Hak5 Forums
jjd

HID Escaping Special Characters Not Working


I can't get this to work! I found another thread when searching for how to escape special chars, but it seems not to work for me. Copying that code

 
Q STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)

in my bunny outputs this to notepad

 
$Bunny = (gwmi win32_volume -f <label=<<BashBunny<<< ~ Select-Object -ExpandProperty DriveLetter)

the code from the WiPassDump payload

Q STRING '.((gwmi win32_volume -f '"'"'label='"''"'BashBunny'"'''"').Name+'"'"'payloads/'

outputs

.((gwmi win32_volume -f <label=<<BashBunny<<<).Name+<payloads#)

and this

 
Q STRING '$a = Get-WmiObject -Class Win32_Volume -Filter "Label='BashBunny'" | select -expand Name'

outputs

 
$a = Get-WmiObject -Class Win32_Volume -Filter @Label=BashBunny@ ~ select -expand Name

This is what made me realize that I needed to escape them.

This works the same on both Windows and Mac clients. I am in Canada (not French Canada) and my language (on PC) is set to English US.

anyone have any ideas? I have tried setting 

QUACK SET_LANGUAGE us

but it does not seem to help; us.json is all that's in my languages folder.

 

any ideas?

Edited by jjd


One thing that I noticed that may or may not be relevant here is that sometimes editing a payload in something like WordPad will change normal quotations to the slanted ones.. (forgetting what that's called). I had to manually paste in the "


That would do it, but I have only used nano, Notepad++ and Brackets (a Mac programming editor)


This is driving me crazy! It seemed to work for about 15 minutes tonight, then trying again it didn't.....

It would be great to get an official response about how escaping should work so I could know if it's me or the hardware.

Some things seem to escape with ' some with \

None of the payloads that use any sort of special char work for me at all.... Maybe that means it's not me but rather the hardware? I would think it should work with the payloads from the git?

Just now, illwill said:

use backslashes instead of doublequotes to escape

Yeah, I tried that... from my first post:

 
 STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)

in my bunny outputs this to notepad

$Bunny = (gwmi win32_volume -f <label=<<BashBunny<<< ~ Select-Object -ExpandProperty DriveLetter)

 

 

if you see anything wrong with the escaping please tell me because I have no ideas


yeah... computer language is set to English US though :( and haven't changed language on the bash bunny


Still not sure what the issue was, but I got so frustrated I did a firmware recovery, and after resetting up the bunny the exact same way as last time it seems to work now...... I like the bunny more today

Edited by jjd

On 3/24/2017 at 6:05 PM, jjd said:

Yeah, I tried that... from my first post:



 

 STRING \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)

in my bunny outputs this to notepad


$Bunny = (gwmi win32_volume -f <label=<<BashBunny<<< ~ Select-Object -ExpandProperty DriveLetter)

 

 

if you see anything wrong with the escaping please tell me because I have no ideas

Hmm, try this.

 

In your Notepad++, make sure your encoding is UTF8, located in the lower right just left of the INS or OVR indicator.  Linux likes UTF8.

Right to the left of the encoding, I would make sure the Windows CR LF is Unix LF. (I do most of my editing in Linux).

Last, try doing this to lessen how much escaping you have to do: encapsulate your quacked string in double quotes.  When you do that you only have to escape the $'s and any additional double quotes you want to use in your string before the ending double quote.  So, your quack string should look like this:

STRING "\$Bunny = (gwmi win32_volume -f \"label='BashBunny'\" |  Select-Object -ExpandProperty DriveLetter)"

I changed it a little bit to remove all the extra single quotes you had and stuff.  This should work as intended.  Try it.

 

 

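Added example (not written by any poster in this thread and not Hak5 code): it shows what the payload's shell leaves of each quoting style posted above before the text reaches QUACK, and checks a payload file for the curly quotes and CR LF line endings mentioned in the replies. `after_shell` is a hypothetical stand-in for QUACK STRING that only joins its arguments with spaces; `lint_payload` and `make_sample` are illustrative names and the sample file is constructed.

```shell
#!/bin/sh
# Stand-in for QUACK STRING (assumption): returns its arguments joined by one
# space, i.e. the text left after the payload's shell has processed the line.
after_shell() { printf '%s' "$*"; }

# The three quoting styles from the thread, copied as posted.
backslash_form() {
  after_shell \$Bunny \= \(gwmi win32_volume -f \'label\=\'\'BashBunny\'\'\' \|  Select-Object -ExpandProperty DriveLetter\)
}
double_quoted_form() {
  after_shell "\$Bunny = (gwmi win32_volume -f \"label='BashBunny'\" |  Select-Object -ExpandProperty DriveLetter)"
}
single_quoted_form() {
  # The inner '...' closes and reopens the outer quotes, so the shell drops them.
  after_shell '$a = Get-WmiObject -Class Win32_Volume -Filter "Label='BashBunny'" | select -expand Name'
}

# lint_payload FILE: report editor damage mentioned in the thread.
# Prints "crlf" for Windows line endings, "curly-quotes" for UTF-8
# typographic quotes, or "clean" when neither is present.
lint_payload() {
  cr=$(printf '\r')
  found=""
  if LC_ALL=C grep -q "$cr" "$1"; then found="crlf"; fi
  if LC_ALL=C grep -qF -e "$(printf '\342\200\230')" -e "$(printf '\342\200\231')" \
       -e "$(printf '\342\200\234')" -e "$(printf '\342\200\235')" "$1"; then
    found="${found:+$found }curly-quotes"
  fi
  printf '%s' "${found:-clean}"
}

# make_sample FILE: constructed payload with a curly opening quote and CR LF endings.
make_sample() {
  printf 'Q STRING \342\200\234hello"\r\nQ ENTER\r\n' > "$1"
}

for f in backslash_form double_quoted_form single_quoted_form; do
  printf '%s\n  %s\n' "$f" "$($f)"
done
tmp=$(mktemp); make_sample "$tmp"
printf 'lint: %s\n' "$(lint_payload "$tmp")"; rm -f "$tmp"
```

The backslash and double-quoted forms both survive the shell intact, while the single-quoted form loses the quotes around BashBunny, which matches the `Label=BashBunny` seen in the third output of the first post.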

I was having a similar problem and found a non-elegant knuckle-dragger workaround.
Let's say you want to inject keystrokes <keystrokes that I want to inject> into cmd or PowerShell.
If there are double quotes and a pair of single quotes somewhere between the double quotes, then everything else is injected as is. Your line could look like
Q STRING "<keystrokes that I want to inject> & '' "
The two ticks directly to the right of the ampersand are two single quotes.
This does cause an error, as '' is rightfully interpreted as garbage, but it will execute whatever is on the left of the ampersand correctly and will simply complain, then be ready for the next command.


Your computer's language (not the BB's) - is it set to US-International by any chance? Or some other US variant? If so, swap it to US. If you're already on US, swap it to US-International.

EDIT: Also, update to the latest firmware (1.2) and edit the config.txt folder that magically appeared in your BB's main folder. You can set the language in there using DUCKY_LANG us (already setup by default, though).

 

Edited by Dave-ee Jones

On 4/26/2017 at 1:34 AM, PoSHMagiC0de said:

Hmm, try this.

 

In your Notepad++, make sure your encoding is UTF8, located in the lower right just left of the INS or OVR indicator.  Linux likes UTF8.

Right to the left of the encoding, I would make sure the Windows CR LF is Unix LF. (I do most of my editing in Linux).

Last, try doing this to lessen how much escaping you have to do: encapsulate your quacked string in double quotes.  When you do that you only have to escape the $'s and any additional double quotes you want to use in your string before the ending double quote.  So, your quack string should look like this:

STRING "\$Bunny = (gwmi win32_volume -f \"label='BashBunny'\" |  Select-Object -ExpandProperty DriveLetter)"

I changed it a little bit to remove all the extra single quotes you had and stuff.  This should work as intended.  Try it.

 

 

The UTF8 thing saved my day :-)

