首页
社区
课程
招聘
[原创]如何利用最廉价的设备去打造一个可劫持鼠标键盘的mousejack
发表于: 2018-7-13 11:03 5999

[原创]如何利用最廉价的设备去打造一个可劫持鼠标键盘的mousejack

2018-7-13 11:03
5999
        如何利用mousejack控制别人的鼠标键盘文章已经有几篇了。在这里就不重复去造轮子。现在说一下如何利用最廉价的设备去打造一个mousejack。从文档上看设备的挑选有三种。第一种是:Crazyradio PA (nRF24LU1P USB) 200元 买它不太实际。第二种是:基于nRF24LU1P开发板,是便宜。但还要买烧录器?折腾。第三种是:罗技接收器了,小巧。插在电脑上用也没有人怀疑,就它了。
      1、如何挑选符合mousejack罗技接收器。只要是nRF24LU1P 芯片的优联接收器即可。如何找到是nRF24LU1P 芯片的鼠标接收器。查看一下它的固件版本即可。如果版本号12开头的那就是符合条件刷mousejack的(很多24开头的德州芯片),从官方文档上说是挑个联优版序号为M/N:C-U0007的。(手头上有三个接收器都不符合。2个优联的 M/N:C-U0008(版本是24开头的),1个是M/N:C-U0007 很可惜它是NANO的)。于是某鱼挑了一个 优联版M/N:C-U0007 的接收器。(某宝上问了一家。掌柜的说500个里只挑出来17个M/N:C-U0007的。其它版本的如M/N:C-U00010等没看过)
ubuntu下查看:
Unifying [runtime]
  Guid:                 9d131a0c-a606-580f-8eda-80587250b8d6
  UniqueID:             com.logitech.Unifying.RQR12.firmware
  DeviceID:             usb:00:02
  Description:          A Unifying receiver allows you to connect multiple compatible keyboards and mice to a laptop or desktop computer with a single USB receiver. Updating the firmware on your Unifying receiver improves performance, adds new features and fixes security issues.
  Plugin:               unifying
  Flags:                allow-online|supported|needs-bootloader
  DeviceVendor:         Logitech
  Version:              012.001.00019
  VersionBootloader:    BL.002.014
  Created:              2018-07-05
  AppstreamId:          com.logitech.Unifying.RQR12.firmware
  Summary:              Firmware for the Logitech Unifying receiver
  UpdateDescription:    This release addresses an unencrypted keystroke injection issue known as Bastille security issue #11\. The vulnerability is complex to replicate and would require a hacker to be physically close to a target.
  UpdateVersion:        RQR12.07_B0029
  UpdateHash:           d0d33e760ab6eeed6f11b9f9bd7e83820b29e970
  UpdateChecksumKind:   sha1
  License:              Proprietary
  UpdateUri:            https://fwupd.org/downloads/938fec082652c603a1cdafde7cd25d76baadc70d-Logitech-Unifying-RQR12.07_B0029.cab
  UrlHomepage:          http://support.logitech.com/en-us/software/unifying
  Vendor:               Logitech
  Trusted:              none
 2、刷入mousejack固件,项目:https://github.com/BastilleResearch/mousejack
~$ lsusb
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 004: ID 17ef:1004 Lenovo Integrated Webcam
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 002: ID 08ff:2810 AuthenTec, Inc. AES2810
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 006: ID 046d:c52f Logitech, Inc. Unifying Receiver
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver (M/N:C-U0007的优联接收器)
Bus 003 Device 006: ID 046d:c52f Logitech, Inc. Unifying Receiver (M/N:C-U0007的NANO接收器)
因为刷固件代码查找的是046d:c52b 所以两者间没有没有冲突
~$ cd mousejack/
~/mousejack$ cd nrf-research-firmware/
~/mousejack/nrf-research-firmware$ sudo make
..................省略......................
~/mousejack/nrf-research-firmware$ sudo make logitech_install 
./prog/usb-flasher/logitech-usb-flash.py bin/dongle.formatted.bin bin/dongle.formatted.ihx
[2018-07-05 14:59:39.009]  Computing the CRC of the firmware image
[2018-07-05 14:59:39.092]  Preparing USB payloads
[2018-07-05 14:59:39.180]  Found Logitech Unifying dongle - HID mode
[2018-07-05 14:59:39.181]  Detaching kernel driver from Logitech dongle - HID mode
[2018-07-05 14:59:39.238]  Putting dongle into firmware update mode
[2018-07-05 14:59:39.244]  10:FF:8F:81:F1:03:00
[2018-07-05 14:59:39.247]  10:FF:81:F1:01:12:01
[2018-07-05 14:59:40.819]  Found Logitech Unifying dongle - firmware update mode
[2018-07-05 14:59:40.819]  Putting dongle into firmware update mode - firmware update mode
[2018-07-05 14:59:40.837]  Initializing firmware update
[2018-07-05 14:59:40.842]  80:00:00:06:00:00:67:FF:02:00:46:C6:B6:FF:9E:7E:81:48:4A:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:40.850]  Clearing existing flash memory up to boootloader
[2018-07-05 14:59:40.875]  30:00:00:01:FF:00:67:FF:02:00:46:C6:B6:FF:9E:7E:81:48:4A:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:40.900]  30:02:00:01:FF:00:67:FF:02:00:46:C6:B6:FF:9E:7E:81:48:4A:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:40.926]  30:04:00:01:FF:00:67:FF:02:00:46:C6:B6:FF:9E:7E:81:48:4A:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:40.952]  30:06:00:01:FF:00:67:FF:02:00:46:C6:B6:FF:9E:7E:81:48:4A:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
..................省略......................
[2018-07-05 14:59:42.166]  Transferring the new firmware
[2018-07-05 14:59:42.170]  20:00:01:0F:00:6B:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:42.174]  20:00:10:10:FF:FF:FF:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:42.178]  20:00:20:10:FF:FF:FF:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
..................省略......................
[2018-07-05 14:59:48.902]  Mark firmware update as completed
[2018-07-05 14:59:49.285]  20:00:00:01:02:6B:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:FF:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:49.285]  Restarting dongle into research firmware mode
[2018-07-05 14:59:49.289]  70:00:00:00:02:6B:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:FF:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
到这里成功刷写成功
再查看一下:
~/mousejack/nrf-research-firmware$ lsusb
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 006: ID 1915:0102 Nordic Semiconductor ASA 
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 004: ID 17ef:1004 Lenovo Integrated Webcam
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 002: ID 08ff:2810 AuthenTec, Inc. AES2810
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 006: ID 046d:c52f Logitech, Inc. Unifying Receiver
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
之前:Bus 006 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver 
改变为:Bus 006 Device 006: ID 1915:0102 Nordic Semiconductor ASA 
ID 1915:0102 为刷写功攻后唯一的ID
测试结果如下:
~/mousejack/nrf-research-firmware/tools$ sudo ./nrf24-scanner.py 
[2018-07-05 15:08:26.043]  41  10  45:CD:9A:91:08  00:C2:00:00:00:20:00:00:00:1E
[2018-07-05 15:08:26.079]  41   0  45:CD:9A:91:08  
[2018-07-05 15:08:34.494]  41  10  45:CD:9A:91:08  00:C2:00:00:07:D0:FF:00:00:68
[2018-07-05 15:08:34.502]  41  10  45:CD:9A:91:08  00:C2:00:00:07:B0:FF:00:00:88
[2018-07-05 15:08:34.542]  41  10  45:CD:9A:91:08  00:C2:00:00:04:A0:FF:00:00:9B
[2018-07-05 15:08:34.573]  41  10  45:CD:9A:91:08  00:C2:00:00:04:80:FF:00:00:BB
[2018-07-05 15:08:34.925]  45  10  45:CD:9A:91:08  00:C2:00:00:FC:1F:00:00:00:23
[2018-07-05 15:08:35.000]  45   0  45:CD:9A:91:08  
[2018-07-05 15:08:43.425]  45  10  45:CD:9A:91:08  00:C2:00:00:F9:DF:00:00:00:66
[2018-07-05 15:08:51.431]  41  10  45:CD:9A:91:08  00:C2:00:00:F8:8F:FF:00:00:B8
[2018-07-05 15:08:51.462]  41  10  45:CD:9A:91:08  00:C2:00:00:FF:8F:FF:00:00:B1
[2018-07-05 15:08:51.483]  41  10  45:CD:9A:91:08  00:C2:00:00:04:60:FF:00:00:DB
[2018-07-05 15:08:51.897]  45   0  45:CD:9A:91:08
官方的只是给了测试代码没有完善。
别一个项目:https://github.com/iamckn/mousejack_transmit
mousejack组件:
扫描器:nrf24-scanner.py
嗅探器:nrf24-sniffer.py
重放/传输:nrf24-replay.py
网络映射器:nrf24-network-mapper.py
连调测试:nrf24-continuous-tone-test.py
数据包生成器脚本:keymapper.py


[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 0
支持
分享
打赏 + 1.00雪花
打赏次数 1 雪花 + 1.00
 
赞赏  junkboy   +1.00 2018/07/13
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//