
Exec error and Bluetooth module not found

Open Steso871 opened this issue 1 year ago • 15 comments

Hello!

When I'm testing a device I get this error "/bin/sh: 1: ./poc_badchoice_cve_2020_12352: Exec format error"

I also get this "ModuleNotFoundError: No module named 'bluetooth'"

I'm using a NetHunter device and tried both the internal BT and a USB BT adapter, and I get the same error.

Any way to fix that?

Thanks!

Steso871 avatar Jul 05 '24 19:07 Steso871

Hi, please show me the following:

  • How do you run the tool?
  • Which Python3 version do you run it with?
  • Are python3.10 and python3.11 available on the system?
  • Do you run it in an environment?
  • There is also a log file under /usr/share/BlueToolkit/bluekit/.logs/application.log that might help with the investigation. The log might leak information about your system/targets, so I'd recommend running the command again and showing only a small snippet of the issue. Also, anonymize MAC addresses and secrets if there are any.

sgxgsx avatar Jul 06 '24 15:07 sgxgsx

Hello!

  1. First I type source /usr/share/BlueToolkit/.venv/bin/activate, then I run sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -r, and after that I run sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF
  2. I think it's using 3.11 because it shows some attribute error and points to a .venv/lib/python3.11 folder
  3. If I type python -V it says 3.11.9
  4. .venv is an environment, right? I'm kinda new to this

This was in the application log file; I guess these are errors:

blueborne_CVE_2017_0785', 4, 'Error during extracting information from the regex'],

b'BLUEEXPLOITER DATA: code=1, data=SSP supported, secure cryptography is used, there might be a problem with Message Intergrity\n')

INFO:root:Engine.process_raw_data -> Error during extracting information from the regex 'NoneType' object has no attribute 'group'

File "/usr/share/BlueToolkit/.venv/lib/python3.11/site-packages/scapy/base_classes.py", line 399, in call i.init(*args, **kargs) File "/usr/share/BlueToolkit/.venv/lib/python3.11/site-packages/scapy/packet.py", line 188, in init raise AttributeError(fname) AttributeError: type

File "/usr/share/BlueToolkit/modules/tools/custom_exploits/bluekit_legacy_pairing_second_check.py", line 34, in check_for_legacy_pairing(target=args.target) File "/usr/share/BlueToolkit/modules/tools/custom_exploits/bluekit_legacy_pairing_second_check.py", line 19, in check_for_legacy_pairing if line.strip.startswith("> HCI Event: PIN Code Request"): ^^^^^^^^^^^^^^^^^^^^^ AttributeError: 'builtin_function_or_method' object has no attribute 'startswith'

Thank you

Steso871 avatar Jul 07 '24 16:07 Steso871

I fixed an issue with bluekit_legacy_pairing_second_check.py, but I cannot find a reference to the problem you mentioned when you opened the issue.

You get "ModuleNotFoundError: No module named 'bluetooth'" because you don't have the pybluez library, for some unknown reason.

  1. Could you please try the following command again and share a more detailed log (application.log) which shows how values propagated step by step and what the command looked like (it is logged):

sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -e bleedingtooth_badchoice_cve_2020_12352

sgxgsx avatar Jul 07 '24 23:07 sgxgsx

application.log

Hope this helps :)

Thanks

Steso871 avatar Jul 08 '24 18:07 Steso871

Hi @Steso871, from the application log I see that this specific exploit works fine. I assume you didn't have any errors this time.


INFO:root:Engine.construct_exploit_command -> exploit_command list -> ['./poc_badchoice_cve_2020_12352', 'AA:BB:CC:DD:EE:FF']
INFO:root:Engine.construct_exploit_command -> exploit command together -> ./poc_badchoice_cve_2020_12352 AA:BB:CC:DD:EE:FF
INFO:root:Engine.execute_command -> chdir to /usr/share/BlueToolkit/modules/tools/bleedingtooth/
INFO:mylogger:Starting the next exploit - name bleedingtooth_badchoice_cve_2020_12352 and command ['./poc_badchoice_cve_2020_12352', 'AA:BB:CC:DD:EE:FF']
INFO:root:Engine.execute_command -> sleeping for 20 seconds
INFO:root:Engine.execute_command -> command.communicate (b'', None)
INFO:root:Engine.execute_command -> data -> (True, b'')
INFO:mylogger:from_directory: false, is not yet implemented
INFO:root:Blueexploiter.test_one_by_one -> done exploits - [['bleedingtooth_badchoice_cve_2020_12352', 1, '0']]
INFO:root:Rport - save_data -> document -> {'code': 1, 'data': '0'}

sgxgsx avatar Jul 09 '24 18:07 sgxgsx

Yes, but when I'm running sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF I still get exec errors on the same exploits. Maybe I have to run them one by one instead?

Steso871 avatar Jul 13 '24 10:07 Steso871

@Steso871 Nope, it means there is an issue; you should be able to run all the exploits one by one with the command you mentioned.

  • Could you share the application log after you executed that command? sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF

sgxgsx avatar Jul 13 '24 15:07 sgxgsx

application.log

Here is the whole log.

What is the real reason for hiding the MAC?

Steso871 avatar Jul 13 '24 16:07 Steso871

Hi again @Steso871

Could you please delete the log and run the command again until you get an error? (The log doesn't contain the execution of that specific exploit at all.)

  1. Delete the log
sudo rm -rf /usr/share/BlueToolkit/bluekit/.logs/application.log
  2. Run your commands again.
source /usr/share/BlueToolkit/.venv/bin/activate
sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -r
sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF

It's up to you to hide your MAC address, same as some would hide their IP. Generally it is considered public information, as one can get it from the air, for example with Blue's Clues, if you have your BT switched on, even in non-discoverable mode.

sgxgsx avatar Jul 15 '24 18:07 sgxgsx

application.log terminal.txt

I added what I see in the terminal when I run the script.

Yes, but an IP is like my home address and my Bluetooth MAC is like my pet's name? If someone wants to attack my Bluetooth address they have to know where I live and be close to me to do anything bad, or am I wrong?

Steso871 avatar Jul 15 '24 21:07 Steso871

Thanks for the info.

I didn't intend the tool to work on the mobile platforms and this might be one of the reasons why some of the exploits fail. First let's check whether it's a binary problem.

I need you to do the following:

cd /usr/share/BlueToolkit/modules/tools/bleedingtooth
./poc_badchoice_cve_2020_12352 AA:BB:CC:DD:EE:FF # if needed adjust the format as told by the exploit
  • Do you have the binary poc_badchoice_cve_2020_12352?
  • Does the output look like the PoC is working? If yes, then the problem might be in how Bluekit executed the command through Python3 Popen.

If it doesn't look like it's working do the following:

rm -f poc_badchoice_cve_2020_12352 # if needed use sudo
gcc -o poc_badchoice_cve_2020_12352 poc_badchoice_cve_2020_12352.c -lbluetooth
./poc_badchoice_cve_2020_12352 AA:BB:CC:DD:EE:FF # if needed adjust the format as told by the exploit

sgxgsx avatar Jul 16 '24 00:07 sgxgsx

Sorry for late reply.

I assume I just type what you asked (I'm a beginner with this). The output is:

/usr/share/BlueToolkit/modules/tools/bleedingtooth ./poc_badchoice_cve_2020_12352 AA:BB:CC:DD:EE:FF # if needed adjust a format as told by the exploits zsh: exec format error: ./poc_badchoice_cve_2020_12352

The output of the last commands is:

rm -f poc_badchoice_cve_2020_12352 # if needed use sudo gcc -o poc_badchoice_cve_2020_12352 poc_badchoice_cve_2020_12352.c -lbluetooth ./poc_badchoice_cve_2020_12352 AA:BB:CC:DD:EE:FF # if needed adjust a format as told by the exploits cc1: fatal error: poc_badchoice_cve_2020_12352.c: No such file or directory compilation terminated. zsh: no such file or directory: ./poc_badchoice_cve_2020_12352

@sgxgsx

Steso871 avatar Jul 17 '24 21:07 Steso871

@Steso871 That would be difficult to debug then, as I don't have a NetHunter device. I believe the problem is that you have an ARM architecture and the binaries were compiled for x64.

You need to experiment by compiling the exploits in bleedingtooth.

You may git clone the following repo

git clone https://github.com/sgxgsx/bluetoothexploits

Then cd into the directory:

cd bluetoothexploits/bleedingtooth

You have to remove the poc_badchoice_cve_2020_12352 binary:

rm -f poc_badchoice_cve_2020_12352

You need to compile it:

gcc -o poc_badchoice_cve_2020_12352 poc_badchoice_cve_2020_12352.c -lbluetooth

Then run the PoC again:

./poc_badchoice_cve_2020_12352 AA:BB:CC:DD:EE:FF

Fix all the problems along the way. If it says there is no library x to compile, install it and try again.

Additionally, find out your architecture by running (it should be arm****):

uname -a

If you fail and cannot do that, then the best and fastest way to solve your problem is to use a Linux device or a VM with Vagrant.

sgxgsx avatar Jul 18 '24 00:07 sgxgsx
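A pre-flight check for the mismatch diagnosed above (a binary built for x86_64 being executed on an ARM host), as an added example that is not BlueToolkit's code: it reads the e_machine field of the ELF header, which the kernel consults before the shell reports "Exec format error", and compares it with the host architecture so a harness can report the cause instead of a bare exit code. The header-stub builder produces constructed test input, and all function names are my own.

```python
"""Explain 'Exec format error' before Popen'ing a binary: check ELF target vs host."""
import platform
import struct

# Subset of ELF e_machine codes; x86_64 vs aarch64 is the case in this thread.
ELF_MACHINES = {0x03: "x86", 0x28: "arm", 0x3E: "x86_64", 0xB7: "aarch64"}
# Normalise platform.machine() / `uname -m` spellings onto the same names.
HOST_ARCHES = {"x86_64": "x86_64", "amd64": "x86_64", "aarch64": "aarch64",
               "arm64": "aarch64", "armv7l": "arm", "armv8l": "arm", "i686": "x86"}


def elf_machine(header: bytes) -> str:
    """Architecture name encoded in an ELF header; ValueError if not ELF."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if header[5] == 1 else ">"          # EI_DATA: 1 little, 2 big
    (e_machine,) = struct.unpack_from(endian + "H", header, 18)  # e_machine @ 18
    return ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:x})")


def check_header(header: bytes, host_machine: str) -> tuple[bool, str]:
    """Return (runnable_here, reason) for a file whose first bytes are `header`."""
    host = HOST_ARCHES.get(host_machine, host_machine)
    if header[:2] == b"#!":                          # interpreter line: kernel is happy
        return True, "script with interpreter line"
    try:
        target = elf_machine(header)
    except ValueError:
        return False, "neither ELF nor #! script: kernel reports Exec format error"
    if target != host:
        return False, f"built for {target} but host is {host}: rebuild from source"
    return True, f"ELF for {target} matches host"


def preflight(path: str) -> tuple[bool, str]:
    """Read only the header of a binary on disk and check it against this host."""
    with open(path, "rb") as f:
        return check_header(f.read(64), platform.machine())


def make_elf_header(e_machine: int) -> bytes:
    """Constructed 20-byte little-endian ELF64 header stub (sample input only)."""
    return b"\x7fELF" + b"\x02\x01\x01\x00" + b"\x00" * 8 + struct.pack("<HH", 2, e_machine)


if __name__ == "__main__":
    # Reproduce the thread's situation: an x86_64 PoC on an aarch64 (NetHunter) host.
    print(check_header(make_elf_header(0x3E), "aarch64"))
    print(check_header(make_elf_header(0xB7), "aarch64"))
    print(check_header(b"echo hi\n", "aarch64"))     # script with no shebang
```

Calling preflight() on each exploit binary before Popen turns the opaque `(True, b'')` result seen in the log into a message naming the architecture mismatch.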

I got no error at all, but it's stuck. I let it go for an hour. @sgxgsx root@kali:/bluetoothexploits/bleedingtooth# ./poc_badchoice_cve_2020_12352 AA:BB:CC:DD:EE:FF [] Resetting hci0 device... [] Opening hci device... [] Connecting to victim... [+] HCI handle: 4b [] Creating AMP channel... [] Configuring to L2CAP_MODE_BASIC... [] Sending malicious AMP info request...

Steso871 avatar Jul 18 '24 15:07 Steso871

@Steso871 If I remember right, this exploit waits for the connection to the device to be established.

Can you let me know whether the exploit works only when you execute it directly, and not when you execute it via BlueToolkit?

sgxgsx avatar Aug 05 '24 23:08 sgxgsx

@Steso871 Should be fixed now with the latest update.

sgxgsx avatar Sep 29 '24 00:09 sgxgsx