Jump to content

SET_LANGUAGE option


elkentaro

Recommended Posts

So I started to work on the Bash Bunny to be able to handle non-US keyboard layout attacks for ATTACKMODE HID.

To enable the SET_LANGUAGE option you need to add a [LanguageDescription].json under /root/tools/language.
I used the default  "us.json" as a working template. (you wanna back it up and copy it and not work of the original file)

Here is an example of Japanese keyboard layout description file: (i.e.:ja.json , however you can make it ja_win.json for specific environments.)

---ja.json (created under /root/tools/languages/ )---

{
   "__comment":  "All numbers here are in hex format and 0x is ignored.",
   "__comment":  " ",
   "__comment":  "This list is in ascending order of 3rd byte (HID Usage ID).",
   "__comment":  "  See section 10 Keyboard/Keypad Page (0x07)",
   "__comment":  "  of document USB HID Usage Tables Version 1.12.",
   "__comment":  " ",
   "__comment":  "Definition of these 3 bytes can be found",
   "__comment":  "  in section B.1 Protocol 1 (Keyboard)",
   "__comment":  "  of document Device Class Definition for HID Version 1.11",
   "__comment":  "  - byte 1: Modifier keys",
   "__comment":  "  - byte 2: Reserved",
   "__comment":  "  - byte 3: Keycode 1",
   "__comment":  " ",
   "__comment":  "Both documents can be obtained from link here",
   "__comment":  " http://www.usb.org/developers/hidpage/",
   "__comment":  " ",
   "__comment":  "A = LeftShift + a, { = LeftShift + [",
   "__comment":  " ",
   "CTRL":       "01,00,00",
   "CONTROL":    "01,00,00",
   "SHIFT":      "02,00,00",
   "ALT":        "04,00,00",
   "GUI":        "08,00,00",
   "WINDOWS":    "08,00,00",
   "CTRL-ALT":   "05,00,00",
   "CTRL-SHIFT": "03,00,00",
   "ALT-SHIFT":  "06,00,00",
   "__comment":             "Below 5 key combinations are for Mac OSX",
   "__comment":             "Example: (COMMAND-OPTION SHIFT t) to open terminal",
   "COMMAND":               "08,00,00",
   "COMMAND-CTRL":          "09,00,00",
   "COMMAND-CTRL-SHIFT":    "0B,00,00",
   "COMMAND-OPTION":        "0C,00,00",
   "COMMAND-OPTION-SHIFT":  "0E,00,00",
   "a":          "00,00,04",
   "A":          "02,00,04",
   "b":          "00,00,05",
   "B":          "02,00,05",
   "c":          "00,00,06",
   "C":          "02,00,06",
   "d":          "00,00,07",
   "D":          "02,00,07",
   "e":          "00,00,08",
   "E":          "02,00,08",
   "f":          "00,00,09",
   "F":          "02,00,09",
   "g":          "00,00,0a",
   "G":          "02,00,0a",
   "h":          "00,00,0b",
   "H":          "02,00,0b",
   "i":          "00,00,0c",
   "I":          "02,00,0c",
   "j":          "00,00,0d",
   "J":          "02,00,0d",
   "k":          "00,00,0e",
   "K":          "02,00,0e",
   "l":          "00,00,0f",
   "L":          "02,00,0f",
   "m":          "00,00,10",
   "M":          "02,00,10",
   "n":          "00,00,11",
   "N":          "02,00,11",
   "o":          "00,00,12",
   "O":          "02,00,12",
   "p":          "00,00,13",
   "P":          "02,00,13",
   "q":          "00,00,14",
   "Q":          "02,00,14",
   "r":          "00,00,15",
   "R":          "02,00,15",
   "s":          "00,00,16",
   "S":          "02,00,16",
   "t":          "00,00,17",
   "T":          "02,00,17",
   "u":          "00,00,18",
   "U":          "02,00,18",
   "v":          "00,00,19",
   "V":          "02,00,19",
   "w":          "00,00,1a",
   "W":          "02,00,1a",
   "x":          "00,00,1b",
   "X":          "02,00,1b",
   "y":          "00,00,1c",
   "Y":          "02,00,1c",
   "z":          "00,00,1d",
   "Z":          "02,00,1d",
   "1":          "00,00,1e",
   "!":          "02,00,1e",
   "2":          "00,00,1f",
   "\"":         "02,00,1f",
   "#":          "02,00,20",
   "4":          "00,00,21",
   "$":          "02,00,21",
   "5":          "00,00,22",
   "%":          "02,00,22",
   "6":          "00,00,23",
   "&":          "02,00,23",
   "7":          "00,00,24",
   "'":          "02,00,24",
   "8":          "00,00,25",
   "(":          "02,00,25",
   "9":          "00,00,26",
   ")":          "02,00,26",
   "0":          "00,00,27",
   "ENTER":      "00,00,28",
   "ESC":        "00,00,29",
   "ESCAPE":     "00,00,29",
   "BACKSPACE":  "00,00,2a",
   "TAB":        "00,00,2b",
   "ALT-TAB":    "04,00,2b",
   "SPACE":      "00,00,2c",
   " ":          "00,00,2c",
   "-":          "00,00,2d",
   "=":          "02,00,2d",
   "^":          "00,00,2e",
   "~":          "02,00,2e",
   "@":          "00,00,2f",
   "`":          "02,00,2f",
   "[":          "00,00,30",
   "{":          "02,00,30",
   "]":          "00,00,32",
   "}":          "02,00,32",
   ";":          "00,00,33",
   "+":          "02,00,33",
   ":":          "00,00,34",
   "*":          "02,00,34",
   ",":          "00,00,36",
   "<":          "02,00,36",
   ".":          "00,00,37",
   ">":          "02,00,37",
   "\/":         "00,00,38",
   "?":          "02,00,38",
   "CAPSLOCK":   "00,00,39",
   "F1":         "00,00,3a",
   "F2":         "00,00,3b",
   "F3":         "00,00,3c",
   "F4":         "00,00,3d",
   "F5":         "00,00,3e",
   "F6":         "00,00,3f",
   "F7":         "00,00,40",
   "F8":         "00,00,41",
   "F9":         "00,00,42",
   "F10":        "00,00,43",
   "F11":        "00,00,44",
   "F12":        "00,00,45",
   "PRINTSCREEN":"00,00,46",
   "SCROLLLOCK": "00,00,47",
   "PAUSE":      "00,00,48",
   "BREAK":      "00,00,48",
   "INSERT":     "00,00,49",
   "HOME":       "00,00,4a",
   "PAGEUP":     "00,00,4b",
   "DELETE":     "00,00,4c",
   "DEL":        "00,00,4c",
   "END":        "00,00,4d",
   "PAGEDOWN":   "00,00,4e",
   "RIGHTARROW": "00,00,4f",
   "RIGHT":      "00,00,4f",
   "LEFTARROW":  "00,00,50",
   "LEFT":       "00,00,50",
   "DOWNARROW":  "00,00,51",
   "DOWN":       "00,00,51",
   "UPARROW":    "00,00,52",
   "UP":         "00,00,52",
   "NUMLOCK":    "00,00,53",
   "MENU":       "00,00,65”,
   "APP":        "00,00,65",
   "\\":         "00,00,87",
   "_":          "02,00,87",
   "\\":         "00,00,89",
   "|":          "02,00,89"
}

There are still some caveats I need to work out, somehow I can't get " ¥,| "(USB HID Keycode 87) and " ¥_ "(USB HID Keycode 89) to work but the rest seems fine. (I suspect that this is due to the fact these keys do not exist on a regular 101-US keyboard and there are no modifier combinations to trigger it neither, which is gonna be problematic since they are used as a backslash in file paths. But I'll work some more to figure it out.)

Workaround for Windows:

For Windows you can use powershell to set the layout to a US keyboard by using "New-WinUserLanguageList en-US", which installs a US-keyboard layout then issue a "Set-WinUserLanguageList -LanguageList en-US" to set the default layout to a US keyboard , its a bit slower but if you have the time, this way is easier, you do need to reset the settings with issuing another Set-WinUserLanguageList -LanguageList [WHATEVERLANGUAGE] it was, otherwise the compromise will be detected. 

----sample payload.txt---

#!/bin/bash
ATTACKMODE HID VID 0x45E PID 0x07B3
Q SET_LANGUAGE ja
Q DELAY 5000
Q STRING starting with ja language option
Q ENTER
Q switch1/quack.txt
Q ENTER
Q DELAY 200
Q ENTER
STRING done
LED R

---quack.txt( to test basic and special characters.)---

STRING quacking
DELAY 2000
ENTER
DELAY 750
STRING abcdefghijklmnop
DELAY 500
ENTER
STRING ABCDEFGHIJKLMNOP
DELAY 500
ENTER
STRING 1234567890-^\ 
DELAY 500
ENTER
STRING !"#$%&'()0=~|
DELAY 500
ENTER
STRING @[;:],./
DELAY 500
ENTER
STRING `{+*}<>?
DELAY 500
ENTER 

 

 

 

 

 

 

Link to post
Share on other sites

Nice tutorial, I will surely will take use of it since I already have a fairly good enough mapping for german from my Ducky2Digi transpiler. (Since a ducky was to expensive / not worth it for me, I once bought a small crappy arduino alternative and were to lazy to translate all ducky payloads by hand so I took the definetly smaller effort of writing a small compiler :P)

Link to post
Share on other sites

So if the case your target is a Windows operating system with powershell, you could setup 2 Set-WinUserLanguageList payloads.

1.To set the keyboard layout to the en-US. (US keyboard layout)

2.To set it back to whatever layout you want.

--------Example payload.txt---

#!/bin/bash
ATTACKMODE HID VID_0x45E PID_0x0061
Q DELAY 4000
Q switch1/setUS.txt   <-------- This sets the layout to en-US
Q DELAY 2000
Q switch1/quack.txt  <------ Actual payload script
Q ENTER
Q DELAY 500
Q switch1/setJP.txt  <-------- Reset it back to default layout. 
LED R

 

------Example SetUS.txt -----

GUI r
DELAY 500
STRING powershell -windowstyle hidden Set-WinUserLanguageList -LanguageList en-US -force
ENTER

------quack.txt (character testing payload) -----

GUI r
DELAY 1000
STRING notepad.exe
ENTER
DELAY 2000

STRING quacking
DELAY 2000
ENTER
DELAY 750
STRING abcdefghijklmnopqrstuvwxyz
DELAY 1000
ENTER
STRING ABCDEFGHIJKLMNOPQRSTUVWXYZ
DELAY 1000
ENTER
STRING 1234567890-^\\
DELAY 500

ENTER

STRING !"#$%&'()0=~|
DELAY 500
ENTER
STRING @[;:],./
DELAY 500
ENTER
STRING `{+*}<>?
DELAY 500
ENTER 

 

the powershell parameters "-windowstyle hidden" and "-force" will run the powershell without any need for confirmation. 

 

 

 

Link to post
Share on other sites
  • 4 weeks later...

So yea, I think the issue is with basic keys that don't exist on a US keyboard. (which could include media keys like Volume UP etc) .

I assume this is due to the HID descriptor being passed, however not  sure if modifying the HID descriptor is the way to go...
 

so for now using powershell to remap the default keyboard layout seems the safest way to go.

Link to post
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...