COMMAND SPACE not working with new Rubber Ducky on Mac

[cooltone]

Hi,

I have the newest version Rubber Ducky and am testing it out on Mac. I'm trying to use one of the demo payloads to open Spotlight, then launch TextEdit to type a message. I'm compiling the following code using Payload Studio:

REM Mac string typing test
DELAY 3000
ATTACKMODE HID STORAGE VID_05AC PID_0201 MAN_HAK5 PROD_DUCKY SERIAL_1337
DELAY 2000
REM Open Spotlight Search
COMMAND SPACE
REM Open the text editor
STRING TextEdit
ENTER
DELAY 2000
COMMAND n
DELAY 2000
STRING Hello, World!

It seems like the COMMAND SPACE line doesn't work because Spotlight never opens. But if I plug in the Ducky with TextEdit already launched, it types the "TextEdit" string and then launches a new document with COMMAND n. So the keystrokes are being transmitted (including COMMAND) but it's the SPACE part which is not working.

Does anyone know what could be causing this?

[dark_pyrro]

What tool do you use to encode the inject.bin file? The JS Encoder or Payload Studio? At least for JS Encoder, you might need to change the code since it cuts things making it not run/encode properly. If so, check this thread and try that edit in the JS encoder html file.

 

[cooltone]

Thanks for replying – I'm using Payload Studio through the Hak5 site, not the JS encoder.

One bit of progress I've made is getting the F4 keystroke to work, which I also couldn't use before. That required setting a different keyboard PID (0220) but this doesn't fix the COMMAND SPACE issue. But perhaps another PID will get that working.

[dark_pyrro]

I'm no Mac person, have you tried PID_021E

[rexmoxpaw]

I'm having the same issue while using the DuckyScript provided here. Hope to see a solution 🙂

[iamthedevil]

I'm having this exact same issue. I am also using the Hak5 Payload Studio for crafting my payloads.

[dark_pyrro]

I guess the Payload Studio may suffer from the same issue as the JS Encoder does. I generated a payload containing only

COMMAND SPACE

and encoded it with both Payload Studio and the JS Encoder. I then opened the two different inject.bin files in a hex editor and the contents were the same. But, after adjusting the JS Encoder in the way that eliminates the issues that multiple combinations of words/commands gets cut (linked in a post above), the JS Encoder produced a different output. Since the modified JS Encoder should produce a correct output that works, I assume that something is broken in Payload Studio.

[dark_pyrro]

I reported it on Discord. It should now be looked at to see if it's the above or any other issue that creates this problem.

[Korben]

Will report back here when its fixed and live 🙂

Sorry for the inconvenience everyone

[user1829]

For now this workaround works for me.

INJECT_MOD
HOLD COMMAND
SPACE
RESET

I also had issues with the RELEASE COMMAND not working so I had to use RESET.

[istone]

That doesn't work for me.

[Darren Kitchen]

30 minutes ago, istone said:

That doesn't work for me.

@Korben will be releasing a new version of PayloadStudio shortly which addresses this issue. It's fixed in the beta version for anyone using that version for testing now. I have confirmed `COMMAND SPACE` working on my mac. 

[Korben]

PayloadStudio 1.1.0 is out and addresses this issue.