Didier Stevens

Wednesday 13 July 2011

Teensy PDF Dropper Part 1

Filed under: Hacking,Hardware,PDF — Didier Stevens @ 21:40

Pentesters need to drop files on targets. If a box is not connected to the Internet, and doesn’t accept removable storage, they need to come up with some tricks.

Inputting the file via the keyboard is an option, but typing several millions of bytes is not. This needs automation.

Irongeek uses a Teensy micro-controller to achieve this. My solution is a variation on this. If you need to drop a binary file, you need to find a way to convert the typed ASCII to bytes. There’s a solution with a debugger, but I’m using a PDF Reader.

It’s possible to create a pure ASCII PDF file that embeds a binary file. Here are the steps to drop a binary file:

  • open Notepad,
  • insert the Teensy and let it type the ASCII PDF file into Notepad,
  • save the PDF file,
  • open it with a PDF Reader and save the embedded binary file.

Writing a program with the Arduino IDE to type an ASCII PDF file is not difficult.

But with the Arduino IDE, your embedded file is limited to a couple of kilobytes. Handling larger files will be described in part 2 of this post.
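
Seen from the defender's side, the dropped file has a recognisable shape: a PDF that is pure ASCII yet carries an embedded file. The Python triage below is an added example, not code from this post. It assumes the embedded stream uses one of PDF's ASCII filters (/ASCIIHexDecode or /ASCII85Decode), which the post does not specify, and its sample input is a constructed fragment.

```python
import re

# A PDF name token: "/" followed by regular (non-delimiter, non-whitespace) characters.
NAME = re.compile(rb"/[^\x00\t\n\f\r /<>\[\](){}%]+")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
ASCII_FILTERS = {b"/ASCIIHexDecode", b"/ASCII85Decode"}  # assumed encodings


def names(data: bytes) -> set:
    """Return all name tokens with #xx escapes decoded (/Embedded#46ile -> /EmbeddedFile)."""
    decode = lambda m: bytes([int(m.group(1), 16)])
    return {HEX_ESCAPE.sub(decode, tok) for tok in NAME.findall(data)}


def triage(data: bytes) -> dict:
    """Flag PDFs that are 7-bit clean, embed a file and ASCII-encode a stream."""
    found = names(data)
    result = {
        "is_pdf": b"%PDF-" in data[:1024],
        "pure_ascii": data.isascii(),
        "embedded_file": bool(found & {b"/EmbeddedFile", b"/EmbeddedFiles"}),
        "ascii_filter": bool(found & ASCII_FILTERS),
    }
    # A triage signal only: all four together match the file shape described above.
    result["typed_dropper_candidate"] = all(result.values())
    return result


# Constructed fragment for the demo (not a complete PDF); the payload is "hello" in hex.
SAMPLE = b"""%PDF-1.1
1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >> endobj
3 0 obj << /Type /Filespec /F (a.bin) /EF << /F 4 0 R >> >> endobj
4 0 obj << /Type /Embedded#46ile /Filter /ASCIIHexDecode /Length 11 >>
stream
68656C6C6F>
endstream endobj
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Many PDF writers put a comment line of high-bit bytes right after the header, so the pure_ascii field is what separates a typed file from most ordinary documents.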

9 Comments »

  1. Nice !
    why not just embedding the file as base64/ascii85/whatever (+compression, etc…), and a page with javascript to decode, though ?

    Comment by Ange — Thursday 14 July 2011 @ 7:04

  2. @Ange Yes, that’s an option too. But I just wanted to try the PDF road.
    Another option is to type VBA macros in Excel, Word, …

    Comment by Didier Stevens — Thursday 14 July 2011 @ 7:11

  3. […] Teensy dropper presents itself as a keyboard (HID) to a PC and this is how it can be used to drop files even if you don’t allow removable […]

    Pingback by Quickpost: Blocking and Detecting a Teensy Dropper « Didier Stevens — Thursday 14 July 2011 @ 9:58

  4. I’ve done exactly this but using a base64 encoded binary inside vbscript. Teensy wrote out the vbscript, saves and executes the script, vbscript takes the base64 blob, decodes it, writes it back as a binary file, and then executes it. Glad to see other people thinking outside the box with the Teensy. Netragard also had an interesting blog about using a Teensy for a pentest http://pentest.snosoft.com/2011/06/24/netragards-hacker-interface-device-hid/

    Comment by Kevin M — Thursday 14 July 2011 @ 15:26

  5. @Kevin M Yes, there are several options to do this, I wanted to highlight the PDF way since it hadn’t been done before.

    Comment by Didier Stevens — Thursday 14 July 2011 @ 16:38

  6. Do you think you’ll be publishing part two soon? I am interested in the way to handle larger files.

    Comment by Anonymous — Sunday 7 August 2011 @ 20:09

  7. Maybe next month.

    Comment by Didier Stevens — Monday 8 August 2011 @ 17:37

  8. […] year I showed how to use a Teensy micro-controller to drop a PDF file with embedded executable. But I was limited to a file of a few kilobytes, because of the Arduino programming language I used […]

    Pingback by Teensy PDF Dropper Part 2 « Didier Stevens — Monday 27 February 2012 @ 0:00

  9. […] technique to drop any file on a machine which has removable storage disabled. The technique used a Teensy to simulate a keyboard and type out a pure ASCII PDF to notepad. The PDF, containing an embedded executable, can then be saved and opened with a PDF […]

    Pingback by Bash Bunny PDF Dropper | Didier Stevens — Monday 24 April 2017 @ 0:00

