BadUsb

Zet

hst.tw

About

  • AV byapss
  • PWN
  • Loser

blog.zet.tw

一些廢話

  • 沒有太多的技術成分
  • 一些資料的整理

badusb

  • usb rubber ducky
  • teensy
  • kali-nethunter

HID(Human Interface Device)

USB Rubber Ducky

teensy

  • Social-Engineer Toolkit (SET)
  • Kautilya

kali-nethunter

  • Nexus 5,7,10
  • BadUSB MITM attacks
  • USB HID Keyboard attacks

想督哪就督哪

Make a badusb

8051 CPU

firmware

Mass storage 

Bootloader 

PS2251-03

Reprogramming

  • Find leaked firmware and flash tool on the net 
  • Load into disassembler 
  • Add hooks to firmware to add/change  functionality  
  • Custom linker script compiles C and assembly code and injects it into unused areas of original firmware

Supported Devices

  • Patriot 8GB Supersonic Xpress*
  • Kingston DataTraveler 3.0 T111 8GB
  • Silicon power marvel M60 64GB
  • Patriot Stellar 64 Gb Phison

Firmware+Burner

PS2251-03 flash chip

Burner   :   BN03V104M.BIN

T00ls



>tools\DriveCom.exe /drive=D /action=GetInfo

Action specified: GetInfo
Gathering information...
Reported chip type: 2303
Reported chip ID: 98-DE-84-93-72-D7
Reported firmware version: 1.01.10
Mode: BootMode

Get Info

Custom Firmware

payload

inject

USB

Flashing

Payload

java -jar encoder.jar -i code.txt -o inject.bin
DELAY 3000
GUI r
DELAY 200
STRING notepad
ENTER
DELAY 200
STRING hello
ENTER
STRING hack stuff
ENTER

Code.txt

Custom Firmware

payload

inject

USB

Flashing

Build Firmware

  • firmware\build.bat
  • tools\EmbedPayload.exe inject.bin fw.bin

inject

Custom Firmware

payload

inject

USB

Flashing

tools\DriveCom.exe /drive=D /action=SetBootMode
tools\DriveCom.exe /drive=D /action=SendExecutable /burner=bn.bin
tools\DriveCom.exe /drive=D /action=SendFirmware /burner=bn.bin /firmware=fw.bin

SendFirmware

完成

Demo

MPALL v3.71.0A_03 MLC

overwrite and restore 

Other

  • powershell
  • shellcode
  • metasploit
  • SET

Demo

powershell+shellcode

http://www.hst.tw/2013/06/powershellshellcode.html

bad-usb

By Zet Tain

Made with Slides.com

bad-usb

  • 18,129