Share
## https://sploitus.com/exploit?id=D0DC4908-C0DC-539F-BC8B-A87CCD40BBFF
# BT-HID-PoC โ€” CVE-2023-45866 Interactive Wizard

> **DISCLAIMER โ€” READ FIRST**
>
> This is a real attack chain. CVE-2023-45866 is a Bluetooth HID
> impersonation vulnerability patched in the Android Security Bulletin
> of December 2023. The intended target is your own OPPO A5
> (CPH1931/CPH1943, Android 9, last patched ~2022) which is known to be
> vulnerable. Use ONLY on devices you own, in a controlled lab
> environment, with no path to the public internet or to systems you do
> not own.
>
> **Applicable laws:**
>
> - Australia: Criminal Code Act 1995, Part 10.7 (s. 476.1-477.4)
>   Unauthorised access to / modification of / impairment of data โ€” up
>   to 10 years imprisonment.
> - USA: Computer Fraud and Abuse Act, 18 U.S.C. ยง 1030.
> - UK: Computer Misuse Act 1990, s. 1-3.
> - EU: Directive 2013/40/EU.
>
> **Affected range:** Android 4.2.2 through the December 2023 patch.
> Devices patched later (Pixel 6+, GrapheneOS, current Samsung, etc.) are
> NOT vulnerable. Verify the target's patch level before assuming success.
>
> Detection / defense section is in `docs/detection.md`.

---

## What you have

```
~/pentest/bt-hid-poc/
โ”œโ”€โ”€ poc/
โ”‚   โ”œโ”€โ”€ bt-hid-wizard.py      THE ENTRY POINT. Q&A, then runs the attack.
โ”‚   โ”œโ”€โ”€ hid_attack.py         The keystroke engine + HID report generator.
โ”‚   โ”œโ”€โ”€ hid_inject.c          C tool: ships HID reports over BT L2CAP sockets.
โ”‚   โ””โ”€โ”€ troubleshoot.py       Plain-language error diagnosis + auto-fix engine.
โ”œโ”€โ”€ profiles/
โ”‚   โ”œโ”€โ”€ install-apk.yaml         Keystrokes: install invoices.apk
โ”‚   โ”œโ”€โ”€ exfil-sms.yaml           Keystrokes: open Messages, scroll threads
โ”‚   โ”œโ”€โ”€ exfil-screenshots.yaml   Keystrokes: screenshot SMS/contacts/call log/gallery/downloads
โ”‚   โ””โ”€โ”€ enable-dev-options.yaml  Keystrokes: enable Developer Options + USB debugging
โ”œโ”€โ”€ payloads/
โ”‚   โ”œโ”€โ”€ invoices.apk          The malicious meterpreter APK (copied from
โ”‚   โ”‚                         ~/pentest/evasion-loader/build/)
โ”‚   โ””โ”€โ”€ README.md             How the wizard uses the APK, how to rebuild it.
โ”œโ”€โ”€ run_attack.sh             Driver the wizard calls. Does sudo, SDP, msfconsole.
โ”œโ”€โ”€ docs/
โ”‚   โ”œโ”€โ”€ WALKTHROUGH.md        Full operator walkthrough.
โ”‚   โ””โ”€โ”€ detection.md          How blue teams / EDR / MDM would catch this.
โ””โ”€โ”€ build/                    Generated artefacts (current-target.env, hid-reports-*.bin, msfconsole.log)
```

## Run it

```bash
cd ~/pentest/bt-hid-poc
python3 poc/bt-hid-wizard.py
```

The wizard asks you:

  1. **How do you want to identify the target?**
     - I have the MAC
     - Scan now (the wizard will run `hcitool scan` for 10s)
     - Discoverable mode (the wizard will scan, then ask for the MAC if it doesn't see it)

  2. **What do you want the PoC to do?**
     - Install the meterpreter APK (`profiles/install-apk.yaml`)
     - Scroll through SMS (`profiles/exfil-sms.yaml`)
     - Screenshot SMS, contacts, call log, gallery, and downloads (5 screenshots stay on the phone) (`profiles/exfil-screenshots.yaml`)
     - Enable USB debugging (`profiles/enable-dev-options.yaml`)

  Note: the "screenshot" and "scroll" profiles do NOT exfiltrate the
  data. The data stays on the phone. To get it off, you need either
  physical access, a second HID keystroke sequence to push to a cloud
  service, or an active meterpreter session to dump the files.

  3. **APK path on the target** (only if you picked install-apk) โ€” usually
     `/sdcard/Download/invoices.apk`

  4. **Pre-flight checks** โ€” runs automatically:
     - Local Bluetooth adapter is UP
     - `bluetooth.service` is running
     - pybluez is importable
     - Profile file exists
     - DDNS resolves
     - Public IP matches DDNS
     - (If any fail, it asks if you want to proceed anyway)

  5. **Final confirmation** โ€” shows the target MAC + profile + handler config,
     asks you to type `go` to execute.

Then `run_attack.sh` runs:
  - Brings up `hci0`, makes it discoverable
  - Registers the SDP record so the phone sees us as a Bluetooth keyboard
  - Generates the HID report bytes from the chosen profile
  - Starts `msfconsole` with the existing handler (`../evasion-loader/handler/evasion-handler.rc`)
  - Sends the HID reports over Bluetooth via the built-in BT adapter
  - Tails the msfconsole log so you can see the session land

## Pre-staging the APK on the target

For the install-apk profile to work, the malicious APK must already be on
the OPPO A5 at `/sdcard/Download/`. Easiest way:

```bash
# Plug the OPPO A5 into this Kali box via USB
# (USB debugging needs to be enabled on the phone first โ€” see the
#  enable-dev-options profile, or just enable it manually)
adb push ~/pentest/bt-hid-poc/payloads/invoices.apk /sdcard/Download/invoices.apk
```

Or via Bluetooth OBEX Push:
  - From the OPPO A5, accept a Bluetooth file transfer from this Kali box
  - Send the APK with `obexftp --bluetooth  --put invoices.apk`
    (this Kali box has the tool, install with `apt install obexftp` if missing)

## What "go" actually does on the OPPO A5

Once the keystrokes hit the phone (over Bluetooth from this Kali box's
built-in adapter), the sequence runs in this order:

  1. Opens the app drawer (Meta key)
  2. Filters to "files" (types "files")
  3. Launches the Files app (Enter)
  4. Navigates to Downloads
  5. Opens `invoices.apk`
  6. Confirms the install dialog (Tab + Enter)
  7. Toggles "Allow from this source" if the system asks
  8. Confirms the install
  9. Opens the installed app, which calls home to your msfconsole

Total time on the phone: 8-15 seconds. The user does not need to touch
the phone, but the screen must be on and the phone must be unlocked.

## The toolchain

This PoC ships complete. The pieces:

  - `poc/bt-hid-wizard.py` โ€” interactive operator wizard (Q&A)
  - `poc/hid_attack.py` โ€” converts keystroke profiles to raw HID report bytes
  - `poc/hid_inject.c` โ€” sends those bytes over Bluetooth via raw L2CAP
    sockets (PSM 0x0011 HID Control, PSM 0x0013 HID Interrupt) using
    the laptop's built-in Bluetooth adapter. Compiles with just
    `libbluetooth-dev`.
  - `run_attack.sh` โ€” driver that wires the pieces together, brings
    up the BT adapter, registers the SDP record, starts msfconsole,
    and runs the C tool.
  - `profiles/*.yaml` โ€” keystroke sequences (install an APK, dump
    SMS, enable dev options)

## Verifying the engine without a target

```bash
cd ~/pentest/bt-hid-poc
python3 poc/hid_attack.py --profile profiles/install-apk.yaml --out /tmp/test.bin
xxd /tmp/test.bin | head
# (you should see valid 10-byte HID reports)
```

The pre-flight in the wizard runs the same check and confirms the
profile is well-formed before you commit to the attack.

## What happens on a PATCHED phone

If the OPPO A5 is actually past the December 2023 patch (it isn't, but
hypothetically), the phone will:
  1. Show a "Bluetooth keyboard wants to connect" notification
  2. Require the user to manually accept the pairing request
  3. Then route keystrokes as normal

The attack becomes a notification race. On most modern Android versions
the notification is unmissable, so the user has a chance to dismiss it.
On the OPPO A5 (Android 9) the notification appears as a heads-up but
auto-dismisses after a few seconds, and the keystrokes still go through.
This is part of why the patch is needed.

## Teardown

```bash
# Stop the msfconsole
[ -f build/msfconsole.pid ] && kill "$(cat build/msfconsole.pid)" 2>/dev/null

# Remove SDP records
sudo sdptool remove HID

# Make hci0 not-discoverable
sudo hciconfig hci0 noscan

# Wipe generated configs
rm -f build/current-target.env build/hid-reports-*.bin
```