aleff-github / my-flipper-shits

Free and libre source BadUSB payloads for Flipper Zero. [Windows, GNU/Linux, iOS]
https://aleff-github.github.io/my-flipper-shits/
GNU General Public License v3.0

How to insert a link to an external resource and why? #6

Closed aleff-github closed 1 year ago

aleff-github commented 1 year ago

> DM from a Discord user

Hello Aleff, I'm sorry to importune you. I'm a French guy (sorry for my English) who has seen your "flipper shits badusb". I love what you have done, but I don't understand how to put a .py link in a .txt. Can you help me please? I'm brand new to this sort of thing, that's why I don't understand haha

> Response

Why don't I directly insert the link to the script?

"Staged payloads" are like packages that fetch code from an external source instead of containing all the code themselves. This practice is often used in software distribution or within the realm of cybersecurity to provide additional functionality or updates efficiently. However, it's crucial to consider cybersecurity when using staged payloads.

Using staged code in these packages can be helpful in reducing package sizes and simplifying updates, but it must be done securely. Here are some cybersecurity considerations regarding "staged payloads":

  1. Trust in the external source: When a system accesses an external source to retrieve code, it's essential to ensure that this source is trustworthy and secure. Using code from unverified or compromised sources could introduce vulnerabilities into the target system.

  2. Code integrity: Ensuring that code obtained from external sources hasn't been tampered with or compromised is crucial. Using digital signatures or code integrity verification mechanisms can help ensure that the downloaded software is genuine and hasn't been altered by malicious third parties.

  3. Secure communication channels: During the process of fetching code from an external source, it's important to encrypt and secure the communication between the target system and the source. This prevents interception or manipulation of the code during transit.

  4. Monitoring and control: Having a monitoring and control mechanism is crucial to track the use of staged payloads. This helps detect any anomalies or suspicious activity in the target system.

  5. Secure hosting: When deciding to host staged code on a server, it's important to ensure the server's security. Keeping the server up to date with security patches and applying best security practices is essential to protect the hosted code.

Regarding the use of platforms like GitHub for code distribution, it's important to note that these platforms are primarily designed for code development and sharing among developers and authorized users. Relying on such platforms for the direct distribution of staged payloads may pose security risks since access and code security control might not be suitable for cybersecurity distribution purposes.

In conclusion, using staged payloads is a valid practice, but cybersecurity must be a primary consideration. Ensure you follow cybersecurity best practices to ensure that code from external sources is trustworthy and doesn't pose a threat to the target systems.

How to do it?

Suppose you want to utilize the The_Mouse_Moves_By_Itself payload. In this case, you'll need to have the Python script hosted somewhere because, as you can see by opening the payload.txt file, there's a configuration that needs to be made on lines 16-17.

The description of the SCRIPT-PY-LINK variable states "Set your Python script link", which means you'll need to download the script.py file and upload it to a location of your choice. Then, obtain the corresponding link to this script and replace the text example.com with this link.

To provide a practical example, in this specific case you could use a link like "https://raw.githubusercontent.com/aleff-github/my-flipper-shits/main/Windows/Prank/The_Mouse_Moves_By_Itself/script.py", so all you would need to do is replace example.com with this link to make the payload functional.

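The code-integrity and secure-channel considerations (points 2 and 3 in the list above), as an added example that is not part of the original issue or the repository's code: a fetched script is accepted only if it arrives over HTTPS from an allowlisted host and its SHA-256 matches a digest pinned in advance, which also catches a file behind a branch URL changing later. The allowlist, size cap and function names are assumptions made for this example.

```python
import hashlib
import hmac
import urllib.request
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"raw.githubusercontent.com"}  # assumed allowlist for this example
MAX_BYTES = 1_000_000                          # assumed size cap for a fetched script


class StageRejected(Exception):
    """The stage failed the URL policy or the integrity check."""


def check_stage_url(url):
    """Allow only HTTPS URLs on an allowlisted host, with no embedded credentials."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise StageRejected("not HTTPS: " + url)
    if parts.username or parts.password:
        raise StageRejected("credentials embedded in URL")
    if parts.hostname not in ALLOWED_HOSTS:
        raise StageRejected("host not allowlisted: %s" % parts.hostname)


def verify_stage(body, pinned_sha256):
    """Return body unchanged if its SHA-256 equals the pinned hex digest."""
    actual = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(actual, pinned_sha256.strip().lower()):
        raise StageRejected("digest mismatch, got " + actual)
    return body


def fetch_verified(url, pinned_sha256, opener=urllib.request.urlopen):
    """Fetch url, re-check the URL after redirects, cap the size, verify the pin."""
    check_stage_url(url)
    with opener(url, timeout=10) as resp:
        check_stage_url(resp.geturl())      # a redirect must not leave the policy
        body = resp.read(MAX_BYTES + 1)
    if len(body) > MAX_BYTES:
        raise StageRejected("stage larger than MAX_BYTES")
    return verify_stage(body, pinned_sha256)


if __name__ == "__main__":
    good = b"print('constructed sample script')\n"   # constructed sample
    pin = hashlib.sha256(good).hexdigest()            # published alongside the script
    print(verify_stage(good, pin) == good)
    try:
        verify_stage(good + b"import os\n", pin)      # altered copy
    except StageRejected as exc:
        print("rejected:", exc)
```

The pinned digest has to reach the verifier by a path separate from the download itself, otherwise whoever can alter the script can alter the pin as well.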