overwraith Posted June 30, 2013 Share Posted June 30, 2013 I saw a topic in the USB hacks section that was about making a USB spammer. The ducky kinda fits the bill, but I was thinking, wouldn't it be cool if some of the firmware on the duck could replay itself in a loop, and be an actual USB spammer. Quote Link to comment Share on other sites More sharing options...
DrDinosaur Posted June 30, 2013 Share Posted June 30, 2013 What does a USB spammer do? Quote Link to comment Share on other sites More sharing options...
overwraith Posted July 1, 2013 Author Share Posted July 1, 2013 Sorry, basically floods the system with keystrokes, and maybe later mouse movement. I am just thinking, with the given state of the ducky we cant easily loop input so it is inputting perpetually. Quote Link to comment Share on other sites More sharing options...
DrDinosaur Posted July 1, 2013 Share Posted July 1, 2013 What would the purpose of that be? Would it just crash the system? Quote Link to comment Share on other sites More sharing options...
overwraith Posted July 2, 2013 Author Share Posted July 2, 2013 (edited) No, would not crash the system. Somebody else suggested it, the point would be an office prank, random keystrokes, or scripts etc. If you wanted to crash the system I could code a nasty batch payload to accomplish that. I suppose it could be used to shut down the computer though. :BEGINNING GUI RIGHTARROW ENTER GOTO :BEGINNING Edited July 2, 2013 by overwraith Quote Link to comment Share on other sites More sharing options...
overwraith Posted July 19, 2013 Author Share Posted July 19, 2013 (edited) So, I have been working on some firmware code, and have been getting some strange results. Right now, the code that should be delaying the code for 1 minute is firing every 20 seconds or so. This is strange, because the small C example I coded times it exactly right, only when I move the code over into the firmware does it behave erratically. Here is the example code that does work, just a regular C project: /*Author: overwraith*/ #include <stdio.h> #include <time.h> const int SECONDS_IN_MINUTE = 60; const int NUM_MINUTES = 1; // Compares two times. //------------------------------------------------------------------- int timeIsLess(struct tm *time1_t, struct tm *time2_t){ if(time1_t->tm_hour < time2_t->tm_hour) return 1; else if(time1_t->tm_hour == time2_t->tm_hour && time1_t->tm_min < time2_t->tm_min) return 1; else if(time1_t->tm_min == time2_t->tm_min && time1_t->tm_sec < time2_t->tm_sec) return 1; else return 0; }//end function // updates the next time the ducky activates. //------------------------------------------------------------------- void updateNextRun(time_t *nextRun, struct tm *nextRun_t, struct tm *now_t){ printf( "%s\n", asctime( now_t)); //*state = state_START_INJECT; //get next time to start injecting. //get the current time *nextRun = time(NULL); *nextRun_t = *localtime(nextRun); //add specified amount of time to the next run time. nextRun_t->tm_sec += SECONDS_IN_MINUTE * NUM_MINUTES; mktime(nextRun_t);//normalize it }//end function int main() { //time related variables static time_t nextRun; static struct tm nextRun_t; time_t now; struct tm now_t; static int firstRun = 1; //put the stuff outside the loop at the state //in the program that the ducky starts off in. //probably won't need the next two lines in the final program. //now = time(NULL); //now_t = *localtime(&now); //updateNextRun(&nextRun, &nextRun_t, &now_t); while(1){ //loop represents calling the process_frame method //each time the computer recieves a packet. //time related code if(firstRun){ //get next time to start injecting. //get the current time nextRun = time(NULL); nextRun_t = *localtime(&nextRun); //add specified amount of time to the next run time. nextRun_t.tm_sec += SECONDS_IN_MINUTE * NUM_MINUTES; mktime(&nextRun_t);//normalize it firstRun = 0; } now = time(NULL); now_t = *localtime(&now); if(timeIsLess(&nextRun_t, &now_t)){ updateNextRun(&nextRun, &nextRun_t, &now_t); } }//end loop system("pause"); return 0; } Now here is the code for the firmware, which doesn't work correctly. I am mostly tweaking midnight snake's code for the Ducky_HID project. //_____ M A I N ___________________________________________________________//// Module : Ducky// Description : Simple USB HID Keyboard injection// Date : April 1, 2012// Author : Snake// Credit : ATMEL, Jason Applebaum keyscan's method. //Modifications: by overwraith//__________________________________________________________________________//_____ I N C L U D E S ___________________________________________________#include#include#include "compiler.h"#include "main.h"#include "preprocessor.h"#include "board.h"#include "ctrl_access.h"#include "power_clocks_lib.h"#include "gpio.h"#include "spi.h"#include "conf_sd_mmc_spi.h"#include "fat.h"#include "file.h"#include "navigation.h"#include "conf_usb.h"#include "udc.h"#include "udd.h"#include "led.h"#include "udi_hid_kbd.h"#include "sysclk.h"#include "sleepmgr.h"//_____ D E C L A R A T I O N S ____________________________________________// filenamechar *injectFile = "A:\\inject.bin";// state machine enumtypedef enum injectState {state_IDLE,state_START_INJECT,state_INJECTING,state_KEY_DOWN,state_KEY_UP,state_MOD_DOWN,state_MOD_KEY_DOWN,state_MOD_KEY_UP,state_MOD_UP,state_WAIT} injectState_t;//_____ F U N C T I O N S __________________________________________________// initializes the SD/MMC memory resources: GPIO, SPI and MMC//-------------------------------------------------------------------static void sd_mmc_resources_init(long pba_hz) {// GPIO pins used for SD/MMC interfacestatic const gpio_map_t SD_MMC_SPI_GPIO_MAP = {{SD_MMC_SPI_SCK_PIN, SD_MMC_SPI_SCK_FUNCTION }, // SPI Clock.{SD_MMC_SPI_MISO_PIN, SD_MMC_SPI_MISO_FUNCTION}, // MISO.{SD_MMC_SPI_MOSI_PIN, SD_MMC_SPI_MOSI_FUNCTION}, // MOSI.{SD_MMC_SPI_NPCS_PIN, SD_MMC_SPI_NPCS_FUNCTION} // Chip Select NPCS.};// SPI options.spi_options_t spiOptions = {.reg = SD_MMC_SPI_NPCS,.baudrate = SD_MMC_SPI_MASTER_SPEED, // Defined in conf_sd_mmc_spi.h..bits = SD_MMC_SPI_BITS, // Defined in conf_sd_mmc_spi.h..spck_delay = 0,.trans_delay = 0,.stay_act = 1,.spi_mode = 0,.modfdis = 1};// assign I/Os to SPI.gpio_enable_module(SD_MMC_SPI_GPIO_MAP,sizeof(SD_MMC_SPI_GPIO_MAP) / sizeof(SD_MMC_SPI_GPIO_MAP[0]));// initialize as master.spi_initMaster(SD_MMC_SPI, &spiOptions);// set SPI selection mode: variable_ps, pcs_decode, delay.spi_selectionMode(SD_MMC_SPI, 0, 0, 0);// enable SPI module.spi_enable(SD_MMC_SPI);// Initialize SD/MMC driver with SPI clock (PBA).sd_mmc_spi_init(spiOptions, pba_hz);}const int SECONDS_IN_MINUTE = 60;const int NUM_MINUTES = 1;// Compares two times.//-------------------------------------------------------------------int timeIsLess(struct tm *time1_t, struct tm *time2_t){if(time1_t->tm_hour < time2_t->tm_hour)return 1;else if(time1_t->tm_hour == time2_t->tm_hour && time1_t->tm_min < time2_t->tm_min)return 1;else if(time1_t->tm_min == time2_t->tm_min && time1_t->tm_sec < time2_t->tm_sec)return 1;elsereturn 0;}//end function// updates the next time the ducky activates.//-------------------------------------------------------------------void updateNextRun(time_t *nextRun, struct tm *nextRun_t, struct tm *now_t, injectState_t *state){//printf( "%s\n", asctime( now_t));*state = state_START_INJECT;//get next time to start injecting.//get the current time*nextRun = time(NULL);*nextRun_t = *localtime(nextRun);//add specified amount of time to the next run time.nextRun_t->tm_sec += SECONDS_IN_MINUTE * NUM_MINUTES;mktime(nextRun_t);//normalize it}//end function// process a USB frame//-------------------------------------------------------------------void process_frame(uint16_t framenumber){static uint8_t cpt_sof = 0;static injectState_t state = state_START_INJECT;static uint8_t wait = 0;static uint16_t debounce = 0;static uint16_t injectToken = 0x0000;//time related variablesstatic time_t nextRun;static struct tm nextRun_t;time_t now;struct tm now_t;static int firstRun = 1;// scan process running each 2mscpt_sof++;if( 2 > cpt_sof )return;cpt_sof = 0;// pulse ledLED_Set_Intensity( LED0, framenumber >> 1 );// debounce switchif( debounce > 0 ) --debounce;// injection state machineswitch(state) {case state_IDLE:// check switchif( gpio_get_pin_value(GPIO_JOYSTICK_PUSH) == GPIO_JOYSTICK_PUSH_PRESSED ) {// debounceif( debounce == 0 ) {state = state_START_INJECT;debounce = 250;}}if(firstRun){//this here to initialize the next run variable.//get next time to start injecting.//get the current timenextRun = time(NULL);nextRun_t = *localtime(&nextRun);//add specified amount of time to the next run time.nextRun_t.tm_sec += SECONDS_IN_MINUTE * NUM_MINUTES;mktime(&nextRun_t);//normalize itfirstRun = 0;}now = time(NULL);now_t = *localtime(&now);if(timeIsLess(&nextRun_t, &now_t)){updateNextRun(&nextRun, &nextRun_t, &now_t, &state);}//A previous attempt to make a USB Spammer.//static uint16_t packet_delay = 0;//packet_delay++;////if(packet_delay == 1000){//packet_delay = 0;//state = state_START_INJECT;//}break;case state_START_INJECT:file_open(FOPEN_MODE_R);state = state_INJECTING;break;case state_INJECTING:if( file_eof() ) {file_close();state = state_IDLE;break;}injectToken = ( file_getc() | ( file_getc() << 8 ) );if( ( injectToken&0xff ) == 0x00 ) {wait = injectToken>>8;state = state_WAIT;}else if( ( injectToken>>8 ) == 0x00 ) {state = state_KEY_DOWN;}else {state = state_MOD_DOWN;}break;case state_KEY_DOWN:udi_hid_kbd_down(injectToken&0xff);state = state_KEY_UP;break;case state_KEY_UP:udi_hid_kbd_up(injectToken&0xff);state = state_INJECTING;break;case state_MOD_DOWN:udi_hid_kbd_modifier_down(injectToken>>8);state = state_MOD_KEY_DOWN;break;case state_MOD_KEY_DOWN:udi_hid_kbd_down(injectToken&0xff);state = state_MOD_KEY_UP;break;case state_MOD_KEY_UP:udi_hid_kbd_up(injectToken&0xff);state = state_MOD_UP;break;case state_MOD_UP:udi_hid_kbd_modifier_up(injectToken>>8);state = state_INJECTING;break;case state_WAIT:if( --wait == 0 ) {state = state_INJECTING;}break;default:state = state_IDLE;}}// Main Method - IRQ, CLCK, INIT setup//-------------------------------------------------------------------int main(void) {uint32_t sizeTemp;// init cpuirq_initialize_vectors();cpu_irq_enable();// init boardsleepmgr_init();sysclk_init();board_init();// initialize SD/MMC resources: GPIO, SPI.sd_mmc_resources_init(FOSC0);// test if the memory is ready - using the control access memory abstraction layer (/SERVICES/MEMORY/CTRL_ACCESS/)if (mem_test_unit_ready(LUN_ID_SD_MMC_SPI_MEM) == CTRL_GOOD) {// Get and display the capacitymem_read_capacity(LUN_ID_SD_MMC_SPI_MEM, &sizeTemp);}else {// error - we can't proceed - sit and spin...while(true) { LED_On( LED1 ); }}nav_reset();if( !nav_setcwd( injectFile, true, false ) ) {while(true) {LED_On( LED1 );for (int i=0; i<10000; i++){}LED_Off(LED1);}}// Start USB stackudc_start();udc_attach();while(true) {//do nothing - handle interrupts and events//sleepmgr_enter_sleep();}}//-------------------------------------------------------------------void main_suspend_action(void){LED_Off(LED0);LED_Off(LED1);}//-------------------------------------------------------------------void main_resume_action(void){}//-------------------------------------------------------------------void main_sof_action(void){process_frame( udd_get_frame_number() );}//-------------------------------------------------------------------// If remote wakeup enable/disable is supported insert code belowvoid main_remotewakeup_enable(void){}//-------------------------------------------------------------------void main_remotewakeup_disable(void){}//-------------------------------------------------------------------bool main_kbd_enable(void){//main_b_kbd_enable = true;return true;}//-------------------------------------------------------------------bool main_kbd_disable(void){//main_b_kbd_enable = false; modreturn false;}//-------------------------------------------------------------------void main_kbd_change(uint8_t value){//no use in this firmware} Edited July 19, 2013 by overwraith Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.