(Better) USB Injection with Rawcoon

Introduction

For those of us who are not already familiar with USB keystroke injection, the concept is pretty simple: a USB device resembling a common flash drive, but acting as a keyboard sends a sequence of keystrokes when plugged in. This allows triggering some actions on any computer it’s plugged into, without requiring any user interaction.

A few devices have emerged on the market which allow this such as Malduino or RubberDucky, typically allowing the user to configure or “program” a sequence of keystrokes into the device.

I have always been amazed and intrigued by this technology and its ability to deliver payloads to unlocked computers in such a “discreet” manner - just plugging a device into a USB port and then walking away.

This is all very nice, but unfortunately this is not magic and there are some important drawbacks:

  • the keystroke sequence must be adapted to the targeted operating system
  • because the device is functionally a keyboard, it is subjected to the OS’s current keyboard layout (the keystrokes sent will be translated into different characters depending on which keyboard layout is being used)

To make matters worse, re-configuring such a device for a specific target (OS / keyboard layout combination) requires physically connecting it to a computer, which in certain situations can be difficult.

The Rawcoon

I wanted to create a different kind of USB injection tool, one that would not be limited by these considerations. I decided to call it the Rawcoon.

General idea

The idea came up to host a payload script somewhere in the cloud, and have the USB device download and execute it on the target computer. By executing a script (from a file) we would no longer have to worry about the keyboard layout, and having the script in the cloud would allow us to update it quickly without having to use a computer to connect the USB device to - a simple smartphone with internet access could suffice. Also, using a widely standard script such as sh removes most of the need to specifically target a particular operating system - it becomes possible to script things in an OS-agnostic manner.

This would therefore eliminate all of the problems mentioned above. However there were still some challenges.

Ok, we can put whatever we want in the “payload script” (since it will be interpreted from a file and not “typed” by the device), but we still need the device to actually download the script and execute it - and for this we still need to send keystrokes.

Solving the keyboard layout issue

First, to circumvent the keyboard layout problem, I decided that the Rawcoon would have to work with only the “universal” keys - those which never change across different keyboard layouts (well, most of them at least). Luckily, there are just enough of those to run curl with all the necessary arguments to download stuff from the internet. But the URLs that we curl also need to be limited to these “universal” characters. This guided the choice for the ‘rc0.ch’ domain. [1]

Going OS-agnostic

Next, the operating system problem. To go around this, Rawcoon starts by sending some keyboard shortcuts to open up a terminal in most operating systems. For Windows, we open the Start menu and start typing ‘cmd’. For MacOS, CMD+Space opens the search feature, where we type ‘terminal’ [2]. For Linux, we use the common ‘CTRL+ALT+Space’ / ‘CTRL-ALT-T’ shortcuts. Once a terminal is open, a curl command is issued to download the bootstrap - this is not the actual payload, but a script that will run in both sh shells and cmd.exe. From this point on the Rawcoon is pretty much done, it finished by typing an ‘exit’ command and tries to minimize the terminal window - the bootstrap script now takes over. It starts by creating a ‘.r’ directory and enters it. The bootstrap script then uses the ‘rem’ comment marker from cmd.exe to selectively perform different actions [3] depending on the shell type (sh / cmd.exe). If the shell is cmd.exe, we download a small zip file containing lightweight binaries for sh, grep, sed, and a bunch of other basic shell utilities. In any case, we also download the intermediate loader (as “.i”) and the actual payload script (as “.r”). We then run the intermediate loader, which is OS-dependent. For sh shells, it simply starts executing the payload in a background process. For cmd.exe, it first unpacks the zip containing sh and other utilities, then creates a powershell background process to execute the payload script file through sh.

At this point our payload is running in a sh shell (regardless of the OS) in a background process.

Current status

A few days ago I started selling these Rawcoons on Ebay for the price of $16.49. The website is https://www.rawcoon.ch/.

How to use

First things first, we need to login on https://rawcoon.ch/login. A Google/Gmail account is required for this. Nothing about you is stored in our database.

login

Once we are logged in, we can register our first device. Every Rawcoon device is shipped with a unique device key, which we can use to register the device into our account. We can give a “display name” to each device when registering (this can be changed later on).

register_device

In the examples below, I registered my device as ‘TrashPanda’. After registering, the device appears in the menu on the left. When we select it we can start writing our payload script in the main text editor.

If our script is made to collect assets (see https://rawcoon.ch/faq.html for details on how to do this), these will appear in the list at the bottom of the page. Each asset is shown with the date/time of collection as well as the public IP address from where it was collected.

Notes

[1] Actually, some character keys are still quite problematic. Specifically, numbers cannot be reliably typed using their usual keys. Indeed, the French keyboard layout for example requires ‘Shift’ to be pressed to access the numbers. The solution to this was for the Rawcoon to detect the state of the ‘NumLock’ indicator (reported by the host to the keyboard) and enable it if needed. The numbers accessible through the numeric keypad are in fact “universal”. Another major issue is the dot (’.’) character, which can be typed using the numeric keypad on most keyboards, with the exception of the German layout on which it produces a comma instead (’,’). To circumvent this problem, the curl requests are actually performed twice - once with the numpad dot, then a second time with the “classic” dot key. Whatever the keyboard layout, at least one of these is bound to succeed.

[2] Because not all computers are equal, some may take more time than others to actually open the terminal and get the OS’s windowing system to switch the user input focus to it. Rawcoon therefore introduces voluntary delays after certain keys - for example in Windows, a few milliseconds of delay are added after pressing the ‘Start’ key before starting to type ‘cmd’. This gives the OS enough time to actually open the menu and start registering input. The delays however are “blind” in the sense that the Rawcoon has no feedback from the host computer and cannot “know” when to continue typing. These delays have therefore been made purposefully “long enough” to accommodate for as many systems as possible, while not being so long as to become a disadvantage. This basically means that Rawcoon wil definitely not work everywhere - it is a “best effort” device, meant to run on as many systems as possible but without any guarantees that it will in fact succeed every time.

[3] Using the ‘alias’ command has no effect in cmd.exe, but allows us to redefine the ‘rem’ cmd.exe comment marker in sh shells. The sample below shows this:

alias rem="" 2> nul
rem rm nul

Doing this allows us to write lines that will only execute in sh shells, but will be considered comments in cmd.exe. We can even create an ‘if’ statement that will allow us to selectively run things in either cmd.exe or sh:

rem echo This is an sh shell
rem if uname | grep -q 'not_linux'; then
echo This is cmd.exe
rem fi

:raccoon:

11 Likes