
Compilation of scripts and resources used for the escape, evasion and bypass of tactile kiosks. There are different cases depending on the specifics of each kiosk device.


jomoza/KioskBypases-Malduino


KioskBypases Malduino


Windows Kiosk

BadUSB/FlipperZero Big Evasion

In this repository you can find the same proof of concept, along with other, smaller versions for integrating it into an Arduino Nano / Leonardo. See the files:

A trusted binary for kiosk configuration on windows

A nice simple YT video

Simple "Oneliner" (it runs cmd so...)
  cmd /c copy "%SYSTEMROOT%\System32\cmd.exe" "%PUBLIC%\msedge.exe"
  cmd /c copy "%SYSTEMROOT%\System32\cmd.exe" "%PUBLIC%\msedge.exe" & ren "%PUBLIC%\msedge.exe" "msedge.exe"

These commands show, in CMD form, how the bypass that is explained would be performed. They are here to help understand the PoC: because CMD is blocked, we will not be able to launch them directly by emulating the Win+R shortcut. It is more advisable to have the Arduino force an explorer window open and then perform the process manually.
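A defender's view of the copy shown above, as an added example that is not part of this repository: a Python check over constructed Sysmon process-creation (Event ID 1) records that flags a command shell running under an allowlisted file name. The trusted directory list, the function names and the sample records are assumptions to adapt to the kiosk's real configuration.

```python
import ntpath

# Assumption: the kiosk allowlists Edge by file name and Edge sits in its
# default install directory. Adjust to the real kiosk configuration.
TRUSTED_DIRS = {
    "msedge.exe": (r"c:\program files (x86)\microsoft\edge\application",
                   r"c:\program files\microsoft\edge\application"),
}
# OriginalFileName values (PE version resource) of the built-in shells.
SHELL_ORIGINAL_NAMES = {"cmd.exe", "powershell.exe"}

# Constructed sample records, reduced to the two fields the check reads.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe"},
    {"Image": r"C:\Users\Public\msedge.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    # Version resource missing or stripped: only the path check can fire.
    {"Image": r"C:\Users\Public\msedge.exe", "OriginalFileName": "-"},
]


def reasons(event):
    """Return why a process-creation record looks like a renamed binary."""
    directory, name = ntpath.split(event.get("Image", "").lower())
    original = event.get("OriginalFileName", "").lower()
    found = []
    # 1. Allowlisted name started from a directory the real binary never uses.
    if name in TRUSTED_DIRS and directory not in TRUSTED_DIRS[name]:
        found.append("trusted-name-unexpected-path")
    # 2. Version resource says "shell", the file name on disk says otherwise.
    if original in SHELL_ORIGINAL_NAMES and original != name:
        found.append("shell-renamed")
    return found


def triage(events):
    """Return (image, reasons) for every record that trips a check."""
    return [(e["Image"], r) for e in events if (r := reasons(e))]


if __name__ == "__main__":
    for image, why in triage(SAMPLE_EVENTS):
        print(image, ", ".join(why))
```

Allowlist rules keyed on publisher signature or file hash, rather than on file name, remove the condition this check looks for.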

Android Kiosk

About emulating Android touch with Arduino

Using BLE devices to emulate Android things

The Android_PressOff_BLE.ino file is a test of pressing the off button on an Android device. This uses the external library "Adafruit BluefruitLE nRF51", which allows us to send BLE (Bluetooth Low Energy) commands from the Arduino to other Bluetooth enabled devices. This test assumes that the Bluetooth module has already been configured and connected to the Android device.

This code waits for a button connected to pin 7 of the Arduino to be pressed before sending the BLE command that emulates the power off button press on an Android device. Once the command is sent, it waits for the Arduino button to be released before sending the command again.

Note that this is just an example, and that the pin used and the BLE command sent may vary depending on the Android device and Bluetooth module used. Be sure to properly configure the Bluetooth module and connect to the Android device before running the code.

Manual Kiosk Escape

Tips

  • Try to interact with images by holding down until the "Save Image As" option appears. Then, click on the blue Help icon at the top right of the Windows File Manager to spawn a browser.

More

Project & references

Videos.

Links
