[Original] How to build a MouseJack that can hijack mouse and keyboard with the cheapest hardware
Posted on: 2018-7-13 11:03
There are already several articles on using MouseJack to control someone else's mouse and keyboard, so I won't reinvent the wheel here. What I will cover is how to build a MouseJack with the cheapest hardware. According to the documentation there are three hardware options. The first is the Crazyradio PA (nRF24LU1P USB) at 200 yuan; buying one isn't very practical. The second is an nRF24LU1P-based dev board, which is cheap, but then you also have to buy a programmer? Too much hassle. The third is a Logitech receiver: small, and nobody would think twice about one plugged into a computer. That's the one.
1. How to pick a Logitech receiver that works with MouseJack. Any Unifying receiver with the nRF24LU1P chip will do. How do you tell whether a receiver has the nRF24LU1P chip? Check its firmware version: if the version number starts with 12, it is eligible for flashing MouseJack (many whose version starts with 24 are Texas Instruments chips). The official documentation says to pick a Unifying receiver with model number M/N:C-U0007. (The three receivers I had on hand all failed: two Unifying M/N:C-U0008 (version starting with 24) and one M/N:C-U0007 which, unfortunately, was a Nano.) So I picked up a Unifying M/N:C-U0007 receiver on a second-hand marketplace. (I asked a shop on an online marketplace; the owner said that out of 500 receivers only 17 were M/N:C-U0007. I haven't looked at other models such as M/N:C-U00010.)
Checking under Ubuntu:
Unifying [runtime]
  Guid: 9d131a0c-a606-580f-8eda-80587250b8d6
  UniqueID: com.logitech.Unifying.RQR12.firmware
  DeviceID: usb:00:02
  Description: A Unifying receiver allows you to connect multiple compatible keyboards and mice to a laptop or desktop computer with a single USB receiver. Updating the firmware on your Unifying receiver improves performance, adds new features and fixes security issues.
  Plugin: unifying
  Flags: allow-online|supported|needs-bootloader
  DeviceVendor: Logitech
  Version: 012.001.00019
  VersionBootloader: BL.002.014
  Created: 2018-07-05
  AppstreamId: com.logitech.Unifying.RQR12.firmware
  Summary: Firmware for the Logitech Unifying receiver
  UpdateDescription: This release addresses an unencrypted keystroke injection issue known as Bastille security issue #11. The vulnerability is complex to replicate and would require a hacker to be physically close to a target.
  UpdateVersion: RQR12.07_B0029
  UpdateHash: d0d33e760ab6eeed6f11b9f9bd7e83820b29e970
  UpdateChecksumKind: sha1
  License: Proprietary
  UpdateUri: 16dK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6X3N6%4g2H3k6q4)9J5k6h3!0J5k6#2)9J5c8X3c8G2N6$3&6D9L8$3q4V1M7#2)9J5c8U0V1K6z5r3k6W2j5K6l9^5x3U0j5#2x3X3x3$3x3o6y4S2x3h3y4V1j5h3k6V1k6e0N6U0k6o6t1#2k6o6M7$3j5X3q4S2k6r3x3%4x3r3c8Q4x3X3c8x3L8$3N6A6N6r3g2U0K9q4)9J5k6q4g2F1K9h3k6&6K9h3&6Y4i4K6u0V1f1W2q4d9x3e0u0Q4x3X3f1H3y4#2)9#2k6V1t1H3x3o6t1&6i4K6u0W2j5$3q4T1
  UrlHomepage: 2e1K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4y4#2M7s2m8G2M7Y4c8Q4x3X3g2D9L8$3N6A6N6r3g2U0K9q4)9J5k6h3y4G2L8g2)9J5c8X3g2F1i4K6u0V1N6i4y4Q4x3V1k6K6L8$3k6@1N6$3q4J5k6g2)9J5c8Y4g2F1K9h3k6&6K9h3&6Y4
  Vendor: Logitech
  Trusted: none
2. Flash the MouseJack firmware. Project (link obfuscated by the forum): ee4K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6n7j5i4y4@1K9h3I4D9k6g2u0W2M7$3g2S2M7X3y4Z5i4K6u0r3L8h3!0#2M7$3g2B7j5h3y4C8
~$ lsusb
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 004: ID 17ef:1004 Lenovo Integrated Webcam
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 002: ID 08ff:2810 AuthenTec, Inc. AES2810
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 006: ID 046d:c52f Logitech, Inc. Unifying Receiver
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver (the M/N:C-U0007 Unifying receiver)
Bus 003 Device 006: ID 046d:c52f Logitech, Inc. Unifying Receiver (the M/N:C-U0007 Nano receiver)
Because the flashing code looks for 046d:c52b, the two do not conflict.
~$ cd mousejack/
~/mousejack$ cd nrf-research-firmware/
~/mousejack/nrf-research-firmware$ sudo make
.................. omitted ......................
~/mousejack/nrf-research-firmware$ sudo make logitech_install
./prog/usb-flasher/logitech-usb-flash.py bin/dongle.formatted.bin bin/dongle.formatted.ihx
[2018-07-05 14:59:39.009] Computing the CRC of the firmware image
[2018-07-05 14:59:39.092] Preparing USB payloads
[2018-07-05 14:59:39.180] Found Logitech Unifying dongle - HID mode
[2018-07-05 14:59:39.181] Detaching kernel driver from Logitech dongle - HID mode
[2018-07-05 14:59:39.238] Putting dongle into firmware update mode
[2018-07-05 14:59:39.244] 10:FF:8F:81:F1:03:00
[2018-07-05 14:59:39.247] 10:FF:81:F1:01:12:01
[2018-07-05 14:59:40.819] Found Logitech Unifying dongle - firmware update mode
[2018-07-05 14:59:40.819] Putting dongle into firmware update mode - firmware update mode
[2018-07-05 14:59:40.837] Initializing firmware update
[2018-07-05 14:59:40.842] 80:00:00:06:00:00:67:FF:02:00:46:C6:B6:FF:9E:7E:81:48:4A:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:40.850] Clearing existing flash memory up to boootloader
[2018-07-05 14:59:40.875] 30:00:00:01:FF:00:67:FF:02:00:46:C6:B6:FF:9E:7E:81:48:4A:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:40.900] 30:02:00:01:FF:00:67:FF:02:00:46:C6:B6:FF:9E:7E:81:48:4A:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:40.926] 30:04:00:01:FF:00:67:FF:02:00:46:C6:B6:FF:9E:7E:81:48:4A:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:40.952] 30:06:00:01:FF:00:67:FF:02:00:46:C6:B6:FF:9E:7E:81:48:4A:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
.................. omitted ......................
[2018-07-05 14:59:42.166] Transferring the new firmware
[2018-07-05 14:59:42.170] 20:00:01:0F:00:6B:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:04:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:42.174] 20:00:10:10:FF:FF:FF:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:42.178] 20:00:20:10:FF:FF:FF:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
.................. omitted ......................
[2018-07-05 14:59:48.902] Mark firmware update as completed
[2018-07-05 14:59:49.285] 20:00:00:01:02:6B:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:FF:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
[2018-07-05 14:59:49.285] Restarting dongle into research firmware mode
[2018-07-05 14:59:49.289] 70:00:00:00:02:6B:32:FF:FF:FF:FF:FF:FF:FF:32:FF:FF:FF:FF:FF:6F:6F:6E:BC:09:4A:00:00:E4:3E:BF:FE
At this point the flash has completed successfully.
Check again:
~/mousejack/nrf-research-firmware$ lsusb
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 006: ID 1915:0102 Nordic Semiconductor ASA
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 004: ID 17ef:1004 Lenovo Integrated Webcam
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 002: ID 08ff:2810 AuthenTec, Inc. AES2810
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 006: ID 046d:c52f Logitech, Inc. Unifying Receiver
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Before: Bus 006 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver
After: Bus 006 Device 006: ID 1915:0102 Nordic Semiconductor ASA
ID 1915:0102 is the one ID the dongle reports after a successful flash.
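The two facts above give a defender a cheap inventory check: a stock Unifying receiver enumerates as 046d:c52b, a dongle carrying the research firmware enumerates as 1915:0102 (Nordic Semiconductor ASA), and the fwupdmgr record from step 1 tells you both the chip family (a "Version:" starting with 012 is an RQR12 / nRF24LU1P receiver) and whether the firmware that fixes Bastille issue #11 is still pending. The script below is an added example, not code from this post or from the mousejack project; it parses constructed lsusb lines and a constructed fwupdmgr record shaped like the ones shown above. One assumption not stated on the page: the triplet version 012.001.00019 is treated as the same release as RQR12.01_B0019, so both spellings are normalized to (major, minor, build) before comparison.

```python
"""Inventory check for Logitech Unifying receivers (added example; assumptions noted inline)."""
import re
from typing import Dict, List, Optional, Tuple

STOCK_UNIFYING = ("046d", "c52b")   # Unifying receiver on stock firmware (from the post's lsusb)
NANO_RECEIVER = ("046d", "c52f")    # the post's Nano receiver
NORDIC_RESEARCH = ("1915", "0102")  # what the dongle reports after the research firmware is flashed

LSUSB_RE = re.compile(r"Bus (\d+) Device (\d+): ID ([0-9a-f]{4}):([0-9a-f]{4}) (.*)")


def parse_lsusb(text: str) -> List[Dict[str, str]]:
    """Turn lsusb output into one dict per device line (bus, dev, vid, pid, desc)."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            bus, dev, vid, pid, desc = m.groups()
            devices.append({"bus": bus, "dev": dev, "vid": vid, "pid": pid, "desc": desc})
    return devices


def classify_receivers(devices: List[Dict[str, str]]) -> List[str]:
    """One finding per Logitech/Nordic dongle; unrelated USB devices are ignored."""
    findings = []
    for d in devices:
        key = (d["vid"], d["pid"])
        where = f"bus {d['bus']} dev {d['dev']}"
        if key == STOCK_UNIFYING:
            findings.append(f"{where}: Unifying receiver, stock firmware")
        elif key == NANO_RECEIVER:
            findings.append(f"{where}: Nano receiver (046d:c52f)")
        elif key == NORDIC_RESEARCH:
            findings.append(f"{where}: 1915:0102 Nordic - research firmware, not a stock receiver")
    return findings


KEY_VALUE_RE = re.compile(r"^\s*([A-Za-z]+):\s*(.*)$")


def parse_fwupd_record(text: str) -> Dict[str, str]:
    """Parse the 'Key: value' lines of one fwupdmgr device record."""
    record = {}
    for line in text.splitlines():
        m = KEY_VALUE_RE.match(line)
        if m:
            record[m.group(1)] = m.group(2).strip()
    return record


TRIPLET_RE = re.compile(r"^(\d{3})\.(\d{3})\.(\d{5})$")   # e.g. 012.001.00019
RQR_RE = re.compile(r"^RQR(\d{2})\.(\d{2})_B(\d{4})$")    # e.g. RQR12.07_B0029


def normalize_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Map either version spelling to (major, minor, build); None if unrecognised.
    Assumption: 012.001.00019 and RQR12.01_B0019 name the same release."""
    for rx in (TRIPLET_RE, RQR_RE):
        m = rx.match(version)
        if m:
            major, minor, build = (int(x) for x in m.groups())
            return (major, minor, build)
    return None


def unifying_firmware_status(record: Dict[str, str]) -> Dict[str, object]:
    """Chip family from the version prefix, plus whether the offered update is newer."""
    current = normalize_version(record.get("Version", ""))
    available = normalize_version(record.get("UpdateVersion", ""))
    family = None
    if current is not None:
        family = {12: "RQR12 (nRF24LU1P)", 24: "RQR24 (TI-based, per the post)"}.get(
            current[0], f"RQR{current[0]:02d}")
    return {
        "family": family,
        "is_nrf24lu1p": current is not None and current[0] == 12,
        "update_pending": current is not None and available is not None and available > current,
        "current": current,
        "available": available,
    }


# Constructed sample input, shaped like the post's before/after lsusb output.
SAMPLE_LSUSB = """\
Bus 006 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 003 Device 006: ID 046d:c52f Logitech, Inc. Unifying Receiver
Bus 006 Device 006: ID 1915:0102 Nordic Semiconductor ASA
"""

# Constructed sample record, one key per line, using the version values from the post.
SAMPLE_FWUPD = """\
DeviceID: usb:00:02
Version: 012.001.00019
VersionBootloader: BL.002.014
UpdateVersion: RQR12.07_B0029
UpdateChecksumKind: sha1
"""

if __name__ == "__main__":
    for finding in classify_receivers(parse_lsusb(SAMPLE_LSUSB)):
        print(finding)
    print(unifying_firmware_status(parse_fwupd_record(SAMPLE_FWUPD)))
```

On a real host, feed it `lsusb` and `fwupdmgr get-devices` output instead of the samples; a 1915:0102 device where a Unifying receiver used to be, or an RQR12 receiver with `update_pending` true, is the condition worth flagging.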
Test results:
~/mousejack/nrf-research-firmware/tools$ sudo ./nrf24-scanner.py
[2018-07-05 15:08:26.043] 41 10 45:CD:9A:91:08 00:C2:00:00:00:20:00:00:00:1E
[2018-07-05 15:08:26.079] 41 0 45:CD:9A:91:08
[2018-07-05 15:08:34.494] 41 10 45:CD:9A:91:08 00:C2:00:00:07:D0:FF:00:00:68
[2018-07-05 15:08:34.502] 41 10 45:CD:9A:91:08 00:C2:00:00:07:B0:FF:00:00:88
[2018-07-05 15:08:34.542] 41 10 45:CD:9A:91:08 00:C2:00:00:04:A0:FF:00:00:9B
[2018-07-05 15:08:34.573] 41 10 45:CD:9A:91:08 00:C2:00:00:04:80:FF:00:00:BB
[2018-07-05 15:08:34.925] 45 10 45:CD:9A:91:08 00:C2:00:00:FC:1F:00:00:00:23
[2018-07-05 15:08:35.000] 45 0 45:CD:9A:91:08
[2018-07-05 15:08:43.425] 45 10 45:CD:9A:91:08 00:C2:00:00:F9:DF:00:00:00:66
[2018-07-05 15:08:51.431] 41 10 45:CD:9A:91:08 00:C2:00:00:F8:8F:FF:00:00:B8
[2018-07-05 15:08:51.462] 41 10 45:CD:9A:91:08 00:C2:00:00:FF:8F:FF:00:00:B1
[2018-07-05 15:08:51.483] 41 10 45:CD:9A:91:08 00:C2:00:00:04:60:FF:00:00:DB
[2018-07-05 15:08:51.897] 45 0 45:CD:9A:91:08
The official project only provides test code; it is not a finished tool.
Another project (link obfuscated by the forum): acdK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6A6j5h3#2U0K9$3&6Q4x3V1k6E0L8%4g2K6k6h3A6S2j5$3E0Q4y4h3k6@1M7X3q4F1M7$3#2A6N6l9
MouseJack components:
Scanner: nrf24-scanner.py
Sniffer: nrf24-sniffer.py
Replay/transmit: nrf24-replay.py
Network mapper: nrf24-network-mapper.py
Continuous tone test: nrf24-continuous-tone-test.py
Packet generator script: keymapper.py