DocRock3r/pico-ducky
1
0
Fork 0
mirror of https://github.com/dbisu/pico-ducky.git synced 2025-12-06 02:41:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Adds Keystroke Reflection Exfoliation (#335)

Browse Source 
* Adds Hak5's Keystroke Reflection Exfoliation

Adds a way to read in caps, scroll, and num lock so that you can export information from the attack into a loot.bin. Has some caveats on how it works

* Fixed programing status bug
This commit is contained in:
Cheesy
2025-11-16 17:15:54 -08:00
committed by GitHub
parent ca88c6c159
commit d730a804e0
3 changed files with 154 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
boot.py
View File

@@ -7,7 +7,20 @@ from board import *
import board import board
import digitalio import digitalio
import storage import storage
import os
def is_exfil_enabled(payload_path="payload.dd"):
try:
with open(payload_path, "r") as f:
for line in f:
if "$_EXFIL_MODE_ENABLED" in line and "TRUE" in line.upper():
return True
except OSError:
pass
return False
exfil_enabled = is_exfil_enabled()
loot_exists = "loot.bin" in os.listdir("/")
noStorage = False noStorage = False
noStoragePin = digitalio.DigitalInOut(GP15) noStoragePin = digitalio.DigitalInOut(GP15)
noStoragePin.switch_to_input(pull=digitalio.Pull.UP) noStoragePin.switch_to_input(pull=digitalio.Pull.UP)
@@ -23,7 +36,9 @@ noStorageStatus = noStoragePin.value
# Pico W: # Pico W:
# GP15 not connected == USB NOT visible # GP15 not connected == USB NOT visible
# GP15 connected to GND == USB visible # GP15 connected to GND == USB visible
if exfil_enabled:
if not loot_exists:
storage.disable_usb_drive()
if(board.board_id == 'raspberry_pi_pico' or board.board_id == 'raspberry_pi_pico2'): if(board.board_id == 'raspberry_pi_pico' or board.board_id == 'raspberry_pi_pico2'):
# On Pi Pico, default to USB visible # On Pi Pico, default to USB visible
noStorage = not noStorageStatus noStorage = not noStorageStatus
@@ -39,3 +54,5 @@ if(noStorage == True):
else: else:
# normal boot # normal boot
print("USB drive enabled") print("USB drive enabled")

34
code.py
View File

@@ -5,8 +5,8 @@
import supervisor import supervisor
import os
import pwmio
import time import time
import digitalio import digitalio
from board import * from board import *
@@ -47,20 +47,22 @@ elif(board.board_id == 'raspberry_pi_pico_w' or board.board_id == 'raspberry_pi_
led = digitalio.DigitalInOut(board.LED) led = digitalio.DigitalInOut(board.LED)
led.switch_to_output() led.switch_to_output()
async def run_payload_on_startup():
progStatus = False progStatus = False
progStatus = getProgrammingStatus() progStatus = getProgrammingStatus()
print("progStatus", progStatus) print("progStatus", progStatus)
if(progStatus == False): if(progStatus == False):
print("Finding payload") print("Finding payload")
# not in setup mode, inject the payload if "loot.bin" in os.listdir("/"):
print("loot.bin exists, skipping payload execution.")
else:
payload = selectPayload() payload = selectPayload()
print("Running ", payload) await asyncio.sleep(0.1)
runScript(payload) print("Running")
awaitrunScript(payload)
else:
print("Done") print("Done")
else:
print("Update your payload")
led_state = False led_state = False
@@ -68,15 +70,17 @@ async def main_loop():
global led,button1 global led,button1
button_task = asyncio.create_task(monitor_buttons(button1)) button_task = asyncio.create_task(monitor_buttons(button1))
payload_task = asyncio.create_task(run_payload_on_startup())
led_task = asyncio.create_task(monitor_led_changes())
if(board.board_id == 'raspberry_pi_pico_w' or board.board_id == 'raspberry_pi_pico2_w'): if(board.board_id == 'raspberry_pi_pico_w' or board.board_id == 'raspberry_pi_pico2_w'):
pico_led_task = asyncio.create_task(blink_pico_w_led(led)) pico_led_task = asyncio.create_task(blink_pico_w_led(led))
print("Starting Wifi") print("Starting Wifi")
startWiFi() startWiFi()
print("Starting Web Service") print("Starting Web Service")
webservice_task = asyncio.create_task(startWebService()) webservice_task = asyncio.create_task(startWebService())
await asyncio.gather(pico_led_task, button_task, webservice_task) await asyncio.gather(pico_led_task, button_task, webservice_task, payload_task, led_task)
else: else:
pico_led_task = asyncio.create_task(blink_pico_led(led)) pico_led_task = asyncio.create_task(blink_pico_led(led))
await asyncio.gather(pico_led_task, button_task) await asyncio.gather(pico_led_task, button_task, payload_task, led_task )
asyncio.run(main_loop()) asyncio.run(main_loop())

96
duckyinpython.py
View File

@@ -5,7 +5,6 @@
# TODO: ADD support for the following: # TODO: ADD support for the following:
# Add jitter # Add jitter
# Add LED functionality # Add LED functionality
import re import re
import time import time
import random import random
@@ -14,7 +13,6 @@ from digitalio import DigitalInOut, Pull
from adafruit_debouncer import Debouncer from adafruit_debouncer import Debouncer
import board import board
from board import * from board import *
import pwmio
import asyncio import asyncio
import usb_hid import usb_hid
from adafruit_hid.keyboard import Keyboard from adafruit_hid.keyboard import Keyboard
@@ -39,6 +37,24 @@ def _numOn():
def _scrollOn(): def _scrollOn():
return kbd.led_on(Keyboard.LED_SCROLL_LOCK) return kbd.led_on(Keyboard.LED_SCROLL_LOCK)
def pressLock(key):
kbd.press(key)
kbd.release(key)
def SaveKeyboardLedState():
variables["$_INITIAL_SCROLLLOCK"] = _scrollOn()
variables["$_INITIAL_NUMLOCK"] = _numOn()
variables ["$_INITIAL_CAPSLOCK"] = _capsOn()
def RestoreKeyboardLedState():
if(variables["$_INITIAL_CAPSLOCK"] != _capsOn()):
pressLock(Keycode.CAPS_LOCK)
if(variables["$_INITIAL_NUMLOCK"] != _numOn()):
pressLock(Keycode.NUM_LOCK)
if(variables["$_INITIAL_SCROLLLOCK"] != _scrollOn()):
pressLock(Keycode.SCROLL_LOCK)
duckyKeys = { duckyKeys = {
'WINDOWS': Keycode.GUI, 'RWINDOWS': Keycode.RIGHT_GUI, 'GUI': Keycode.GUI, 'RGUI': Keycode.RIGHT_GUI, 'COMMAND': Keycode.GUI, 'RCOMMAND': Keycode.RIGHT_GUI, 'WINDOWS': Keycode.GUI, 'RWINDOWS': Keycode.RIGHT_GUI, 'GUI': Keycode.GUI, 'RGUI': Keycode.RIGHT_GUI, 'COMMAND': Keycode.GUI, 'RCOMMAND': Keycode.RIGHT_GUI,
'APP': Keycode.APPLICATION, 'MENU': Keycode.APPLICATION, 'SHIFT': Keycode.SHIFT, 'RSHIFT': Keycode.RIGHT_SHIFT, 'APP': Keycode.APPLICATION, 'MENU': Keycode.APPLICATION, 'SHIFT': Keycode.SHIFT, 'RSHIFT': Keycode.RIGHT_SHIFT,
@@ -71,7 +87,7 @@ duckyConsumerKeys = {
'MK_PP': ConsumerControlCode.PLAY_PAUSE, 'MK_STOP': ConsumerControlCode.STOP 'MK_PP': ConsumerControlCode.PLAY_PAUSE, 'MK_STOP': ConsumerControlCode.STOP
} }
variables = {"$_RANDOM_MIN": 0, "$_RANDOM_MAX": 65535} variables = {"$_RANDOM_MIN": 0, "$_RANDOM_MAX": 65535,"$_EXFIL_MODE_ENABLED": False,"$_EXFIL_LEDS_ENABLED": False,"$_INITIAL_SCROLLLOCK": False, "$_INITIAL_NUMLOCK": False, "$_INITIAL_CAPSLOCK": False}
internalVariables = {"$_CAPSLOCK_ON": _capsOn, "$_NUMLOCK_ON": _numOn, "$_SCROLLLOCK_ON": _scrollOn} internalVariables = {"$_CAPSLOCK_ON": _capsOn, "$_NUMLOCK_ON": _numOn, "$_SCROLLLOCK_ON": _scrollOn}
defines = {} defines = {}
functions = {} functions = {}
@@ -181,6 +197,9 @@ def evaluateExpression(expression):
expression = expression.replace("&&", "and") expression = expression.replace("&&", "and")
expression = expression.replace("||", "or") expression = expression.replace("||", "or")
expression = expression.replace("TRUE", "True")
expression = expression.replace("FALSE", "False")
return eval(expression, {}, variables) return eval(expression, {}, variables)
def deepcopy(List): def deepcopy(List):
@@ -238,7 +257,7 @@ def replaceDefines(line):
line = line.replace(define, value) line = line.replace(define, value)
return line return line
def parseLine(line, script_lines): async def parseLine(line, script_lines):
global defaultDelay, variables, functions, defines global defaultDelay, variables, functions, defines
line = line.strip() line = line.strip()
line = line.replace("$_RANDOM_INT", str(random.randint(int(variables.get("$_RANDOM_MIN", 0)), int(variables.get("$_RANDOM_MAX", 65535))))) line = line.replace("$_RANDOM_INT", str(random.randint(int(variables.get("$_RANDOM_MIN", 0)), int(variables.get("$_RANDOM_MAX", 65535)))))
@@ -257,6 +276,7 @@ def parseLine(line, script_lines):
commandKeycode = duckyKeys.get(key, None) commandKeycode = duckyKeys.get(key, None)
if commandKeycode: if commandKeycode:
kbd.press(commandKeycode) kbd.press(commandKeycode)
else: else:
print(f"Unknown key to HOLD: <{key}>") print(f"Unknown key to HOLD: <{key}>")
elif line.startswith("RELEASE"): elif line.startswith("RELEASE"):
@@ -403,6 +423,17 @@ def parseLine(line, script_lines):
sendString(random.choice(letters + letters.upper() + numbers + specialChars)) sendString(random.choice(letters + letters.upper() + numbers + specialChars))
elif line == "RESET": elif line == "RESET":
kbd.release_all() kbd.release_all()
elif line == "SAVE_HOST_KEYBOARD_LOCK_STATE":
SaveKeyboardLedState()
elif line == "RESTORE_HOST_KEYBOARD_LOCK_STATE":
RestoreKeyboardLedState()
elif line == "WAIT_FOR_SCROLL_CHANGE":
last_scroll_state = _scrollOn()
while True:
current_scroll_state = _scrollOn()
if current_scroll_state != last_scroll_state:
break
await asyncio.sleep(0.01)
elif line in functions: elif line in functions:
updated_lines = [] updated_lines = []
inside_while_block = False inside_while_block = False
@@ -454,7 +485,7 @@ def getProgrammingStatus():
defaultDelay = 0 defaultDelay = 0
def runScript(file): async def runScript(file):
global defaultDelay global defaultDelay
duckyScriptPath = file duckyScriptPath = file
@@ -479,7 +510,7 @@ def runScript(file):
restart = False restart = False
break break
else: else:
parseLine(line, script_lines) await parseLine(line, script_lines)
previousLine = line previousLine = line
time.sleep(float(defaultDelay) / 1000) time.sleep(float(defaultDelay) / 1000)
except OSError as e: except OSError as e:
@@ -524,10 +555,14 @@ async def blink_led(led):
elif(board.board_id == 'raspberry_pi_pico_w' or board.board_id == 'raspberry_pi_pico2_w'): elif(board.board_id == 'raspberry_pi_pico_w' or board.board_id == 'raspberry_pi_pico2_w'):
blink_pico_w_led(led) blink_pico_w_led(led)
async def blink_pico_led(led): async def blink_pico_led(led):
print("starting blink_pico_led") print("starting blink_pico_led")
led_state = False led_state = False
while True: while True:
if(variables.get("$_EXFIL_LEDS_ENABLED")):
led.duty_cycle = 65535
else:
if led_state: if led_state:
#led_pwm_up(led) #led_pwm_up(led)
#print("led up") #print("led up")
@@ -552,6 +587,9 @@ async def blink_pico_w_led(led):
print("starting blink_pico_w_led") print("starting blink_pico_w_led")
led_state = False led_state = False
while True: while True:
if(variables.get("$_EXFIL_LEDS_ENABLED")):
led.value = 1
else:
if led_state: if led_state:
#print("led on") #print("led on")
led.value = 1 led.value = 1
@@ -564,6 +602,7 @@ async def blink_pico_w_led(led):
led_state = True led_state = True
await asyncio.sleep(0.5) await asyncio.sleep(0.5)
async def monitor_buttons(button1): async def monitor_buttons(button1):
global inBlinkeyMode, inMenu, enableRandomBeep, enableSirenMode,pixel global inBlinkeyMode, inMenu, enableRandomBeep, enableSirenMode,pixel
print("starting monitor_buttons") print("starting monitor_buttons")
@@ -588,8 +627,51 @@ async def monitor_buttons(button1):
# Run selected payload # Run selected payload
payload = selectPayload() payload = selectPayload()
print("Running ", payload) print("Running ", payload)
runScript(payload) await runScript(payload)
print("Done") print("Done")
button1Down = False button1Down = False
await asyncio.sleep(0) await asyncio.sleep(0)
async def monitor_led_changes():
print("starting monitor_led_changes")
while True:
if variables.get("$_EXFIL_MODE_ENABLED"):
try:
bit_list = []
last_caps_state = _capsOn()
last_num_state = _numOn()
last_scroll_state = _scrollOn()
with open("loot.bin", "ab") as file:
while variables.get("$_EXFIL_MODE_ENABLED"):
caps_state = _capsOn()
num_state = _numOn()
scroll_state = _scrollOn()
if caps_state != last_caps_state:
bit_list.append(0)
last_caps_state = caps_state
elif num_state != last_num_state:
bit_list.append(1)
last_num_state = num_state
if len(bit_list) == 8:
byte = 0
for b in bit_list:
byte = (byte << 1) | b
file.write(bytes([byte]))
bit_list = []
if scroll_state != last_scroll_state:
variables["$_EXFIL_LEDS_ENABLED"] = False
break
await asyncio.sleep(0.001)
except Exception as e:
print(f"Error occurred: {e}")
await asyncio.sleep(0.0)