base on 🚨 CVE-2023-45866 - BlueDucky Implementation (Using DuckyScript) 🔓 Unauthenticated Peering Leading to Code Execution (Using HID Keyboard) # BlueDucky Ver 2.1 (Android) 🦆 Thanks to all the people at HackNexus. Make sure you come join us on VC ! https://discord.gg/HackNexus NOTES: I will not be able to run this on a laptop or other device outside of a raspberry pi for testing. Due to this, any issues you have will need to be resolved amonsgt each other as I do not have the spare funds to buy an adapter. 1. [saad0x1's GitHub](https://github.com/saad0x1) 2. [spicydll's GitHub](https://github.com/spicydll) 3. [lamentomori's GitHub](https://github.com/lamentomori) <p align="center"> <img src="./images/duckmenu.png"> </p> 🚨 CVE-2023-45866 - BlueDucky Implementation (Using DuckyScript) 🔓 Unauthenticated Peering Leading to Code Execution (Using HID Keyboard) [This is an implementation of the CVE discovered by marcnewlin](https://github.com/marcnewlin/hi_my_name_is_keyboard) <p align="center"> <img src="./images/BlueDucky.gif"> </p> ## Introduction 📢 BlueDucky is a powerful tool for exploiting a vulnerability in Bluetooth devices. By running this script, you can: 1. 📡 Load saved Bluetooth devices that are no longer visible but have Bluetooth still enabled. 2. 📂 Automatically save any devices you scan. 3. 💌 Send messages via ducky script format to interact with devices. I've successfully run this on a Raspberry Pi 4 using the default Bluetooth module. It works against various phones, with an interesting exception for a New Zealand brand, Vodafone. ## Installation and Usage 🛠️ ### Setup Instructions for Debian-based ```bash # update apt sudo apt-get update sudo apt-get -y upgrade # install dependencies from apt sudo apt install -y bluez-tools bluez-hcidump libbluetooth-dev \ git gcc python3-pip python3-setuptools \ python3-pydbus # install pybluez from source git clone https://github.com/pybluez/pybluez.git cd pybluez sudo python3 setup.py install # build bdaddr from the bluez source cd ~/ git clone --depth=1 https://github.com/bluez/bluez.git gcc -o bdaddr ~/bluez/tools/bdaddr.c ~/bluez/src/oui.c -I ~/bluez -lbluetooth sudo cp bdaddr /usr/local/bin/ ``` ### Setup Instructions for Arch-based ```bash # update pacman & packages sudo pacman -Syyu # install dependencies # since arch doesn't separate lib packages: libbluetooth-dev included in bluez package sudo pacman -S bluez-tools bluez-utils bluez-deprecated-tools \ python-setuptools python-pydbus python-dbus git gcc python-pip \ # install pybluez from source git clone https://github.com/pybluez/pybluez.git cd pybluez sudo python3 setup.py install # build bdaddr from the bluez source cd ~/ git clone --depth=1 https://github.com/bluez/bluez.git gcc -o bdaddr ~/bluez/tools/bdaddr.c ~/bluez/src/oui.c -I ~/bluez -lbluetooth sudo cp bdaddr /usr/local/bin/ ``` ## Running BlueDucky ```bash git clone https://github.com/pentestfunctions/BlueDucky.git cd BlueDucky sudo hciconfig hci0 up python3 BlueDucky.py ``` alternatively, ```bash pip3 install -r requirements.txt ``` ## Operational Steps 🕹️ 1. On running, it prompts for the target MAC address. 2. Pressing nothing triggers an automatic scan for devices. 3. Devices previously found are stored in known_devices.txt. 4. If known_devices.txt exists, it checks this file before scanning. 5. Executes using payload.txt file. 6. Successful execution will result in automatic connection and script running. ## Duckyscript 💻 🚧 Work in Progress: - Suggest me ideas ## Version 2.1 🐛 - Updated UI - Improved User Experience - Bluetooth Debugger; Checks your bluetooth adapters, and installed dependancies before allowing access to the application, this is to prevent devices that are not supported. - Please Note: Numerous Changes have been made,please reference the commit history for specific changes. ## What's Planned for the Next Release? - Integrated DuckyScript Console for attacks that want to maintain persistance, after a payload has been ran - Suggest What Should be added next! Join https://discord.gg/HackNexus #### 📝 Example payload.txt: ```bash REM Title of the payload STRING ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890!@#$%^&*()_-=+\|[{]};:'",<.>/? GUI D ``` ```bash REM Opens a private browser to hackertyper.net DELAY 200 ESCAPE GUI d ALT ESCAPE GUI b DELAY 700 REM PRIVATE_BROWSER is equal to CTRL + SHIFT + N PRIVATE_BROWSER DELAY 700 CTRL l DELAY 300 STRING hackertyper.net DELAY 300 ENTER DELAY 300 ``` ## Enjoy experimenting with BlueDucky! 🌟 ", Assign "at most 3 tags" to the expected json: {"id":"8926","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"