[Question] USB Spammer

[overwraith]

I saw a topic in the USB hacks section that was about making a USB spammer. The ducky kinda fits the bill, but I was thinking, wouldn't it be cool if some of the firmware on the duck could replay itself in a loop, and be an actual USB spammer.

[DrDinosaur]

What does a USB spammer do?

[overwraith]

Sorry, basically floods the system with keystrokes, and maybe later mouse movement. I am just thinking, with the given state of the ducky we cant easily loop input so it is inputting perpetually.

[DrDinosaur]

What would the purpose of that be? Would it just crash the system?

[overwraith]

No, would not crash the system. Somebody else suggested it, the point would be an office prank, random keystrokes, or scripts etc. If you wanted to crash the system I could code a nasty batch payload to accomplish that.

I suppose it could be used to shut down the computer though.

:BEGINNING
GUI
RIGHTARROW
ENTER
GOTO :BEGINNING 

Edited July 2, 2013 by overwraith

[overwraith]

So, I have been working on some firmware code, and have been getting some strange results. Right now, the code that should be delaying the code for 1 minute is firing every 20 seconds or so. This is strange, because the small C example I coded times it exactly right, only when I move the code over into the firmware does it behave erratically. Here is the example code that does work, just a regular C project:

/*Author: overwraith*/
#include <stdio.h>
#include <time.h>

const int SECONDS_IN_MINUTE = 60;
const int NUM_MINUTES = 1;

// Compares two times. 
//-------------------------------------------------------------------
int timeIsLess(struct tm *time1_t, struct tm *time2_t){
    if(time1_t->tm_hour < time2_t->tm_hour)
         return 1;
    else if(time1_t->tm_hour == time2_t->tm_hour && time1_t->tm_min < time2_t->tm_min)
         return 1;
    else if(time1_t->tm_min == time2_t->tm_min && time1_t->tm_sec < time2_t->tm_sec)
         return 1;
    else
        return 0;
}//end function

// updates the next time the ducky activates. 
//-------------------------------------------------------------------
void updateNextRun(time_t *nextRun, struct tm *nextRun_t, struct tm *now_t){
     printf( "%s\n", asctime( now_t));
     
     //*state = state_START_INJECT;
     
     //get next time to start injecting.
     
     //get the current time
     *nextRun = time(NULL);
     *nextRun_t = *localtime(nextRun);
     
     //add specified amount of time to the next run time.
     nextRun_t->tm_sec += SECONDS_IN_MINUTE * NUM_MINUTES;
     
     mktime(nextRun_t);//normalize it
}//end function

int main()
{
    //time related variables
    static time_t nextRun;
    static struct tm nextRun_t;
    time_t now;
    struct tm now_t;
    static int firstRun = 1;
    
    //put the stuff outside the loop at the state 
    //in the program that the ducky starts off in. 
    
    //probably won't need the next two lines in the final program. 
    //now = time(NULL);
    //now_t = *localtime(&now);

    //updateNextRun(&nextRun, &nextRun_t, &now_t);
    

    
    while(1){
         //loop represents calling the process_frame method 
         //each time the computer recieves a packet. 
         
         //time related code
         
         if(firstRun){
             //get next time to start injecting.
     
             //get the current time
             nextRun = time(NULL);
             nextRun_t = *localtime(&nextRun);
     
             //add specified amount of time to the next run time.
             nextRun_t.tm_sec += SECONDS_IN_MINUTE * NUM_MINUTES;
     
             mktime(&nextRun_t);//normalize it
             firstRun = 0;
         }
         
         now = time(NULL);
         now_t = *localtime(&now);
         
         if(timeIsLess(&nextRun_t, &now_t)){
             updateNextRun(&nextRun, &nextRun_t, &now_t);
         }
    }//end loop
    
    system("pause");
    return 0;
}

Now here is the code for the firmware, which doesn't work correctly. I am mostly tweaking midnight snake's code for the Ducky_HID project.

//_____ M A I N ___________________________________________________________
//
// Module : Ducky
// Description : Simple USB HID Keyboard injection
// Date : April 1, 2012
// Author : Snake
// Credit : ATMEL, Jason Applebaum keyscan's method.

//Modifications: by overwraith
//__________________________________________________________________________

//_____ I N C L U D E S ___________________________________________________
#include
#include
#include "compiler.h"
#include "main.h"
#include "preprocessor.h"
#include "board.h"
#include "ctrl_access.h"
#include "power_clocks_lib.h"
#include "gpio.h"
#include "spi.h"
#include "conf_sd_mmc_spi.h"
#include "fat.h"
#include "file.h"
#include "navigation.h"
#include "conf_usb.h"
#include "udc.h"
#include "udd.h"
#include "led.h"
#include "udi_hid_kbd.h"
#include "sysclk.h"
#include "sleepmgr.h"

//_____ D E C L A R A T I O N S ____________________________________________

// filename
char *injectFile = "A:\\inject.bin";

// state machine enum
typedef enum injectState {
state_IDLE,
state_START_INJECT,
state_INJECTING,
state_KEY_DOWN,
state_KEY_UP,
state_MOD_DOWN,
state_MOD_KEY_DOWN,
state_MOD_KEY_UP,
state_MOD_UP,
state_WAIT
} injectState_t;

//_____ F U N C T I O N S __________________________________________________

// initializes the SD/MMC memory resources: GPIO, SPI and MMC
//-------------------------------------------------------------------
static void sd_mmc_resources_init(long pba_hz) {

// GPIO pins used for SD/MMC interface
static const gpio_map_t SD_MMC_SPI_GPIO_MAP = {
{SD_MMC_SPI_SCK_PIN, SD_MMC_SPI_SCK_FUNCTION }, // SPI Clock.
{SD_MMC_SPI_MISO_PIN, SD_MMC_SPI_MISO_FUNCTION}, // MISO.
{SD_MMC_SPI_MOSI_PIN, SD_MMC_SPI_MOSI_FUNCTION}, // MOSI.
{SD_MMC_SPI_NPCS_PIN, SD_MMC_SPI_NPCS_FUNCTION} // Chip Select NPCS.
};

// SPI options.
spi_options_t spiOptions = {
.reg = SD_MMC_SPI_NPCS,
.baudrate = SD_MMC_SPI_MASTER_SPEED, // Defined in conf_sd_mmc_spi.h.
.bits = SD_MMC_SPI_BITS, // Defined in conf_sd_mmc_spi.h.
.spck_delay = 0,
.trans_delay = 0,
.stay_act = 1,
.spi_mode = 0,
.modfdis = 1
};

// assign I/Os to SPI.
gpio_enable_module(SD_MMC_SPI_GPIO_MAP,
sizeof(SD_MMC_SPI_GPIO_MAP) / sizeof(SD_MMC_SPI_GPIO_MAP[0]));

// initialize as master.
spi_initMaster(SD_MMC_SPI, &spiOptions);

// set SPI selection mode: variable_ps, pcs_decode, delay.
spi_selectionMode(SD_MMC_SPI, 0, 0, 0);

// enable SPI module.
spi_enable(SD_MMC_SPI);

// Initialize SD/MMC driver with SPI clock (PBA).
sd_mmc_spi_init(spiOptions, pba_hz);
}

const int SECONDS_IN_MINUTE = 60;
const int NUM_MINUTES = 1;

// Compares two times.
//-------------------------------------------------------------------
int timeIsLess(struct tm *time1_t, struct tm *time2_t){
if(time1_t->tm_hour < time2_t->tm_hour)
return 1;
else if(time1_t->tm_hour == time2_t->tm_hour && time1_t->tm_min < time2_t->tm_min)
return 1;
else if(time1_t->tm_min == time2_t->tm_min && time1_t->tm_sec < time2_t->tm_sec)
return 1;
else
return 0;
}//end function

// updates the next time the ducky activates.
//-------------------------------------------------------------------
void updateNextRun(time_t *nextRun, struct tm *nextRun_t, struct tm *now_t, injectState_t *state){
//printf( "%s\n", asctime( now_t));

*state = state_START_INJECT;

//get next time to start injecting.

//get the current time
*nextRun = time(NULL);
*nextRun_t = *localtime(nextRun);

//add specified amount of time to the next run time.
nextRun_t->tm_sec += SECONDS_IN_MINUTE * NUM_MINUTES;

mktime(nextRun_t);//normalize it
}//end function

// process a USB frame
//-------------------------------------------------------------------
void process_frame(uint16_t framenumber)
{
static uint8_t cpt_sof = 0;
static injectState_t state = state_START_INJECT;
static uint8_t wait = 0;
static uint16_t debounce = 0;
static uint16_t injectToken = 0x0000;

//time related variables
static time_t nextRun;
static struct tm nextRun_t;
time_t now;
struct tm now_t;
static int firstRun = 1;

// scan process running each 2ms
cpt_sof++;
if( 2 > cpt_sof )
return;
cpt_sof = 0;

// pulse led
LED_Set_Intensity( LED0, framenumber >> 1 );

// debounce switch
if( debounce > 0 ) --debounce;

// injection state machine
switch(state) {

case state_IDLE:
// check switch
if( gpio_get_pin_value(GPIO_JOYSTICK_PUSH) == GPIO_JOYSTICK_PUSH_PRESSED ) {

// debounce
if( debounce == 0 ) {
state = state_START_INJECT;
debounce = 250;
}
}

if(firstRun){//this here to initialize the next run variable.
//get next time to start injecting.

//get the current time
nextRun = time(NULL);
nextRun_t = *localtime(&nextRun);

//add specified amount of time to the next run time.
nextRun_t.tm_sec += SECONDS_IN_MINUTE * NUM_MINUTES;

mktime(&nextRun_t);//normalize it
firstRun = 0;
}

now = time(NULL);
now_t = *localtime(&now);

if(timeIsLess(&nextRun_t, &now_t)){
updateNextRun(&nextRun, &nextRun_t, &now_t, &state);
}

//A previous attempt to make a USB Spammer.
//static uint16_t packet_delay = 0;
//packet_delay++;
//
//if(packet_delay == 1000){
//packet_delay = 0;
//state = state_START_INJECT;
//}

break;

case state_START_INJECT:
file_open(FOPEN_MODE_R);
state = state_INJECTING;
break;

case state_INJECTING:

if( file_eof() ) {
file_close();
state = state_IDLE;
break;
}

injectToken = ( file_getc() | ( file_getc() << 8 ) );

if( ( injectToken&0xff ) == 0x00 ) {
wait = injectToken>>8;
state = state_WAIT;
}
else if( ( injectToken>>8 ) == 0x00 ) {
state = state_KEY_DOWN;
}
else {
state = state_MOD_DOWN;
}
break;

case state_KEY_DOWN:
udi_hid_kbd_down(injectToken&0xff);
state = state_KEY_UP;
break;

case state_KEY_UP:
udi_hid_kbd_up(injectToken&0xff);
state = state_INJECTING;
break;

case state_MOD_DOWN:
udi_hid_kbd_modifier_down(injectToken>>8);
state = state_MOD_KEY_DOWN;
break;

case state_MOD_KEY_DOWN:
udi_hid_kbd_down(injectToken&0xff);
state = state_MOD_KEY_UP;
break;

case state_MOD_KEY_UP:
udi_hid_kbd_up(injectToken&0xff);
state = state_MOD_UP;
break;

case state_MOD_UP:
udi_hid_kbd_modifier_up(injectToken>>8);
state = state_INJECTING;
break;

case state_WAIT:
if( --wait == 0 ) {
state = state_INJECTING;
}
break;

default:
state = state_IDLE;
}
}

// Main Method - IRQ, CLCK, INIT setup
//-------------------------------------------------------------------
int main(void) {

uint32_t sizeTemp;

// init cpu
irq_initialize_vectors();
cpu_irq_enable();

// init board
sleepmgr_init();
sysclk_init();
board_init();

// initialize SD/MMC resources: GPIO, SPI.
sd_mmc_resources_init(FOSC0);

// test if the memory is ready - using the control access memory abstraction layer (/SERVICES/MEMORY/CTRL_ACCESS/)
if (mem_test_unit_ready(LUN_ID_SD_MMC_SPI_MEM) == CTRL_GOOD) {
// Get and display the capacity
mem_read_capacity(LUN_ID_SD_MMC_SPI_MEM, &sizeTemp);
}
else {
// error - we can't proceed - sit and spin...
while(true) { LED_On( LED1 ); }
}

nav_reset();
if( !nav_setcwd( injectFile, true, false ) ) {

while(true) {
LED_On( LED1 );
for (int i=0; i<10000; i++){}
LED_Off(LED1);
}
}
// Start USB stack
udc_start();
udc_attach();

while(true) {
//do nothing - handle interrupts and events
//sleepmgr_enter_sleep();
}
}

//-------------------------------------------------------------------
void main_suspend_action(void)
{
LED_Off(LED0);
LED_Off(LED1);
}

//-------------------------------------------------------------------
void main_resume_action(void)
{
}

//-------------------------------------------------------------------
void main_sof_action(void)
{
process_frame( udd_get_frame_number() );

}

//-------------------------------------------------------------------
// If remote wakeup enable/disable is supported insert code below
void main_remotewakeup_enable(void)
{
}

//-------------------------------------------------------------------
void main_remotewakeup_disable(void)
{
}

//-------------------------------------------------------------------
bool main_kbd_enable(void)
{
//main_b_kbd_enable = true;
return true;
}

//-------------------------------------------------------------------
bool main_kbd_disable(void)
{
//main_b_kbd_enable = false; mod
return false;
}

//-------------------------------------------------------------------
void main_kbd_change(uint8_t value)
{
//no use in this firmware
}

Edited July 19, 2013 by overwraith