diff --git a/modules/hid/build_microsoft.go b/modules/hid/build_microsoft.go
index 1f32e308..746dab0b 100644
--- a/modules/hid/build_microsoft.go
+++ b/modules/hid/build_microsoft.go
@@ -36,6 +36,10 @@ func (b MicrosoftBuilder) frameFor(template []byte, cmd *Command) []byte {
 }
 func (b MicrosoftBuilder) BuildFrames(dev *network.HIDDevice, commands []*Command) error {
+ if dev == nil {
+ return fmt.Errorf("the microsoft frame injection requires the device to be visible")
+ }
+
 tpl := ([]byte)(nil)
 dev.EachPayload(func(p []byte) bool {
 if len(p) == 19 {
diff --git a/modules/hid/builders.go b/modules/hid/builders.go
index b48f8d90..d89fc9a7 100644
--- a/modules/hid/builders.go
+++ b/modules/hid/builders.go
@@ -16,3 +16,22 @@ var FrameBuilders = map[network.HIDType]FrameBuilder{
 network.HIDTypeAmazon: AmazonBuilder{},
 network.HIDTypeMicrosoft: MicrosoftBuilder{},
 }
+
+func availBuilders() []string {
+ return []string{
+ "logitech",
+ "amazon",
+ "microsoft",
+ }
+}
+
+func builderFromName(name string) FrameBuilder {
+ switch name {
+ case "amazon":
+ return AmazonBuilder{}
+ case "microsoft":
+ return MicrosoftBuilder{}
+ default:
+ return LogitechBuilder{}
+ }
+}
diff --git a/modules/hid/hid.go b/modules/hid/hid.go
index bf28899d..81ca9349 100644
--- a/modules/hid/hid.go
+++ b/modules/hid/hid.go
@@ -5,6 +5,7 @@ package hid
 import (
 "fmt"
+ "strings"
 "sync"
 "time"
@@ -29,6 +30,7 @@ type HIDRecon struct {
 writeLock *sync.Mutex
 sniffAddrRaw []byte
 sniffAddr string
+ sniffType string
 pingPayload []byte
 inSniffMode bool
 inPromMode bool
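Review bot: The new `dev == nil` guard at the top of `BuildFrames` in build_microsoft.go does not say why `dev` can be nil, and it is the only builder guarded in this commit. The hid_inject.go change appears to pass the result of a failed `mod.Session.HID.Get` lookup on to the builder, so a nil device is now an expected input. The Logitech and Amazon builders are not part of this diff, so confirm they never dereference `dev`. I would add `// dev is nil when the target is not visible and the type was forced with hid.force.type` above the check. The body of `BuildFrames` continues outside the hunk.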
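Review bot: `builderFromName` in builders.go returns `LogitechBuilder{}` from its `default` branch, so any name that is not exactly `amazon` or `microsoft`, including a typo or an empty string, silently selects the Logitech framing instead of being reported. The accepted names now also live in three places (`FrameBuilders`, `availBuilders` and this switch) that have to be updated together. I would add an explicit `case "logitech":` and have `default` return `nil` so the caller can fail with an error. Both helpers should also get a doc comment, for example `// builderFromName maps a hid.force.type value to its FrameBuilder.`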
@@ -121,6 +123,13 @@ func NewHIDRecon(s *session.Session) *HIDRecon {
 "500",
 "Time in milliseconds to automatically sniff payloads from a device, once it's detected, in order to determine its type."))
+ builders := availBuilders()
+
+ mod.AddParam(session.NewStringParameter("hid.force.type",
+ "logitech",
+ fmt.Sprintf("(%s)", strings.Join(builders, "|")),
+ fmt.Sprintf("If the device is not visible or its type has not being detected, force the device type to this value. Accepted values: %s", strings.Join(builders, ", "))))
+
 mod.parser = DuckyParser{mod}
 mod.selector = utils.ViewSelectorFor(&mod.SessionModule, "hid.show", []string{"mac", "seen"}, "mac desc")
diff --git a/modules/hid/hid_inject.go b/modules/hid/hid_inject.go
index 4ebe70ce..d8dd1363 100644
--- a/modules/hid/hid_inject.go
+++ b/modules/hid/hid_inject.go
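Review bot: The validator built by `fmt.Sprintf("(%s)", strings.Join(builders, "|"))` for `hid.force.type` is not anchored, so whether a value such as `amazon2` is rejected depends on how `session.NewStringParameter` applies the pattern, which this diff does not show. `builderFromName` would then fall back to Logitech for such a value, and `fmt.Sprintf("^(%s)$", strings.Join(builders, "|"))` removes the doubt. The help text reads "has not being detected" where "has not been detected" is meant. It also promises the forced type when a visible device's type is unknown, while `prepInjection` in hid_inject.go still returns `errNoType` in that case, so either the text or the code should change. `NewHIDRecon` starts and ends outside the hunk.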
@@ -46,19 +46,30 @@ func errNoKeyMap(layout string) error {
 }
 func (mod *HIDRecon) prepInjection() (error, *network.HIDDevice, []*Command) {
- // we can only inject onto visible connections
- dev, found := mod.Session.HID.Get(mod.sniffAddr)
- if found == false {
- return errNoDevice(mod.sniffAddr), nil, nil
+ var err error
+
+ if err, mod.sniffType = mod.StringParam("hid.force.type"); err != nil {
+ return err, nil, nil
 }
- // get the device specific protocol handler
- builder, found := FrameBuilders[dev.Type]
+ dev, found := mod.Session.HID.Get(mod.sniffAddr)
 if found == false {
- if dev.Type == network.HIDTypeUnknown {
- return errNoType(mod.sniffAddr), nil, nil
+ mod.Warning("device %s is not visible, will use HID type %s", tui.Yellow(mod.sniffType))
+ }
+
+ var builder FrameBuilder
+ if found {
+ // get the device specific protocol handler
+ builder, found = FrameBuilders[dev.Type]
+ if found == false {
+ if dev.Type == network.HIDTypeUnknown {
+ return errNoType(mod.sniffAddr), nil, nil
+ }
+ return errNotSupported(dev), nil, nil
 }
- return errNotSupported(dev), nil, nil
+ } else {
+ // get the device protocol handler from the hid.force.type parameter
+ builder = builderFromName(mod.sniffType)
 }
 // get the keymap from the selected layout
@@ -102,11 +113,16 @@ func (mod *HIDRecon) doInjection() {
 }
 }
+ devType := mod.sniffType
+ if dev != nil {
+ devType = dev.Type.String()
+ }
+
 mod.Info("sending %d (%s) HID frames to %s (type:%s layout:%s) ...",
 numFrames,
 humanize.Bytes(uint64(szFrames)),
 tui.Bold(mod.sniffAddr),
- tui.Yellow(dev.Type.String()),
+ tui.Yellow(devType),
 tui.Yellow(mod.keyLayout))
 for i, cmd := range cmds {
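Review bot: The added `mod.Warning` call in `prepInjection` (first hunk of hid_inject.go) has two `%s` verbs but only one argument, so the log prints the forced type where the address belongs and `%!s(MISSING)` for the type. It should read `mod.Warning("device %s is not visible, will use HID type %s", mod.sniffAddr, tui.Yellow(mod.sniffType))`. In the same branch `dev` keeps whatever `mod.Session.HID.Get` returned on a miss, presumably nil, and is carried forward, so every builder reachable through `builderFromName` has to tolerate a nil device. Only the Microsoft builder is guarded in this commit. The function continues past the end of the hunk.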