From c0093748930ce9479b0b96ced142884f9a60421e Mon Sep 17 00:00:00 2001 From: arrase Date: Sat, 1 Apr 2017 22:26:36 +0200 Subject: [PATCH 1/2] Mass Storage --- hid-gadget-test | Bin 15004 -> 0 bytes hid.sh | 21 +++++++++++++++++++-- install.sh | 30 ++++++++++++++++++++++++++++++ raspiducky.conf | 2 ++ 4 files changed, 51 insertions(+), 2 deletions(-) delete mode 100644 hid-gadget-test create mode 100644 install.sh create mode 100644 raspiducky.conf 
diff --git a/hid-gadget-test b/hid-gadget-test deleted file mode 100644 index 6100079752d4e119e8c5d8da42a0c3a5efcc27c8..0000000000000000000000000000000000000000 GIT binary patch
diff --git a/hid.sh b/hid.sh index 42ad106..8f72e84 100644 --- a/hid.sh +++ b/hid.sh 
@@ -1,8 +1,7 @@ #!/bin/bash -# modprobe libcomposite +. /etc/raspiducky/raspiducky.conf -# KEYBOARD cd /sys/kernel/config/usb_gadget/ mkdir -p g1 cd g1 @@ -15,6 +14,8 @@ echo "fedcba9876543210" > strings/0x409/serialnumber echo "Parasite Team" > strings/0x409/manufacturer echo "Raspiducky" > strings/0x409/product N="usb0" + +# KEYBOARD mkdir -p functions/hid.$N echo 1 > functions/hid.usb0/protocol echo 1 > functions/hid.usb0/subclass @@ -27,5 +28,21 @@ echo 250 > configs/c.$C/MaxPower ln -s functions/hid.$N configs/c.$C/ # End KEYBOARD +# STORAGE +if [ -e $STORAGE_FILE ] +then + [ -d $STORAGE_MOUNT ] || mkdir $STORAGE_MOUNT + mount -o loop,rw -t vfat $STORAGE_FILE $STORAGE_MOUNT + mkdir -p functions/mass_storage.usb0 + echo 1 > functions/mass_storage.usb0/stall + echo 0 > functions/mass_storage.usb0/lun.0/removable + echo 0 > functions/mass_storage.usb0/lun.0/cdrom + echo 0 > functions/mass_storage.usb0/lun.0/ro + echo 0 > functions/mass_storage.usb0/lun.0/nofua + echo $STORAGE_FILE > functions/mass_storage.usb0/lun.0/file + ln -s functions/mass_storage.usb0 configs/c.$C/ +fi +# End STORAGE + ls /sys/class/udc > UDC diff --git a/install.sh b/install.sh new file mode 100644 index 0000000..1f440b1 --- /dev/null +++ b/install.sh 
@@ -0,0 +1,30 @@ +#!/bin/bash + +INSTALL_DIR=/home/pi + +gcc hid-gadget-test.c -o $INSTALL_DIR/hid-gadget-test +cp usleep $INSTALL_DIR/ +cp duckpi.sh $INSTALL_DIR/ +cp hid.sh $INSTALL_DIR/ +cp run_payload.sh $INSTALL_DIR + +chmod 777 $INSTALL_DIR/hid-gadget-test +chmod 777 $INSTALL_DIR/usleep +chmod 777 $INSTALL_DIR/duckpi.sh +chmod 777 $INSTALL_DIR/hid.sh +chmod 777 $INSTALL_DIR/run_payload.sh + +[ -d /etc/raspiducky ] || sudo mkdir /etc/raspiducky +[ -f /etc/raspiducky/raspiducky.conf ] || sudo cp raspiducky.conf /etc/raspiducky/raspiducky.conf + +sudo echo "dtoverlay=dwc2" >> /boot/config.txt +sudo echo "dwc2" >> /etc/modules +sudo echo "libcomposite" >> /etc/modules + +cat /etc/rc.local | awk '/exit\ 0/ && c == 0 {c = 0; print "\n/home/pi/hid.sh\nsleep 3\n/home/pi/run_payload.sh\n"}; {print}' /etc/rc.local + +if ! [ -e /home/pi/usbdisk.img ] +then + dd if=/dev/zero of=/home/pi/usbdisk.img bs=1024 count=10000 + mkfs.vfat /home/pi/usbdisk.img +fi diff --git a/raspiducky.conf b/raspiducky.conf new file mode 100644 index 0000000..d171553 --- /dev/null +++ b/raspiducky.conf @@ -0,0 +1,2 @@ +STORAGE_FILE=/home/pi/usbdisk.img +STORAGE_MOUNT=/media/storage From f6a47e413900b05ca6f5c5b105938e4a508451e2 Mon Sep 17 00:00:00 2001 From: arrase Date: Sat, 1 Apr 2017 22:32:41 +0200 Subject: [PATCH 2/2] README --- README.md | 52 +++++++++++++--------------------------------------- 1 file changed, 13 insertions(+), 39 deletions(-) diff --git a/README.md b/README.md index 854300a..91484ff 100644 --- a/README.md +++ b/README.md 
@@ -1,51 +1,25 @@ # Raspiducky -Credits to Original Authors: +A Keyboard emulator like Rubber Ducky build over Raspberry Pi Zero -* Duckberry Pi: Jeff L. (Renegade_R - renegade_r65@hotmail.com) -* DroidDucky by Andrej Budincevic (https://github.com/anbud/DroidDucky) -* hardpass by girst (https://github.com/girst/hardpass) - -### Install: - -1) Flash the latest Raspbian Jessie image to an SD card - -2) Copy all the files (hid-gadget-test.c, duckpi.sh, usleep.c, run_payload.sh, hid.sh) to /home/pi - -3) Compile the hid-gadget-test program, this handles moving the text to the Human Interface Device driver: - - gcc hid-gadget-test.c -o hid-gadget-test - -4) Compile usleep, this is a basic function which is not natively supported in Raspbian and is used to account for delays in the program: - - make usleep - -5) Ensure all files and scripts are executable (chmod 755 ) +### Configuration -6) Activate the dwc2 drivers which allows the device to function in host mode when not connected to a PC: +* Run install script - echo "dtoverlay=dwc2" | sudo tee -a /boot/config.txt + chmod 777 install.sh + ./install.sh -9) Place dwc2 and libcomposite in the modules file to boot with the OS: +* Install a payload - echo "dwc2" | sudo tee /etc/modules - echo "libcomposite" | sudo tee /etc/modules - -10) Copy the following into your /etc/rc.local file. This allows you to place a "payload.dd" script in the "boot" drive that appears when you plug the SD card into a computer, it will then copy the file and format it for Unix (because Windows machines format the text differently): - - /home/pi/hid.sh - sleep 3 - /home/pi/run_payload.sh - -11) Copy the actual payload into /boot, this directory can also be accessed in Windows by simply placing your micro SD card into a card reader and copying it to the drive that appears. 
- - cat payloads/open_terminal/open_mint_terminal.dd payloads/backdoor/bind_shell.dd > /boot/payload.dd - -12) Place SD card into the Raspberry Pi Zero, plug it into the target host machine via USB cable in the peripheral micro USB port, NOT THE POWER PORT. A power cord is not required as the Pi Zero will take power directly from the host machine. - -13) Watch the script execute on the host machine + cat payloads/open_terminal/open_mint_terminal.dd payloads/backdoor/bind_shell.dd > /boot/payload.dd ### Resources: * Premade Ducky Scripts: https://github.com/hak5darren/USB-Rubber-Ducky/wiki * Original USB Rubber Ducky: http://usbrubberducky.com/#!index.md + +### Credits: + +* Duckberry Pi: Jeff L. (Renegade_R - renegade_r65@hotmail.com) +* DroidDucky by Andrej Budincevic (https://github.com/anbud/DroidDucky) +* hardpass by girst (https://github.com/girst/hardpass)
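
Review bot: in hid.sh (hunk `@@ -1,8 +1,7 @@`), the new first command `. /etc/raspiducky/raspiducky.conf` sources the file without checking that it exists or is readable. The script writes under /sys/kernel/config and is meant to be started from /etc/rc.local, so the file is executed as root shell code. If it is missing, bash reports the error and carries on with STORAGE_FILE and STORAGE_MOUNT unset. Guard the line, for example `[ -r /etc/raspiducky/raspiducky.conf ] && . /etc/raspiducky/raspiducky.conf`, and state in a comment that the file must stay root-owned and not writable by other users.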
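
Review bot: in the STORAGE block of hid.sh (hunk `@@ -27,5 +28,21 @@`), the image is loop-mounted read-write on the Pi with `mount -o loop,rw -t vfat $STORAGE_FILE $STORAGE_MOUNT`, and the same file is then exported to the USB host through `lun.0/file` with `lun.0/ro` set to 0. Two independent writers on one vfat image with no coordination will corrupt it; choose one writer, either by exporting read-only (`echo 1 > functions/mass_storage.usb0/lun.0/ro`) or by mounting the local side read-only. The expansions are also unquoted: with an empty STORAGE_FILE, `[ -e $STORAGE_FILE ]` collapses to `[ -e ]`, which is true, so the block runs with no backing file. Quote every `$STORAGE_FILE` and `$STORAGE_MOUNT`, use `mkdir -p` for the mount point, and check the result of `mount` before creating the gadget function.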
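
Review bot: in install.sh, the five `chmod 777` lines leave hid-gadget-test, usleep, duckpi.sh, hid.sh and run_payload.sh world-writable, while the rc.local snippet on the awk line starts /home/pi/hid.sh and /home/pi/run_payload.sh at boot; any local user could then alter code that runs as root. Use 755, as the removed README step did, and consider root ownership for the two boot-time scripts. Two other lines do not do what they appear to. `sudo echo "dtoverlay=dwc2" >> /boot/config.txt` and the two /etc/modules lines perform the redirect in the calling shell rather than under sudo, and they append a duplicate entry on every run; the removed README piped into `sudo tee` instead. The awk command names /etc/rc.local as its file argument, so the piped `cat` is ignored, and its output goes only to stdout, so /etc/rc.local is never changed; `c == 0 {c = 0; ...}` also never changes `c`, so it does not limit the insert to the first `exit 0` match.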
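
Review bot: in README.md, the new "Configuration" section does not mention /etc/raspiducky/raspiducky.conf or its STORAGE_FILE and STORAGE_MOUNT keys, which are the only configuration this series introduces; document both keys with the defaults from raspiducky.conf. The rewrite also removes every statement of what is changed on the system (dwc2 overlay in /boot/config.txt, entries in /etc/modules, the rc.local hook, the 10000 KiB usbdisk.img), so a reader running install.sh no longer knows what it touches; list those changes and say that the script needs the sources (hid-gadget-test.c) in the current directory. `chmod 777 install.sh` should be `chmod 755 install.sh`, and "build over" in the description should read "built on".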