Arduboy keyboard emulation to deploy exploits

Hi guys. So I converted one of the USB rubber ducky keyboard payloads into something the Arduboy can run. It works but I believe with the talent we’ve seen in the community this idea can really grow!
Ways I think this can be developed that would make it superior to the USB Rubber Ducky: it's innocuous, and it has a display which you could use to make decisions as, or before, the payload is delivered, i.e. adapting to OS versions or defining the IP address of the listening device, entering other information like choosing from a list of FTP or email addresses to exfil to, or choosing which file types from a list you want to run a search for and then exfil.

I hope the real developers here have fun imagining the possibilities for this and I look forward to learning from you :smiley:

Here’s what I made:
https://mega.nz/#!rBFwGAqA!qet83PAOfzUGSg76UE-mRCFGM2UGwx3VZo3YRzRDYYs

Here’s the other payloads that you can use for inspiration:
http://ducktoolkit-411.rhcloud.com/ScriptSelection.jsp

And here’s a video of it in action - the really long delays in the delivery are A: to allow my sluggish VM not to miss keystrokes and B: because I intend to do a live demo of this at a job interview and am happy to trade off time for reliability:

2 Likes

OK, I won’t be able to see the video until later, but if you want to step up the “innocuous”, build a really simple game at the startup, with a secret button password to control entry to the interesting bits.

Something like a pong variant should consume very limited resources while remaining playable, but serve as a distraction to anyone who wants to see it powered on.

Alternatively, there is the “good Arduboy” variant of this, where the game is still the distraction, but once you password down to the lower level, it serves to act as your password manager over the USB keyboard connection.

Hey Shotgunscott,

First-off, that’s super cool. For some background, I’m a malware reverse-engineer/data security analyst.

Looks like you’re dumping a bunch of VBScript to a command line, then kicking it off. Looks like your command line is starting at C:\Windows\System32, which will happen if you start with admin privileges. If you’re talking about employing an exploit (and don’t mind splitting some hairs with me), you’re technically not. Unless your IEuser user isn’t originally an admin profile. In which case, that’s a crazy vuln that I’ve heard absolutely nothing about (Is that the case?)

What it looks like you’re really doing is opening a reverse shell on a remote host (which was installed with valid admin privileges). Dumping a Base64-encoded PE file is pretty tricky. Still cool, mind you. All you’d have to change is what code you’re kicking off to be correct (Again, unless I misunderstand your IEuser’s legit privileges).

Two things:

  1. This sounds like something I’ll have to think about for the corporate environment. This and anything that can act as a USB keyboard…
  2. We should have an ethics discussion before we help you out. Not to be a jerk or anything. If it’s for your own education, that’s 100% awesome and I totally get it.

So let’s talk - what is this for? Just impressing a potential employer?

(Ninja edit: According to the Duck Toolkit site, it does look like you need admin privileges to run these.)

rawsome

I wouldn’t be too hard on the guy for not including a privilege escalation on top of the code injection :P

What is it with all us security specialists in this forum!?!?!

My recollection is that Windows permanently records all enumerated USB devices (Device Manager / View > Show Hidden Devices). So, start looking for machines with “too many” keyboards.

Haha, shotgunscott gets a free security audit though! I think it’s an awesome use of the device. Not trying to capture the arduboy as a deployment device would be a shame. One day it may have enough storage to be one too!
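The "too many keyboards" hunt described above, written out as an added PowerShell example (not code from the thread or from the Arduboy project). It relies on `Get-PnpDevice` (Windows 8 / Server 2012 and later) and deliberately omits `-PresentOnly` so that hidden, unplugged entries are returned too; the expected keyboard count is an assumption to set per site.

```powershell
# Added example (not from the thread): inventory every keyboard-class device
# Windows has ever enumerated, present or not, so that a machine with "too many"
# keyboards can be flagged for follow-up.

function Get-KeyboardInventory {
    # -PresentOnly is omitted on purpose: hidden (currently unplugged) entries are the interesting ones.
    Get-PnpDevice -Class Keyboard | ForEach-Object {
        $id = $_.InstanceId
        $vendor = $null; $product = $null
        # HID/USB instance IDs carry VID_xxxx&PID_xxxx; PS/2 keyboards (ACPI\PNP0303) do not.
        if ($id -match 'VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') {
            $vendor = $matches[1]; $product = $matches[2]
        }
        [pscustomobject]@{
            Name       = $_.FriendlyName
            Present    = ($_.Status -eq 'OK')     # non-present devices report 'Unknown'
            Bus        = ($id -split '\\')[0]     # HID, USB, ACPI ...
            VendorId   = $vendor
            ProductId  = $product
            InstanceId = $id
        }
    }
}

function Test-TooManyKeyboards {
    # $Expected is an assumption: how many USB/HID keyboards a machine of this type legitimately has.
    param([int]$Expected = 1)
    $inventory = @(Get-KeyboardInventory)
    $usbHid = @($inventory | Where-Object { $_.VendorId })
    [pscustomobject]@{
        Total      = $inventory.Count
        UsbHid     = $usbHid.Count
        Suspicious = ($usbHid.Count -gt $Expected)
        Devices    = $inventory
    }
}

# Usage: summary first, then the full list so an analyst can see which VID/PID pairs are unexpected.
$result = Test-TooManyKeyboards -Expected 1
$result | Format-List Total, UsbHid, Suspicious
$result.Devices | Format-Table Name, Present, Bus, VendorId, ProductId -AutoSize
```

The count alone is a weak signal (docking stations and KVMs add keyboards legitimately), so the useful output is the VID/PID list: an unfamiliar vendor ID on a machine that should only ever see the corporate-issued keyboard is what to follow up on. Run this across a fleet with your usual remoting and diff the results against a baseline rather than alerting on a single host.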

Hi rawsome,

First off, yes, you’re right in your understanding of what this does: a VBScript to decode a B64 string and save it as a binary executable, and then the B64 string itself, which I understand is just netcat.
So the CMD starting at C:\Windows\System32\ is a result of starting it by hitting CTRL+SHIFT+ENTER, which is the same as right clicking and “Run as Administrator”. You’re absolutely right though: with the implementation of least privilege typically seen in the corporate environment, the user should not be able to do this.

Ethics wise there is zero interest for me to use this maliciously since my employability depends on maintaining a standard of trust. I share this because I know you guys can do it better and it’s a vector I don’t think is considered when securing our systems.

Thanks for the comments :smile:

1 Like

Yeah, it’s a shame about storage, but there are payloads that are designed to connect to external storage to exfil, assuming there is access to the internet on the target machine. Or even share every drive on the machine, disable the firewall, then spring up an access point using the target’s own Wi-Fi card. You could then exfiltrate whatever you wanted from a stand-off position.

1 Like

… and the whole time the Arduboy correctly says it is “charging”.

1 Like

Shotgunscott,

OK awesome! I don’t mind talking about it then :smile: I was a bit worried that I’d totally shot you down, I always hate when people are like that :confused:

So I don’t think that the Arduboy would be helpful for exfiltration, and punching in a script with the keyboard won’t likely work because of the privileges.

However, what about a tiny privilege escalation exploit, maybe written in assembly? That’d probably be small enough. Deploy that and push a small bot? Or your reverse shell/netcat.

That could most certainly be entered via keyboard, especially if you can get a hex-editor type piece of software on the machine you want to compromise.

And honestly, check out this malware (Kovter): http://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update

Essentially you use fileless persistence by living in the user’s registry, and abusing Windows’ native JavaScript execution engine.

You might not even need to get admin privs! You could always write this into the user’s registry hives and just remotely push software over a botnet-like infrastructure.

Long story short, this is still totally viable as an attack vector…
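The registry-resident persistence rawsome describes is exactly what an autorun review should catch, so here is the defender's side as an added PowerShell example (not code from the thread or from the linked Symantec write-up). It walks the per-user and machine Run/RunOnce keys and flags values that feed a script host inline code instead of a file path; the indicator regexes, the length threshold and the non-printable-name check are assumptions to tune for your environment.

```powershell
# Added example (not from the thread): flag Run/RunOnce values that look like
# fileless, script-host based persistence rather than an ordinary program path.

$script:AutorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed indicators: a script engine being launched, and code (not a file) handed to it.
$script:HostPattern       = 'mshta|rundll32|wscript|cscript|powershell'
$script:InlineCodePattern = 'javascript:|vbscript:|-enc(odedcommand)?\b|FromBase64String|ActiveXObject|GetObject\('
$script:MaxSaneLength     = 260   # assumption: a normal autorun value is a path plus a few switches

function Test-AutorunValue {
    param([string]$Name, [string]$Value)
    $reasons = @()
    if (($Value -match $script:HostPattern) -and ($Value -match $script:InlineCodePattern)) {
        $reasons += 'script host fed inline code'
    }
    if ($Value.Length -gt $script:MaxSaneLength) {
        $reasons += "value length $($Value.Length)"
    }
    # Value names outside printable ASCII are worth a look; localized software can
    # trigger this too, so treat it as a prompt for review, not a verdict.
    if ($Name -match '[^\x20-\x7E]') {
        $reasons += 'non-printable characters in value name'
    }
    [pscustomobject]@{
        Name       = $Name
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join ', ')
        Value      = $Value
    }
}

function Get-SuspiciousAutoruns {
    foreach ($key in $script:AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSParentPath, ...)
            $r = Test-AutorunValue -Name $p.Name -Value ([string]$p.Value)
            if ($r.Suspicious) {
                $r | Add-Member -NotePropertyName Key -NotePropertyValue $key -PassThru
            }
        }
    }
}

# Usage: review each hit by hand; the Value column shows exactly what would run at logon.
Get-SuspiciousAutoruns | Format-List Key, Name, Reasons, Value
```

Run it in the context of the user whose HKCU hive you want to inspect (or load other users' NTUSER.DAT hives and add them to `$script:AutorunKeys`), and pair it with a baseline from a known-clean build so that legitimate long values do not drown out the real findings.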

The use of the registry to store and execute malware is ingenious! Also something which could be delivered in this way. I’ll look into it, Thanks :smiley: