[原创]如何利用最廉价的设备去打造一个可劫持鼠标键盘的mousejack-智能设备-看雪-安全社区|安全招聘|kanxue.com

[原创]如何利用最廉价的设备去打造一个可劫持鼠标键盘的mousejack

发表于: 2018-7-13 11:03 6238

[原创]如何利用最廉价的设备去打造一个可劫持鼠标键盘的mousejack

open[xgc]

2018-7-13 11:03

6238

如何利用mousejack控制别人的鼠标键盘文章已经有几篇了。在这里就不重复去造轮子。现在说一下如何利用最廉价的设备去打造一个mousejack。从文档上看设备的挑选有三种。第一种是：Crazyradio PA (nRF24LU1P USB) 200元买它不太实际。第二种是：基于nRF24LU1P开发板，是便宜。但还要买烧录器？折腾。第三种是：罗技接收器了，小巧。插在电脑上用也没有人怀疑，就它了。

1、如何挑选符合mousejack罗技接收器。只要是nRF24LU1P 芯片的优联接收器即可。如何找到是nRF24LU1P 芯片的鼠标接收器。查看一下它的固件版本即可。如果版本号12开头的那就是符合条件刷mousejack的(很多24开头的德州芯片)，从官方文档上说是挑个联优版序号为M/N:C-U0007的。(手头上有三个接收器都不符合。2个优联的 M/N:C-U0008(版本是24开头的),1个是M/N:C-U0007 很可惜它是NANO的)。于是某鱼挑了一个优联版M/N:C-U0007 的接收器。(某宝上问了一家。掌柜的说500个里只挑出来17个M/N:C-U0007的。其它版本的如M/N:C-U00010等没看过）

ubuntu下查看:

Unifying [runtime]
  Guid:                 9d131a0c-a606-580f-8eda-80587250b8d6
  UniqueID:             com.logitech.Unifying.RQR12.firmware
  DeviceID:             usb:00:02
  Description:          A Unifying receiver allows you to connect multiple compatible keyboards and mice to a laptop or desktop computer with a single USB receiver. Updating the firmware on your Unifying receiver improves performance, adds new features and fixes security issues.
  Plugin:               unifying
  Flags:                allow-online|supported|needs-bootloader
  DeviceVendor:         Logitech
  Version:              012.001.00019
  VersionBootloader:    BL.002.014
  Created:              2018-07-05
  AppstreamId:          com.logitech.Unifying.RQR12.firmware
  Summary:              Firmware for the Logitech Unifying receiver
  UpdateDescription:    This release addresses an unencrypted keystroke injection issue known as Bastille security issue #11\. The vulnerability is complex to replicate and would require a hacker to be physically close to a target.
  UpdateVersion:        RQR12.07_B0029
  UpdateHash:           d0d33e760ab6eeed6f11b9f9bd7e83820b29e970
  UpdateChecksumKind:   sha1
  License:              Proprietary
  UpdateUri:            https://fwupd.org/downloads/938fec082652c603a1cdafde7cd25d76baadc70d-Logitech-Unifying-RQR12.07_B0029.cab
  UrlHomepage:          http://support.logitech.com/en-us/software/unifying
  Vendor:               Logitech
  Trusted:              none

2、刷入mousejack固件，项目:https://github.com/BastilleResearch/mousejack

~$ lsusb
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 004: ID 17ef:1004 Lenovo Integrated Webcam
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 002: ID 08ff:2810 AuthenTec, Inc. AES2810
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 006: ID 046d:c52f Logitech, Inc. Unifying Receiver
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

Bus 006 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver （M/N:C-U0007的优联接收器）

Bus 003 Device 006: ID 046d:c52f Logitech, Inc. Unifying Receiver （M/N:C-U0007的NANO接收器）

因为刷固件代码查找的是046d:c52b 所以两者间没有没有冲突

~$ cd mousejack/
~/mousejack$ cd nrf-research-firmware/
~/mousejack/nrf-research-firmware$ sudo make
..................省略......................
~/mousejack/nrf-research-firmware$ sudo make logitech_install 
./prog/usb-flasher/logitech-usb-flash.py bin/dongle.formatted.bin bin/dongle.formatted.ihx
[2018-07-05 14:59:39.009]  Computing the CRC of the firmware image
[2018-07-05 14:59:39.092]  Preparing USB payloads
[2018-07-05 14:59:39.180]  Found Logitech Unifying dongle - HID mode
[2018-07-05 14:59:39.181]  Detaching kernel driver from Logitech dongle - HID mode
[2018-07-05 14:59:39.238]  Putting dongle into firmware update mode
[2018-07-05 14:59:39.244]  10:FF:8F:81:F1:03:00
[2018-07-05 14:59:39.247]  10:FF:81:F1:01:12:01
[2018-07-05 14:59:40.819]  Found Logitech Unifying dongle - firmware update mode
[2018-07-05 14:59:40.819]  Putting dongle into firmware update mode - firmware update mode
[2018-07-05 14:59:40.837]  Initializing firmware update
[2018-07-05 14:59:40.842]  80:00:00:06:00:00:67:FF:02:00:46:C6:B6:FF:9E:7E:81:48:4A:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:40.850]  Clearing existing flash memory up to boootloader
[2018-07-05 14:59:40.875]  30:00:00:01:FF:00:67:FF:02:00:46:C6:B6:FF:9E:7E:81:48:4A:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:40.900]  30:02:00:01:FF:00:67:FF:02:00:46:C6:B6:FF:9E:7E:81:48:4A:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:40.926]  30:04:00:01:FF:00:67:FF:02:00:46:C6:B6:FF:9E:7E:81:48:4A:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:40.952]  30:06:00:01:FF:00:67:FF:02:00:46:C6:B6:FF:9E:7E:81:48:4A:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
..................省略......................
[2018-07-05 14:59:42.166]  Transferring the new firmware
[2018-07-05 14:59:42.170]  20:00:01:0F:00:6B:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:42.174]  20:00:10:10:FF:FF:FF:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:42.178]  20:00:20:10:FF:FF:FF:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
..................省略......................
[2018-07-05 14:59:48.902]  Mark firmware update as completed
[2018-07-05 14:59:49.285]  20:00:00:01:02:6B:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:FF:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:49.285]  Restarting dongle into research firmware mode
[2018-07-05 14:59:49.289]  70:00:00:00:02:6B:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:FF:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE

到这里成功刷写成功

再查看一下：

~/mousejack/nrf-research-firmware$ lsusb
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 006: ID 1915:0102 Nordic Semiconductor ASA 
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 004: ID 17ef:1004 Lenovo Integrated Webcam
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 002: ID 08ff:2810 AuthenTec, Inc. AES2810
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 006: ID 046d:c52f Logitech, Inc. Unifying Receiver
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

之前：Bus 006 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver

改变为：Bus 006 Device 006: ID 1915:0102 Nordic Semiconductor ASA

ID 1915:0102 为刷写功攻后唯一的ID

测试结果如下：

~/mousejack/nrf-research-firmware/tools$ sudo ./nrf24-scanner.py 
[2018-07-05 15:08:26.043]  41  10  45:CD:9A:91:08  00:C2:00:00:00:20:00:00:00:1E
[2018-07-05 15:08:26.079]  41   0  45:CD:9A:91:08  
[2018-07-05 15:08:34.494]  41  10  45:CD:9A:91:08  00:C2:00:00:07:D0:FF:00:00:68
[2018-07-05 15:08:34.502]  41  10  45:CD:9A:91:08  00:C2:00:00:07:B0:FF:00:00:88
[2018-07-05 15:08:34.542]  41  10  45:CD:9A:91:08  00:C2:00:00:04:A0:FF:00:00:9B
[2018-07-05 15:08:34.573]  41  10  45:CD:9A:91:08  00:C2:00:00:04:80:FF:00:00:BB
[2018-07-05 15:08:34.925]  45  10  45:CD:9A:91:08  00:C2:00:00:FC:1F:00:00:00:23
[2018-07-05 15:08:35.000]  45   0  45:CD:9A:91:08  
[2018-07-05 15:08:43.425]  45  10  45:CD:9A:91:08  00:C2:00:00:F9:DF:00:00:00:66
[2018-07-05 15:08:51.431]  41  10  45:CD:9A:91:08  00:C2:00:00:F8:8F:FF:00:00:B8
[2018-07-05 15:08:51.462]  41  10  45:CD:9A:91:08  00:C2:00:00:FF:8F:FF:00:00:B1
[2018-07-05 15:08:51.483]  41  10  45:CD:9A:91:08  00:C2:00:00:04:60:FF:00:00:DB
[2018-07-05 15:08:51.897]  45   0  45:CD:9A:91:08