## https://sploitus.com/exploit?id=D0DC4908-C0DC-539F-BC8B-A87CCD40BBFF
# BT-HID-PoC โ CVE-2023-45866 Interactive Wizard
> **DISCLAIMER โ READ FIRST**
>
> This is a real attack chain. CVE-2023-45866 is a Bluetooth HID
> impersonation vulnerability patched in the Android Security Bulletin
> of December 2023. The intended target is your own OPPO A5
> (CPH1931/CPH1943, Android 9, last patched ~2022) which is known to be
> vulnerable. Use ONLY on devices you own, in a controlled lab
> environment, with no path to the public internet or to systems you do
> not own.
>
> **Applicable laws:**
>
> - Australia: Criminal Code Act 1995, Part 10.7 (s. 476.1-477.4)
> Unauthorised access to / modification of / impairment of data โ up
> to 10 years imprisonment.
> - USA: Computer Fraud and Abuse Act, 18 U.S.C. ยง 1030.
> - UK: Computer Misuse Act 1990, s. 1-3.
> - EU: Directive 2013/40/EU.
>
> **Affected range:** Android 4.2.2 through the December 2023 patch.
> Devices patched later (Pixel 6+, GrapheneOS, current Samsung, etc.) are
> NOT vulnerable. Verify the target's patch level before assuming success.
>
> Detection / defense section is in `docs/detection.md`.
---
## What you have
```
~/pentest/bt-hid-poc/
โโโ poc/
โ โโโ bt-hid-wizard.py THE ENTRY POINT. Q&A, then runs the attack.
โ โโโ hid_attack.py The keystroke engine + HID report generator.
โ โโโ hid_inject.c C tool: ships HID reports over BT L2CAP sockets.
โ โโโ troubleshoot.py Plain-language error diagnosis + auto-fix engine.
โโโ profiles/
โ โโโ install-apk.yaml Keystrokes: install invoices.apk
โ โโโ exfil-sms.yaml Keystrokes: open Messages, scroll threads
โ โโโ exfil-screenshots.yaml Keystrokes: screenshot SMS/contacts/call log/gallery/downloads
โ โโโ enable-dev-options.yaml Keystrokes: enable Developer Options + USB debugging
โโโ payloads/
โ โโโ invoices.apk The malicious meterpreter APK (copied from
โ โ ~/pentest/evasion-loader/build/)
โ โโโ README.md How the wizard uses the APK, how to rebuild it.
โโโ run_attack.sh Driver the wizard calls. Does sudo, SDP, msfconsole.
โโโ docs/
โ โโโ WALKTHROUGH.md Full operator walkthrough.
โ โโโ detection.md How blue teams / EDR / MDM would catch this.
โโโ build/ Generated artefacts (current-target.env, hid-reports-*.bin, msfconsole.log)
```
## Run it
```bash
cd ~/pentest/bt-hid-poc
python3 poc/bt-hid-wizard.py
```
The wizard asks you:
1. **How do you want to identify the target?**
- I have the MAC
- Scan now (the wizard will run `hcitool scan` for 10s)
- Discoverable mode (the wizard will scan, then ask for the MAC if it doesn't see it)
2. **What do you want the PoC to do?**
- Install the meterpreter APK (`profiles/install-apk.yaml`)
- Scroll through SMS (`profiles/exfil-sms.yaml`)
- Screenshot SMS, contacts, call log, gallery, and downloads (5 screenshots stay on the phone) (`profiles/exfil-screenshots.yaml`)
- Enable USB debugging (`profiles/enable-dev-options.yaml`)
Note: the "screenshot" and "scroll" profiles do NOT exfiltrate the
data. The data stays on the phone. To get it off, you need either
physical access, a second HID keystroke sequence to push to a cloud
service, or an active meterpreter session to dump the files.
3. **APK path on the target** (only if you picked install-apk) โ usually
`/sdcard/Download/invoices.apk`
4. **Pre-flight checks** โ runs automatically:
- Local Bluetooth adapter is UP
- `bluetooth.service` is running
- pybluez is importable
- Profile file exists
- DDNS resolves
- Public IP matches DDNS
- (If any fail, it asks if you want to proceed anyway)
5. **Final confirmation** โ shows the target MAC + profile + handler config,
asks you to type `go` to execute.
Then `run_attack.sh` runs:
- Brings up `hci0`, makes it discoverable
- Registers the SDP record so the phone sees us as a Bluetooth keyboard
- Generates the HID report bytes from the chosen profile
- Starts `msfconsole` with the existing handler (`../evasion-loader/handler/evasion-handler.rc`)
- Sends the HID reports over Bluetooth via the built-in BT adapter
- Tails the msfconsole log so you can see the session land
## Pre-staging the APK on the target
For the install-apk profile to work, the malicious APK must already be on
the OPPO A5 at `/sdcard/Download/`. Easiest way:
```bash
# Plug the OPPO A5 into this Kali box via USB
# (USB debugging needs to be enabled on the phone first โ see the
# enable-dev-options profile, or just enable it manually)
adb push ~/pentest/bt-hid-poc/payloads/invoices.apk /sdcard/Download/invoices.apk
```
Or via Bluetooth OBEX Push:
- From the OPPO A5, accept a Bluetooth file transfer from this Kali box
- Send the APK with `obexftp --bluetooth --put invoices.apk`
(this Kali box has the tool, install with `apt install obexftp` if missing)
## What "go" actually does on the OPPO A5
Once the keystrokes hit the phone (over Bluetooth from this Kali box's
built-in adapter), the sequence runs in this order:
1. Opens the app drawer (Meta key)
2. Filters to "files" (types "files")
3. Launches the Files app (Enter)
4. Navigates to Downloads
5. Opens `invoices.apk`
6. Confirms the install dialog (Tab + Enter)
7. Toggles "Allow from this source" if the system asks
8. Confirms the install
9. Opens the installed app, which calls home to your msfconsole
Total time on the phone: 8-15 seconds. The user does not need to touch
the phone, but the screen must be on and the phone must be unlocked.
## The toolchain
This PoC ships complete. The pieces:
- `poc/bt-hid-wizard.py` โ interactive operator wizard (Q&A)
- `poc/hid_attack.py` โ converts keystroke profiles to raw HID report bytes
- `poc/hid_inject.c` โ sends those bytes over Bluetooth via raw L2CAP
sockets (PSM 0x0011 HID Control, PSM 0x0013 HID Interrupt) using
the laptop's built-in Bluetooth adapter. Compiles with just
`libbluetooth-dev`.
- `run_attack.sh` โ driver that wires the pieces together, brings
up the BT adapter, registers the SDP record, starts msfconsole,
and runs the C tool.
- `profiles/*.yaml` โ keystroke sequences (install an APK, dump
SMS, enable dev options)
## Verifying the engine without a target
```bash
cd ~/pentest/bt-hid-poc
python3 poc/hid_attack.py --profile profiles/install-apk.yaml --out /tmp/test.bin
xxd /tmp/test.bin | head
# (you should see valid 10-byte HID reports)
```
The pre-flight in the wizard runs the same check and confirms the
profile is well-formed before you commit to the attack.
## What happens on a PATCHED phone
If the OPPO A5 is actually past the December 2023 patch (it isn't, but
hypothetically), the phone will:
1. Show a "Bluetooth keyboard wants to connect" notification
2. Require the user to manually accept the pairing request
3. Then route keystrokes as normal
The attack becomes a notification race. On most modern Android versions
the notification is unmissable, so the user has a chance to dismiss it.
On the OPPO A5 (Android 9) the notification appears as a heads-up but
auto-dismisses after a few seconds, and the keystrokes still go through.
This is part of why the patch is needed.
## Teardown
```bash
# Stop the msfconsole
[ -f build/msfconsole.pid ] && kill "$(cat build/msfconsole.pid)" 2>/dev/null
# Remove SDP records
sudo sdptool remove HID
# Make hci0 not-discoverable
sudo hciconfig hci0 noscan
# Wipe generated configs
rm -f build/current-target.env build/hid-reports-*.bin
```