won't need the next two lines in the final program. 
    //now = time(NULL);
    //now_t = *localtime(&now);

    //updateNextRun(&nextRun, &nextRun_t, &now_t);
    

    
    while(1){
         //loop represents calling the process_frame method 
         //each time the computer recieves a packet. 
         
         //time related code
         
         if(firstRun){
             //get next time to start injecting.
     
             //get the current time
             nextRun = time(NULL);
             nextRun_t = *localtime(&nextRun);
     
             //add specified amount of time to the next run time.
             nextRun_t.tm_sec += SECONDS_IN_MINUTE * NUM_MINUTES;
     
             mktime(&nextRun_t);//normalize it
             firstRun = 0;
         }
         
         now = time(NULL);
         now_t = *localtime(&now);
         
         if(timeIsLess(&nextRun_t, &now_t)){
             updateNextRun(&nextRun, &nextRun_t, &now_t);
         }
    }//end loop
    
    system("pause");
    return 0;
}

Now here is the code for the firmware, which doesn't work correctly. I am mostly tweaking midnight snake's code for the Ducky_HID project.

//_____ M A I N ___________________________________________________________
//
// Module : Ducky
// Description : Simple USB HID Keyboard injection
// Date : April 1, 2012
// Author : Snake
// Credit : ATMEL, Jason Applebaum keyscan's method.

//Modifications: by overwraith
//__________________________________________________________________________

//_____ I N C L U D E S ___________________________________________________
#include
#include
#include "compiler.h"
#include "main.h"
#include "preprocessor.h"
#include "board.h"
#include "ctrl_access.h"
#include "power_clocks_lib.h"
#include "gpio.h"
#include "spi.h"
#include "conf_sd_mmc_spi.h"
#include "fat.h"
#include "file.h"
#include "navigation.h"
#include "conf_usb.h"
#include "udc.h"
#include "udd.h"
#include "led.h"
#include "udi_hid_kbd.h"
#include "sysclk.h"
#include "sleepmgr.h"

//_____ D E C L A R A T I O N S ____________________________________________

// filename
char *injectFile = "A:\\inject.bin";

// state machine enum
typedef enum injectState {
state_IDLE,
state_START_INJECT,
state_INJECTING,
state_KEY_DOWN,
state_KEY_UP,
state_MOD_DOWN,
state_MOD_KEY_DOWN,
state_MOD_KEY_UP,
state_MOD_UP,
state_WAIT
} injectState_t;

//_____ F U N C T I O N S __________________________________________________

// initializes the SD/MMC memory resources: GPIO, SPI and MMC
//-------------------------------------------------------------------
static void sd_mmc_resources_init(long pba_hz) {

// GPIO pins used for SD/MMC interface
static const gpio_map_t SD_MMC_SPI_GPIO_MAP = {
{SD_MMC_SPI_SCK_PIN, SD_MMC_SPI_SCK_FUNCTION }, // SPI Clock.
{SD_MMC_SPI_MISO_PIN, SD_MMC_SPI_MISO_FUNCTION}, // MISO.
{SD_MMC_SPI_MOSI_PIN, SD_MMC_SPI_MOSI_FUNCTION}, // MOSI.
{SD_MMC_SPI_NPCS_PIN, SD_MMC_SPI_NPCS_FUNCTION} // Chip Select NPCS.
};

// SPI options.
spi_options_t spiOptions = {
.reg = SD_MMC_SPI_NPCS,
.baudrate = SD_MMC_SPI_MASTER_SPEED, // Defined in conf_sd_mmc_spi.h.
.bits = SD_MMC_SPI_BITS, // Defined in conf_sd_mmc_spi.h.
.spck_delay = 0,
.trans_delay = 0,
.stay_act = 1,
.spi_mode = 0,
.modfdis = 1
};

// assign I/Os to SPI.
gpio_enable_module(SD_MMC_SPI_GPIO_MAP,
sizeof(SD_MMC_SPI_GPIO_MAP) / sizeof(SD_MMC_SPI_GPIO_MAP[0]));

// initialize as master.
spi_initMaster(SD_MMC_SPI, &spiOptions);

// set SPI selection mode: variable_ps, pcs_decode, delay.
spi_selectionMode(SD_MMC_SPI, 0, 0, 0);

// enable SPI module.
spi_enable(SD_MMC_SPI);

// Initialize SD/MMC driver with SPI clock (PBA).
sd_mmc_spi_init(spiOptions, pba_hz);
}

const int SECONDS_IN_MINUTE = 60;
const int NUM_MINUTES = 1;

// Compares two times.
//-------------------------------------------------------------------
int timeIsLess(struct tm *time1_t, struct tm *time2_t){
if(time1_t->tm_hour < time2_t->tm_hour)
return 1;
else if(time1_t->tm_hour == time2_t->tm_hour && time1_t->tm_min < time2_t->tm_min)
return 1;
else if(time1_t->tm_min == time2_t->tm_min && time1_t->tm_sec < time2_t->tm_sec)
return 1;
else
return 0;
}//end function

// updates the next time the ducky activates.
//-------------------------------------------------------------------
void updateNextRun(time_t *nextRun, struct tm *nextRun_t, struct tm *now_t, injectState_t *state){
//printf( "%s\n", asctime( now_t));

*state = state_START_INJECT;

//get next time to start injecting.

//get the current time
*nextRun = time(NULL);
*nextRun_t = *localtime(nextRun);

//add specified amount of time to the next run time.
nextRun_t->tm_sec += SECONDS_IN_MINUTE * NUM_MINUTES;

mktime(nextRun_t);//normalize it
}//end function

// process a USB frame
//-------------------------------------------------------------------
void process_frame(uint16_t framenumber)
{
static uint8_t cpt_sof = 0;
static injectState_t state = state_START_INJECT;
static uint8_t wait = 0;
static uint16_t debounce = 0;
static uint16_t injectToken = 0x0000;

//time related variables
static time_t nextRun;
static struct tm nextRun_t;
time_t now;
struct tm now_t;
static int firstRun = 1;

// scan process running each 2ms
cpt_sof++;
if( 2 > cpt_sof )
return;
cpt_sof = 0;

// pulse led
LED_Set_Intensity( LED0, framenumber >> 1 );

// debounce switch
if( debounce > 0 ) --debounce;

// injection state machine
switch(state) {

case state_IDLE:
// check switch
if( gpio_get_pin_value(GPIO_JOYSTICK_PUSH) == GPIO_JOYSTICK_PUSH_PRESSED ) {

// debounce
if( debounce == 0 ) {
state = state_START_INJECT;
debounce = 250;
}
}

if(firstRun){//this here to initialize the next run variable.
//get next time to start injecting.

//get the current time
nextRun = time(NULL);
nextRun_t = *localtime(&nextRun);

//add specified amount of time to the next run time.
nextRun_t.tm_sec += SECONDS_IN_MINUTE * NUM_MINUTES;

mktime(&nextRun_t);//normalize it
firstRun = 0;
}

now = time(NULL);
now_t = *localtime(&now);

if(timeIsLess(&nextRun_t, &now_t)){
updateNextRun(&nextRun, &nextRun_t, &now_t, &state);
}

//A previous attempt to make a USB Spammer.
//static uint16_t packet_delay = 0;
//packet_delay++;
//
//if(packet_delay == 1000){
//packet_delay = 0;
//state = state_START_INJECT;
//}

break;

case state_START_INJECT:
file_open(FOPEN_MODE_R);
state = state_INJECTING;
break;

case state_INJECTING:

if( file_eof() ) {
file_close();
state = state_IDLE;
break;
}

injectToken = ( file_getc() | ( file_getc() << 8 ) );

if( ( injectToken&0xff ) == 0x00 ) {
wait = injectToken>>8;
state = state_WAIT;
}
else if( ( injectToken>>8 ) == 0x00 ) {
state = state_KEY_DOWN;
}
else {
state = state_MOD_DOWN;
}
break;

case state_KEY_DOWN:
udi_hid_kbd_down(injectToken&0xff);
state = state_KEY_UP;
break;

case state_KEY_UP:
udi_hid_kbd_up(injectToken&0xff);
state = state_INJECTING;
break;

case state_MOD_DOWN:
udi_hid_kbd_modifier_down(injectToken>>8);
state = state_MOD_KEY_DOWN;
break;

case state_MOD_KEY_DOWN:
udi_hid_kbd_down(injectToken&0xff);
state = state_MOD_KEY_UP;
break;

case state_MOD_KEY_UP:
udi_hid_kbd_up(injectToken&0xff);
state = state_MOD_UP;
break;

case state_MOD_UP:
udi_hid_kbd_modifier_up(injectToken>>8);
state = state_INJECTING;
break;

case state_WAIT:
if( --wait == 0 ) {
state = state_INJECTING;
}
break;

default:
state = state_IDLE;
}
}

// Main Method - IRQ, CLCK, INIT setup
//-------------------------------------------------------------------
int main(void) {

uint32_t sizeTemp;

// init cpu
irq_initialize_vectors();
cpu_irq_enable();

// init board
sleepmgr_init();
sysclk_init();
board_init();

// initialize SD/MMC resources: GPIO, SPI.
sd_mmc_resources_init(FOSC0);

// test if the memory is ready - using the control access memory abstraction layer (/SERVICES/MEMORY/CTRL_ACCESS/)
if (mem_test_unit_ready(LUN_ID_SD_MMC_SPI_MEM) == CTRL_GOOD) {
// Get and display the capacity
mem_read_capacity(LUN_ID_SD_MMC_SPI_MEM, &sizeTemp);
}
else {
// error - we can't proceed - sit and spin...
while(true) { LED_On( LED1 ); }
}

nav_reset();
if( !nav_setcwd( injectFile, true, false ) ) {

while(true) {
LED_On( LED1 );
for (int i=0; i<10000; i++){}
LED_Off(LED1);
}
}
// Start USB stack
udc_start();
udc_attach();

while(true) {
//do nothing - handle interrupts and events
//sleepmgr_enter_sleep();
}
}

//-------------------------------------------------------------------
void main_suspend_action(void)
{
LED_Off(LED0);
LED_Off(LED1);
}

//-------------------------------------------------------------------
void main_resume_action(void)
{
}

//-------------------------------------------------------------------
void main_sof_action(void)
{
process_frame( udd_get_frame_number() );

}

//-------------------------------------------------------------------
// If remote wakeup enable/disable is supported insert code below
void main_remotewakeup_enable(void)
{
}

//-------------------------------------------------------------------
void main_remotewakeup_disable(void)
{
}

//-------------------------------------------------------------------
bool main_kbd_enable(void)
{
//main_b_kbd_enable = true;
return true;
}

//-------------------------------------------------------------------
bool main_kbd_disable(void)
{
//main_b_kbd_enable = false; mod
return false;
}

//-------------------------------------------------------------------
void main_kbd_change(uint8_t value)
{
//no use in this firmware
}

Edited by overwraith
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...