Didier Stevens

Wednesday 13 July 2011

Teensy PDF Dropper Part 1

Filed under: Hacking,Hardware,PDF — Didier Stevens @ 21:40

Pentesters need to drop files on targets. If a box is not connected to the Internet, and doesn’t accept removable storage, they need to come up with some tricks.

Inputting the file via the keyboard is an option, but typing several millions of bytes is not. This needs automation.

Irongeek uses a Teensy micro-controller to achieve this. My solution is a variation on this. If you need to drop a binary file, you need to find a way to convert the typed ASCII to bytes. There’s a solution with a debugger, but I’m using a PDF Reader.

It’s possible to create a pure ASCII PDF file that embeds a binary file. Here are the steps to drop a binary file:

  • open Notepad,
  • insert the Teensy and let it type the ASCII  PDF file into Notepad
  • save the PDF file
  • open it with a PDF Reader and save the embedded binary file

Writing a program with the Arduino IDE to type an ASCII PDF file is not difficult:

But with the Arduino IDE, your embedded file is limited to a couple of kilobytes. Handling larger files will be described in part 2 of this post.

8 Comments »

  1. Nice !
    why not just embedding the file as base64/ascii85/whatever (+compression, etc…), and a page with javascript to decode, though ?

    Comment by Ange — Thursday 14 July 2011 @ 7:04

  2. @Ange Yes, that’s an option too. But I just wanted to try the PDF road.
    Another option is to type VBA macros in Excel, Word, …

    Comment by Didier Stevens — Thursday 14 July 2011 @ 7:11

  3. [...] Teensy dropper presents itself as a keyboard (HID) to a PC and this is how it can be used to drop files even if you don’t allow removable [...]

    Pingback by Quickpost: Blocking and Detecting a Teensy Dropper « Didier Stevens — Thursday 14 July 2011 @ 9:58

  4. I’ve done exactly this but using a base64 encoded binary inside vbscript. Teensy wrote out the vbscript, saves and executes the script, vbscript takes the base64 blob, decodes it, writes it back as a binary file, and then executes it. Glad to see other people thinking outside the box with the Teensy. Netragard also had an interesting blog about using a Teensy for a pentest http://pentest.snosoft.com/2011/06/24/netragards-hacker-interface-device-hid/

    Comment by Kevin M — Thursday 14 July 2011 @ 15:26

  5. @Kevin M Yes, there are several options to do this, I wanted to highlight the PDF way since it hadn’t been done before.

    Comment by Didier Stevens — Thursday 14 July 2011 @ 16:38

  6. Do you thibj you’ll be publishing part two soon? I am interested in the way to handle larger files.

    Comment by Anonymous — Sunday 7 August 2011 @ 20:09

  7. Maybe next month.

    Comment by Didier Stevens — Monday 8 August 2011 @ 17:37

  8. [...] year I showed how to use a Teensy micro-controller to drop a PDF file with embedded executable. But I was limited to a file of a few kilobytes, because of the Arduino programming language I used [...]

    Pingback by Teensy PDF Dropper Part 2 « Didier Stevens — Monday 27 February 2012 @ 0:00


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 234 other followers

%d bloggers like this: