[Python] Convert binary to ascii

[frog]

So as you all know the rave for the last ~7 years has been hobbyist micro-controllers. If you have one that acts like a human interface device(i.e. a keyboard or mouse) then you can inject text into a modern operating system and make it do stuff(hands-free) -> https://www.youtube.com/watch?v=RZiVwJG5HeE.

The purpose of my script is to encode a binary to a text format(base64) so that it can be used by another script later on. If you understand what is special about the Arduino Leonardo or the Teensy micro-controller boards, then you understand why you would want to do this. These particular micro-controllers can act like a keyboard & mouse.

Later on, the newly created script(created on the fly, using programmed keystrokes from the microcontroller) will write out and decode the encoded text from my script into bytes, write those bytes to a binary file, and run the file. For Windows, this would be Powershell or VBscript; for Linux, you can use whatever is available from the command line(I'm thinking Python b/c I know that it has Base64 decoding in it's standard lib).

The goal is to use a native scripting environment to decode and run the encoded binary provided by my script. Surprisingly, VBscript has native reading and writing of binary files; this is called an ADODB Stream object and this functionality can disabled in the registry. If the 'decode-and-run' script is made in Powershell, you would have to remove Powershell to mitigate this. Powershell does not use ADODB Stream objects but rather .NET class libraries(System.IO.*).

I do note that in the above video the guy is running the encoded script as such:
powershell.exe -noprofile -windowstyle hidden -encodedcommand <base64 powershell commands>

This suggests that he is in fact using an encoded powershell script that types out an already encoded binary, decodes it into bytes, writes it to a file, and runs it. I know the sequence of events is confusing but it is worth noting that there are a few different ways to accomplish this, some of which involve using the micro-controller as a hard disk or reading data from an attached sd card.

Note that '-encodedcommand' will not run base64 encoded binary files. Only base64 encoded powershell scripts. Anyways enough with the side tracking, here's my helper script.

Code: (Python) [Select]

#!/usr/bin/env python
##
### ascii-encode.py - ascii encode a binary file
##
#
import base64,sys

def banner():
    print "   ascii-encode.py - ascii encode a binary file"
    print "    usage: python ascii-encode.py <filename>"
    print ""
   
def main():
    if len(sys.argv) < 2:
        banner()
        exit()
   
    filename = sys.argv[1]
   
    try:
        inFile = open(filename, "rb")
    except IOError:
        banner()
        print "[!] Error: no such file or directory"
        exit()
       
    banner()
    data = inFile.read()
    inFile.close()
    encoded = base64.b64encode(data)
    print "[+] " + str(len(encoded)) + " bytes encoded"
    print "[-] Writing file 'encoded.txt'.."   
    outFile = open("encoded.txt", "w")
    outFile.write(encoded)
    outFile.close()
    print "[+] Done"
    exit()
   
if __name__ == "__main__":
    main()


[frog]

Here are the various representations:

[str0be]

That. Is. Awesome.


But I don't think going with Python is best. I put together a package that will
create a keyboard-friendly payload deployable to any *nix (no dependencies).


To build and run the example payload:

Code: [Select]

$ make run


[frog]

I'm only using Python for the encoding process. This is independent of the decode/execution process of the payload(because the encoded binary is stored inside Arduino or C code that runs on the micro-controller(so the encoding must take place before we write code for the micro-controller). Problem is, you can only transfer your binary from the micro-controller in a 'typeable' form(hence the need for another encoding; I didn't think of hex, but that will work for sure).

You certainly demonstrate the encoding/decoding/execution process all in one script(nicely I might add). In the case of your script, where is your binary coming from? How are you going to get this from the micro-controller's program memory to your script without mounting a drive? It's because the encode and the decode/execute process are separate, and they need to be. We are working with text and interfacing two completely separate environments(an AVR micro-controller & our x86/64 PC).

As in your example, you could use a hex-encoded binary and 'type' this out using the micro-controller. You see where I'm going with this? The only portion which needs to be native is the decoding process. The decoder script will be 'typed' out in a Linux/Windows native scripting environment and the micro-controller will be 'typing' the whole thing(including our hex/ascii encoded binary; which is inside our arduino/c code in the form of a character array).

In theory the decoding sequence should go like this:
 - Plug in pre-programmed micro-controller via USB
 - The micro-controller 'types' out a shell script(including our array of encoded bytes) that does a base64 decode and writes the decoded bytes to a binary file.
 - The micro-controller runs the file by 'typing' out the proper commands.

Code: (bash) [Select]

#!/bin/bash
base64 -d (this is where our encoding goes, if you used base64) > assembled.bin
chmod u+x assembled.bin
./assembled.bin

I will post the working Arduino/C code that types out the decode script and runs our stored bytes. Just haven't gotten that far yet. It will become much more clear once you see the code that is running on the micro-controller.

[str0be]

The 'payload' file that gets generated from 'encoder.sh' is what you'd have it type out and execute.

[frog]

I see. I'm not paying attention. I thought for some reason on line 22 you were executing..

[str0be]

Writing it was a bit of a mindfuck too. I'd like to see the rest of your code so I can see how it'd work out. 

[frog]

For sure. I'll post the code when I get to it.

Btw, what's printf doing exactly on line 19?

Code: (bash) [Select]

/usr/bin/printf '\"\\x\$\B\"' >> $ENAME;


[str0be]

Nothing. That's actually just part of the generated code. The crazy quoting is so it will output properly to payload and the full path to printf is specified to bypass the shell builtin. Ultimately, in the payload, it outputs a single byte ($B) at a time. Doing it this way instead of using bash/base64 is much slower but also portable. Initially I tried to write a base64 implementation in sh so it would work with your encoder but gave up and went with this.

[frog]

Yea base64 in bash would be hard to implement. I found out that there is a native command for this is Linux(at least with a ubuntu variant I'm using). The command is base64 -e or base64 -d to encode or decode.

[Alin]

I saw something similar to this during a session at Hacktivity 2012 at Budapest. His implementation supported both reading and writing using the fact that on most system HID are being auto mounted


You can see the slides here
https://hacktivity.com/en/downloads/archives/195/

[frog]

Yes, this is exactly what I'm talking about. You can see the VBscript using the base64 decode and binary write functions native to windows on slide 9; however they don't go into much detail.

That is cool that you can flash an AVR micro-processor(what the teensy and arduinos use) to act like a usb hid device w/o a dedicated chip. With the teensy for example, there is a dedicated IC on board for this functionality. The perk is that you don't need a firmware update, just a client-side software HID implementation to get data where it needs to go using a standard protocol.

Thankfully somebody has made a C library for this and there is also arduino libraries for those who don't like messing with C. I'm all about speed so I will probably write my client-side script in arduino and then convert it to C later on once I get the design solidified.

Worth mentioning: There's a hack for the arduino uno(which is not designed for use as a USB hid device) which involves flashing the firmware and soldering a resister inline, but I didn't want to use my UNO for that so I bought a teensy.