MouseJack: From Mouse to Shell – Part 1

What is MouseJack?

MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice. These peripherals are ‘connected’ to a host computer using a radio transceiver, commonly a small USB dongle. Since the connection is wireless, and mouse movements and keystrokes are sent over the air, it is possible to compromise a victim’s computer by transmitting specially-crafted radio signals using a device which costs as little as $15.

An attacker can launch the attack from up to 100 meters away. The attacker is able to take control of the target computer, without physically being in front of it, and type arbitrary text or send scripted commands. It is therefore possible to perform rapidly malicious activities without being detected.

https://www.mousejack.com/

Here’s a few other articles on MouseJack:

MouseJack was publicly disclosed February 23rd 2016 and in 2017 an exploit for this vulnerability was released named JackIt. JackIt is publicly available on GitHub for anyone to download. JackIt and a $34 device allows the attacker to run commands on your computer up to 100 meters away. Yes, this means someone can take over your computer sitting in a nearby parking lot or on the side of the road.

In actual testing I was able to complete attacks from 30-40 meters away when going through multiple walls and I have not yet tested line of sight distance.

Are you Affected?

Did you buy your mouse/keyboard before 2017? If so, you’re probably impacted. I have 3 wireless mice and all of them were vulnerable and at least one isn’t fixable. Of all the mice I tested that were currently being used by friends and coworkers only one was not vulnerable. This is a real threat because users do not replace mice until they die which could be 5+ years. There is a list of impacted devices here on Bastille’s site. Here is another list from the JackIt GitHub page:

We have successfully tested with the following hardware:
Microsoft Wireless Keyboard 800 (including keystroke logging)
Microsoft Wireless Mouse 1000
Microsoft Wireless Mobile Mouse 3500
Microsoft All-In-One Media Keyboard
Microsoft Sculpt Ergonomic Mouse
Logitech Wireless Touch Keyboard K400r
Logitech Marathon M705 Mouse
Logitech Wave M510 Mouse
Logitech Wireless Gaming Mouse G700s
Logitech Wireless M325 Mouse
Logitech K750 Wireless Keyboard
Logitech K320 Wireless Keyboard
Dell KM636 Wireless Mouse and Keyboard
AmazonBasics MG-0975 Wireless Mouse


Known to not work with:
Logitech M185 and M187 mice (red unifying dongle C-U0010)
All older 27MHz devices, such as:Microsoft Wireless Optical Mouse 2.0
Microsoft Wireless Notebook Optical Mouse 3000
Dell KM632 (on the roadmap)
HP wireless devices (on the roadmap)
Lenovo wireless devices (on the roadmap)

JackIt GitHub

What to do

If you are affected or think you are affected go to the vendors website and look for a way to update/patch the firmware in your mouse. This can be tricky depending on the vendor, especially because some mice/keyboards do not have updated firmware which means you have to accept the risk or buy a new mouse. You can always submit a support ticket with your vendor to get proper guidance. Worst case scenario use a corded mouse & keyboard. If you were able to fix your mouse and I do not have a link to the fix below please let me know.

Here’s a starting place for a couple vendors:

Logitech Unifying – This should fix most, if not all Logitech Unifying adapters

Microsoft

What are organizations doing about this vulnerability?

I was talking about this with a few of my colleagues and remediating this issue on a large scale is expensive and most options don’t guarantee success. What are you doing at your organization to remediate this risk or are you accepting the risk based on mitigating controls such as EDR/AV/IDS/IPS/etc? Please leave a comment below or contact me directly.

From Mouse to Shell

  • Download Kali
  • Purchase a Crazyradio PA
  • Flash the Crazyradio PA with Bastille’s MouseJack firmware – GitHub
  • Install JackIt – GitHub
  • Create a Ducky script – JackIt uses Ducky scripts to execute code. Not sure what a Ducky Script is? Check here
  • Download unicorn – GitHub
  • Run JackIt, rain shells

Ducky Script Example – This will pop notepad then type in the string

JackIt Execution – You can execute the Ducky script against all or chose by key

Here’s a video of the exploit

Download and run Unicorn

Choose your attack

I’ll use the PS Example attack

Move the powershell_attack.txt file to /var/www/html, start apache and start the listener

Create Ducky script

Start JackIt

JackIt Execution + Unicorn Reverse Shell

The End

And there we have it, reverse shell using the JackIt exploit. If Defender is enabled it will catch this and you will not get a shell. That goes for most of, if not all of the out of the box Unicorn shells. If your AV tool of choice detects this try a regular PowerShell reverse shell. That works surprisingly well on some vendors.

During Part 2 I’ll use this exploit with another tool to bypass Defender. Pen testers/hackers can literally sit in their car and rain shells up to 100 meters away. Stay tuned for more!

If you have any questions or feedback please post below or contact me directly.

Update: Part 2 came out on 3/10/19 and can be found here.

Sources:

toshellandback

BastilleResearch GitHub

MouseJack.com

JackIt GitHub

Featured Image – Bastille

Leave a Reply