sgxgsx / BlueToolkit

BlueToolkit is an extensible Bluetooth Classic vulnerability testing framework that helps uncover new and old vulnerabilities in Bluetooth-enabled devices. Could be used in the vulnerability research, penetration testing and bluetooth hacking. We also collected and classified Bluetooth vulnerabilities in an "Awesome Bluetooth Security" way
MIT License

Exec error and Bluetooth module not found #3

Open Steso871 opened 2 months ago

Steso871 commented 2 months ago

Hello!

When I'm testing a device I get this error "/bin/sh: 1: ./poc_badchoice_cve_2020_12352: Exec format error"

I also get this "ModuleNotFoundError: No module named 'bluetooth'"

I'm using a NetHunter device and tried both the internal BT and a USB BT and get the same error.

Any way to fix that?

Thanks!

sgxgsx commented 2 months ago

Hi, please show me the following:

Steso871 commented 2 months ago

Hello!

  1. First I type source /usr/share/BlueToolkit/.venv/bin/activate, then I run sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -r, after that I run sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF
  2. I think it's using 3.11 because it shows some attribute error and points to a .venv/lib/python3.11 folder
  3. If I type python -V it says 3.11.9
  4. .venv is an environment, right? I'm kinda new to this

This was in the application log file; I could guess these are errors:

blueborne_CVE_2017_0785', 4, 'Error during extracting information from the regex'],

b'BLUEEXPLOITER DATA: code=1, data=SSP supported, secure cryptography is used, there might be a problem with Message Intergrity\n')

INFO:root:Engine.process_raw_data -> Error during extracting information from the regex 'NoneType' object has no attribute 'group'

File "/usr/share/BlueToolkit/.venv/lib/python3.11/site-packages/scapy/base_classes.py", line 399, in __call__
    i.__init__(*args, **kargs)
File "/usr/share/BlueToolkit/.venv/lib/python3.11/site-packages/scapy/packet.py", line 188, in __init__
    raise AttributeError(fname)
AttributeError: type

File "/usr/share/BlueToolkit/modules/tools/custom_exploits/bluekit_legacy_pairing_second_check.py", line 34, in <module>
    check_for_legacy_pairing(target=args.target)
File "/usr/share/BlueToolkit/modules/tools/custom_exploits/bluekit_legacy_pairing_second_check.py", line 19, in check_for_legacy_pairing
    if line.strip.startswith("> HCI Event: PIN Code Request"):
       ^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'builtin_function_or_method' object has no attribute 'startswith'

Thank you
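The two tracebacks in the log above point at two small Python mistakes that are easy to make in a log parser: `line.strip` without parentheses is the bound method object rather than the stripped string, so it has no `startswith`, and `re.search` returns `None` for a line that does not match, so calling `.group()` on that result is the "'NoneType' object has no attribute 'group'" error. The following is an added illustration, not code from BlueToolkit: the sample lines are constructed to look like hcidump output, the address is the placeholder used throughout this issue, and the function names are my own.

```python
import re
from typing import List, Optional, Tuple

# Constructed hcidump-style lines (not a real capture); the address is the
# placeholder used throughout the issue.
SAMPLE_HCI_LINES: List[str] = [
    "< HCI Command: Create Connection (0x01|0x0005) plen 13",
    "> HCI Event: Command Status (0x0f) plen 4",
    "> HCI Event: Connect Complete (0x03) plen 11",
    "    status 0x00 handle 11 bdaddr AA:BB:CC:DD:EE:FF type ACL encrypt 0x00",
    "> HCI Event: PIN Code Request (0x16) plen 6",
    "    bdaddr AA:BB:CC:DD:EE:FF",
]


def buggy_check(lines: List[str]) -> bool:
    """Reproduces the second traceback: `line.strip` (no parentheses) is the
    bound method object, and a method has no `startswith`, so this raises
    AttributeError on the first line it examines."""
    for line in lines:
        if line.strip.startswith("> HCI Event: PIN Code Request"):  # bug kept on purpose
            return True
    return False


def legacy_pairing_requested(lines: List[str]) -> bool:
    """Corrected check: True if the controller asked for a PIN code, i.e. the
    remote device negotiated legacy (pre-SSP) pairing instead of SSP."""
    return any(line.strip().startswith("> HCI Event: PIN Code Request") for line in lines)


# Pulls the ACL handle and peer address out of a Connect Complete detail line.
HANDLE_RE = re.compile(r"handle\s+(\d+)\s+bdaddr\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")


def extract_handle(lines: List[str]) -> Optional[Tuple[int, str]]:
    """Guarded regex extraction. re.search returns None for lines that do not
    match; calling .group() on that None is exactly the "'NoneType' object has
    no attribute 'group'" error from the application log, so the match is
    tested first and the caller gets None instead of a crash."""
    for line in lines:
        match = HANDLE_RE.search(line)
        if match is not None:
            return int(match.group(1)), match.group(2)
    return None


if __name__ == "__main__":
    print("legacy pairing requested:", legacy_pairing_requested(SAMPLE_HCI_LINES))
    print("connection:", extract_handle(SAMPLE_HCI_LINES))
    print("no match on empty input:", extract_handle([]))
```

The point of the guarded version is that a device which never produces the expected line (SSP-only, connection refused, capture empty) yields a clean "not found" result that the engine can record, instead of a traceback that hides the real outcome of the check.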

sgxgsx commented 2 months ago

I fixed an issue with bluekit_legacy_pairing_second_check.py, but I cannot find a reference to the problem you mentioned when you opened the issue.

You get "ModuleNotFoundError: No module named 'bluetooth'" because you don't have pybluez library for some unknown reason.

  1. Could you please try the following command again and share a more detailed log (application.log) which shows how values propagated step by step and what the command looked like (it is logged):

    sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -e bleedingtooth_badchoice_cve_2020_12352

Steso871 commented 2 months ago

application.log

Hope this helps :)

Thanks

sgxgsx commented 1 month ago

Hi @Steso871 From the application log I see that this specific exploit works fine. I assume you didn't have any errors this time.


INFO:root:Engine.construct_exploit_command -> exploit_command list -> ['./poc_badchoice_cve_2020_12352', 'AA:BB:CC:DD:EE:FF']
INFO:root:Engine.construct_exploit_command -> exploit command together -> ./poc_badchoice_cve_2020_12352 AA:BB:CC:DD:EE:FF
INFO:root:Engine.execute_command -> chdir to /usr/share/BlueToolkit/modules/tools/bleedingtooth/
INFO:mylogger:Starting the next exploit - name bleedingtooth_badchoice_cve_2020_12352 and command ['./poc_badchoice_cve_2020_12352', 'AA:BB:CC:DD:EE:FF']
INFO:root:Engine.execute_command -> sleeping for 20 seconds
INFO:root:Engine.execute_command -> command.communicate (b'', None)
INFO:root:Engine.execute_command -> data -> (True, b'')
INFO:mylogger:from_directory: false, is not yet implemented
INFO:root:Blueexploiter.test_one_by_one -> done exploits - [['bleedingtooth_badchoice_cve_2020_12352', 1, '0']]
INFO:root:Rport - save_data -> document -> {'code': 1, 'data': '0'}

Steso871 commented 1 month ago

> Hi @Steso871 From the application log I see that this specific exploit works fine. I assume you didn't have any errors this time.
>
> INFO:root:Engine.construct_exploit_command -> exploit_command list -> ['./poc_badchoice_cve_2020_12352', 'AA:BB:CC:DD:EE:FF']
> INFO:root:Engine.construct_exploit_command -> exploit command together -> ./poc_badchoice_cve_2020_12352 AA:BB:CC:DD:EE:FF
> INFO:root:Engine.execute_command -> chdir to /usr/share/BlueToolkit/modules/tools/bleedingtooth/
> INFO:mylogger:Starting the next exploit - name bleedingtooth_badchoice_cve_2020_12352 and command ['./poc_badchoice_cve_2020_12352', 'AA:BB:CC:DD:EE:FF']
> INFO:root:Engine.execute_command -> sleeping for 20 seconds
> INFO:root:Engine.execute_command -> command.communicate (b'', None)
> INFO:root:Engine.execute_command -> data -> (True, b'')
> INFO:mylogger:from_directory: false, is not yet implemented
> INFO:root:Blueexploiter.test_one_by_one -> done exploits - [['bleedingtooth_badchoice_cve_2020_12352', 1, '0']]
> INFO:root:Rport - save_data -> document -> {'code': 1, 'data': '0'}

Yes, but when I'm running sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF I still get exec errors on the same exploits. Maybe I have to run them one by one instead?

sgxgsx commented 1 month ago

@Steso871 Nope, it means there is an issue, you should be able to run the exploits all one by one with the command you mentioned.

Steso871 commented 1 month ago

application.log

Here is the whole log.

What is the real reason for hiding the MAC?

sgxgsx commented 1 month ago

Hi again @Steso871

Could you please delete the log and run the command again until you get an error? (The log doesn't contain the execution of that specific exploit at all.)

  1. Delete a log
    sudo rm -rf /usr/share/BlueToolkit/bluekit/.logs/application.log
  2. run your commands again.
    
    source /usr/share/BlueToolkit/.venv/bin/activate
    sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -r
    sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF


It's up to you to hide your MAC address, same as some would hide their IP. Generally it is considered public information, as one can get it from the air, for example with Blue's Clues, if you have your BT switched on, even in non-discoverable mode.

Steso871 commented 1 month ago

application.log terminal.txt

I added what I see in the terminal when I run the script.

Yes, but an IP is like my home address and my Bluetooth MAC is like my pet's name? If someone wants to attack my Bluetooth address they have to know where I live and be close to me to do anything bad, or am I wrong?

sgxgsx commented 1 month ago

Thanks for the info.

I didn't intend the tool to work on the mobile platforms and this might be one of the reasons why some of the exploits fail. First let's check whether it's a binary problem.

I need you to do the following:

cd /usr/share/BlueToolkit/modules/tools/bleedingtooth
./poc_badchoice_cve_2020_12352 AA:BB:CC:DD:EE:FF # if needed adjust a format as told by the exploits

If it doesn't look like it's working do the following:

rm -f poc_badchoice_cve_2020_12352 # if needed use sudo
gcc -o poc_badchoice_cve_2020_12352 poc_badchoice_cve_2020_12352.c -lbluetooth
./poc_badchoice_cve_2020_12352 AA:BB:CC:DD:EE:FF  # if needed adjust a format as told by the exploits

Steso871 commented 1 month ago

Sorry for late reply.

I assume I just type what you asked (I'm a beginner with this). The output is:

/usr/share/BlueToolkit/modules/tools/bleedingtooth
./poc_badchoice_cve_2020_12352 AA:BB:CC:DD:EE:FF # if needed adjust a format as told by the exploits
zsh: exec format error: ./poc_badchoice_cve_2020_12352

The output of the last commands is:

rm -f poc_badchoice_cve_2020_12352 # if needed use sudo
gcc -o poc_badchoice_cve_2020_12352 poc_badchoice_cve_2020_12352.c -lbluetooth
./poc_badchoice_cve_2020_12352 AA:BB:CC:DD:EE:FF # if needed adjust a format as told by the exploits
cc1: fatal error: poc_badchoice_cve_2020_12352.c: No such file or directory
compilation terminated.
zsh: no such file or directory: ./poc_badchoice_cve_2020_12352

@sgxgsx

sgxgsx commented 1 month ago

@Steso871 That would be difficult to debug then as I don't have a nethunter device. I believe the problem is that you have an ARM architecture and binaries were compiled for x64.

You need to experiment by compiling exploits in bleedingtooth

You may git clone the following repo

git clone https://github.com/sgxgsx/bluetoothexploits

Then cd into the directory

cd bluetoothexploits/bleedingtooth

You have to remove poc_badchoice_cve_2020_12352 binary.

rm -f poc_badchoice_cve_2020_12352

You need to compile it

gcc -o poc_badchoice_cve_2020_12352 poc_badchoice_cve_2020_12352.c -lbluetooth

Then run the poc again

./poc_badchoice_cve_2020_12352 AA:BB:CC:DD:EE:FF

Fix all the problems along the way. If it says there is no library x to compile - install it and try again.

Additionally find out your architecture by running (should be arm****)

uname -a

If you fail and cannot do that, then the best and fastest way to solve your problem is to use a Linux device or a VM with Vagrant.
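The "exec format error" the shell reports is the kernel refusing to load an ELF whose `e_machine` field does not match the CPU it is asked to run on, which is what the x64-binary-on-ARM explanation above comes down to. The following added check is my own code, not part of BlueToolkit or bluetoothexploits: it reads the first bytes of a binary, decodes `e_machine` and compares it with what `uname -m` / `platform.machine()` reports, so a directory of prebuilt PoC binaries can be screened before anything is executed. The sample headers are constructed, and the assumption that a 64-bit kernel runs 32-bit binaries of the same family depends on compat support being enabled in that kernel.

```python
import platform
import struct
from typing import Dict, Set

# e_machine values from the ELF specification (only the ones relevant here)
ELF_MACHINES: Dict[int, str] = {
    0x03: "x86",
    0x28: "arm",
    0x3E: "x86_64",
    0xB7: "aarch64",
}

# Names that uname -m / platform.machine() report for each ELF architecture
HOST_NAMES: Dict[str, Set[str]] = {
    "x86": {"i386", "i486", "i586", "i686"},
    "x86_64": {"x86_64", "amd64"},
    "arm": {"armv6l", "armv7l", "armv8l"},
    "aarch64": {"aarch64", "arm64"},
}

# 32-bit binaries that a 64-bit kernel of the same family usually runs via its
# compat layer (assumption: that compat support is enabled in the kernel)
COMPAT_RUNS = {("x86", "x86_64"), ("arm", "aarch64")}


def elf_machine(header: bytes) -> str:
    """Decode e_machine from the first 20 bytes of an ELF file."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    # EI_DATA (byte 5) selects the byte order of the remaining header fields
    endian = "<" if header[5] == 1 else ">"
    (e_machine,) = struct.unpack_from(endian + "H", header, 18)
    return ELF_MACHINES.get(e_machine, "unknown(0x%x)" % e_machine)


def host_arch(machine: str) -> str:
    """Map a uname -m style name onto the ELF architecture names used above."""
    for arch, names in HOST_NAMES.items():
        if machine in names:
            return arch
    return machine


def diagnose(header: bytes, machine: str) -> str:
    """Say whether this binary can be loaded on a host reporting `machine`."""
    target = elf_machine(header)
    host = host_arch(machine)
    if target == host or (target, host) in COMPAT_RUNS:
        return "ok: binary is %s, host is %s" % (target, machine)
    return ("mismatch: binary is %s but host is %s, expect 'Exec format error'; "
            "rebuild it from source on this host" % (target, machine))


def check_file(path: str) -> str:
    """Diagnose a binary on disk against the machine this script runs on."""
    with open(path, "rb") as f:
        return diagnose(f.read(64), platform.machine())


# Constructed 64-byte ELF64 little-endian headers with only the fields that
# matter for the check filled in: e_ident, e_type = ET_EXEC, e_machine.
def _fake_header(e_machine: int) -> bytes:
    e_ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9   # 64-bit, LSB, SYSV
    return e_ident + struct.pack("<HH", 2, e_machine) + b"\x00" * 44


X86_64_HEADER = _fake_header(0x3E)
AARCH64_HEADER = _fake_header(0xB7)


if __name__ == "__main__":
    print(diagnose(X86_64_HEADER, "aarch64"))
    print(diagnose(AARCH64_HEADER, "aarch64"))
```

On the device itself, `check_file("/usr/share/BlueToolkit/modules/tools/bleedingtooth/poc_badchoice_cve_2020_12352")` (the path from the log above) answers the question without a trial run; the `file` command prints the same architecture information if Python is not convenient. A mismatch means the binary has to be rebuilt from its `.c` source on that host, as the instructions above describe.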

Steso871 commented 1 month ago

I got no error at all, but it's stuck. I let it go for an hour. @sgxgsx

root@kali:/bluetoothexploits/bleedingtooth# ./poc_badchoice_cve_2020_12352 AA:BB:CC:DD:EE:FF
[*] Resetting hci0 device...
[*] Opening hci device...
[*] Connecting to victim...
[+] HCI handle: 4b
[*] Creating AMP channel...
[*] Configuring to L2CAP_MODE_BASIC...
[*] Sending malicious AMP info request...

sgxgsx commented 1 month ago

@Steso871 If I remember right, this exploit waits for the connection to the device to be established.

Can you let me know whether the exploit works only when you execute it directly, and not when you execute it via BlueToolkit?