
New Ducky encoder implementation



Tested this little payload for fun. The repeat function worked perfectly. Nothing bad happened to the phone except getting hot. :)

The far end is not affected much, just annoyed most likely. The default Android messenger app slows things down a bit due to the lag between text being entered in the input box and the enter/send button becoming available. This is the case with KK 4.4.4 at least.

REM SMS DDOS TEST (for lack of a better description)
DELAY 500
ESC
DELAY 500
CONTROL ESCAPE
DELAY 500
ESC
DELAY 500
GUI s
DELAY 1000
DOWN
DOWN
LEFT
ENTER
DELAY 500
STRING Robert Motog
DELAY 500
DOWN
ENTER
STRING Starting SMS Slam Test
ENTER
DELAY 1000
STRING RW
DELAY 100
ENTER
DELAY 100
STRING rw
ENTER
REPEAT 25000 2
ESC
REPEAT 3


I am running into an issue where it seems like ENTER is being treated like ESC. I have been experiencing this for a while but am having real trouble getting solid data or a cause on this. I can recreate it with a specific payload I am using. This is in an Android 4.4.4 KK environment. REPEAT is not used in this scenario, and if I encode with the vanilla encoder it does not happen. If you want some more specifics just ask away and I can try to obtain them for you. I did recreate this on different phones as well: same build and model, just two of the same phone.


Hey, that'd be a great bug to fix. Can you post the script that does it? I'll compare the output from the original encoder and my encoder and make sure they're the same.


My bad... Once I felt like the issue was the encoder I just removed the repeat commands and then re-did it in the original encoder. So here is a slightly smaller script that does a lot of the same things the other script did. This one works in the original encoder and does not work right when encoded with yours. Now it does encode with no errors, though.

----

DELAY 1000
ESC
DELAY 1000
CONTROL ESCAPE
DELAY 3000
STRING c
DELAY 2000
STRING all Blah vz test
ENTER
DELAY 1000
DOWN
DELAY 1000
RIGHT
DELAY 1000
ENTER
DELAY 3000
DOWN
DOWN
LEFT
ENTER
DELAY 10000
UP
ENTER
ESC
DELAY 2000
ESC
REM On-net test call 
DELAY 1000
STRING c
DELAY 1000
STRING all Blah QA
ENTER
DELAY 1000
DOWN
DELAY 1000
RIGHT
DELAY 1000
ENTER
DELAY 4000
DOWN
DOWN
LEFT
ENTER
DELAY 10000
UP
ENTER
ESC
DELAY 2000
ESC
REM Phase Two - WiFi SMS/MMS Test
DELAY 1000
GUI s
DELAY 1000
DOWN
DOWN
LEFT
ENTER
DELAY 2000
STRING R
DELAY 1000
STRING obert vz test
DELAY 1000
DOWN
TAB
DELAY 1000
STRING Starting SMS/MMS Test.
ENTER
DELAY 1000
STRING Char Count 141 
ENTER
DELAY 1000
STRING GixUp0N6mBZj7Q7uWN1G0Vec6XpJl@L2Y0AxQ7150ks9U3Uo3vz5lMdIL7M3R5gEuY7lT79@x5m7OR33Yy8xi4Vr2C190om6icZSSOsH5s2lfV9cAKFH35C0g3i8t21ag6t4AdFuxH61
ENTER
DELAY 1000
STRING Char Count 149
ENTER
DELAY 1000
STRING jk97nnLdjjpH9vbSuE83j6323f6wb9Wnu460Q84R66Kvg5KUTWb46RIvGg0DW4ULnZgg79I1iimsfP4N4n957vK73C5107wJU96kdMfHgj2nGSOJzcybTq74K83aq7VNmdo1V1Xd2aCa80qa@Qby
ENTER
DELAY 1000
STRING Char Count 160+
ENTER
DELAY 1000
STRING jjjjjjjjjsfsfsfsfsfsfsfsfsfsfsfsfsfsfsfsfsffffffffffffffffffffffffffffffsssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssddddddddddddddddddddddddddddddddddddddddddddddddasdsdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdsaddasdasdasdasdasdasdsadasdasdasdasdasdasdasdasdasdasdadasdasdasdasdasdasdasdadasdsadjjjjjjjjjjjjjjjjjjjjjjjjjjjjjdjdjdjdjdjdjdjdjdjdjdjasjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjjsjsjsjsjsjsjsjsjsjsjsjsjsjjjjjjfffffjfjfjfjfjfjfjfjfjfjfjffjfjfjfjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjffjfjfjfjfjfjfjfjfjfjfjfjfjfjjfjffjjjjjjjfffffjfjfjfjfjfjfjfjfjfjfjffjfjfjfjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjffjfjfsdfsadfsdfasfsdfsdafsdfdsafsdafsdfsdfdsfsdafsadfsdffsdfsdfsdfsdafsdafsadfdsfdsafsdfsdafsadfsafasfdsfdsafsdafsdafsdafsadfsfsdfsdfsfsafsdfsdfsdfsdfsfaj
DELAY 5500
ENTER
STRING Char Digit's
ENTER
DELAY 1000
STRING 1234567890
ENTER
STRING Char Special's
ENTER
DELAY 1000
STRING !@#$%^
ENTER
DELAY 1000
STRING Pipe Char's 
ENTER
DELAY 1000
STRING How about some pipes | maybe? | maybe not?
ENTER
DELAY 2000
REM MMS PART 
STRING MMS Picture
ENTER
DELAY 1000
DOWN
RIGHT
RIGHT
DELAY 1000
ENTER
DELAY 1000
DOWN
ENTER
DELAY 3000
ENTER
DELAY 2000
DOWN
RIGHT
ENTER
DELAY 1000
ENTER
DELAY 4000
TAB
DELAY 1000
TAB
DELAY 1000
TAB
DELAY 1000
ENTER
DELAY 1000
DOWN
DELAY 500
DOWN
DELAY 500
DOWN
DELAY 500
DOWN
DELAY 1000
ENTER
DELAY 500
ENTER
DELAY 500
TAB
DELAY 500
RIGHT
DELAY 500
ENTER
DELAY 500
ENTER
DELAY 1000
ESC
DELAY 500
ESC
DELAY 500
REM Turn Wifi Off for RWC Test
STRING w
DELAY 2000
STRING ifi off
ENTER
DELAY 1000
DOWN
DOWN
DOWN
RIGHT
ENTER
DELAY 500
UP
RIGHT
ENTER
DELAY 500
ESC
DELAY 500
ESC
REM REM REPEAT 2
REM Phase Three - Cell w/ Data Call Test 
REM Starting Call Test
DELAY 3000
STRING c
DELAY 2000
STRING all Blah vz test
ENTER
DELAY 1000
DOWN
DELAY 1000
RIGHT
DELAY 1000
ENTER
DELAY 3000
DOWN
DOWN
LEFT
ENTER
DELAY 10000
UP
ENTER
ESC
DELAY 2000
ESC
REM On-net test call 
DELAY 1000
STRING c
DELAY 1000
STRING all Blah QA
ENTER
DELAY 1000
DOWN
DELAY 1000
RIGHT
DELAY 1000
ENTER
DELAY 4000
DOWN
DOWN
LEFT
ENTER
DELAY 10000
UP
ENTER
ESC
DELAY 2000
ESC
REM Phase Two - WiFi SMS/MMS Test
DELAY 1000
GUI s
DELAY 1000
DOWN
DOWN
LEFT
ENTER
DELAY 2000
STRING R
DELAY 1000
STRING Blah vz test
DELAY 1000
DOWN
TAB
DELAY 1000
STRING Starting SMS/MMS Test.
ENTER
DELAY 1000
STRING Char Count 141 
ENTER
DELAY 1000
STRING GixUp0N6mBZj7Q7uWN1G0Vec6XpJl@L2Y0AxQ7150ks9U3Uo3vz5lMdIL7M3R5gEuY7lT79@x5m7OR33Yy8xi4Vr2C190om6icZSSOsH5s2lfV9cAKFH35C0g3i8t21ag6t4AdFuxH61
ENTER
DELAY 1000
STRING Char Count 149
ENTER
DELAY 1000
STRING jk97nnLdjjpH9vbSuE83j6323f6wb9Wnu460Q84R66Kvg5KUTWb46RIvGg0DW4ULnZgg79I1iimsfP4N4n957vK73C5107wJU96kdMfHgj2nGSOJzcybTq74K83aq7VNmdo1V1Xd2aCa80qa@Qby
ENTER
DELAY 1000
STRING Char Count 160+
ENTER
DELAY 1000
STRING jjjjjjjjjsfsfsfsfsfsfsfsfsfsfsfsfsfsfsfsfsffffffffffffffffffffffffffffffsssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssddddddddddddddddddddddddddddddddddddddddddddddddasdsdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdsaddasdasdasdasdasdasdsadasdasdasdasdasdasdasdasdasdasdadasdasdasdasdasdasdasdadasdsadjjjjjjjjjjjjjjjjjjjjjjjjjjjjjdjdjdjdjdjdjdjdjdjdjdjasjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjjsjsjsjsjsjsjsjsjsjsjsjsjsjjjjjjfffffjfjfjfjfjfjfjfjfjfjfjffjfjfjfjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjffjfjfjfjfjfjfjfjfjfjfjfjfjfjjfjffjjjjjjjfffffjfjfjfjfjfjfjfjfjfjfjffjfjfjfjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjffjfjfsdfsadfsdfasfsdfsdafsdfdsafsdafsdfsdfdsfsdafsadfsdffsdfsdfsdfsdafsdafsadfdsfdsafsdfsdafsadfsafasfdsfdsafsdafsdafsdafsadfsfsdfsdfsfsafsdfsdfsdfsdfsfaj
DELAY 5500
ENTER
STRING Char Digit's
ENTER
DELAY 1000
STRING 1234567890
ENTER
STRING Char Special's
ENTER
DELAY 1000
STRING !@#$%^
ENTER
DELAY 1000
STRING Pipe Char's 
ENTER
DELAY 1000
STRING How about some pipes | maybe? | maybe not?
ENTER
DELAY 2000
REM MMS PART 
STRING MMS Picture
ENTER
DELAY 1000
DOWN
RIGHT
RIGHT
DELAY 1000
ENTER
DELAY 1000
DOWN
ENTER
DELAY 3000
ENTER
DELAY 2000
DOWN
RIGHT
ENTER
DELAY 1000
ENTER
DELAY 4000
TAB
DELAY 1000
TAB
DELAY 1000
TAB
DELAY 1000
ENTER
DELAY 1000
DOWN
DELAY 500
DOWN
DELAY 500
DOWN
DELAY 500
DOWN
DELAY 1000
ENTER
DELAY 500
ENTER
DELAY 500
TAB
DELAY 500
RIGHT
DELAY 500
ENTER
DELAY 500
ENTER
DELAY 1000
ESC
DELAY 500
ESC
DELAY 500
REM REM REPEAT 3
REM Phase Five - Cell w/o Data SMS Test
DELAY 2000
STRING o
DELAY 2000
STRING pen settings
DELAY 2000
ENTER
DELAY 1000
DOWN
RIGHT
ENTER
DELAY 1000
DOWN
DELAY 1000
DOWN
DELAY 1000
ENTER
DELAY 1000
DOWN
UP
ENTER
DELAY 1000
RIGHT
ENTER
DELAY 1000
ESC
REM REPEAT 2
DELAY 1000
GUI s
DELAY 1000
DOWN
DOWN
LEFT
ENTER
DELAY 3000
STRING R
DELAY 2000
STRING Blah vz test
DELAY 1000
DOWN
TAB
DELAY 1000
STRING Starting Cell No Data SMS Test.
ENTER
DELAY 1000
STRING Char Count 141 
ENTER
DELAY 1000
STRING GixUp0N6mBZj7Q7uWN1G0Vec6XpJl@L2Y0AxQ7150ks9U3Uo3vz5lMdIL7M3R5gEuY7lT79@x5m7OR33Yy8xi4Vr2C190om6icZSSOsH5s2lfV9cAKFH35C0g3i8t21ag6t4AdFuxH61
ENTER
DELAY 1000
STRING Char Count 149
ENTER
DELAY 1000
STRING jk97nnLdjjpH9vbSuE83j6323f6wb9Wnu460Q84R66Kvg5KUTWb46RIvGg0DW4ULnZgg79I1iimsfP4N4n957vK73C5107wJU96kdMfHgj2nGSOJzcybTq74K83aq7VNmdo1V1Xd2aCa80qa@Qby
ENTER
DELAY 1000
STRING Char Count 160+
ENTER
DELAY 1000
STRING jjjjjjjjjsfsfsfsfsfsfsfsfsfsfsfsfsfsfsfsfsffffffffffffffffffffffffffffffsssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssddddddddddddddddddddddddddddddddddddddddddddddddasdsdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdsaddasdasdasdasdasdasdsadasdasdasdasdasdasdasdasdasdasdadasdasdasdasdasdasdasdadasdsadjjjjjjjjjjjjjjjjjjjjjjjjjjjjjdjdjdjdjdjdjdjdjdjdjdjasjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjsjjsjsjsjsjsjsjsjsjsjsjsjsjsjjjjjjfffffjfjfjfjfjfjfjfjfjfjfjffjfjfjfjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjffjfjfjfjfjfjfjfjfjfjfjfjfjfjjfjffjjjjjjjfffffjfjfjfjfjfjfjfjfjfjfjffjfjfjfjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjdjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjfjffjfjfsdfsadfsdfasfsdfsdafsdfdsafsdafsdfsdfdsfsdafsadfsdffsdfsdfsdfsdafsdafsadfdsfdsafsdfsdafsadfsafasfdsfdsafsdafsdafsdafsadfsfsdfsdfsfsafsdfsdfsdfsdfsfaj
DELAY 5500
ENTER
STRING Char Digit's
ENTER
DELAY 1000
STRING 1234567890
ENTER
STRING Char Special's
ENTER
DELAY 1000
STRING !@#$%^
ENTER
DELAY 1000
STRING Pipe Char's 
ENTER
DELAY 1000
STRING How about some pipes | maybe? | maybe not?
ENTER
DELAY 500
ESC
DELAY 1000
ESC
DELAY 500
ESC
DELAY 500
ESC
REM Phase Six - Turn Cel Data back on and Wifi Back On 
REM Turn Cell Data Back On
DELAY 2000
STRING o
DELAY 500
STRING pen settings
DELAY 1000
ENTER
DELAY 1000
DOWN
RIGHT
ENTER
DELAY 1000
DOWN
DOWN
ENTER
DELAY 1000
DOWN
DELAY 1000
ENTER
DELAY 1000
ESC
DELAY 1000
ESC
ESC
DELAY 500
ESC
REM Turn Wifi Back On 
DELAY 500
STRING w
DELAY 2000
STRING ifi off
ENTER
DELAY 1000
DOWN
DOWN
DOWN
RIGHT
ENTER
DELAY 500
UP
RIGHT
ENTER
DELAY 500
ESC
DELAY 500
ESC

Hmm, I got a notification about an instruction limit question you had but I don't see it here. I did a test with 1000, 10000, and 1000000 instructions and they all worked as I would expect, so an instruction limit shouldn't be the issue.

I'll take the script you provided and test it locally here and let you know what happens. Thanks!


I just ran this script through my encoder and the original encoder as a unit test and I got identical output. Both encoders gave me 10,934 bytes of output.

Are you seeing a similar size? Can you send me the header info that my encoder outputs so I can make sure we're working on the same version?


I conducted a test this morning to try to rule out the possibility of a limitation on the Ducky. I assumed that maybe there was a max instruction limit so I wrote a script that typed out the numbers from 1 to 10000 with an ENTER in between them.

I opened TextEdit and let it run. When it was done I could see that it did get all the way to 9999.

So now I'm a bit stumped. It doesn't seem like an instruction limit. It doesn't seem like a difference in encoders.

My current wild guess is that you may be running into a keyboard buffering issue on the device. It is possible that the Ducky is sending characters too quickly, the buffer fills up, and then ignores the last bunch of commands. However, if that happened I think you'd see a few random instructions towards the end.

I'm happy to help, we just need to keep chipping away at the details.


Thanks for looking into it. At this point recreating the issue has been difficult for me, and with different variables at play it is just hard to say what the problem is. Maybe things are encoded properly but the phone itself is having a problem, or for all I know things are not written properly to the SD card. So when I have more free time I am going to experiment with different SD cards and phones just to see if I can recreate the weirdness.

I will let you know if I find anything.

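Two things in this thread come down to looking at the inject.bin bytes directly: the encoder author's unit test that compared both encoders' output byte for byte (10,934 bytes each), and the later suspicion that what ends up on the SD card may not be what was encoded. The block below is an added example written for this page; it is not the original Duck Encoder and not the new encoder being discussed. It assumes the inject.bin convention of 2-byte pairs [USB HID usage id, modifier bitmask], with a usage id of 0x00 meaning a delay of the second byte in milliseconds, and it covers only the instructions the posted scripts use, a US keyboard layout, and the original single-argument REPEAT (the two-argument REPEAT in the first post is not handled). The sample script inside is constructed, not one of the scripts posted above.

```python
# Added example for this thread, not the original Duck Encoder or the new one
# discussed here. inject.bin layout as assumed: 2-byte pairs of
# [HID usage id, modifier bitmask]; usage id 0x00 marks a delay of <second byte> ms.

# USB HID keyboard-page usage ids for the named keys the posted scripts use.
NAMED_KEYS = {
    "ENTER": 0x28, "ESC": 0x29, "ESCAPE": 0x29, "TAB": 0x2B, "SPACE": 0x2C,
    "RIGHT": 0x4F, "RIGHTARROW": 0x4F, "LEFT": 0x50, "LEFTARROW": 0x50,
    "DOWN": 0x51, "DOWNARROW": 0x51, "UP": 0x52, "UPARROW": 0x52,
}
MODIFIERS = {"CTRL": 0x01, "CONTROL": 0x01, "SHIFT": 0x02,
             "ALT": 0x04, "GUI": 0x08, "WINDOWS": 0x08}
SHIFT = 0x02
# US layout: unshifted/shifted non-letter characters sharing one usage id.
_UNSHIFTED = " 1234567890-=[]\\;'`,./"
_SHIFTED = " !@#$%^&*()_+{}|:\"~<>?"
_IDS = [0x2C, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
        0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38]
_NAMES = {0x28: "ENTER", 0x29: "ESC", 0x2B: "TAB", 0x2C: "SPACE",
          0x4F: "RIGHT", 0x50: "LEFT", 0x51: "DOWN", 0x52: "UP"}
_MODNAMES = (("CONTROL", 0x01), ("SHIFT", 0x02), ("ALT", 0x04), ("GUI", 0x08))


def char_to_pair(ch):
    """Map one printable ASCII character to (usage id, modifier bitmask)."""
    if "a" <= ch <= "z":
        return 0x04 + ord(ch) - ord("a"), 0
    if "A" <= ch <= "Z":
        return 0x04 + ord(ch) - ord("A"), SHIFT
    if ch in _UNSHIFTED:
        return _IDS[_UNSHIFTED.index(ch)], 0
    if ch in _SHIFTED:
        return _IDS[_SHIFTED.index(ch)], SHIFT
    raise ValueError("no US-layout mapping for %r" % ch)


def encode(script):
    """Encode Ducky Script text to inject.bin bytes (single-argument REPEAT only)."""
    out, last = bytearray(), b""
    for line in script.splitlines():
        if not line.strip():
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "REM":
            continue
        if cmd == "REPEAT":               # repeat the previous instruction's bytes
            out += last * int(arg.strip())
            continue
        chunk = bytearray()
        if cmd == "DELAY":                # long delays become several 0x00,0xFF pairs
            ms = int(arg.strip())
            while ms > 0:
                chunk += bytes((0x00, min(ms, 255)))
                ms -= 255
        elif cmd == "STRING":             # argument taken verbatim, trailing spaces included
            for ch in arg:
                chunk += bytes(char_to_pair(ch))
        else:                             # key with optional modifiers, e.g. CONTROL ESCAPE
            tokens = [cmd] + arg.split()  # a trailing space, as in 'TAB ', is tolerated
            mods = 0
            while len(tokens) > 1 and tokens[0].upper() in MODIFIERS:
                mods |= MODIFIERS[tokens.pop(0).upper()]
            key = tokens[0]
            if key.upper() in NAMED_KEYS:
                code = NAMED_KEYS[key.upper()]
            elif len(key) == 1:
                code, shift = char_to_pair(key)
                mods |= shift
            else:
                raise ValueError("unsupported instruction: %r" % line)
            chunk += bytes((code, mods))
        out += chunk
        last = bytes(chunk)
    return bytes(out)


def decode(blob):
    """Disassemble inject.bin into readable instructions; adjacent delay pairs are summed."""
    if len(blob) % 2:
        raise ValueError("odd length: inject.bin is a sequence of 2-byte pairs")
    lines = []
    for i in range(0, len(blob), 2):
        code, mod = blob[i], blob[i + 1]
        if code == 0x00:
            if lines and lines[-1].startswith("DELAY "):
                mod += int(lines.pop()[6:])
            lines.append("DELAY %d" % mod)
            continue
        if code in _NAMES:
            key = _NAMES[code]
        elif 0x04 <= code <= 0x1D:
            key = chr(ord("a") + code - 0x04)
        elif code in _IDS:
            key = _UNSHIFTED[_IDS.index(code)]
        else:
            key = "0x%02X" % code
        prefix = "".join(n + " " for n, bit in _MODNAMES if mod & bit)
        lines.append(prefix + key)
    return lines


def first_difference(a, b):
    """None if two inject.bin blobs are identical, else (pair index, a's pair, b's pair)
    decoded, so a swapped ENTER/ESC shows up as ('ENTER', 'ESC') instead of a raw offset."""
    def pair_at(blob, i):
        chunk = blob[2 * i:2 * i + 2]
        return decode(chunk)[0] if len(chunk) == 2 else None
    for i in range(max(len(a), len(b)) // 2 + 1):
        if a[2 * i:2 * i + 2] != b[2 * i:2 * i + 2]:
            return i, pair_at(a, i), pair_at(b, i)
    return None


# Constructed sample script, not one of the scripts posted in the thread.
SAMPLE = """REM constructed sample
DELAY 500
ESC
CONTROL ESCAPE
GUI s
STRING Rw!
ENTER
REPEAT 2
TAB
"""
```

To check what is actually on the card, read inject.bin back from it and run decode() over the bytes; an ENTER pair carries usage id 0x28 and an ESC pair 0x29, so a swap between them is visible in the disassembly at a glance. For the encoder comparison, first_difference(encode_a_output, encode_b_output) returns None when the two blobs match and otherwise the index of the first diverging pair with both sides decoded, which is the value a unit test over two encoders should assert on rather than the total byte count alone.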

BTW, here's the Perl script that generates the Ducky input. Here's the Ducky input itself to type the numbers 1 - 10000.

