PsuFan Posted November 28, 2013
Hello, does anyone know how to do this? I'm trying to bypass anti-duck security measures... Thanks
no42 Posted November 28, 2013
You have to do it from source and recompile the firmware using Atmel Studio v5/6.
PsuFan (Author) Posted November 29, 2013
Crap, does every firmware have the same serial and device strings?
overwraith Posted November 29, 2013
I think it would be cool to make some kind of script that could take a firmware hex file, and change the firmware and device strings automatically. If there were a way to do this we could probably put a whole bunch of these firmware files online. Would probably run into space limitations on whatever site we posted them on, though. Anyone know how to do this? Is it just as simple as looking for a string in the hex file and changing it? If so we could probably use some command line code to find and replace. Changing the strings and serial number in Visual Studio would generate way too many project files.
PsuFan (Author) Posted November 29, 2013
I had the same question. Seems like you should be able to change it if you know where it is and don't change the length.
overwraith Posted November 29, 2013 (edited)
I guess you would have to also convert the number to .hex file format, so we might need an algorithm for that. But yeah, so long as the format is the same and the length is the same it should work. Until we can script this you will have to recompile yourself, and change the settings in the 'conf_usb.h' file. This file is imported in the main, so you will be able to use the right click, go to implementation command.

Apparently you can open these hex files in notepad, but you get a bunch of incomprehensible code. I found a website that has a Bin-Hex Encoder/Decoder: http://bin-hex-converter.online-domain-tools.com/

If you leave the string the same, then it is the only match in the file.
Serial name: 123123123123 -> 313233313233313233313233
This next one is not so unique, I get two hits:
Manufacturer Name: Ducky -> 4475636b79
Don't even know if a find and replace will work yet.

... Please disregard all I just wrote. Apparently the file has to be checksummed during compilation. Compiling in Visual Studio/Atmel is the only way. At least we know now. I tried just swapping out the string and the firmware flashing program failed.
Edited November 30, 2013 by overwraith
PsuFan (Author) Posted November 30, 2013 (edited)
Can someone point me in the right direction for where these strings are located in the code? It's commented out of config_usb.h:
    // #define USB_DEVICE_SERIAL_NAME "12...EF"
Edit: I need to change anything that would identify a duck.
Edited November 30, 2013 by PsuFan
no42 Posted November 30, 2013
Bang on! It is in config_usb.h. It's currently commented out as it's currently not overriding the current value, so the default should be in effect.
overwraith Posted November 30, 2013 (edited)
I was looking for some of these strings in the device manager on some of my home computers. Could not find the product name and device serial name, but did find manufacturer name. Some of my other keyboards use "(Standard Keyboard)" as the manufacturer name. It seems sufficiently vague for our purposes. Anyone else have some sufficiently vague data? Also, anyone else know how to find the serial name and manufacturer name?
Edited November 30, 2013 by overwraith
PsuFan (Author) Posted November 30, 2013
How long does it have to be? It's in hex? Are there any other identifiers that distinguish the duck? Thanks
overwraith Posted December 1, 2013
Here is the code from the C program that is the duck's firmware.
    //! USB Device string definitions (Optional)
    #define USB_DEVICE_MANUFACTURE_NAME "Ducky"
    #define USB_DEVICE_PRODUCT_NAME "HID Keyboard and MSC"
    #define USB_DEVICE_SERIAL_NAME "123123123123" // Disk SN for MSC
As you can see, no hex. I was only interested in modifying the .hex file that is compiled from this, because if one wanted to make a whole bunch of these covert firmware types, and randomly flash them to the duck, then it would take a really long time to make a substantial firmware repository using the compiler we are using. The stuff we need to modify to change the firmware though is just regular C strings. If everybody compiles their own firmware, then we probably don't have to do the scripting like what I was saying. There are also a few more variables I found in the config file, don't know if we need to change them too.
    #define USB_DEVICE_MAJOR_VERSION 1
    #define USB_DEVICE_MINOR_VERSION 0
no42 Posted December 1, 2013 (edited)
> How long does it have to be? It's in hex? Are there any other identifiers that distinguish the duck? Thanks
For the device strings: trying to remember, you are limited (I think) to 64 characters. For serial numbers I have been using the recommended length of 12 digits, you might be allowed more??? But due to past buffer overflow and format string vulnerabilities in older Windows/Unix OS I think you are now further limited in length by the OS drivers/kernel modules.
Edited December 1, 2013 by midnitesnake
PsuFan (Author) Posted December 1, 2013 (edited)
Well I'm about to give up, seems like it helped a little bit, but something is still blocking me. I'm losing random keystrokes. The first couple I would get 3 numbers, possibly only the zeros, and when it typed the last number it is ignored (0001, 0002). But then the enters start getting ignored as well...
Edit: forgot this wasn't the same post, I'm getting blocked by the Apple EFI. It still doesn't seem possible that they can block the duck, at some point the computer must not be able to figure out the difference.
    //! USB Device string definitions (Optional)
    #define USB_DEVICE_MANUFACTURE_NAME "DELL"
    #define USB_DEVICE_PRODUCT_NAME "HID Keyboard"
    #define USB_DEVICE_SERIAL_NAME "123123123123"
Edited December 1, 2013 by PsuFan
overwraith Posted December 1, 2013
Might want to change the USB_DEVICE_SERIAL_NAME to something else, it is commented out in our publicly available code after all, the AV companies/Apple probably know to screen that one. Choose a random 12 character serial number. Also, you could try to mimic some of the settings that some other device on your system uses. The hardest part would be figuring out how to view the relevant information in the Apple GUI. Also, if stuff is getting ignored, you may need extra long delays in between keystrokes. If you needed this extra delay between every character, including STRING statements, then you could use the 'random delay' firmware's method of delaying, only with a preset value instead of a random one. Another option would be creating a specially crafted duckscript payload. Don't work out of the random delay firmware's folder though, I think it might be missing vid/pid setting code.
no42 Posted December 1, 2013
So far I know the serial number is used to confirm valid/allowed devices by the following DLP/AV companies:
- Lumension
- McAfee
- Sophos
- Checkpoint
If anyone knows of any others, I would like to know.
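The serial allowlisting no42 describes, as an added example (not code from this thread or from the Ducky project): a small Python triage that reads a constructed inventory of USB devices and returns why each one would be blocked. The inventory line format, the VID/PID values and the ACME serials are assumptions made for this example; the Ducky strings are the defaults quoted from conf_usb.h earlier in the thread.

```python
import shlex

# Default descriptor strings from the Ducky's conf_usb.h, as quoted in this thread.
DUCKY_DEFAULTS = {"mfr": "Ducky", "prod": "HID Keyboard and MSC", "serial": "123123123123"}
HID, MSC = "03", "08"  # USB interface class codes for HID and mass storage

def parse_record(line):
    """Parse one constructed 'key=value ...' inventory line (shell-style quoting).
    Returns a dict with keys vid, pid, mfr, prod, serial and a tuple 'classes'."""
    dev = dict(tok.split("=", 1) for tok in shlex.split(line))
    dev["classes"] = tuple(dev.get("classes", "").split(","))
    return dev

def assess(dev, allowed_serials):
    """Return the reasons to block a device; an empty list means allow."""
    findings = []
    if dev.get("mfr") == DUCKY_DEFAULTS["mfr"] or dev.get("prod") == DUCKY_DEFAULTS["prod"]:
        findings.append("ducky-default-strings")
    if dev.get("serial") == DUCKY_DEFAULTS["serial"]:
        findings.append("ducky-default-serial")
    if HID in dev["classes"] and MSC in dev["classes"]:
        findings.append("keyboard-plus-storage-composite")
    # Serial allowlisting is why a vague manufacturer string alone does not help:
    # a keyboard is accepted only if its serial was enrolled beforehand.
    if HID in dev["classes"] and dev.get("serial") not in allowed_serials:
        findings.append("hid-serial-not-allowlisted")
    return findings

def triage(lines, allowed_serials):
    """Map each device's vid:pid:serial key to its list of findings."""
    results = {}
    for line in lines:
        dev = parse_record(line)
        results[f"{dev['vid']}:{dev['pid']}:{dev.get('serial', '')}"] = assess(dev, allowed_serials)
    return results

# Constructed inventory: the VID/PID values and the ACME serials are placeholders.
ALLOWED_SERIALS = {"KB-0001-ACME", "KB-0002-ACME"}
SAMPLE_INVENTORY = [
    "vid=1234 pid=0001 mfr=Ducky prod='HID Keyboard and MSC' serial=123123123123 classes=03,08",
    "vid=1234 pid=0002 mfr=DELL prod='HID Keyboard' serial=123123123123 classes=03",
    "vid=5678 pid=0002 mfr='(Standard Keyboard)' prod='USB Keyboard' serial=KB-0001-ACME classes=03",
    "vid=9abc pid=0003 mfr=Acme prod='Flash Drive' serial=FD-0001 classes=08",
]

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_INVENTORY, ALLOWED_SERIALS).items():
        print(key, "BLOCK" if reasons else "ALLOW", reasons)
```

The second sample record mirrors PsuFan's edited strings: swapping the manufacturer to "DELL" removes one finding, but the unchanged default serial and the missing enrolment still get it blocked.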
PsuFan (Author) Posted December 1, 2013
Yeah I can't use the rand delay firmware, it gets blocked because of the vid/pid. I guess I'll try another serial number. Midnightsnake: is there anything else used to determine the duck? Other than keystroke uniformity and vid/pid.
no42 Posted December 2, 2013
Potential lies in fingerprinting the type of stack, e.g. ATMEL, VUSB, MICROCHIP, etc.