#!/bin/bash
#
# stickyKeysHunter.sh
# Copyright (c) 2015 Zach Grace
# License: GPLv3
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
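# Require one non-empty argument: the address of the host to scan.
# "$1" is quoted so an argument containing spaces cannot break the test
# (the unquoted form makes `[` fail with "too many arguments" and the
# script then carries on with a bad host). Usage goes to stderr.
if [ "$#" -lt 1 ] || [ -z "$1" ]; then
  printf 'Usage: %s target.ip\n' "$0" >&2
  exit 1
fi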
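# Configurable options
output="output"          # directory that receives the final screenshots
stickyKeysSleep=7        # seconds to wait after the hotkeys have been sent
timeout=60               # seconds allowed for each wait loop below
timeoutStep=2            # seconds between desktop-load checks
host=$1
# The host string is used as a path component and as an rdesktop argument, so
# refuse values that could leave the output directory or be parsed as an option.
case "$host" in
  */*|-*)
    printf 'Refusing unsafe host argument: %s\n' "$host" >&2
    exit 1
    ;;
esac
blue="\e[34m[*]\e[0m"
red="\e[31m[*]\e[0m"
green="\e[32m[*]\e[0m"
# Work in a private mktemp directory instead of the predictable /tmp/<host>.png,
# which another local user could pre-create or symlink before the scan runs.
# The trap removes the directory on every exit path (timeouts exit 1 too).
tmpdir=$(mktemp -d) || exit 1
trap 'rm -rf -- "${tmpdir}"' EXIT
temp="${tmpdir}/${host}.png"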
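#######################################
# Capture one X window to an image file with ImageMagick's import.
# Globals:   blue (read)
# Arguments: $1 - destination image file
#            $2 - X window id
# Outputs:   progress line on stdout
# Returns:   exit status of import
#######################################
screenshot() {
  # Locals: the original assigned the globals `screenshot` and `window`,
  # silently clobbering the caller's window id on every call.
  local file=$1
  local win=$2
  printf '%b\n' "${blue} Saving screenshot to ${file}"
  import -window "${win}" "${file}"
}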
#######################################
# Nudge the pointer so the X session registers activity before rdesktop starts:
# jump to the origin, then to (100,100).
# Arguments: none
# Outputs:   none (xdotool side effects only)
# Returns:   exit status of the last xdotool call
#######################################
moveMouse() {
  local -a stops=(0 0 100 100)
  local i
  for ((i = 0; i < ${#stops[@]}; i += 2)); do
    xdotool mousemove "${stops[i]}" "${stops[i + 1]}"
  done
}
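#######################################
# Abort the scan when the background rdesktop process is gone.
# Globals:   red, host (read)
# Arguments: $1 - pid to probe
# Outputs:   failure line on stdout when the process is gone
# Returns:   0 while the process exists; exits 1 otherwise
#######################################
isAlive() {
  local pid=$1
  # kill -0 sends no signal; it only reports whether the pid can be signalled.
  # Testing the command directly instead of `$? -eq 1` also catches any other
  # non-zero status, which the original let slip through.
  if ! kill -0 "${pid}" 2>/dev/null; then
    printf '%b\n' "${red} Process died, failed to connect to ${host}"
    exit 1
  fi
}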
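#######################################
# Abort the scan once the elapsed time reaches the configured timeout.
# Globals:   timeout, red, host (read); $! (the background rdesktop, killed)
# Arguments: $1 - elapsed time as a whole number of seconds
# Outputs:   failure line on stdout on timeout
# Returns:   0 while under the limit; exits 1 otherwise
#######################################
isTimedOut() {
  local elapsed=$1
  if [ "${elapsed}" -ge "${timeout}" ]; then
    printf '%b\n' "${red} Timed out connecting to ${host}"
    # $! is the rdesktop job launched by the caller; skip the kill when there
    # is no background job so we do not emit a spurious kill usage error.
    [ -n "$!" ] && kill "$!"
    exit 1
  fi
}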
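export DISPLAY=:0
moveMouse
# Launch rdesktop in the background
printf '%b\n' "${blue} Initiating rdesktop connection to ${host}"
rdesktop -u "" -a 16 "${host}" &
pid=$!
# Get window id. Poll every 0.1 s and count in tenths of a second so the
# timeout arithmetic stays integer: the original piped through bc and then
# rounded with printf "%.0f", which needs bc installed and breaks in locales
# whose decimal separator is not ".".
window=
ticks=0
while true; do
  # Check to see if we timed out
  isTimedOut $((ticks / 10))
  # Check to see if the process is still alive
  isAlive "${pid}"
  # search can return several ids, one per line; keep the first so the later
  # windowfocus/import calls receive a single id.
  window=$(xdotool search --name "${host}" | head -n 1)
  if [ -n "${window}" ]; then
    printf '%b\n' "${blue} Got window id: ${window}"
    break
  fi
  ticks=$((ticks + 1))
  sleep 0.1
done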
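# Set our focus to the RDP window
printf '%b\n' "${blue} Setting window focus to ${window}"
xdotool windowfocus "${window}"
# If the screen is all black delay timeoutStep seconds
timer=0
while true; do
  # Make sure the process didn't die
  isAlive "${pid}"
  isTimedOut "${timer}"
  # Screenshot the window and if only one color is returned (black), give it a chance to finish loading
  screenshot "${temp}" "${window}"
  colors=$(convert "${temp}" -colors 5 -unique-colors txt:- | grep -v ImageMagick)
  # An empty $colors (convert failed) still yields one line here and is
  # treated as "not loaded yet", so a broken capture ends in the timeout path
  # rather than a false "console loaded".
  if [ "$(printf '%s\n' "${colors}" | wc -l)" -eq 1 ]; then
    printf '%b\n' "${blue} Waiting on desktop to load"
    sleep "${timeoutStep}"
  else
    # Many colors should mean we've got a console loaded
    printf '%b\n' "${green} Console Loaded for ${host}"
    break
  fi
  timer=$((timer + timeoutStep))
done
rm -f -- "${temp}"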
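# Some systems seemed to need a bit more time to load before they accepted input
sleep 2
#######################################
# Send one hotkey sequence to the RDP window and announce which accessibility
# helper that hotkey normally launches. The screenshot taken afterwards is the
# evidence: a host whose helper has been replaced shows something other than
# the helper (the comment below mentions cmd.exe set as its debugger).
# Globals:   blue, window (read)
# Arguments: $1  - name of the Windows helper the hotkey normally launches
#            $2.. - xdotool key names to send, in order
# Outputs:   progress line on stdout
# Returns:   exit status of xdotool
#######################################
trigger() {
  local helper=$1
  shift
  printf '%b\n' "${blue} Attempting to trigger ${helper} backdoor"
  xdotool key --window "${window}" "$@"
}
# Send Windows key + p to trigger displayswitch.exe
trigger displayswitch.exe super+p
# Send Windows key + = to trigger magnifier.exe, also Windows Key + - to reverse magnify effect
trigger magnifier.exe super+equal super+minus
# Send Windows key + Enter to trigger narrator.exe
trigger narrator.exe super+Return
# Send Windows key + u to trigger utilman.exe
trigger utilman.exe super+u
# Send shift key 5 times to trigger sethc.exe
trigger sethc.exe shift shift shift shift shift
# Seems to be a delay if cmd.exe is set as the debugger this probably needs some tweaking
printf '%b\n' "${blue} Waiting ${stickyKeysSleep} seconds for the backdoors to trigger"
sleep "${stickyKeysSleep}"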
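# Screenshot the window using imagemagick.
# mkdir -p is race-free against a concurrent run creating the same directory,
# and a failure to create it must not leave us writing the evidence nowhere.
mkdir -p -- "${output}" || exit 1
afterScreenshot="${output}/${host}.png"
screenshot "${afterScreenshot}" "${window}"
# Close the rdesktop window
kill "${pid}"
# TODO OCR recognition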