Index
Description
“I just got this new keyboard from Vodaphone Portugal, but it looks like something fishy is going on. Could you help me?”
Solving
- Opening the pcap file, it turns out to be a USB communication capture.
The file was small and had USB_INTERRUPT events that encode key presses.
After a little bit of google-fu, I found that the `Leftover Capture Data` field has a series of 8 bytes strung together (the third byte is the Usage ID for the key pressed). Note that each value in the output shown below is 8 hex digits, i.e. 4 bytes.
So one way to decode this was to look at `Leftover Capture Data` and convert the key presses to human-readable output.
Knowing this, I extracted all `Leftover Capture Data` from the pcap file (`tshark -r dump.pcapng -T fields -e usb.capdata | grep .`) and created a Python script to help me decode the dumped data.
Output from the `tshark` command:
01000900
01000000
01000f00
01000000
01000400
01000000
01000a00
01000000
01202f00
...
01000000
01203000
01200000
01002800
01000000
#!/usr/bin/python3
import sys
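# USB HID keyboard Usage IDs (decimal) -> character or key name produced when
# no Shift modifier is held. IDs 1-3 are error/status codes in the HID usage
# table and carry no keystroke, hence None. IDs 58-78 and 81-83 (function and
# navigation keys) are intentionally absent, so callers must tolerate a
# missing key.
#
# 46 and 51 are "=" and ";" here: the shifted table maps them to "+" and ":",
# which are the Shift forms of "=" and ";" on a US layout.
lower_case_key = {
    1: None, 2: None, 3: None,
    4: "a", 5: "b", 6: "c", 7: "d", 8: "e", 9: "f",
    10: "g", 11: "h", 12: "i", 13: "j", 14: "k", 15: "l",
    16: "m", 17: "n", 18: "o", 19: "p", 20: "q", 21: "r",
    22: "s", 23: "t", 24: "u", 25: "v", 26: "w", 27: "x",
    28: "y", 29: "z",
    30: "1", 31: "2", 32: "3", 33: "4", 34: "5",
    35: "6", 36: "7", 37: "8", 38: "9", 39: "0",
    40: "Enter", 41: "esc", 42: "del", 43: "tab", 44: "space",
    45: "-", 46: "=", 47: "[", 48: "]", 49: "\\", 50: " ",
    51: ";", 52: "'", 53: "`", 54: ",", 55: ".", 56: "/",
    57: "CapsLock",
    79: "RightArrow", 80: "LeftArrow",
    # Keypad block.
    84: "/", 85: "*", 86: "-", 87: "+", 88: "Enter",
    89: "1", 90: "2", 91: "3", 92: "4", 93: "5",
    94: "6", 95: "7", 96: "8", 97: "9", 98: "0", 99: ".",
}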
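# USB HID keyboard Usage IDs (decimal) -> character or key name produced when
# a Shift modifier is held. IDs 1-3 are error/status codes in the HID usage
# table and carry no keystroke, hence None. IDs 58-78 and 81-83 are absent,
# so callers must tolerate a missing key.
#
# Usage ID 4 ("A") was missing, which made a shifted "a" raise KeyError in
# the decoder; it is included here so the letter range 4-29 is complete.
upper_case_key = {
    1: None, 2: None, 3: None,
    4: "A", 5: "B", 6: "C", 7: "D", 8: "E", 9: "F",
    10: "G", 11: "H", 12: "I", 13: "J", 14: "K", 15: "L",
    16: "M", 17: "N", 18: "O", 19: "P", 20: "Q", 21: "R",
    22: "S", 23: "T", 24: "U", 25: "V", 26: "W", 27: "X",
    28: "Y", 29: "Z",
    30: "!", 31: "@", 32: "#", 33: "$", 34: "%",
    35: "^", 36: "&", 37: "*", 38: "(", 39: ")",
    40: "Enter", 41: "esc", 42: "del", 43: "tab", 44: "space",
    45: "_", 46: "+", 47: "{", 48: "}", 49: "|", 50: " ",
    51: ":", 52: "\"", 53: "~", 54: "<", 55: ">", 56: "?",
    57: "CapsLock",
    79: "RightArrow", 80: "LeftArrow",
    # Keypad block (unchanged by Shift in this table).
    84: "/", 85: "*", 86: "-", 87: "+", 88: "Enter",
    89: "1", 90: "2", 91: "3", 92: "4", 93: "5",
    94: "6", 95: "7", 96: "8", 97: "9", 98: "0", 99: ".",
}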
def replace(res: str) -> str:
    """Return *res* with "[" -> "{", "]" -> "}" and "-" -> "_".

    Every occurrence is rewritten, so a bracket or hyphen that was really
    typed without Shift is converted as well. Treat the result as a
    convenience view of the keystrokes, not a faithful transcript.
    """
    # One single-pass translation table instead of three chained replaces;
    # none of the targets is also a source, so the result is the same.
    shifted_form = str.maketrans({"[": "{", "]": "}", "-": "_"})
    return res.translate(shifted_form)
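def main() -> str:
    """Decode a dump of USB HID keyboard reports into the text that was typed.

    Expects exactly one command-line argument: a text file holding one
    hex-encoded "Leftover Capture Data" value per line. For each report the
    third byte is read as the key Usage ID and looked up in
    ``upper_case_key`` or ``lower_case_key``.

    Lines that are not valid hex, are shorter than three bytes, or carry a
    Usage ID with no table entry are skipped with a message on stderr
    rather than aborting the whole decode.

    Returns:
        The decoded text after ``replace`` post-processing, or that
        post-processing of an empty string when the argument count is wrong.
    """
    res = ""
    if len(sys.argv) == 2:
        # File with the "Leftover Capture Data" field extracted from the pcap.
        with open(sys.argv[1]) as keycodes:
            for line_no, line in enumerate(keycodes, start=1):
                raw = line.strip()
                try:
                    report = bytearray.fromhex(raw)
                except ValueError:
                    # repr() keeps odd bytes from the capture off the terminal.
                    print(f"line {line_no}: not hex, skipped: {raw!r}",
                          file=sys.stderr)
                    continue
                if len(report) < 3:
                    # Blank or truncated report: there is no Usage ID byte.
                    if raw:
                        print(f"line {line_no}: short report, skipped: {raw!r}",
                              file=sys.stderr)
                    continue

                key_press = report[2]
                # Usage IDs 4..99 are the range the lookup tables cover.
                if key_press > 3 and key_press < 100:
                    # 0x02 / 0x20 are the left / right Shift modifier values.
                    # NOTE(review): in the sample rows shown in this writeup
                    # (e.g. 01202f00) the 0x20 sits in the second byte and the
                    # first byte is always 0x01, so this test would not match
                    # those rows; confirm the report layout of the capture
                    # before trusting the case of the output.
                    if report[0] == 0x02 or report[0] == 0x20:
                        table = upper_case_key
                    else:
                        table = lower_case_key
                    # The tables have gaps (58-78, 81-83), so look up with
                    # .get() instead of indexing and report what was dropped.
                    char = table.get(key_press)
                    if char is None:
                        print(f"line {line_no}: unmapped usage id "
                              f"{key_press}, skipped", file=sys.stderr)
                        continue
                    res += char
    else:
        print("python3 exploit.py file")
    return replace(res)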
# Decode and print only when run as a script, not when imported.
if __name__ == "__main__":
    decoded = main()
    print(decoded)
flag{usb_sniff_sniff}