SPy109 Posted January 12, 2015

Tested this little payload for from. The repeat function worked perfectly. Nothing bad happened to the phone except getting hot. :) The far end is not affected much, just annoyed most likely. The default Android messenger app slows things down a bit due to the lag between text being entered in the input box and the enter/send button being available. This is the case with KK 4.4.4 at least.

REM SMS DDOS TEST (for lack of a better description)
DELAY 500
ESC
DELAY 500
CONTROL ESCAPE
DELAY 500
ESC
DELAY 500
GUI s
DELAY 1000
DOWN
DOWN
LEFT
ENTER
DELAY 500
STRING Robert Motog
DELAY 500
DOWN
ENTER
STRING Starting SMS Slam Test
ENTER
DELAY 1000
STRING RW
DELAY 100
ENTER
DELAY 100
STRING rw
ENTER
REPEAT 25000 2
ESC
REPEAT 3
SPy109 Posted January 20, 2015

Any new updates or ideas?
timmattison (Author) Posted January 21, 2015

> Any new updates or ideas?

The code is still working for you, right? The new stuff is in the issues list on GitHub - https://github.com/timmattison/USB-Rubber-Ducky/issues - but none of it is done yet. BACKSPACE support should be easy but I haven't had time to tackle it.
SPy109 Posted January 21, 2015

Ah ok, I will keep an eye out. I noticed a lot of changes in a fresh git pull and so was just wondering.
SPy109 Posted January 23, 2015

I am running into an issue where it seems like ENTER is being treated like ESC. I have been experiencing this for a while but am having real trouble getting solid data or a cause on this. I can recreate it with a specific payload I am using. This is in an Android 4.4.4 KK environment. REPEAT is not used in this scenario. And if I encode with the vanilla encoder it does not happen. If you want some more specifics just ask away and I can try to obtain this for you. I did recreate this on different phones as well. Same build and model, just two of the same phone.
timmattison (Author) Posted January 27, 2015

> I am running into an issue where it seems like ENTER is being treated like ESC. I have been experiencing this for a while but am having real trouble getting solid data or a cause on this. I can recreate it with a specific payload I am using. This is in an Android 4.4.4 KK environment. REPEAT is not used in this scenario. And if I encode with the vanilla encoder it does not happen. If you want some more specifics just ask away and I can try to obtain this for you. I did recreate this on different phones as well. Same build and model, just two of the same phone.

Hey, that'd be a great bug to fix. Can you post the script that does it? I'll compare the output from the original encoder and my encoder and make sure they're the same.
timmattison (Author) Posted January 29, 2015

This script has REPEAT instructions in it. I can remove them and try it without them, but I just want to make sure that this script definitely shows the issue and works on the original encoder. Once I know that for sure I can quickly see what's going on.
SPy109 Posted January 29, 2015

My bad... Once I felt like the issue was the encoder I just removed the repeat commands and then re-did it in the original encoder. So here is a little smaller script that does a lot of the same things the other script did. This one works in the original encoder and does not work right when encoded with yours. Now it does encode with no errors though.

----

DELAY 1000
ESC
DELAY 1000
CONTROL ESCAPE
DELAY 3000
STRING c
DELAY 2000
STRING all Blah vz test
ENTER
DELAY 1000
DOWN
DELAY 1000
RIGHT
DELAY 1000
ENTER
DELAY 3000
DOWN
DOWN
LEFT
ENTER
DELAY 10000
UP
ENTER
ESC
DELAY 2000
ESC
REM On-net test call
DELAY 1000
STRING c
DELAY 1000
STRING all Blah QA
ENTER
DELAY 1000
DOWN
DELAY 1000
RIGHT
DELAY 1000
ENTER
DELAY 4000
DOWN
DOWN
LEFT
ENTER
DELAY 10000
UP
ENTER
ESC
DELAY 2000
ESC
REM Phase Two - WiFi SMS/MMS Test
DELAY 1000
GUI s
DELAY 1000
DOWN
DOWN
LEFT
ENTER
DELAY 2000
STRING R
DELAY 1000
STRING obert vz test
DELAY 1000
DOWN
TAB
DELAY 1000
STRING Starting SMS/MMS Test.
ENTER
DELAY 1000
STRING Char Count 141
ENTER
DELAY 1000
STRING GixUp0N6mBZj7Q7uWN1G0Vec6XpJl@L2Y0AxQ7150ks9U3Uo3vz5lMdIL7M3R5gEuY7lT79@x5m7OR33Yy8xi4Vr2C190om6icZSSOsH5s2lfV9cAKFH35C0g3i8t21ag6t4AdFuxH61
ENTER
DELAY 1000
STRING Char Count 149
ENTER
DELAY 1000
STRING jk97nnLdjjpH9vbSuE83j6323f6wb9Wnu460Q84R66Kvg5KUTWb46RIvGg0DW4ULnZgg79I1iimsfP4N4n957vK73C5107wJU96kdMfHgj2nGSOJzcybTq74K83aq7VNmdo1V1Xd2aCa80qa@Qby
ENTER
DELAY 1000
STRING Char Count 160+
ENTER
DELAY 1000
STRING jjjjjjjjjsfsfsfsfsfsfsfsfsfsfsfsfsfsfsfsfsffffffffffffffffffffffffffffffsssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssddddddddddddddddddddddddddddddddddddddddddddddddasdsdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdsaddasdasdasdasdasdasdsadasdasdasdasdasdasdasdasdasdasdadasdasdasdasdasdasdasdadasdsadjjjjjjjjjjjjjjjjjjjjjjjjjjjjjdjdjdjdjdjdjdjdjdjdjdjasjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjjsjsjsjsjsjsjsjsjsjsjsjsjsjjjjjjfffffjfjfjfjfjfjfjfjfjfjfjffjfjfjfjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjffjfjfjfjfjfjfjfjfjfjfjfjfjfjjfjffjjjjjjjfffffjfjfjfjfjfjfjfjfjfjfjffjfjfjfjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjffjfjfsdfsadfsdfasfsdfsdafsdfdsafsdafsdfsdfdsfsdafsadfsdffsdfsdfsdfsdafsdafsadfdsfdsafsdfsdafsadfsafasfdsfdsafsdafsdafsdafsadfsfsdfsdfsfsafsdfsdfsdfsdfsfaj
DELAY 5500
ENTER
STRING Char Digit's
ENTER
DELAY 1000
STRING 1234567890
ENTER
STRING Char Special's
ENTER
DELAY 1000
STRING !@#$%^
ENTER
DELAY 1000
STRING Pipe Char's
ENTER
DELAY 1000
STRING How about some pipes | maybe? | maybe not?
ENTER
DELAY 2000
REM MMS PART
STRING MMS Picture
ENTER
DELAY 1000
DOWN
RIGHT
RIGHT
DELAY 1000
ENTER
DELAY 1000
DOWN
ENTER
DELAY 3000
ENTER
DELAY 2000
DOWN
RIGHT
ENTER
DELAY 1000
ENTER
DELAY 4000
TAB
DELAY 1000
TAB
DELAY 1000
TAB
DELAY 1000
ENTER
DELAY 1000
DOWN
DELAY 500
DOWN
DELAY 500
DOWN
DELAY 500
DOWN
DELAY 1000
ENTER
DELAY 500
ENTER
DELAY 500
TAB
DELAY 500
RIGHT
DELAY 500
ENTER
DELAY 500
ENTER
DELAY 1000
ESC
DELAY 500
ESC
DELAY 500
REM Turn Wifi Off for RWC Test
STRING w
DELAY 2000
STRING ifi off
ENTER
DELAY 1000
DOWN
DOWN
DOWN
RIGHT
ENTER
DELAY 500
UP
RIGHT
ENTER
DELAY 500
ESC
DELAY 500
ESC
REM
REM REPEAT 2
REM Phase Three - Cell w/ Data Call Test
REM Starting Call Test
DELAY 3000
STRING c
DELAY 2000
STRING all Blah vz test
ENTER
DELAY 1000
DOWN
DELAY 1000
RIGHT
DELAY 1000
ENTER
DELAY 3000
DOWN
DOWN
LEFT
ENTER
DELAY 10000
UP
ENTER
ESC
DELAY 2000
ESC
REM On-net test call
DELAY 1000
STRING c
DELAY 1000
STRING all Blah QA
ENTER
DELAY 1000
DOWN
DELAY 1000
RIGHT
DELAY 1000
ENTER
DELAY 4000
DOWN
DOWN
LEFT
ENTER
DELAY 10000
UP
ENTER
ESC
DELAY 2000
ESC
REM Phase Two - WiFi SMS/MMS Test
DELAY 1000
GUI s
DELAY 1000
DOWN
DOWN
LEFT
ENTER
DELAY 2000
STRING R
DELAY 1000
STRING Blah vz test
DELAY 1000
DOWN
TAB
DELAY 1000
STRING Starting SMS/MMS Test.
ENTER
DELAY 1000
STRING Char Count 141
ENTER
DELAY 1000
STRING GixUp0N6mBZj7Q7uWN1G0Vec6XpJl@L2Y0AxQ7150ks9U3Uo3vz5lMdIL7M3R5gEuY7lT79@x5m7OR33Yy8xi4Vr2C190om6icZSSOsH5s2lfV9cAKFH35C0g3i8t21ag6t4AdFuxH61
ENTER
DELAY 1000
STRING Char Count 149
ENTER
DELAY 1000
STRING jk97nnLdjjpH9vbSuE83j6323f6wb9Wnu460Q84R66Kvg5KUTWb46RIvGg0DW4ULnZgg79I1iimsfP4N4n957vK73C5107wJU96kdMfHgj2nGSOJzcybTq74K83aq7VNmdo1V1Xd2aCa80qa@Qby
ENTER
DELAY 1000
STRING Char Count 160+
ENTER
DELAY 1000
STRING jjjjjjjjjsfsfsfsfsfsfsfsfsfsfsfsfsfsfsfsfsffffffffffffffffffffffffffffffsssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssddddddddddddddddddddddddddddddddddddddddddddddddasdsdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdsaddasdasdasdasdasdasdsadasdasdasdasdasdasdasdasdasdasdadasdasdasdasdasdasdasdadasdsadjjjjjjjjjjjjjjjjjjjjjjjjjjjjjdjdjdjdjdjdjdjdjdjdjdjasjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjjsjsjsjsjsjsjsjsjsjsjsjsjsjjjjjjfffffjfjfjfjfjfjfjfjfjfjfjffjfjfjfjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjffjfjfjfjfjfjfjfjfjfjfjfjfjfjjfjffjjjjjjjfffffjfjfjfjfjfjfjfjfjfjfjffjfjfjfjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjffjfjfsdfsadfsdfasfsdfsdafsdfdsafsdafsdfsdfdsfsdafsadfsdffsdfsdfsdfsdafsdafsadfdsfdsafsdfsdafsadfsafasfdsfdsafsdafsdafsdafsadfsfsdfsdfsfsafsdfsdfsdfsdfsfaj
DELAY 5500
ENTER
STRING Char Digit's
ENTER
DELAY 1000
STRING 1234567890
ENTER
STRING Char Special's
ENTER
DELAY 1000
STRING !@#$%^
ENTER
DELAY 1000
STRING Pipe Char's
ENTER
DELAY 1000
STRING How about some pipes | maybe? | maybe not?
ENTER
DELAY 2000
REM MMS PART
STRING MMS Picture
ENTER
DELAY 1000
DOWN
RIGHT
RIGHT
DELAY 1000
ENTER
DELAY 1000
DOWN
ENTER
DELAY 3000
ENTER
DELAY 2000
DOWN
RIGHT
ENTER
DELAY 1000
ENTER
DELAY 4000
TAB
DELAY 1000
TAB
DELAY 1000
TAB
DELAY 1000
ENTER
DELAY 1000
DOWN
DELAY 500
DOWN
DELAY 500
DOWN
DELAY 500
DOWN
DELAY 1000
ENTER
DELAY 500
ENTER
DELAY 500
TAB
DELAY 500
RIGHT
DELAY 500
ENTER
DELAY 500
ENTER
DELAY 1000
ESC
DELAY 500
ESC
DELAY 500
REM
REM REPEAT 3
REM Phase Five - Cell w/o Data SMS Test
DELAY 2000
STRING o
DELAY 2000
STRING pen settings
DELAY 2000
ENTER
DELAY 1000
DOWN
RIGHT
ENTER
DELAY 1000
DOWN
DELAY 1000
DOWN
DELAY 1000
ENTER
DELAY 1000
DOWN
UP
ENTER
DELAY 1000
RIGHT
ENTER
DELAY 1000
ESC
REM REPEAT 2
DELAY 1000
GUI s
DELAY 1000
DOWN
DOWN
LEFT
ENTER
DELAY 3000
STRING R
DELAY 2000
STRING Blah vz test
DELAY 1000
DOWN
TAB
DELAY 1000
STRING Starting Cell No Data SMS Test.
ENTER
DELAY 1000
STRING Char Count 141
ENTER
DELAY 1000
STRING GixUp0N6mBZj7Q7uWN1G0Vec6XpJl@L2Y0AxQ7150ks9U3Uo3vz5lMdIL7M3R5gEuY7lT79@x5m7OR33Yy8xi4Vr2C190om6icZSSOsH5s2lfV9cAKFH35C0g3i8t21ag6t4AdFuxH61
ENTER
DELAY 1000
STRING Char Count 149
ENTER
DELAY 1000
STRING jk97nnLdjjpH9vbSuE83j6323f6wb9Wnu460Q84R66Kvg5KUTWb46RIvGg0DW4ULnZgg79I1iimsfP4N4n957vK73C5107wJU96kdMfHgj2nGSOJzcybTq74K83aq7VNmdo1V1Xd2aCa80qa@Qby
ENTER
DELAY 1000
STRING Char Count 160+
ENTER
DELAY 1000
STRING jjjjjjjjjsfsfsfsfsfsfsfsfsfsfsfsfsfsfsfsfsffffffffffffffffffffffffffffffsssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssddddddddddddddddddddddddddddddddddddddddddddddddasdsdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdsaddasdasdasdasdasdasdsadasdasdasdasdasdasdasdasdasdasdadasdasdasdasdasdasdasdadasdsadjjjjjjjjjjjjjjjjjjjjjjjjjjjjjdjdjdjdjdjdjdjdjdjdjdjasjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjjsjsjsjsjsjsjsjsjsjsjsjsjsjjjjjjfffffjfjfjfjfjfjfjfjfjfjfjffjfjfjfjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjffjfjfjfjfjfjfjfjfjfjfjfjfjfjjfjffjjjjjjjfffffjfjfjfjfjfjfjfjfjfjfjffjfjfjfjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjffjfjfsdfsadfsdfasfsdfsdafsdfdsafsdafsdfsdfdsfsdafsadfsdffsdfsdfsdfsdafsdafsadfdsfdsafsdfsdafsadfsafasfdsfdsafsdafsdafsdafsadfsfsdfsdfsfsafsdfsdfsdfsdfsfaj
DELAY 5500
ENTER
STRING Char Digit's
ENTER
DELAY 1000
STRING 1234567890
ENTER
STRING Char Special's
ENTER
DELAY 1000
STRING !@#$%^
ENTER
DELAY 1000
STRING Pipe Char's
ENTER
DELAY 1000
STRING How about some pipes | maybe? | maybe not?
ENTER
DELAY 500
ESC
DELAY 1000
ESC
DELAY 500
ESC
DELAY 500
ESC
REM Phase Six - Turn Cel Data back on and Wifi Back On
REM Turn Cell Data Back On
DELAY 2000
STRING o
DELAY 500
STRING pen settings
DELAY 1000
ENTER
DELAY 1000
DOWN
RIGHT
ENTER
DELAY 1000
DOWN
DOWN
ENTER
DELAY 1000
DOWN
DELAY 1000
ENTER
DELAY 1000
ESC
DELAY 1000
ESC
ESC
DELAY 500
ESC
REM Turn Wifi Back On
DELAY 500
STRING w
DELAY 2000
STRING ifi off
ENTER
DELAY 1000
DOWN
DOWN
DOWN
RIGHT
ENTER
DELAY 500
UP
RIGHT
ENTER
DELAY 500
ESC
DELAY 500
ESC
timmattison (Author) Posted January 30, 2015

Hmm, I got a notification about an instruction limit question you had but I don't see it here. I did a test with 1000, 10000, and 1000000 instructions and they all work as I would expect them, so an instruction limit shouldn't be the issue. I'll take the script you provided and test it locally here and let you know what happens. Thanks!
timmattison (Author) Posted January 30, 2015

I just ran this script through my encoder and the original encoder as a unit test and I got identical output. Both encoders gave me 10,934 bytes of output. Are you seeing a similar size? Can you send me the header info that my encoder outputs so I can make sure we're working on the same version?
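The comparison described in this post (running one script through both encoders and checking that the output matches) is easier to reason about when the two inject.bin files are diffed step by step rather than byte by byte, because a key being swapped for its neighbour in the HID usage table (ENTER is 0x28, ESC is 0x29) then shows up as a named instruction at a known position. The following is an added example written for this thread, not timmattison's encoder and not the original Java Duck Encoder. It assumes the original encoder's two-byte output layout, (HID keycode, modifier byte) per step with DELAY written as keycode 0x00 followed by up to 255 ms and split over several pairs when longer, the original REPEAT semantics (re-emit the previous line n times), and a US-layout subset of keys; the sample script at the bottom is constructed, not one of the thread's payloads.

```python
"""Minimal Ducky Script encoder and inject.bin disassembler (added example).

Assumed layout (original Duck Encoder): two bytes per step, (keycode, modifier);
a keycode of 0x00 marks a delay pair whose second byte is up to 255 ms.
US keyboard layout, subset of keys.  Not timmattison's or the original encoder."""
from itertools import zip_longest

# HID usage IDs (USB HID Usage Tables, keyboard page) and modifier bits.
KEYS = {"ENTER": 0x28, "ESC": 0x29, "ESCAPE": 0x29, "BACKSPACE": 0x2A,
        "TAB": 0x2B, "SPACE": 0x2C, "RIGHT": 0x4F, "LEFT": 0x50,
        "DOWN": 0x51, "UP": 0x52}
MODS = {"CTRL": 0x01, "CONTROL": 0x01, "SHIFT": 0x02, "ALT": 0x04,
        "GUI": 0x08, "WINDOWS": 0x08}
# Printable characters reachable without SHIFT -> keycode.
PLAIN = {chr(ord("a") + i): 0x04 + i for i in range(26)}
PLAIN.update({d: 0x1E + i for i, d in enumerate("123456789")})
PLAIN.update({"0": 0x27, " ": 0x2C, "-": 0x2D, "=": 0x2E, "[": 0x2F,
              "]": 0x30, "\\": 0x31, ";": 0x33, "'": 0x34, "`": 0x35,
              ",": 0x36, ".": 0x37, "/": 0x38})
# Characters typed with SHIFT held -> the unshifted character on the same key.
SHIFTED = dict(zip("!@#$%^&*()", "1234567890"))
SHIFTED.update({"_": "-", "+": "=", "{": "[", "}": "]", "|": "\\", ":": ";",
                '"': "'", "~": "`", "<": ",", ">": ".", "?": "/"})
KEY_NAME = {v: k for k, v in KEYS.items()}
KEY_NAME[0x29] = "ESC"
CHAR_NAME = {v: k for k, v in PLAIN.items()}


def char_pair(c):
    """(keycode, modifier) for one printable character on the US layout."""
    if c in PLAIN:
        return PLAIN[c], 0x00
    if c.isupper() and c.lower() in PLAIN:
        return PLAIN[c.lower()], MODS["SHIFT"]
    if c in SHIFTED:
        return PLAIN[SHIFTED[c]], MODS["SHIFT"]
    raise ValueError("no US-layout keycode for %r" % c)


def encode_line(line):
    """Encode one script line into a list of (keycode, modifier) pairs."""
    tokens = line.split()
    if not tokens or tokens[0] == "REM":
        return []
    if tokens[0] == "DELAY":
        ms, out = int(tokens[1]), []
        while ms > 0:                        # keycode 0x00 marks a delay pair
            out.append((0x00, min(ms, 255)))
            ms -= 255
        return out
    if tokens[0] == "STRING":
        parts = line.split(None, 1)          # keep inner/trailing spaces of the text
        return [char_pair(c) for c in (parts[1] if len(parts) > 1 else "")]
    mod = 0
    while tokens and tokens[0] in MODS:      # e.g. "CONTROL ESCAPE", "GUI s"
        mod |= MODS[tokens.pop(0)]
    if not tokens:
        raise ValueError("modifier without a key: %r" % line)
    if tokens[0] in KEYS:
        return [(KEYS[tokens[0]], mod)]
    code, char_mod = char_pair(tokens[0])
    return [(code, mod | char_mod)]


def encode(script):
    """Encode a whole script to inject.bin bytes; REPEAT n re-emits the
    previous line's pairs n times (original encoder semantics)."""
    out, last = [], []
    for line in script.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "REPEAT":
            out.extend(last * int(tokens[1]))
            continue
        pairs = encode_line(line)
        if pairs:
            last = pairs
        out.extend(pairs)
    return bytes(b for pair in out for b in pair)


def disassemble(blob):
    """One readable step per (keycode, modifier) pair.  Delay pairs of 0xFF are
    merged with what follows, undoing the encoder's split of DELAY > 255
    (a literal DELAY 255 followed by another DELAY is indistinguishable)."""
    if len(blob) % 2:
        raise ValueError("odd length: not a sequence of (keycode, modifier) pairs")
    steps, pending = [], None
    for i in range(0, len(blob), 2):
        key, mod = blob[i], blob[i + 1]
        if key == 0x00:
            pending = (pending or 0) + mod
            if mod != 0xFF:                  # 0xFF means "more delay follows"
                steps.append("DELAY %d" % pending)
                pending = None
            continue
        if pending is not None:              # a delay that ended exactly on 255
            steps.append("DELAY %d" % pending)
            pending = None
        held = "".join(n + " " for n, bit in (("CTRL", 1), ("SHIFT", 2),
                                              ("ALT", 4), ("GUI", 8)) if mod & bit)
        steps.append(held + (KEY_NAME.get(key) or CHAR_NAME.get(key) or "0x%02X" % key))
    if pending is not None:
        steps.append("DELAY %d" % pending)
    return steps


def first_difference(a, b):
    """Diff two inject.bin blobs step by step: (index, step_a, step_b) of the
    first mismatch, or None when both decode to the same steps."""
    for i, (x, y) in enumerate(zip_longest(disassemble(a), disassemble(b))):
        if x != y:
            return i, x, y
    return None


# Constructed sample in the style of the thread's scripts, not one of its payloads.
SAMPLE = "REM test\nDELAY 500\nCONTROL ESCAPE\nGUI s\nSTRING R!\nENTER\nREPEAT 2\n"

if __name__ == "__main__":
    good = encode(SAMPLE)
    bad = bytearray(good)
    bad[12] = KEYS["ESC"]                    # simulate one ENTER mis-encoded as ESC
    print(len(good), "bytes:", good.hex())
    print(disassemble(good))
    print(first_difference(good, bytes(bad)))  # -> (5, 'ENTER', 'ESC')
```

To use it on real files, read both inject.bin outputs and pass them to `first_difference`; a `None` result means the two encoders agree instruction for instruction, which is the check this post describes, and a tuple names the first step where they diverge. When the outputs are identical, as here, the disassembly is still useful for the next question in the thread: counting the steps and summing the DELAY values gives the expected run time, which can be compared against what the phone actually typed.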
timmattison (Author) Posted January 30, 2015

I conducted a test this morning to try to rule out the possibility of a limitation on the Ducky. I assumed that maybe there was a max instruction limit, so I wrote a script that typed out the numbers from 1 to 10000 with an ENTER in between them. I opened TextEdit and let it run. When it was done I could see that it did get all the way to 9999. So now I'm a bit stumped. It doesn't seem like an instruction limit. It doesn't seem like a difference in encoders. My current wild guess is that you may be running into a keyboard buffering issue on the device. It is possible that the Ducky is sending characters too quickly, the buffer fills up, and then ignores the last bunch of commands. However, if that happened I think you'd see a few random instructions towards the end. I'm happy to help, we just need to keep chipping away at the details.
SPy109 Posted January 30, 2015

Thanks for looking into it. At this point recreating the issue has been difficult for me, and with different variables at play it is just hard to say what the problem is. Maybe things are encoded properly but the phone itself is having a problem, or for all I know things are not written properly to the SD card. So when I have more free time I am going to experiment with different SD cards and phones just to see if I can recreate the weirdness. I will let you know if I find anything.
timmattison (Author) Posted January 30, 2015

BTW, here's the Perl script that generates the Ducky input. Here's the Ducky input itself to type the numbers 1 - 10000.

> I conducted a test this morning to try to rule out the possibility of a limitation on the Ducky. I assumed that maybe there was a max instruction limit, so I wrote a script that typed out the numbers from 1 to 10000 with an ENTER in between them.