Owning what you touch: exploiting trust in Human Interface Devices with SET, Teensy, and general skidish-ness :D
There are a lot of good videos showing how to generate a .pde file with SET. My video shows everything after that (shaky phone video, I know, sorry). You can see, so long as no one is there to question whats flying across the screen for ~30 seconds, you can take over a fully patched, AV-protected Win7 box with little to no skill.
Here’s where I’m going next with this:
With dip switches connecting some of the Teensy pins to a common ground, you can select which block of code to execute “on the fly”, ie, “if switch 1 is down, use this PowerShell reverse shell, if switch 2 is down, use this MSF exploit binary, if switch 3 is down, we’re on a nix box, so wget netcat from here and run it…” and so forth. I think this ability is infinitely valuable.
Any DIY-er with minimal scripting competency will be able to use the original irongeek tutorial to accomplish this:
http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongleThere are various enclosures that would fit the Teensy with some low-profile or pcb-mount dip switches attached (again, see irongeek blog above), but personally I prefer the cable for potentially awkward reaches and angles.
There is a lot to be learned from the overall ease of this attack - notice how often you see exposed USB ports in retail stores, restaurants, etc. As always, if you are targeted, you will be owned.
More:
Anonymous brings you #OpUkraine
Greetings Citizens of the world,
We are Anonymous.
It has come to our Attention that the UEFA Football EURO 2012 & Ukrainian Government have been engaging in one of the most brutal, bloody systematic slaughters of animals the world has ever seen. So far 80,000 dogs have been killed in the cities of Ukraine to “clean-up” the streets for a week long football event. Over 1 Million people have signed various petitions addressed directly to the UEFA and Ukrainian Government calling for an end to these inhumane acts, yet they ignore every complaint. Even worse: The Ukrainian Government censors these events with lies and fabricated media reports. Why do you ask? The answer is clear, money. UEFA makes millions of Euros with this event, as does Ukraine for hosting the event. 250,000 more dogs lives will be lost leading up to the UEFA EURO 2012 and UEFA continue to deny having any involvement with the Ukraine’s slaughter, stating they cannot interfere with matters not directly related to football, even though they ARE directly related. UEFA has donated on two occasions 8,000 Euros for the Sterilization of stray Dogs, as well as cats in the city of Ukraine, as well as giving away 196 Million Euros in bonuses for the whole event. Who is to blame? Who do we point the finger at? It’s easy.
UEFA President Michel Franswah Platini & Ukraine President Viktor Yanukohvich, You are both solely responsible for this massacre on animals. When Several foreign animal organizations offered their knowledge and help to rescue the stray animals in the cities of Ukraine, you showed absolutely no interest. You claim there is not enough money to start an animal-rescue program, yet you have enough money to buy a 20,000 dollar mobile crematorium? Your actions contradict European Animal rights Convention and any adequate humans moral principles!
We Anonymous give you, Operation Ukraine. We will fight against your violation of human, and animal rights. We will not forgive your Canine Holocaust, and We will not forget the Censorship you impose upon the people. To the Ukraine Government & UEFA
We are Legion.
We do not Forgive.
We Do not Forget.
You should have expected US.
