# Exploits (87)

Auto-generated from `modules/exploits/`. Load any module with `use exploits/<name>`.

Authorization required: use only against equipment you own or have explicit written authorization to test. The authors disclaim liability for misuse.
## Module index

| Module | Severity | CVE | Description |
|---|---|---|---|
| exploits/a2dp_inject | 🟡 MEDIUM | - | Bluetooth audio injection, interception, and media control exploitation |
| exploits/airoha_race_chain | 🔴 CRITICAL | CVE-2025-20700, CVE-2025-20701, CVE-2025-20702 | Airoha 3-stage BLE→Classic→RACE RCE chain affecting Sony/Bose/JBL/29+ devices… |
| exploits/android_att_read_by_type_oow | 🔴 CRITICAL | CVE-2024-0031 | attp_build_read_by_type_value_cmd OOB write → RCE |
| exploits/android_att_value_cmd_oow | 🔴 CRITICAL | CVE-2024-0039 | attp_build_value_cmd OOB write → RCE on Android 12-14 |
| exploits/android_gatts_read_req_oow | 🔴 CRITICAL | CVE-2024-43771 | gatts_process_read_req OOB write → RCE |
| exploits/android_hfp_client_cb_uaf | 🟠 HIGH | CVE-2025-48593 | bta_hf_client_cb_init dangling pointer reuse → RCE |
| exploits/android_hfp_uaf_2025 | 🟠 HIGH | CVE-2025-0084 | HFP RFCOMM open/close race UAF → RCE on Android 13-15 |
| exploits/android_l2cap_oob_read_2023 | 🟠 HIGH | CVE-2023-21347 | L2CAP info-request length confusion → heap info disclosure |
| exploits/android_sdp_search_req_uaf | 🔴 CRITICAL | CVE-2025-22403 | sdp_snd_service_search_req UAF → RCE (Android 15) |
| exploits/android_smp_oob | 🟠 HIGH | CVE-2018-9361 | Send SMP_PAIRING_REQ over BR/EDR transport to trigger OOB read/write in Andro… |
| exploits/android_system_bt_rce_2022a | 🔴 CRITICAL | CVE-2022-20345 | L2CAP ERTM CONFIG_REQ stack overflow in Android System BT |
| exploits/android_system_bt_rce_2022b | 🔴 CRITICAL | CVE-2022-20411 | SDP service-search-attribute response heap overflow in Android |
| exploits/apple_bt_dos | 🟠 HIGH | CVE-2026-20650 | Apple BT subsystem crash via malformed packets, iOS/macOS/watchOS/tvOS (CVE-2… |
| exploits/badchoice | 🟠 HIGH | CVE-2020-12352 | BleedingTooth Linux A2MP Stack Info Leak (CVE-2020-12352) |
| exploits/badkarma | 🔴 CRITICAL | CVE-2020-12351 | BleedingTooth Linux L2CAP Type Confusion RCE (CVE-2020-12351) |
| exploits/bias | 🟠 HIGH | CVE-2020-10135 | BIAS - Bluetooth Impersonation AttackS (CVE-2020-10135) |
| exploits/ble_adv_spoof | 🟠 HIGH | - | Clone or craft BLE advertisements to impersonate devices by rebroadcasting th… |
| exploits/ble_baseband_inject | 🟡 MEDIUM | CVE-2021-31615 | Inject BLE PDUs into adjacent unencrypted BLE link windows to achieve MITM or… |
| exploits/ble_crackle | 🟠 HIGH | - | Passive offline crack of BLE Legacy Pairing, recover TK/LTK from sniffed Just… |
| exploits/ble_invalid_curve | 🟠 HIGH | CVE-2018-5383 | Exploit CVE-2018-5383, send crafted off-curve ECDH public key to leak peer pr… |
| exploits/ble_l2cap_sig_oob_read | 🟡 MEDIUM | CVE-2018-9485 | l2cble_process_sig_cmd OOB read → heap info leak (CVE-2018-9485) |
| exploits/ble_longrange | 🟡 MEDIUM | - | BT 5.x Coded PHY / Extended Advertising attacks for long-range exploitation |
| exploits/ble_mitm | 🟠 HIGH | - | BLE man-in-the-middle relay, intercept and relay GATT traffic |
| exploits/ble_pairing_downgrade | 🟡 MEDIUM | - | Force BLE device to accept JustWorks/legacy pairing (no authentication) |
| exploits/ble_relay_attack | 🔴 CRITICAL | - | Two-adapter BLE relay bridging GATT traffic over IP to bypass BLE proximity a… |
| exploits/ble_replay | 🟠 HIGH | - | Capture and replay BLE GATT operations against vulnerable devices |
| exploits/ble_sc_bypass | 🟠 HIGH | - | BLE Secure Connections bypass via method confusion / invalid public key |
| exploits/ble_tracker_spoof | 🟠 HIGH | - | Spoof BLE advertisements to impersonate AirTag, Fast Pair beacons, iBeacon, o… |
| exploits/bleedingtooth_native | 🔴 CRITICAL | CVE-2020-12351, CVE-2020-12352 | BleedingTooth full native RCE (CVE-2020-12351/52, EDB-49754) |
| exploits/blerp_repairing | 🔴 CRITICAL | - | Force re-pairing of bonded BLE devices via SMP Security Request abuse, 0-clic… |
| exploits/blesa_reconnect_spoof | 🟠 HIGH | - | Spoof a previously paired BLE peripheral to hijack reconnection and serve for… |
| exploits/blueborne_bnep_overflow | 🔴 CRITICAL | CVE-2017-0781 | BlueBorne Android BNEP setup overflow (CVE-2017-0781, EDB-44554) |
| exploits/blueborne_leak | 🟠 HIGH | CVE-2017-0781 | BlueBorne Android BNEP Information Leak (CVE-2017-0781) |
| exploits/blueborne_linux_rce | 🔴 CRITICAL | CVE-2017-1000251 | BlueBorne Linux L2CAP Stack Buffer Overflow RCE (CVE-2017-1000251) |
| exploits/blueborne_sdp_leak | 🟠 HIGH | CVE-2017-0785 | BlueBorne Android SDP heap info leak (CVE-2017-0785, EDB-44555) |
| exploits/bluebugging | 🟠 HIGH | - | RFCOMM AT Command Injection via unauthenticated serial channel |
| exploits/bluebump | 🟠 HIGH | - | Forces link key refresh cycles to access privileged RFCOMM channels without u… |
| exploits/blueducky | 🔴 CRITICAL | CVE-2023-45866 | Run Rubber-Ducky-style payloads against unauthenticated HID Bluetooth peers v… |
| exploits/bluefrag | 🔴 CRITICAL | CVE-2020-0022 | BlueFrag Android A2DP Heap Overflow RCE (CVE-2020-0022) |
| exploits/bluesnarfing | 🟠 HIGH | - | Unauthorized OBEX phonebook & object pull (Bluesnarfing) |
| exploits/bluffs | 🟠 HIGH | CVE-2023-24023 | BLUFFS Bluetooth session key downgrade attack (CVE-2023-24023) |
| exploits/bluffs_mitm | 🟠 HIGH | CVE-2023-24023 | Active MITM session key downgrade attack (BLUFFS/CVE-2023-24023) |
| exploits/blurtooth | 🟠 HIGH | CVE-2020-15802 | Exploit Cross-Transport Key Derivation to overwrite an existing authenticated… |
| exploits/bnep_heap_disclosure | 🟠 HIGH | CVE-2017-13258, CVE-2017-13260, CVE-2017-13261, CVE-2017-13262 | BNEP bnep_data_ind() Remote Heap Disclosure (CVE-2017-13258) |
| exploits/braktooth_esp32 | 🔴 CRITICAL | CVE-2021-28139 | BrakTooth ESP32 Feature Page ACE (CVE-2021-28139) |
| exploits/csrk_signed_write | 🟠 HIGH | - | Forge Authenticated Signed Writes using a leaked CSRK to control bonded BLE p… |
| exploits/fluoride_gatt_multivar_overflow | 🔴 CRITICAL | CVE-2023-40129, CVE-2023-35673 | ATT_READ_MULTIPLE_VARIABLE_REQ integer underflow → 64 KB heap overflow in And… |
| exploits/harmonyos_bt_oob | 🟡 MEDIUM | CVE-2026-28540 | Huawei HarmonyOS Bluetooth OOB read, heap info disclosure (CVE-2026-28540) |
| exploits/helomoto | 🟠 HIGH | - | RFCOMM headset profile handshake bypass for silent AT command execution on Mo… |
| exploits/hfp_rce_2023 | 🔴 CRITICAL | CVE-2023-21108 | Hands-Free Profile AT command parser overflow RCE |
| exploits/internalblue_vendor_hci | 🔴 CRITICAL | - | Send Broadcom/Cypress vendor HCI commands (OGF=0x3F) for chip fingerprinting,… |
| exploits/keystroke_injection_android_linux | 🔴 CRITICAL | CVE-2023-45866 | 0-click HID keystroke injection via BlueZ D-Bus profile API, modern alternati… |
| exploits/keystroke_injection_apple | 🔴 CRITICAL | CVE-2023-45866 | macOS/iOS HID keystroke injection by spoofing a paired Magic Keyboard's BD_AD… |
| exploits/keystroke_injection_windows | 🔴 CRITICAL | CVE-2023-45866 | Inject keystrokes into a Windows host by spoofing the BD_ADDR of a keyboard a… |
| exploits/knob | 🟠 HIGH | CVE-2019-9506 | KNOB Attack - Encryption Key Entropy Downgrade (CVE-2019-9506) |
| exploits/knob_active | 🟠 HIGH | CVE-2019-9506 | Actively force encryption key entropy downgrade (KNOB/CVE-2019-9506) |
| exploits/l2cap_chan_put_uaf_android | 🟠 HIGH | CVE-2022-20566 | Concurrent l2cap_chan_put() refcount race causing UAF on Android kernel (CVE-… |
| exploits/l2cap_connect_uaf_2022 | 🟠 HIGH | CVE-2022-42896 | Race condition use-after-free in Linux l2cap_connect() and l2cap_le_connect_r… |
| exploits/l2cap_core_memsafety_2022 | 🔴 CRITICAL | CVE-2022-49910 | Malformed L2CAP signaling PDUs causing OOB access in l2cap_core.c state machi… |
| exploits/l2cap_unregister_user_uaf | 🔴 CRITICAL | CVE-2026-23461 | Missing conn->lock in l2cap_unregister_user() enables concurrent UAF and list… |
| exploits/lovense_unauth | 🟠 HIGH | - | Send vibration, rotate, pump and power-off commands to Lovense adult toys (Ge… |
| exploits/mesh_attack | 🟠 HIGH | CVE-2020-26556, CVE-2020-26557, CVE-2020-26559, CVE-2020-26560 | BLE Mesh provisioning exploitation and message injection |
| exploits/obex_exploit | 🟠 HIGH | - | OBEX file push/pull and phonebook extraction over Bluetooth |
| exploits/opensynergy_bluesdk_rce | 🔴 CRITICAL | CVE-2018-20378 | Heap corruption via malformed L2CAP_ConfigReq + SDP frames on OpenSynergy Blu… |
| exploits/pairing_method_confusion | 🟠 HIGH | CVE-2022-25837, CVE-2022-25836, CVE-2020-10134 | Exploit Secure Connections vs Legacy pairing method confusion to authenticate… |
| exploits/passkey_reflection_mitm | 🟠 HIGH | CVE-2021-37577, CVE-2020-26558 | Identify SC Passkey by reflecting public key and auth evidence, enabling auth… |
| exploits/pin_bruteforce | 🟠 HIGH | CVE-2020-26555 | Brute-force Classic Bluetooth 4-digit pairing PIN |
| exploits/rfcomm_core_memsafety | 🟠 HIGH | CVE-2024-22099 | Triggers memory safety violation in rfcomm/core.c via abnormal session teardo… |
| exploits/rfcomm_mem_corrupt_2010 | 🔴 CRITICAL | CVE-2010-1084 | Corrupts kernel heap via oversized UIH frames on Linux 2.6.18-2.6.33 (CVE-201… |
| exploits/rfcomm_mem_mgmt_2025 | 🟠 HIGH | CVE-2025-21688 | Reference count imbalance in RFCOMM BT subsystem via RPN/DISC race (CVE-2025-… |
| exploits/rfcomm_mem_mgmt_flaw | 🟠 HIGH | CVE-2024-49939 | Progressive kernel memory leak via abnormal RFCOMM session teardown (CVE-2024… |
| exploits/rfcomm_null_ptr_2015 | 🟠 HIGH | CVE-2015-8956 | Triggers NULL ptr dereference in rfcomm_sock_bind() on Linux < 4.2 (CVE-2015-… |
| exploits/rfcomm_privesc_race | 🔴 CRITICAL | CVE-2026-23671 | Windows RFCOMM driver race condition, local EoP to SYSTEM (CVE-2026-23671) |
| exploits/rfcomm_setsockopt_overflow | 🟠 HIGH | CVE-2024-35966 | Memory safety violation via malformed RFCOMM PN frames exploiting setsockopt … |
| exploits/rfcomm_shell | 🔴 CRITICAL | - | Interactive reverse/bind shell over Bluetooth RFCOMM |
| exploits/rfcomm_sock_alloc_uaf | 🔴 CRITICAL | CVE-2024-56604 | Dangling sk pointer UAF in rfcomm_sock_alloc(), kernel memory read/write (CVE… |
| exploits/sco_mic_intercept | 🔴 CRITICAL | - | Intercept Bluetooth headset microphone stream via SCO audio channel after gai… |
| exploits/screwdriving | 🟠 HIGH | - | Scan for and hijack BLE adult toys using unauthenticated GATT writes (Lovense… |
| exploits/smp_keysize_downgrade | 🟠 HIGH | - | Force 7-byte (56-bit) LTK derivation by responding to LE pairing with max_key… |
| exploits/sweyntooth | 🔴 CRITICAL | CVE-2019-16336, CVE-2019-17519, CVE-2019-17061, CVE-2019-17060, CVE-2019-17517, CVE-2019-17518 | SweynTooth BLE Link Layer stack overflow / deadlock family |
| exploits/ti_simplelink_dh_skip | 🔴 CRITICAL | CVE-2021-22645 | Skip ECDH validation on TI SimpleLink CC2640R2 by setting up encryption befor… |
| exploits/unauth_write | 🟠 HIGH | - | Unauthenticated GATT characteristic write |
| exploits/whisperpair | 🔴 CRITICAL | CVE-2025-36911 | Google Fast Pair account key injection, force-pair without pairing mode (CVE-… |
| exploits/win_bt_stack_uaf | 🔴 CRITICAL | CVE-2011-1265 | Exploit bthport.sys Use-After-Free via malformed L2CAP ConfigReq packets on u… |
| exploits/win_rfcomm_info_disclosure | 🟠 HIGH | CVE-2025-59513 | Leaks kernel/driver memory via uninitialized response padding in Windows RFCO… |
| exploits/xiaomi_rfcomm_test_oob | 🟠 HIGH | CVE-2025-13834 | Leaks up to 127 bytes of firmware memory per request via RFCOMM TEST OOB read… |
| exploits/zephyr_ble_smp_crash | 🟠 HIGH | CVE-2025-10456 | Zephyr RTOS BLE integer overflow via illegal fixed-channel disconnect (CVE-20… |
## Modules
### exploits/a2dp_inject

A2DP/AVRCP Attack

Bluetooth audio injection, interception, and media control exploitation

Severity: 🟡 MEDIUM · Protocol: CLASSIC

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target Bluetooth device MAC (headset/speaker) |
| mode | | control | Mode: inject, control, takeover, intercept |
| audio_file | | | Audio file to inject (WAV/raw PCM for inject mode) |
| command | | play | AVRCP command: play, pause, stop, next, prev, vol_up, vol_down |
| interface | | hci0 | HCI interface to use |
| duration | | 30 | Duration in seconds for streaming/control |
| volume | | | Volume level for absolute volume set (0-127) |

References:

- https://www.bluetooth.com/specifications/specs/advanced-audio-distribution-profile-1-4/
- https://www.bluetooth.com/specifications/specs/audio-video-remote-control-profile-1-6-2/
### exploits/airoha_race_chain

Airoha RACE Chain

Airoha 3-stage BLE→Classic→RACE RCE chain affecting Sony/Bose/JBL/29+ devices (CVE-2025-20700/20701/20702)

Severity: 🔴 CRITICAL · Protocol: DUAL · CVE: CVE-2025-20700, CVE-2025-20701, CVE-2025-20702

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | HCI adapter (e.g. hci0) |
| stage | | 0 | Attack stage: 1 (BLE trigger), 2 (auth bypass), 3 (RACE RCE), 0 (all) |
| race_cmd | | | RACE command to execute (hex, stage 3 only) |
| read_addr | | | Memory address to read (hex, stage 3 only) |
| read_len | | 64 | Number of bytes to read from memory |
| timeout | | 15 | Connection timeout in seconds |

References:

- https://nvd.nist.gov/vuln/detail/CVE-2025-20700
- https://nvd.nist.gov/vuln/detail/CVE-2025-20701
- https://nvd.nist.gov/vuln/detail/CVE-2025-20702
- https://troopers.de/troopers25/agenda/
### exploits/android_att_read_by_type_oow

Android ATT read_by_type OOW (CVE-2024-0031)

attp_build_read_by_type_value_cmd OOB write → RCE

Severity: 🔴 CRITICAL · Protocol: BLE · CVE: CVE-2024-0031

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR |
| mtu | | 23 | ATT MTU to negotiate (small = easier overflow) |
| start_handle | | 1 | Range start |
| end_handle | | 65535 | Range end (use 0xFFFF to walk all attrs) |
| uuid | | ATT_UUID_GAP_DEVICE_NAME | 16-bit ATT type UUID (default 0x2A00 device name) |
| iterations | | 5 | Attempts |
| timeout | | 10 | Socket timeout |

References:

- https://nvd.nist.gov/vuln/detail/CVE-2024-0031
- https://source.android.com/security/bulletin/2024-01-01
### exploits/android_att_value_cmd_oow

Android ATT build_value_cmd OOW (CVE-2024-0039)

attp_build_value_cmd OOB write → RCE on Android 12-14

Severity: 🔴 CRITICAL · Protocol: BLE · CVE: CVE-2024-0039

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR |
| mtu | | 23 | ATT MTU to negotiate |
| value_size | | 512 | Oversized ATT value length (must exceed mtu-3) |
| handle | | 1 | Target attribute handle |
| iterations | | 5 | Attempts |
| timeout | | 10 | Socket timeout |

References:

- https://nvd.nist.gov/vuln/detail/CVE-2024-0039
- https://source.android.com/security/bulletin/2024-01-01
### exploits/android_gatts_read_req_oow

Android GATT gatts_process_read_req OOW (CVE-2024-43771)

gatts_process_read_req OOB write → RCE

Severity: 🔴 CRITICAL · Protocol: BLE · CVE: CVE-2024-43771

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR |
| mtu | | 23 | ATT MTU (small = easier OOW) |
| start_handle | | 1 | First handle to probe |
| end_handle | | 255 | Last handle to probe |
| blob_offset | | 65520 | ATT_READ_BLOB offset to fault (large) |
| iterations | | 2 | Probes per handle |
| timeout | | 10 | Socket timeout |

References:

- https://nvd.nist.gov/vuln/detail/CVE-2024-43771
- https://source.android.com/security/bulletin/2024-09-01
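The three Android ATT/GATT modules above (android_att_read_by_type_oow, android_att_value_cmd_oow, android_gatts_read_req_oow) lean on the same class of defect: an ATT handler that trusts a request-controlled value length, handle range or blob offset before checking it against ATT_MTU and the attribute it addresses. The following is an added example, not code from this project or from the Android stack, of the receive-side checks a GATT server applies to ATT_READ_BY_TYPE_REQ, ATT_READ_BLOB_REQ and ATT_WRITE_CMD before any buffer is touched, answering with the ATT_ERROR_RSP codes the Core Specification (Vol 3, Part F) prescribes: Invalid Handle 0x01, Invalid PDU 0x04, Invalid Offset 0x07, Attribute Not Found 0x0A. The attribute table, handles and values are constructed for illustration; the opcode and error-code constants are the specification's.

```python
import struct

ATT_ERROR_RSP, ATT_READ_BY_TYPE_REQ, ATT_READ_BY_TYPE_RSP = 0x01, 0x08, 0x09
ATT_READ_BLOB_REQ, ATT_READ_BLOB_RSP, ATT_WRITE_CMD = 0x0C, 0x0D, 0x52
ERR_INVALID_HANDLE, ERR_INVALID_PDU, ERR_REQ_NOT_SUPPORTED = 0x01, 0x04, 0x06
ERR_INVALID_OFFSET, ERR_ATTR_NOT_FOUND = 0x07, 0x0A
# Bluetooth Base UUID with the 16-bit alias field (bits 96..111) zeroed.
BASE_UUID = 0x0000000000001000800000805F9B34FB

# Constructed attribute table for the example: handle -> (16-bit type, value).
# 0x2800 = primary service declaration, 0x2A00 = Device Name, 0x2A01 = Appearance.
ATTRS = {
    0x0001: (0x2800, b"\x00\x18"),
    0x0003: (0x2A00, b"Demo-Peripheral"),
    0x0005: (0x2A01, b"\x40\x03"),
}

# Request builders: what a client (or the modules above) puts on the wire.
def write_cmd(handle, value):
    return struct.pack("<BH", ATT_WRITE_CMD, handle) + value

def read_blob_req(handle, offset):
    return struct.pack("<BHH", ATT_READ_BLOB_REQ, handle, offset)

def read_by_type_req(start, end, uuid):
    """uuid: int for a 16-bit type, or 16 little-endian bytes for a 128-bit type."""
    head = struct.pack("<BHH", ATT_READ_BY_TYPE_REQ, start, end)
    return head + (struct.pack("<H", uuid) if isinstance(uuid, int) else bytes(uuid))

def error_rsp(req_opcode, handle, code):
    return struct.pack("<BBHB", ATT_ERROR_RSP, req_opcode, handle, code)

def uuid_to_16bit(raw):
    """16-bit alias of a 2- or 16-byte UUID field, or None if not Bluetooth-base derived."""
    if len(raw) == 2:
        return struct.unpack("<H", raw)[0]
    u = int.from_bytes(raw, "little")
    return (u >> 96) & 0xFFFF if (u & ~(0xFFFF << 96)) == BASE_UUID else None

def handle_att_pdu(pdu, mtu=23):
    """Validate one inbound ATT PDU before any attribute buffer is touched.

    Returns ("ok", payload), ("error", att_error_rsp_bytes) or ("drop", reason).
    ATT commands (opcode bit 6 set) never get an Error Response, so a bad
    Write Command is dropped silently rather than answered."""
    if not pdu:
        return ("drop", "empty PDU")
    opcode = pdu[0]
    if len(pdu) > mtu:
        # ATT_MTU bounds every PDU. Copying into an MTU-sized buffer before
        # this check is the out-of-bounds write pattern the modules above target.
        if opcode & 0x40:
            return ("drop", "command longer than ATT_MTU")
        return ("error", error_rsp(opcode, 0x0000, ERR_INVALID_PDU))

    if opcode == ATT_WRITE_CMD:
        if len(pdu) < 3:
            return ("drop", "truncated Write Command")
        handle = struct.unpack_from("<H", pdu, 1)[0]
        value = pdu[3:]                        # at most mtu-3 bytes after the check above
        if handle not in ATTRS:
            return ("drop", "unknown handle")
        return ("ok", (handle, value))         # caller commits the write

    if opcode == ATT_READ_BLOB_REQ:
        if len(pdu) != 5:
            return ("error", error_rsp(opcode, 0x0000, ERR_INVALID_PDU))
        handle, offset = struct.unpack_from("<HH", pdu, 1)
        if handle not in ATTRS:
            return ("error", error_rsp(opcode, handle, ERR_INVALID_HANDLE))
        value = ATTRS[handle][1]
        if offset > len(value):                # offset checked against stored length first
            return ("error", error_rsp(opcode, handle, ERR_INVALID_OFFSET))
        return ("ok", bytes([ATT_READ_BLOB_RSP]) + value[offset:offset + mtu - 1])

    if opcode == ATT_READ_BY_TYPE_REQ:
        if len(pdu) not in (7, 21):            # 16-bit or 128-bit attribute type
            return ("error", error_rsp(opcode, 0x0000, ERR_INVALID_PDU))
        start, end = struct.unpack_from("<HH", pdu, 1)
        if start == 0 or start > end:
            return ("error", error_rsp(opcode, start, ERR_INVALID_HANDLE))
        wanted = uuid_to_16bit(pdu[5:])
        for h in sorted(ATTRS):
            if start <= h <= end and ATTRS[h][0] == wanted:
                value = ATTRS[h][1][:mtu - 4]   # opcode + length + handle occupy 4 bytes
                pair = struct.pack("<H", h) + value
                return ("ok", struct.pack("<BB", ATT_READ_BY_TYPE_RSP, len(pair)) + pair)
        return ("error", error_rsp(opcode, start, ERR_ATTR_NOT_FOUND))

    return ("error", error_rsp(opcode, 0x0000, ERR_REQ_NOT_SUPPORTED))

if __name__ == "__main__":
    print(handle_att_pdu(write_cmd(0x0003, b"A" * 512)))            # dropped: 515 bytes > ATT_MTU
    print(handle_att_pdu(read_blob_req(0x0003, 65520)))              # Error Response, Invalid Offset
    print(handle_att_pdu(read_by_type_req(0x0001, 0xFFFF, 0x2A00)))  # handle 0x0003, Device Name
```

The three module defaults map directly onto the three branches: value_size 512 against mtu 23 is the Write Command that must be dropped, blob_offset 65520 is the Read Blob offset that must be refused with 0x07, and start_handle 1 / end_handle 65535 with UUID 0x2A00 is the Read By Type walk whose response is sized from the stored attribute, not from the request.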
### exploits/android_hfp_client_cb_uaf

Android HFP client cb_init UAF (CVE-2025-48593)

bta_hf_client_cb_init dangling pointer reuse → RCE

Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2025-48593

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR |
| channel | | 0 | HFP AG RFCOMM channel (auto if 0) |
| spray_size | | 64 | Heap spray AT command count after free |
| iterations | | 40 | Race rounds |
| timeout | | 6 | Per-socket timeout |

References:

- https://nvd.nist.gov/vuln/detail/CVE-2025-48593
- https://source.android.com/security/bulletin/2025-06-01
### exploits/android_hfp_uaf_2025

Android HFP UAF RCE (CVE-2025-0084)

HFP RFCOMM open/close race UAF → RCE on Android 13-15

Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2025-0084

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR |
| channel | | 0 | HFP RFCOMM channel (auto if 0) |
| threads | | 8 | Concurrent racing threads |
| iterations | | 80 | Race cycles per thread |
| timeout | | 6 | Per-socket timeout |

References:

- https://nvd.nist.gov/vuln/detail/CVE-2025-0084
- https://source.android.com/security/bulletin/2025-02-01
### exploits/android_l2cap_oob_read_2023

Android L2CAP OOB Read (CVE-2023-21347)

L2CAP info-request length confusion → heap info disclosure

Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2023-21347

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR |
| iterations | | 30 | Number of leak probes |
| leak_size | | 512 | Bytes to request OOB |
| timeout | | 8 | Socket timeout |

References:

- https://nvd.nist.gov/vuln/detail/CVE-2023-21347
- https://source.android.com/security/bulletin/2023-06-01
### exploits/android_sdp_search_req_uaf

Android SDP service_search_req UAF (CVE-2025-22403)

sdp_snd_service_search_req UAF → RCE (Android 15)

Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2025-22403

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR |
| threads | | 6 | Race threads |
| iterations | | 120 | Race cycles per thread |
| timeout | | 8 | Socket timeout |

References:

- https://nvd.nist.gov/vuln/detail/CVE-2025-22403
- https://source.android.com/security/bulletin/2025-01-01
### exploits/android_smp_oob

Android SMP OOB (CVE-2018-9361)

Send SMP_PAIRING_REQ over BR/EDR transport to trigger OOB read/write in Android com.android.bluetooth state machine

Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2018-9361

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | crash | Mode: crash, fuzz, detect |
| target | ✓ | | Target Android device BD_ADDR |
| iterations | | 5 | Repetitions (crash/fuzz mode) |
| auth_req | | 0x01 | auth_req field for PAIRING_REQ (hex) |
| timeout | | 5 | L2CAP timeout in seconds |

References:

- https://blog.quarkslab.com/a-story-about-three-bluetooth-vulnerabilities-in-android.html
- https://source.android.com/security/bulletin/2018-06-01
### exploits/android_system_bt_rce_2022a

Android System BT RCE (CVE-2022-20345)

L2CAP ERTM CONFIG_REQ stack overflow in Android System BT

Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2022-20345

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR |
| psm | | PSM_AVDTP | L2CAP PSM |
| overflow_size | | 512 | FCS option overflow length |
| iterations | | 5 | Trigger attempts |
| timeout | | 10 | Socket timeout |

References:

- https://source.android.com/security/bulletin/2022-08-01
- https://nvd.nist.gov/vuln/detail/CVE-2022-20345
### exploits/android_system_bt_rce_2022b

Android System BT RCE (CVE-2022-20411)

SDP service-search-attribute response heap overflow in Android

Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2022-20411

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR |
| overflow_size | | 2048 | Inner TLV overflow size |
| iterations | | 5 | Attempts |
| timeout | | 10 | Socket timeout |

References:

- https://source.android.com/security/bulletin/2022-12-01
- https://nvd.nist.gov/vuln/detail/CVE-2022-20411
### exploits/apple_bt_dos

Apple Bluetooth DoS

Apple BT subsystem crash via malformed packets, iOS/macOS/watchOS/tvOS (CVE-2026-20650)

Severity: 🟠 HIGH · Protocol: DUAL · CVE: CVE-2026-20650

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | HCI adapter (e.g. hci0) |
| crash_type | | CRASH_TYPE_LENGTH_OVERFLOW | Crash method: length_overflow, continuation_flag, nested_fragment, cid_confusion |
| repeat | | 5 | Number of malformed packets to send |
| delay | | 0.1 | Delay between packets in seconds |

References:

- https://nvd.nist.gov/vuln/detail/CVE-2026-20650
- https://support.apple.com/en-us/HT214000
### exploits/badchoice

BadChoice (CVE-2020-12352 Linux BT info leak)

BleedingTooth Linux A2MP Stack Info Leak (CVE-2020-12352)

Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2020-12352

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| iterations | | 5 | Number of leak attempts |
| hci_dev | | 0 | Local HCI device index (0 = hci0) |
| timeout | | 15 | Connection timeout in seconds |
| output_file | | | Save leaked data to file |

References:

- https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup
- https://nvd.nist.gov/vuln/detail/CVE-2020-12352
### exploits/badkarma

BadKarma (CVE-2020-12351 BleedingTooth L2CAP)

BleedingTooth Linux L2CAP Type Confusion RCE (CVE-2020-12351)

Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2020-12351

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| mode | | check | Mode: check, crash or poc (poc = full RCE attempt) |
| lhost | | | Reverse shell IP (poc mode) |
| lport | | 1337 | Reverse shell port (poc mode) |
| hci_dev | | 0 | Local HCI device index (0 = hci0) |
| spray_count | | 6 | Heap spray iterations (increase for reliability) |
| timeout | | 15 | Connection timeout in seconds |

References:

- https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup
- https://nvd.nist.gov/vuln/detail/CVE-2020-12351
### exploits/bias

BIAS Authentication Bypass

BIAS - Bluetooth Impersonation AttackS (CVE-2020-10135)

Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2020-10135

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR to analyze/impersonate |
| victim | | | Victim BD_ADDR (device to connect to) |
| mode | | check | Mode: check, analyze, or impersonate |
| role | | master | Role to impersonate: master or slave |
| timeout | | 15 | Connection timeout in seconds |

References:

- https://francozappa.github.io/about-bias/
- https://nvd.nist.gov/vuln/detail/CVE-2020-10135
- https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/bias-vulnerability/
- https://github.com/francozappa/bias
### exploits/ble_adv_spoof

BLE Advertisement Spoofing / Cloning

Clone or craft BLE advertisements to impersonate devices by rebroadcasting their AD structure

Severity: 🟠 HIGH · Protocol: BLE

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | clone | Mode: clone, custom, name, service |
| interface | | hci0 | Local HCI adapter |
| duration | | 60 | Broadcast duration in seconds (0 = until Ctrl+C) |
| interval_ms | | 100 | Advertisement interval in ms |
| clone_target | | | BD_ADDR to scan and clone (clone mode) |
| clone_scan_s | | 10 | Scan duration in seconds to find clone target |
| spoof_addr | | false | Also spoof BD_ADDR to match clone target (true/false) |
| raw_hex | | | Raw AD payload in hex (custom mode) |
| device_name | | BlueSploit_Device | Device name to advertise (name mode) |
| service_uuid | | 180D | Service UUID to advertise: 16-bit hex (e.g. 180D) or 128-bit |
| service_data | | | Service data payload in hex (optional for service mode) |
| company_id | | | Manufacturer company ID in hex for custom mfr AD (e.g. 004C for Apple) |
| company_data | | | Manufacturer-specific data in hex |

References:

- https://www.bluetooth.com/specifications/specs/core-specification-5-3/
- https://dl.acm.org/doi/10.1145/3395351.3399420
### exploits/ble_baseband_inject

BLE Baseband Adjacent Packet Injection

Inject BLE PDUs into adjacent unencrypted BLE link windows to achieve MITM or terminate connections

Severity: 🟡 MEDIUM · Protocol: BLE · CVE: CVE-2021-31615

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | terminate | Mode: terminate, reject_enc, version_probe, follow |
| target | ✓ | | Target BLE device BD_ADDR to inject towards |
| channel | | 37 | BLE data channel to inject on (0-36, or 'follow' for auto-follow) |
| access_addr | | 8E89BED6 | Connection access address (hex, from sniffed connection or 0x8E89BED6 for advertising) |
| repetitions | | 10 | Number of injection attempts |
| interval_ms | | 100 | Interval between injections in milliseconds |
| interface | | 0 | Ubertooth device index |
| pcap_file | | | PCAP file to replay as injection payload (follow mode) |

References:

- https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/report-vulnerability/
- https://dl.acm.org/doi/10.1145/3448300.3467843
- https://greatscottgadgets.com/ubertoothone/
### exploits/ble_crackle

BLE Pairing Crack (Crackle)

Passive offline crack of BLE Legacy Pairing, recover TK/LTK from sniffed Just Works or Passkey Entry pairing exchanges

Severity: 🟠 HIGH · Protocol: BLE

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | sniff_and_crack | Mode: sniff_and_crack, crack_pcap, decrypt |
| pcap_file | | | Input PCAP (crack_pcap/decrypt) or output capture (sniff_and_crack) |
| target | | | Target BLE device BD_ADDR (sniff filter) |
| sniffer | | ubertooth | Sniffer tool: ubertooth, nrf |
| ltk | | | Known LTK for decrypt mode (32 hex chars) |
| output_pcap | | | Decrypted PCAP output (decrypt mode) |
| duration | | 120 | Sniff duration in seconds |
| device | | 0 | Sniffer device index |

References:

- https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf
- https://github.com/mikeryan/crackle
- https://greatscottgadgets.com/ubertoothone/
### exploits/ble_invalid_curve

BLE Invalid Curve Attack

Exploit CVE-2018-5383, send crafted off-curve ECDH public key to leak peer private key during BLE Secure Connections pairing

Severity: 🟠 HIGH · Protocol: BLE · CVE: CVE-2018-5383

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | scan | Mode: scan, exploit, validate |
| target | ✓ | | Target BLE device BD_ADDR |
| interface | | hci0 | Local HCI adapter |
| iterations | | 20 | Pairing iterations for exploit mode (more = better odds) |
| custom_x_hex | | | Custom invalid X coordinate (64 hex chars) |
| output_file | | | Save derived private key bits to file |

References:

- https://biham.cs.technion.ac.il/BT/bt-fixed-coordinate-invalid-curve-attack.pdf
- https://www.kb.cert.org/vuls/id/304725
- https://www.bluetooth.com/security/statement-bluetooth-pairing-vulnerability/
### exploits/ble_l2cap_sig_oob_read

BLE L2CAP Signaling OOB Read

l2cble_process_sig_cmd OOB read → heap info leak (CVE-2018-9485)

Severity: 🟡 MEDIUM · Protocol: BLE · CVE: CVE-2018-9485

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BLE BD_ADDR |
| interface | | hci0 | Local HCI adapter |
| iterations | | 20 | Number of malformed PDUs to send |
| timeout | | 8 | Per-socket timeout (seconds) |

References:

- https://nvd.nist.gov/vuln/detail/CVE-2018-9485
- https://source.android.com/security/bulletin/2018-07-01
### exploits/ble_longrange

BT 5.x Long-Range Attack

BT 5.x Coded PHY / Extended Advertising attacks for long-range exploitation

Severity: 🟡 MEDIUM · Protocol: BLE

| Option | Required | Default | Description |
|---|---|---|---|
| mode | | scan_extended | Mode: scan_extended, longrange_scan, inject_extended, dos_periodic, phy_downgrade |
| target | | | Target BLE device MAC address |
| interface | | hci0 | HCI interface (must support BT 5.x) |
| phy | | coded_s8 | PHY to use: 1m, 2m, coded_s2, coded_s8 |
| duration | | 30 | Duration in seconds |
| adv_data | | | Custom advertisement data (hex) for injection |
| tx_power | | 20 | TX power level in dBm (-127 to 20) |

References:

- https://www.bluetooth.com/specifications/specs/core-specification-5-4/
- https://www.bluetooth.com/blog/new-auracast-white-paper/
- https://dl.acm.org/doi/10.1145/3576915.3623108
### exploits/ble_mitm

BLE MITM Relay

BLE man-in-the-middle relay, intercept and relay GATT traffic

Severity: 🟠 HIGH · Protocol: BLE

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Real peripheral MAC address to clone and relay |
| spoof_address | | | Spoofed MAC to use when advertising as fake peripheral |
| interface | | hci0 | Primary BLE interface (for connecting to real peripheral) |
| adv_interface | | hci1 | Secondary BLE interface (for advertising as fake peripheral) |
| duration | | 120 | Attack duration in seconds (0 = indefinite) |
| log_file | | | Log intercepted GATT operations to file |
| modify_writes | | false | Intercept and log GATT writes (true/false) |

References:

- https://github.com/securing/gattacker
- https://www.usenix.org/conference/usenixsecurity19/presentation/antonioli
- https://dl.acm.org/doi/10.1145/3319535.3354249
### exploits/ble_pairing_downgrade

BLE Pairing Downgrade

Force BLE device to accept JustWorks/legacy pairing (no authentication)

Severity: 🟡 MEDIUM · Protocol: BLE

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BLE device MAC address |
| mode | | justworks | Attack mode: justworks, legacy, oob_bypass |
| interface | | hci0 | HCI interface to use |
| bond | | true | Request bonding after pairing (true/false) |
| attempts | | 3 | Number of pairing attempts |

References:

- https://www.bluetooth.com/specifications/specs/core-specification-5-4/
- https://dl.acm.org/doi/10.1145/3319535.3354240
- https://www.usenix.org/conference/usenixsecurity20/presentation/wu
### exploits/ble_relay_attack

BLE Relay Attack, Proximity Unlock Bypass

Two-adapter BLE relay bridging GATT traffic over IP to bypass BLE proximity authentication on smart locks, cars, and badges

Severity: 🔴 CRITICAL · Protocol: BLE

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | central | Mode: central (near victim), peripheral (near target), loopback |
| victim | | | Victim phone/key BD_ADDR (central mode) |
| target | | | Target lock/car BD_ADDR (peripheral mode) |
| peer_host | | 127.0.0.1:9999 | Other relay endpoint (host:port), central connects to peripheral |
| listen_port | | 9999 | TCP port for peripheral side to listen on |
| interface | | hci0 | Local HCI adapter |
| duration | | 300 | Relay duration in seconds (0 = until disconnect) |
| latency_budget_ms | | 200 | Max relay latency before bailing (ms) |

References:

- https://research.nccgroup.com/2022/05/15/technical-advisory-ble-proximity-authentication-vulnerable-to-relay-attacks/
- https://kentindell.github.io/2022/05/15/tesla-relay/
- https://www.usenix.org/conference/usenixsecurity20/presentation/ho
### exploits/ble_replay

BLE Replay Attack

Capture and replay BLE GATT operations against vulnerable devices

Severity: 🟠 HIGH · Protocol: BLE

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BLE device MAC address |
| mode | | capture | Mode: capture, replay, analyze |
| capture_file | | ble_capture.json | JSON file to save/load captured packets |
| duration | | 30 | Capture duration in seconds |
| char_uuid | | | Specific characteristic UUID to target (empty = all) |
| replay_count | | 1 | Number of times to replay captured packets |
| replay_delay | | 0.5 | Delay between replayed packets in seconds |

References:

- https://www.usenix.org/conference/usenixsecurity19/presentation/zhang-jianliang
- https://dl.acm.org/doi/10.1145/3395351.3399357
### exploits/ble_sc_bypass

BLE SC Bypass

BLE Secure Connections bypass via method confusion / invalid public key

Severity: 🟠 HIGH · Protocol: BLE

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BLE device MAC address |
| technique | | method_confusion | Technique: method_confusion, pubkey_invalid, reflection, zero_ltk |
| interface | | hci0 | HCI interface to use |
| attempts | | 3 | Number of bypass attempts |
| claimed_io | | 1 | IO capability to claim (0-4) |

References:

- https://dl.acm.org/doi/10.1145/3548606.3560660
- https://www.usenix.org/conference/usenixsecurity20/presentation/wu
- https://kb.cert.org/vuls/id/573757
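ble_pairing_downgrade, ble_sc_bypass (claimed_io, method_confusion) and the smp_keysize_downgrade and knob entries in the index all attack the SMP feature exchange: the peer chooses the IO capability, AuthReq bits and Max Encryption Key Size it advertises, and a lenient responder lets those choices select an unauthenticated association model or a short key. The following is an added example, not code from this project, that parses SMP Pairing Request/Response PDUs, derives the association model from both feature sets by the rules in Core Spec Vol 3 Part H Section 2.3.5.1 (OOB, then MITM flags, then the IO-capability table), and applies the responder-side policy that defeats these modules: refuse a negotiated key size below 16 bytes, refuse pairing without LE Secure Connections, and refuse Just Works when authenticated pairing is required, each answered with the matching Pairing Failed reason. The local feature set and the four peer PDUs are constructed for illustration.

```python
from dataclasses import dataclass

SMP_PAIRING_REQ, SMP_PAIRING_RSP, SMP_PAIRING_FAILED = 0x01, 0x02, 0x05
IO_DISPLAY_ONLY, IO_DISPLAY_YESNO, IO_KEYBOARD_ONLY, IO_NO_IO, IO_KEYBOARD_DISPLAY = range(5)
AUTH_BONDING, AUTH_MITM, AUTH_SC = 0x01, 0x04, 0x08            # AuthReq bits
# Pairing Failed reason codes used below
FAIL_AUTH_REQUIREMENTS, FAIL_ENC_KEY_SIZE, FAIL_INVALID_PARAMS = 0x03, 0x06, 0x0A

@dataclass(frozen=True)
class PairingFeatures:
    io_cap: int
    oob: bool
    auth_req: int
    max_key_size: int
    init_key_dist: int
    resp_key_dist: int

    @property
    def mitm(self):
        return bool(self.auth_req & AUTH_MITM)

    @property
    def sc(self):
        return bool(self.auth_req & AUTH_SC)

def build_pairing_pdu(opcode, io_cap, oob, auth_req, max_key_size, init_kd=0x01, resp_kd=0x01):
    """Serialise a 7-byte SMP Pairing Request (0x01) or Pairing Response (0x02)."""
    return bytes([opcode, io_cap, 0x01 if oob else 0x00, auth_req, max_key_size, init_kd, resp_kd])

def parse_pairing_pdu(pdu):
    if len(pdu) != 7 or pdu[0] not in (SMP_PAIRING_REQ, SMP_PAIRING_RSP):
        raise ValueError("not a 7-byte SMP Pairing Request/Response")
    f = PairingFeatures(pdu[1], pdu[2] == 0x01, pdu[3], pdu[4], pdu[5], pdu[6])
    # Reserved IO capability, OOB flag or key size values are Invalid Parameters.
    if f.io_cap > IO_KEYBOARD_DISPLAY or pdu[2] > 0x01 or not 7 <= f.max_key_size <= 16:
        raise ValueError("invalid parameters")
    return f

def select_method(init, resp):
    """Association model: OOB check, then MITM check, then the IO-capability table."""
    sc = init.sc and resp.sc
    if (init.oob or resp.oob) if sc else (init.oob and resp.oob):
        return "OOB"
    if not (init.mitm or resp.mitm):           # neither side asks for MITM protection
        return "Just Works"
    a, b = init.io_cap, resp.io_cap
    if IO_NO_IO in (a, b) or ({a, b} <= {IO_DISPLAY_ONLY, IO_DISPLAY_YESNO} and IO_DISPLAY_ONLY in (a, b)):
        return "Just Works"
    if {a, b} <= {IO_DISPLAY_YESNO, IO_KEYBOARD_DISPLAY}:
        if sc:
            return "Numeric Comparison"
        return "Just Works" if a == b == IO_DISPLAY_YESNO else "Passkey Entry"
    return "Passkey Entry"

def evaluate_pairing(req_pdu, rsp_pdu, require_mitm=True, require_sc=True, min_key_size=16):
    """Responder policy. Returns ("accept", method, key_size) or ("reject", pairing_failed_pdu, why)."""
    try:
        init, resp = parse_pairing_pdu(req_pdu), parse_pairing_pdu(rsp_pdu)
    except ValueError as exc:
        return ("reject", bytes([SMP_PAIRING_FAILED, FAIL_INVALID_PARAMS]), str(exc))
    key_size = min(init.max_key_size, resp.max_key_size)   # negotiated STK/LTK length in bytes
    if key_size < min_key_size:
        return ("reject", bytes([SMP_PAIRING_FAILED, FAIL_ENC_KEY_SIZE]),
                f"negotiated key size {key_size} < {min_key_size} (KNOB-style downgrade)")
    if require_sc and not (init.sc and resp.sc):
        return ("reject", bytes([SMP_PAIRING_FAILED, FAIL_AUTH_REQUIREMENTS]),
                "peer did not offer LE Secure Connections")
    method = select_method(init, resp)
    if require_mitm and method == "Just Works":
        return ("reject", bytes([SMP_PAIRING_FAILED, FAIL_AUTH_REQUIREMENTS]),
                "Just Works is unauthenticated; peer claimed IO capability 0x%02x" % init.io_cap)
    return ("accept", method, key_size)

# Constructed local feature set: keyboard+display, bonding, MITM, Secure Connections, 16-byte key.
LOCAL_RSP = build_pairing_pdu(SMP_PAIRING_RSP, IO_KEYBOARD_DISPLAY, False,
                              AUTH_BONDING | AUTH_MITM | AUTH_SC, 16)

if __name__ == "__main__":
    peers = {
        "honest phone": build_pairing_pdu(SMP_PAIRING_REQ, IO_KEYBOARD_DISPLAY, False, AUTH_BONDING | AUTH_MITM | AUTH_SC, 16),
        "justworks downgrade": build_pairing_pdu(SMP_PAIRING_REQ, IO_NO_IO, False, AUTH_BONDING | AUTH_SC, 16),
        "legacy method confusion": build_pairing_pdu(SMP_PAIRING_REQ, IO_DISPLAY_YESNO, False, AUTH_BONDING | AUTH_MITM, 16),
        "7-byte key": build_pairing_pdu(SMP_PAIRING_REQ, IO_KEYBOARD_DISPLAY, False, AUTH_BONDING | AUTH_MITM | AUTH_SC, 7),
    }
    for name, req in peers.items():
        print(f"{name:24s} -> {evaluate_pairing(req, LOCAL_RSP)}")
```

The "legacy method confusion" case is the instructive one: with `require_sc=False` the same DisplayYesNo/KeyboardDisplay pair that yields Numeric Comparison under Secure Connections silently becomes Passkey Entry under legacy pairing, which is the mismatch ble_sc_bypass and pairing_method_confusion exploit; the policy closes it by not letting the peer drop the SC bit at all.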
### exploits/ble_tracker_spoof

BLE Tracker / Proximity Beacon Spoofing

Spoof BLE advertisements to impersonate AirTag, Fast Pair beacons, iBeacon, or Tile trackers using raw HCI injection

Severity: 🟠 HIGH · Protocol: BLE

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | airtag | Spoof mode: airtag, nearby_action, fast_pair, ibeacon, tile, clone |
| interface | | hci0 | Local HCI adapter |
| duration | | 60 | Broadcast duration in seconds (0 = until Ctrl+C) |
| interval_ms | | 100 | Advertisement interval in ms (lower = more aggressive) |
| rotate_addr | | 30 | Rotate random BD_ADDR every N seconds (0 = no rotation) |
| fast_pair_model | | pixel_buds_pro | Fast Pair model name or hex model ID. Known: … |
| nearby_action | | airpods_pro | Nearby Action device type. Known: … |
| ibeacon_uuid | | 426C756553706C6F697400000000000 | iBeacon UUID (32 hex chars, no dashes) |
| ibeacon_major | | 1 | iBeacon major value |
| ibeacon_minor | | 1 | iBeacon minor value |
| clone_target | | | BD_ADDR to clone advertisement from (for clone mode) |
| clone_duration_s | | 10 | Seconds to scan for clone target |

References:

- https://positive.security/blog/find-you
- https://github.com/seemoo-lab/openhaystack
- https://developers.google.com/nearby/fast-pair/specifications/introduction
- https://support.apple.com/en-us/HT212227
exploits/bleedingtooth_native

BleedingTooth Native Exploit
BleedingTooth full native RCE (CVE-2020-12351/52, EDB-49754)
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2020-12351, CVE-2020-12352

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (Ubuntu 20.04.1 / kernel 5.4.0-48) |
| lhost | ✓ | | Listener IP, start `nc -lvp <lport>` first |
| lport | | 1337 | Listener port |
| spray_1024 | | 6 | kmalloc-1024 spray rounds (increase if unreliable) |
| spray_128 | | 6 | kmalloc-128 spray rounds (increase if unreliable) |

References:
- https://www.exploit-db.com/exploits/49754
- https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup
- https://github.com/google/security-research/tree/master/pocs/linux/bleedingtooth
exploits/blerp_repairing

BLERP, BLE Re-Pairing Attacks
Force re-pairing of bonded BLE devices via SMP Security Request abuse, 0-click MITM and impersonation (NDSS 2026)
Severity: 🔴 CRITICAL · Protocol: BLE

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | attack | Mode: scan, attack, serve |
| flavor | | sec_request_inject | Attack flavor: … |
| target | ✓ | | Target bonded BLE peripheral BD_ADDR (or '*' in serve mode) |
| central | | | Victim central BD_ADDR, required for mitm_repair and zero_click_impersonate |
| interface | | hci0 | Primary HCI adapter |
| interface2 | | hci1 | Secondary HCI adapter, required for mitm_repair |
| auth_req | | 0x01 | auth_req byte for Security Request / Pairing Request (hex) |
| duration | | 60 | Attack / serve window in seconds |

References:
- https://www.ndss-symposium.org/wp-content/uploads/2026-f121-paper.pdf
- https://github.com/eurecom-s3/blerp
exploits/blesa_reconnect_spoof

BLESA, Spoofing on Reconnection
Spoof a previously paired BLE peripheral to hijack reconnection and serve forged GATT data to the central
Severity: 🟠 HIGH · Protocol: BLE

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | spoof | Mode: spoof, observe, inject |
| victim_addr | ✓ | | BD_ADDR of the peripheral to impersonate |
| victim_name | | BLE_Device | Local name of victim peripheral (e.g. 'HRM-XXXX') |
| service_uuid | | 180D | 16-bit service UUID to advertise (e.g. 180D for Heart Rate) |
| interface | | hci0 | Local HCI adapter |
| duration | | 300 | Spoof duration in seconds |
| forge_value | | DEADBEEF | Hex value to send when central reads/subscribes (inject mode) |

References:
- https://pursec.cs.purdue.edu/projects/blesa.html
- https://www.usenix.org/conference/woot20/presentation/wu
exploits/blueborne_bnep_overflow

BlueBorne BNEP Buffer Overflow
BlueBorne Android BNEP setup overflow (CVE-2017-0781, EDB-44554)
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2017-0781

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (Android pre-Sept 2017 patch) |
| count | | 30 | Number of overflow packets to send |
| overflow | | AAAABBBB | Overflow bytes (ASCII or hex with 0x prefix) |
| mtu | | 1500 | L2CAP MTU (default 1500) |

References:
- https://www.exploit-db.com/exploits/44554
- https://www.armis.com/blueborne/
- https://nvd.nist.gov/vuln/detail/CVE-2017-0781
exploits/blueborne_leak

BlueBorne Information Leak
BlueBorne Android BNEP Information Leak (CVE-2017-0781)
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2017-0781

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| packets | | 30 | Number of packets to send |
| delay | | 50 | Delay between packets (ms) |
| payload | | AAAABBBB | Overflow payload pattern |
| mtu | | 1500 | L2CAP MTU size |
| timeout | | 10 | Connection timeout (seconds) |

References:
- https://www.armis.com/blueborne/
- https://nvd.nist.gov/vuln/detail/CVE-2017-0781
- https://source.android.com/security/bulletin/2017-09-01
- https://github.com/ArmisSecurity/blueborne
exploits/blueborne_linux_rce

BlueBorne Linux RCE
BlueBorne Linux L2CAP Stack Buffer Overflow RCE (CVE-2017-1000251)
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2017-1000251

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| mode | | check | Mode: check (safe), crash (DoS), or exploit (RCE) |
| timeout | | 10 | Connection timeout in seconds |

References:
- https://www.armis.com/blueborne/
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000251
- https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.2
- https://github.com/ArmisSecurity/blueborne
exploits/blueborne_sdp_leak

BlueBorne SDP Information Leak
BlueBorne Android SDP heap info leak (CVE-2017-0785, EDB-44555)
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2017-0785

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (Android pre-Sept 2017 patch) |
| rounds | | 30 | Number of leak rounds (≈32 bytes per round) |
| output_file | | | Save raw leaked stack bytes to this file |

References:
- https://www.exploit-db.com/exploits/44555
- https://www.armis.com/blueborne/
- https://nvd.nist.gov/vuln/detail/CVE-2017-0785
exploits/bluebugging

Bluebugging (AT-command abuse)
RFCOMM AT Command Injection via unauthenticated serial channel
Severity: 🟠 HIGH · Protocol: CLASSIC

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| command_set | | info | AT command group to run: info, phonebook, call, sms, all |
| dial_number | | | Phone number for call/sms commands (e.g. +15551234567) |
| channel | | 0 | RFCOMM channel to use (0 = auto-scan) |
| timeout | | 8 | Connection timeout per channel in seconds |
| delay | | 0.5 | Delay between AT commands in seconds |

References:
- https://trifinite.org/trifinite_stuff_bluebugging.html
- https://www.usenix.org/legacy/event/woot07/tech/full_papers/king/king.pdf
exploits/bluebump

BlueBump, RFCOMM Link Re-keying Escalation
Forces link key refresh cycles to access privileged RFCOMM channels without user re-confirmation (BlueBump, 2005)
Severity: 🟠 HIGH · Protocol: CLASSIC

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter |
| rekey_cycles | | 5 | Number of link re-keying cycles before escalation attempt |
| cycle_delay_ms | | 200 | Milliseconds between re-key cycles |
| channels | | 1,2,3,4,5 | RFCOMM channels to attempt after re-keying (comma-separated, 0=all) |
| escalate_timeout | | 3 | Seconds to wait per channel during escalation window |
| at_probe | | True | Send ATI probe on successfully opened channels |

References:
- https://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Herfurt.pdf
- https://bluetooth-pentest.narod.ru/doc/bluebump.txt
exploits/blueducky

BlueDucky, DuckyScript HID Injection (CVE-2023-45866)
Run Rubber-Ducky-style payloads against unauthenticated HID Bluetooth peers via CVE-2023-45866, port of pentestfunctions/BlueDucky
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2023-45866

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | check | Mode: check, inject, test |
| target | | | Target BD_ADDR (Android/Linux) |
| interface | | hci0 | Local HCI adapter |
| payload | | | Path to DuckyScript file (.txt) |
| key_delay_ms | | 20 | Delay between keystrokes in milliseconds |
| verbose | | True | Print every keystroke + raw HID bytes |

References:
- https://github.com/pentestfunctions/BlueDucky
- https://github.com/marcnewlin/hi_my_name_is_keyboard
- https://nvd.nist.gov/vuln/detail/CVE-2023-45866
exploits/bluefrag

BlueFrag (CVE-2020-0022 Android RCE)
BlueFrag Android A2DP Heap Overflow RCE (CVE-2020-0022)
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2020-0022

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| mode | | check | Mode: check, crash, or info_leak |
| overflow_size | | 256 | Overflow size in bytes |
| timeout | | 15 | Connection timeout in seconds |

References:
- https://insinuator.net/2020/04/cve-2020-0022-an-android-8-0-9-0-bluetooth-zero-click-rce-bluefrag/
- https://nvd.nist.gov/vuln/detail/CVE-2020-0022
- https://source.android.com/security/bulletin/2020-02-01
- https://github.com/marcinguy/CVE-2020-0022
exploits/bluesnarfing

Bluesnarfing OBEX object exfil
Unauthorized OBEX phonebook & object pull (Bluesnarfing)
Severity: 🟠 HIGH · Protocol: CLASSIC

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| channel | | 0 | RFCOMM channel to use (0 = auto-scan) |
| output_dir | | /tmp/bluesnarfing | Directory to save retrieved files |
| timeout | | 10 | Socket timeout in seconds |
| max_size | | 65536 | Maximum bytes to receive per object |

References:
- https://www.bluesecurity.com/bluesnarfing.html
- https://trifinite.org/trifinite_stuff_bluesnarfing.html
- https://www.blackhat.com/presentations/bh-europe-04/bh-eu-04-laurie.pdf
exploits/bluffs

BLUFFS Session Key Downgrade
BLUFFS Bluetooth session key downgrade attack (CVE-2023-24023)
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2023-24023

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| mode | | ATTACK_PASSIVE | Attack mode: …, …, … |
| interface | | hci0 | HCI interface to use (e.g. hci0) |
| key_size | | 1 | Session key size to negotiate in downgrade mode (…-… bytes) |
| timeout | | 30 | Connection / monitoring timeout in seconds |
| captured_ct | | | Hex-encoded ciphertext block to brute-force (bruteforce mode, 16 bytes) |
| known_pt | | | Hex-encoded known plaintext for brute-force (16 bytes, e.g. ATT header) |

References:
- https://www.usenix.org/conference/usenixsecurity24/presentation/antonioli
- https://nvd.nist.gov/vuln/detail/CVE-2023-24023
- https://francozappa.github.io/publication/2023/bluffs/
- https://github.com/francozappa/bluffs
exploits/bluffs_mitm

BLUFFS MITM Variant
Active MITM session key downgrade attack (BLUFFS/CVE-2023-24023)
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2023-24023

| Option | Required | Default | Description |
|---|---|---|---|
| target_a | ✓ | | First target device MAC (initiator/master) |
| target_b | ✓ | | Second target device MAC (responder/slave) |
| interface | | hci0 | HCI interface to use |
| mode | | downgrade | Attack mode: downgrade, inject, monitor |
| diversifier | | 0000 | Force a specific session key diversifier (hex, e.g. 0000) |
| capture_file | | | PCAP output file for captured traffic |
| duration | | 60 | Attack duration in seconds (0 = indefinite) |

References:
- https://www.usenix.org/conference/usenixsecurity23/presentation/antonioli
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24023
- https://francozappa.github.io/about-bluffs/
exploits/blurtooth

BLURtooth, CTKD Key Overwrite
Exploit Cross-Transport Key Derivation to overwrite an existing authenticated Bluetooth bond with an unauthenticated derived key
Severity: 🟠 HIGH · Protocol: BOTH · CVE: CVE-2020-15802

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target dual-mode Bluetooth device BD_ADDR |
| mode | | ble_to_classic | Attack mode: ble_to_classic (default), classic_to_ble |
| interface | | hci0 | Local HCI adapter |
| timeout | | 30 | Pairing timeout in seconds |
| verify | | true | Verify key overwrite by checking BlueZ storage (true/false) |

References:
- https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/blurtooth/
- https://francozappa.github.io/about-blur/
- https://inria.hal.science/hal-02994406/
exploits/bnep_heap_disclosure

BNEP Heap Disclosure
BNEP bnep_data_ind() Remote Heap Disclosure (CVE-2017-13258)
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2017-13258, CVE-2017-13260, CVE-2017-13261, CVE-2017-13262

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| src_bdaddr | | hci0 | Source BD_ADDR (local adapter, e.g., hci0) |
| leak_count | | 64 | Number of heap bytes to attempt leaking |
| timeout | | 5 | Socket timeout (seconds) |
| recv_timeout | | 1 | Receive timeout per byte (seconds) |
| disable_ssp | | True | Disable Secure Simple Pairing on adapter |
| disconnect_first | | True | Disconnect existing connections first |
| output_file | | | Save leaked bytes to file |

References:
- https://www.exploit-db.com/exploits/44326
- https://source.android.com/security/bulletin/2018-03-01
- https://blog.quarkslab.com/android-bluetooth-vulnerabilities-in-the-march-2018-security-bulletin.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-13258
exploits/braktooth_esp32

BrakTooth ESP32 LMP Exploits
BrakTooth ESP32 Feature Page ACE (CVE-2021-28139)
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2021-28139

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| mode | | check | Mode: check, crash, or exploit |
| page | | 255 | Feature page number to send (0-255) |
| timeout | | 15 | Connection timeout in seconds |

References:
- https://asset-group.github.io/disclosures/braktooth/
- https://nvd.nist.gov/vuln/detail/CVE-2021-28139
- https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks
- https://www.espressif.com/en/news/ESP32_BrakTooth
exploits/csrk_signed_write

CSRK / Signed Write Abuse
Forge Authenticated Signed Writes using a leaked CSRK to control bonded BLE peripherals without re-pairing
Severity: 🟠 HIGH · Protocol: BLE

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | dump_csrk | Mode: dump_csrk, forge_write, replay, install_csrk |
| peer | ✓ | | Bonded peer BD_ADDR |
| csrk | | | CSRK (32 hex chars), required for forge/install |
| handle | | | Target characteristic handle (hex, e.g. 0x002B) for forge_write |
| value | | | Value to write (hex) |
| sign_counter | | 0 | Sign counter to use (must increase per write) |
| captured_pdu | | | Captured signed-write PDU (hex) for replay mode |
| adapter | | hci0 | Local HCI adapter |

References:
- https://www.bluetooth.com/specifications/specs/core-specification-5-3/
- https://github.com/bluez/bluez/blob/master/doc/settings-storage.txt
- https://www.usenix.org/conference/usenixsecurity21/presentation/wu-jianliang
exploits/fluoride_gatt_multivar_overflow

Android Fluoride GATT READ_MULTI_VAR Integer Underflow
ATT_READ_MULTIPLE_VARIABLE_REQ integer underflow → 64 KB heap overflow in Android Fluoride BT stack (CVE-2023-40129)
Severity: 🔴 CRITICAL · Protocol: DUAL · CVE: CVE-2023-40129, CVE-2023-35673

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target Android BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter (hci0, hci1, …) |
| mtu | | 55 | ATT MTU to negotiate (must satisfy: floor((mtu-1)/18)*18 == mtu-1 to land the underflow; 55 = reference PoC value) |
| handle | | 9 | GATT attribute handle whose value is exactly 16 bytes (handle 9 maps to Device Name on most Android devices) |
| handle_repeat | | 4 | Number of times to repeat the handle in READ_MULTI_VAR request (default 4 triggers underflow with MTU=55 and 16-byte attrs) |
| heap_shape | | false | Enable ERTM heap shaping before trigger (true/false) |
| trigger_count | | 3 | Number of overflow packets to send (1 is usually enough) |
| timeout | | 10 | Per-socket timeout in seconds |

References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-40129
- https://source.android.com/security/bulletin/2023-08-01
- https://www.synacktiv.com/en/publications/paint-it-blue-attacking-the-bluetooth-stack
- https://nvd.nist.gov/vuln/detail/CVE-2023-35673
exploits/harmonyos_bt_oob

HarmonyOS BT OOB Read
Huawei HarmonyOS Bluetooth OOB read, heap info disclosure (CVE-2026-28540)
Severity: 🟡 MEDIUM · Protocol: CLASSIC · CVE: CVE-2026-28540

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target HarmonyOS BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | HCI adapter (e.g. hci0) |
| overflow_size | | 256 | Bytes to read beyond buffer (OOB read length) |
| attribute_id | | 256 | SDP attribute to overflow (0x0100=name, 0x0101=desc, 0x0102=provider) |
| listen_timeout | | 30 | Seconds to wait for target SDP query |

References:
- https://nvd.nist.gov/vuln/detail/CVE-2026-28540
- https://www.huawei.com/en/psirt/security-advisories
exploits/helomoto

HeloMoto, HFP Silent AT Shell
RFCOMM headset profile handshake bypass for silent AT command execution on Motorola and compatible devices (HeloMoto, 2005)
Severity: 🟠 HIGH · Protocol: CLASSIC

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter |
| channel | | 0 | RFCOMM channel (0 = auto-scan for HFP/HSP) |
| command_set | | info | AT command set to run: info, phonebook, call, sms, all |
| dial_number | | | Phone number for call commands (e.g. +15551234567) |
| timeout | | 6 | Connection timeout per channel in seconds |
| hfp_handshake | | True | Perform full HFP SLC handshake before AT injection |

References:
- https://bluetooth-pentest.narod.ru/doc/helomoto.txt
- https://trifinite.org/trifinite_stuff_helomoto.html
exploits/hfp_rce_2023

Android HFP RCE (CVE-2023-21108)
Hands-Free Profile AT command parser overflow RCE
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2023-21108

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR |
| channel | | 0 | HFP RFCOMM channel (auto-discover if 0) |
| overflow_size | | 4096 | AT command argument overflow length |
| at_command | | VGS | Vulnerable AT command (VGS/BIA/BCS) |
| timeout | | 10 | Socket timeout |

References:
- https://source.android.com/security/bulletin/2023-05-01
- https://nvd.nist.gov/vuln/detail/CVE-2023-21108
exploits/internalblue_vendor_hci

Vendor HCI Command Injection (InternalBlue-style)
Send Broadcom/Cypress vendor HCI commands (OGF=0x3F) for chip fingerprinting, RAM R/W, code execution, and BD_ADDR spoof
Severity: 🔴 CRITICAL · Protocol: BOTH

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | fingerprint | Mode: fingerprint, dump_ram, patch_ram, exec, set_bdaddr |
| interface | | hci0 | Local HCI adapter |
| address | | | RAM address (hex, e.g. 0x200000) for dump/patch/exec |
| length | | 128 | Bytes to read (dump_ram mode, max 251) |
| data | | | Hex data to write (patch_ram mode) |
| bdaddr | | | New BD_ADDR (set_bdaddr mode) |
| output_file | | | File to save dumped RAM (dump_ram mode) |

References:
- https://github.com/seemoo-lab/internalblue
- https://www.usenix.org/conference/usenixsecurity19/presentation/mantz
- https://h0mbre.github.io/InternalBlue_Bluetooth_Research/
exploits/keystroke_injection_android_linux

HID Keystroke Injection, Android / Linux (CVE-2023-45866)
0-click HID keystroke injection via BlueZ D-Bus profile API, modern alternative that avoids sdptool / bluetoothd compat mode
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2023-45866

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target Bluetooth BD_ADDR (Android/Linux/iOS) |
| interface | | hci0 | Local HCI adapter |
| mode | | check | Mode: check, inject, test |
| payload | | `hello` followed by a newline | String to inject as keystrokes (inject mode) |
| duration | | 0 | Inject duration in seconds (0 = send payload once) |
| key_delay_ms | | 50 | Delay between keystrokes in milliseconds |
| verbose | | True | Show every keystroke + raw HID bytes as they're sent |

References:
- https://github.com/marcnewlin/hi_my_name_is_keyboard
- https://www.skysafe.io/blog/keystroke-injection
- https://nvd.nist.gov/vuln/detail/CVE-2023-45866
exploits/keystroke_injection_apple

HID Keystroke Injection, Apple Magic Keyboard spoof
macOS/iOS HID keystroke injection by spoofing a paired Magic Keyboard's BD_ADDR, target reconnects, attacker injects keys
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2023-45866

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target Mac or iPhone BD_ADDR |
| keyboard_addr | ✓ | | BD_ADDR of the paired Magic Keyboard to spoof |
| mode | | mac | Mode: mac, iphone, test |
| interface | | hci0 | Local HCI adapter |
| payload | | `terminal` followed by a newline | Keystroke payload to inject (multi-line string) |
| open_url | | | Optional URL to open via Cmd+Space → Terminal → open |
| trigger_timeout | | 120 | Seconds to wait for target re-connect signal |

References:
- https://github.com/marcnewlin/hi_my_name_is_keyboard
- https://www.skysafe.io/blog/keystroke-injection
exploits/keystroke_injection_windows

HID Keystroke Injection (Windows / BD_ADDR spoof)
Inject keystrokes into a Windows host by spoofing the BD_ADDR of a keyboard already paired with the target (CVE-2023-45866 family)
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2023-45866

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | inject | Mode: inject, test, check |
| iface | | hci0 | HCI interface (e.g. hci0) |
| target_keyboard_addr | | | BD_ADDR of keyboard already paired with target Windows host (to clone) |
| target_computer_addr | | | BD_ADDR of target Windows host |
| duration | | 5 | Seconds of Tab keypresses to inject |
| restore_bdaddr | | DEFAULT_RESTORE_BDADDR | BD_ADDR to restore adapter to on cleanup |

References:
- https://github.com/marcnewlin/hi_my_name_is_keyboard
- https://www.skysafe.io/blog/bluetooth-keystroke-injection-unauth
- https://nvd.nist.gov/vuln/detail/CVE-2023-45866
exploits/knob

KNOB Key Negotiation Attack
KNOB Attack - Encryption Key Entropy Downgrade (CVE-2019-9506)
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2019-9506

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| mode | | check | Mode: check, analyze, or mitm (requires Ubertooth) |
| interface | | ubertooth0 | Ubertooth interface for MITM mode |
| timeout | | 15 | Connection timeout in seconds |

References:
- https://knobattack.com/
- https://nvd.nist.gov/vuln/detail/CVE-2019-9506
- https://www.usenix.org/conference/usenixsecurity19/presentation/antonioli
- https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/knob/
exploits/knob_active

KNOB Active Downgrade
Actively force encryption key entropy downgrade (KNOB/CVE-2019-9506)
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2019-9506

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target Bluetooth MAC address (AA:BB:CC:DD:EE:FF) |
| key_size | | 1 | Desired entropy key size in bytes (1-16, 1=weakest) |
| interface | | hci0 | HCI interface to use |
| attempts | | 3 | Number of connection attempts |
| verify | | true | Verify downgrade by checking negotiated key size after connection |

References:
- https://knobattack.com
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9506
- https://www.bluetooth.com/bluetooth-resources/knob-attack/
exploits/l2cap_chan_put_uaf_android

Android L2CAP l2cap_chan_put() UAF
Concurrent l2cap_chan_put() refcount race causing UAF on Android kernel (CVE-2022-20566)
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2022-20566

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target Android BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter |
| psm | | 25 | L2CAP PSM: 1 (SDP), 3 (RFCOMM), 25 (AVDTP/A2DP) |
| threads | | 8 | Concurrent racing threads (higher = more race pressure) |
| iterations | | 100 | Refcount race cycles per thread |
| timeout | | 5 | Per-connection timeout in seconds |

References:
- https://cve.komodosec.com/cve/CVE-2022-20566
- https://nvd.nist.gov/vuln/detail/CVE-2022-20566
- https://source.android.com/security/bulletin/2022-12-01
exploits/l2cap_connect_uaf_2022

Linux L2CAP UAF, l2cap_connect()
Race condition use-after-free in Linux l2cap_connect() and l2cap_le_connect_req() (CVE-2022-42896)
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2022-42896

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter |
| psm | | 3 | L2CAP PSM to race: 1 (SDP), 3 (RFCOMM), 15 (BNEP) |
| threads | | 6 | Concurrent racing threads |
| iterations | | 80 | Connect/disconnect cycles per thread |
| timeout | | 5 | Per-connection timeout in seconds |

References:
- https://access.redhat.com/security/cve/CVE-2022-42896
- https://nvd.nist.gov/vuln/detail/CVE-2022-42896
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=711f8c3fb3db
exploits/l2cap_core_memsafety_2022

Linux L2CAP Core Memory Safety Flaw
Malformed L2CAP signaling PDUs causing OOB access in l2cap_core.c state machine (CVE-2022-49910)
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2022-49910

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter |
| psm | | 1 | L2CAP PSM to target: 1 (SDP) or 3 (RFCOMM) |
| threads | | 4 | Concurrent threads |
| iterations | | 50 | Malformed PDU sequences per thread |
| timeout | | 6 | Per-connection timeout in seconds |

References:
- https://vuldb.com/?id.CVE-2022-49910
- https://nvd.nist.gov/vuln/detail/CVE-2022-49910
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/net/bluetooth/l2cap_core.c
exploits/l2cap_unregister_user_uaf

Linux l2cap_unregister_user() UAF + List Corruption
Missing conn->lock in l2cap_unregister_user() enables concurrent UAF and list corruption (CVE-2026-23461)
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2026-23461

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter |
| psms | | 1,3,15,25,23 | L2CAP PSMs to use (comma-separated, 0=all known fixed PSMs) |
| threads_per_psm | | 4 | Concurrent threads per PSM (higher = more race pressure) |
| iterations | | 100 | Register/unregister cycles per thread |
| conn_delay_ms | | 0 | Delay between connect and disconnect in ms (0 = immediate) |
| timeout | | 5 | Per-connection timeout in seconds |

References:
- https://app.opencve.io/cve/CVE-2026-23461
- https://nvd.nist.gov/vuln/detail/CVE-2026-23461
exploits/lovense_unauth

Lovense Unauthenticated BLE Control
Send vibration, rotate, pump and power-off commands to Lovense adult toys (Gen 1-4) without pairing or authentication
Severity: 🟠 HIGH · Protocol: BLE

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | scan | scan / info / vibrate / max / stop / rotate / pump / poweroff |
| target | | | Lovense device BD_ADDR |
| intensity | | 20 | Intensity 0-20 (vibrate/rotate) or 0-3 (pump) |
| pump_action | | in | Pump direction: in, out, auto (Max/Calor only) |
| duration | | 15 | Scan duration in seconds |

References:
- https://lovesense-py.readthedocs.io/en/latest/protocol.html
- https://buttplug.io/stpihkal/protocols/lovense/
- https://www.pentestpartners.com/security-blog/screwdriving-locating-and-exploiting-smart-adult-toys/
- https://www.bleepingcomputer.com/news/security/smart-sex-toys-come-with-bluetooth-and-remote-hijacking-weaknesses/
exploits/mesh_attack

Mesh Network Attack
BLE Mesh provisioning exploitation and message injection
Severity: 🟠 HIGH · Protocol: BLE · CVE: CVE-2020-26556, CVE-2020-26557, CVE-2020-26559, CVE-2020-26560

| Option | Required | Default | Description |
|---|---|---|---|
| mode | | sniff | Mode: sniff, mitm, replay, impersonate |
| target | | | Target mesh node UUID or address (for targeted attacks) |
| interface | | hci0 | HCI interface |
| duration | | 60 | Sniff/attack duration in seconds |
| netkey | | | Known NetKey for impersonate/replay (hex, 32 chars) |
| appkey | | | Known AppKey (hex, 32 chars) |
| capture_file | | | JSON file to save/load captured mesh data |
| src_addr | | 0001 | Source mesh address for impersonation (hex, e.g. 0001) |
| dst_addr | | ffff | Destination mesh address (hex, ffff=broadcast) |

References:
- https://www.bluetooth.com/specifications/specs/mesh-protocol-1-1/
- https://dl.acm.org/doi/10.1145/3558482.3590187
- https://www.usenix.org/conference/usenixsecurity21/presentation/wu-jianliang
exploits/obex_exploit

OBEX Exploit
OBEX file push/pull and phonebook extraction over Bluetooth
Severity: 🟠 HIGH · Protocol: CLASSIC

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target Bluetooth MAC address |
| mode | | scan | Mode: scan, push, pull, browse, contacts, vcard |
| channel | | | OBEX RFCOMM channel (auto-detect if empty) |
| file | | | Local file to push, or remote path to pull |
| remote_path | | | Remote path for pull/browse (e.g. telecom/pb.vcf) |
| output_dir | | /tmp/bluesploit_obex | Directory to save pulled files |

References:
- https://www.bluetooth.com/specifications/specs/generic-object-exchange-profile-2-1-1/
- https://trifinite.org/trifinite_stuff_bluesnarfing.html
exploits/opensynergy_bluesdk_rce

OpenSynergy Blue SDK L2CAP ConfigReq + SDP RCE
Heap corruption via malformed L2CAP_ConfigReq + SDP frames on OpenSynergy Blue SDK 3.2-6.0 (CVE-2018-20378)
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2018-20378

| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter |
| psm | | 1 | L2CAP PSM to attack: 1 (SDP) or 3 (RFCOMM) |
| mode | | crash | Mode: check (safe probe), crash (DoS), exploit (heap corruption) |
| connections | | 4 | Concurrent L2CAP connections for heap spray |
| iterations | | 20 | Malformed frame pairs per connection |
| overflow_size | | 256 | Byte length of the oversized EFS option payload |
| sdp_interleave | | True | Interleave malformed SDP PDUs with ConfigReq frames |
| timeout | | 8 | Per-connection timeout in seconds |

References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-20378
- https://cvedetails.com/cve/CVE-2018-20378/
- https://www.opensynergy.com/products/blue-sdk/
exploits/pairing_method_confusion

Pairing Method Confusion MITM
Exploit Secure Connections vs Legacy pairing method confusion to authenticate as MITM without knowing the PIN/Passkey
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2022-25837, CVE-2022-25836, CVE-2020-10134

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | classic_sc_vs_legacy | Attack mode: classic_sc_vs_legacy, ble_sc_vs_legacy, confirm_swap |
| initiator | ✓ | | BD_ADDR of the pairing initiator (device A) |
| responder | ✓ | | BD_ADDR of the pairing responder (device B) |
| interface | | hci0 | Local HCI adapter |
| timeout | | 30 | Attack window in seconds |
| brute_start | | 0 | Passkey brute-force start value (0-999999) for SC vs legacy mode |

References:
- https://www.bluetooth.com/blog/bluetooth-pairing-method-confusion-attacks/
- https://dl.acm.org/doi/10.1145/3548606.3560668
- https://francozappa.github.io/about-bias/
exploits/passkey_reflection_mitm

Passkey Reflection MITM
Identify SC Passkey by reflecting public key and auth evidence, enabling authenticated pairing without knowing the Passkey
Severity: 🟠 HIGH · Protocol: BOTH · CVE: CVE-2021-37577, CVE-2020-26558

| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | monitor | Mode: monitor, bit_probe, full_mitm |
| target | ✓ | | Target BD_ADDR to intercept pairing of |
| interface | | hci0 | Primary HCI adapter |
| interface2 | | | Second HCI adapter (required for full_mitm mode) |
| timeout | | 60 | Attack duration in seconds |
| output_file | | | Save captured keys/passkey to file |

References:
- https://www.bluetooth.com/blog/bluetooth-security-update-passkey-reflection/
- https://dl.acm.org/doi/10.1145/3460120.3484754
- https://francozappa.github.io/about-bias/
exploits/pin_bruteforce¶
PIN Brute-Force
Brute-force Classic Bluetooth 4-digit pairing PIN
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2020-26555
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target Bluetooth MAC address |
| strategy | | common | Strategy: common, sequential, dictionary, targeted |
| interface | | hci0 | HCI interface to use |
| wordlist | | | PIN wordlist file (for dictionary strategy) |
| start_pin | | 0000 | Starting PIN for sequential strategy |
| delay | | 0.5 | Delay between attempts in seconds |
| max_attempts | | 0 | Maximum number of attempts (0 = unlimited) |
| timeout | | 5 | Pairing attempt timeout in seconds |

References:
- https://www.bluetooth.com/specifications/specs/core-specification-5-4/
- https://ieeexplore.ieee.org/document/4497524
- https://trifinite.org/trifinite_stuff_btpincrack.html
exploits/rfcomm_core_memsafety¶
Linux RFCOMM core.c Memory Safety Bug
Triggers memory safety violation in rfcomm/core.c via abnormal session teardown (CVE-2024-22099)
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2024-22099
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter |
| dlci_count | | 6 | Number of DLCs to open concurrently |
| iterations | | 10 | Number of open/teardown cycles |
| mcc_flood | | True | Send MCC flood on each DLC before teardown |

References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-22099
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/net/bluetooth/rfcomm/core.c
exploits/rfcomm_mem_corrupt_2010¶
Linux RFCOMM Remote Memory Corruption
Corrupts kernel heap via oversized UIH frames on Linux 2.6.18-2.6.33 (CVE-2010-1084)
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2010-1084
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter |
| channel | | 1 | RFCOMM channel to open for data DLC |
| payload_size | | 512 | Actual payload bytes sent (declared length is always 32767) |
| burst_count | | 20 | Number of malformed UIH frames to send |
| pattern | | 65 | Fill pattern byte (hex, e.g. 0x41) |

References:
- https://nvd.nist.gov/vuln/detail/CVE-2010-1084
- https://www.securityfocus.com/bid/38527
exploits/rfcomm_mem_mgmt_2025¶
Linux RFCOMM BT Subsystem Improper Memory Management
Reference count imbalance in RFCOMM BT subsystem via RPN/DISC race (CVE-2025-21688)
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2025-21688
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter |
| sessions | | 60 | Number of RPN/DISC race sessions |
| channel | | 1 | RFCOMM channel for DLC |
| threads | | 4 | Concurrent threads |
| rpn_variants | | True | Send multiple RPN frames per DLC before DISC |

References:
- https://nvd.nist.gov/vuln/detail/CVE-2025-21688
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/net/bluetooth/rfcomm
exploits/rfcomm_mem_mgmt_flaw¶
Linux RFCOMM Memory Management Flaw
Progressive kernel memory leak via abnormal RFCOMM session teardown (CVE-2024-49939)
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2024-49939
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter |
| sessions | | 50 | Number of leak sessions to send |
| dlcs_per_session | | 8 | DLCs to allocate per session (multiplies leak size) |
| threads | | 3 | Concurrent session threads |
| pn_before_drop | | True | Send PN before abrupt teardown (increases leak) |

References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-49939
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/net/bluetooth/rfcomm
exploits/rfcomm_null_ptr_2015¶
Linux RFCOMM rfcomm_sock_bind() NULL Deref
Triggers NULL ptr dereference in rfcomm_sock_bind() on Linux < 4.2 (CVE-2015-8956)
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2015-8956
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter (e.g. hci0) |
| dlci_start | | 1 | Starting DLCI value for orphan attempts |
| attempts | | 30 | Number of NULL-deref trigger attempts |
| close_delay_ms | | 5 | Milliseconds between SABM and L2CAP teardown |

References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-8956
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4d7b413e4f60
exploits/rfcomm_privesc_race¶
Windows RFCOMM Privilege Escalation
Windows RFCOMM driver race condition, local EoP to SYSTEM (CVE-2026-23671)
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2026-23671
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target Windows BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | HCI adapter (e.g. hci0) |
| channel_start | | 1 | Starting RFCOMM channel number |
| channel_count | | 8 | Number of RFCOMM channels to race |
| race_attempts | | 50 | Number of race attempts per channel pair |
| delay_us | | 50 | Microsecond delay between race ops |

References:
- https://nvd.nist.gov/vuln/detail/CVE-2026-23671
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23671
exploits/rfcomm_setsockopt_overflow¶
Linux RFCOMM setsockopt Unvalidated Input
Memory safety violation via malformed RFCOMM PN frames exploiting setsockopt unvalidated input (CVE-2024-35966)
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2024-35966
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter |
| channel | | 1 | RFCOMM channel for data DLC |
| iterations | | 3 | Cycles through all malformed PN combinations |
| delay_ms | | 20 | Delay between PN frames in milliseconds |

References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-35966
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/net/bluetooth/rfcomm
exploits/rfcomm_shell¶
RFCOMM Shell
Interactive reverse/bind shell over Bluetooth RFCOMM
Severity: 🔴 CRITICAL · Protocol: CLASSIC
| Option | Required | Default | Description |
|---|---|---|---|
| target | | | Target Bluetooth MAC (for connect mode) |
| mode | | connect | Shell mode: connect, listen, bind |
| channel | | 1 | RFCOMM channel number (1-30) |
| shell | | /bin/bash | Shell command to execute |
| interface | | hci0 | HCI interface to use |
| timeout | | 30 | Connection timeout in seconds |
| auto_scan | | true | Auto-scan for open RFCOMM channels before connecting (true/false) |

References:
- https://www.bluetooth.com/specifications/specs/rfcomm-1-2/
exploits/rfcomm_sock_alloc_uaf¶
Linux rfcomm_sock_alloc() Use-After-Free
Dangling sk pointer UAF in rfcomm_sock_alloc(), kernel memory read/write (CVE-2024-56604)
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2024-56604
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter |
| channel | | 1 | RFCOMM channel for UAF trigger |
| attempts | | 25 | UAF trigger attempts |
| spray_connections | | 4 | Concurrent connections for heap spray (increases UAF hit rate) |
| close_timing_us | | 100 | Microseconds between SABM and concurrent close (UAF window) |

References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-56604
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/net/bluetooth/rfcomm
exploits/sco_mic_intercept¶
SCO/eSCO Microphone Interception
Intercept Bluetooth headset microphone stream via SCO audio channel after gaining connection
Severity: 🔴 CRITICAL · Protocol: CLASSIC
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target headset/HFP device BD_ADDR (XX:XX:XX:XX:XX:XX) |
| local_addr | | | Local adapter BD_ADDR (empty = auto-detect from hciconfig) |
| interface | | hci0 | Local HCI adapter |
| codec | | cvsd | Audio codec: cvsd (8kHz) or msbc (16kHz wideband) |
| duration | | 30 | Capture duration in seconds (0 = until Ctrl+C) |
| output_file | | | Output WAV file path (empty = auto-generated) |
| connect_timeout | | 10 | SCO connection timeout in seconds |

References:
- https://www.bluetooth.com/specifications/specs/hands-free-profile-1-8/
- https://francozappa.github.io/about-bias/
- https://www.usenix.org/conference/usenixsecurity19/presentation/antonioli
exploits/screwdriving¶
Screwdriving, Unauthenticated BLE Adult Toy Hijack
Scan for and hijack BLE adult toys using unauthenticated GATT writes (Lovense, We-Vibe, Vibratissimo, Kiiroo, Lelo, no pairing required)
Severity: 🟠 HIGH · Protocol: BLE
| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | scan | Mode: scan, hijack, lockout, stop |
| target | | | Target BD_ADDR (skip scan, go straight to hijack/stop) |
| interface | | hci0 | Local HCI adapter |
| duration | | 15 | Scan duration in seconds |
| intensity | | 20 | Vibration intensity (0-20 for Lovense, 0-255 others) |
| lockout_duration | | 30 | How long to hold connection and block owner (seconds) |

References:
- https://www.pentestpartners.com/security-blog/screwdriving-locating-and-exploiting-smart-adult-toys/
- https://arstechnica.com/information-technology/2017/10/screwdriving-many-bluetooth-sex-toys-leave-users-vulnerable/
exploits/smp_keysize_downgrade¶
SMP Key Size Downgrade
Force 7-byte (56-bit) LTK derivation by responding to LE pairing with max_key_size=7; passively detect weak negotiations on link
Severity: 🟠 HIGH · Protocol: BLE
| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | passive | Mode: passive, responder, brute |
| interface | | hci0 | Local HCI adapter |
| duration | | 60 | Capture / responder duration (seconds) |
| forced_keysize | | 7 | KeySize bytes to force (7=weakest, 16=strongest) |
| pcap_file | | | PCAP with encrypted ATT traffic (brute mode) |

References:
- https://www.bluetooth.com/specifications/specs/core-specification-5-3/
- https://francozappa.github.io/about-knob/
- https://github.com/mikeryan/crackle
exploits/sweyntooth¶
SweynTooth BLE Link-Layer Exploits
SweynTooth BLE Link Layer stack overflow / deadlock family
Severity: 🔴 CRITICAL · Protocol: BLE · CVE: CVE-2019-16336, CVE-2019-17519, CVE-2019-17061, CVE-2019-17060, CVE-2019-17517, CVE-2019-17518
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BLE device address (XX:XX:XX:XX:XX:XX) |
| attack | | ll_length_overflow | Attack variant: ll_length_overflow, ll_deadlock, truncated_l2cap, silent_overflow, all |
| addr_type | | public | BLE address type: public or random |
| interface | | hci0 | HCI interface (e.g. hci0) |
| timeout | | 10 | Connection timeout in seconds |
| scan_time | | 5 | BLE scan duration in seconds (for check) |

References:
- https://sweyntooth.github.io/
- https://asset-group.github.io/disclosures/sweyntooth/
- https://nvd.nist.gov/vuln/detail/CVE-2019-16336
- https://nvd.nist.gov/vuln/detail/CVE-2019-17519
- https://nvd.nist.gov/vuln/detail/CVE-2019-17061
exploits/ti_simplelink_dh_skip¶
TI SimpleLink DH Skip (CVE-2021-22645)
Skip ECDH validation on TI SimpleLink CC2640R2 by setting up encryption before SMP completes, unauth GATT read/write
Severity: 🔴 CRITICAL · Protocol: BLE · CVE: CVE-2021-22645
| Option | Required | Default | Description |
|---|---|---|---|
| mode | ✓ | detect | Mode: detect, exploit, exfil |
| target | ✓ | | Target BLE device BD_ADDR |
| interface | | hci0 | Local HCI adapter |
| output_file | | | JSON file to save GATT exfil dump |
| timeout | | 15 | Connection timeout in seconds |

References:
- https://github.com/advisories/GHSA-pq68-r59w-pq6c
- https://www.ti.com/tool/SIMPLELINK-CC2640R2-SDK
- https://nvd.nist.gov/vuln/detail/CVE-2021-22645
exploits/unauth_write¶
Unauthenticated GATT Write
Unauthenticated GATT characteristic write
Severity: 🟠 HIGH · Protocol: BLE
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (XX:XX:XX:XX:XX:XX) |
| char_uuid | ✓ | | Target characteristic UUID |
| payload | ✓ | | Payload to write (hex string, e.g., 0102030405) |
| write_type | | command | Write type: 'request' (with response) or 'command' (without response) |
| repeat | | 1 | Number of times to send payload |
| delay | | 100 | Delay between repeated writes (ms) |
| timeout | | 15 | Connection timeout (seconds) |

References:
- https://github.com/Mr-IoT/PhantomTouch
- https://www.bluetooth.com/specifications/gatt/
exploits/whisperpair¶
WhisperPair Fast Pair Hijack
Google Fast Pair account key injection, force-pair without pairing mode (CVE-2025-36911)
Severity: 🔴 CRITICAL · Protocol: BLE · CVE: CVE-2025-36911
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BLE address (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | HCI adapter (e.g. hci0) |
| account_key | | | 16-byte account key hex (random if empty) |
| scan_first | | True | Scan for Fast Pair devices before attacking |
| timeout | | 15 | BLE connection timeout in seconds |

References:
- https://nvd.nist.gov/vuln/detail/CVE-2025-36911
- https://developers.google.com/nearby/fast-pair/specifications
exploits/win_bt_stack_uaf¶
Windows Bluetooth Stack 2.1 UAF RCE
Exploit bthport.sys Use-After-Free via malformed L2CAP ConfigReq packets on unpatched Windows Vista SP1/SP2 and Windows 7
Severity: 🔴 CRITICAL · Protocol: CLASSIC · CVE: CVE-2011-1265
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BD_ADDR (Windows Vista/7 host) |
| mode | | check | Mode: l2cap_conf_overflow, uaf_trigger, spray, check |
| psm | | 1 | L2CAP PSM to connect on for exploit |
| threads | | 4 | Concurrent connection threads (uaf_trigger mode) |
| iterations | | 50 | Connect/disconnect cycles per thread |
| timeout | | 5 | Per-connection timeout in seconds |
| spray_count | | 32 | Number of spray packets (spray mode) |

References:
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-053
- https://nvd.nist.gov/vuln/detail/CVE-2011-1265
- https://www.zerodayinitiative.com/advisories/ZDI-11-218/
exploits/win_rfcomm_info_disclosure¶
Windows RFCOMM Driver Information Disclosure
Leaks kernel/driver memory via uninitialized response padding in Windows RFCOMM driver (CVE-2025-59513)
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2025-59513
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target Windows BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter |
| channel | | 1 | RFCOMM channel for connection |
| probe_rounds | | 5 | Rounds of probe commands per connection |
| analyze_pointers | | True | Analyze responses for kernel pointer patterns |

References:
- https://nvd.nist.gov/vuln/detail/CVE-2025-59513
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59513
exploits/xiaomi_rfcomm_test_oob¶
Xiaomi Redmi Buds RFCOMM TEST OOB Read
Leaks up to 127 bytes of firmware memory per request via RFCOMM TEST OOB read (CVE-2025-13834)
Severity: 🟠 HIGH · Protocol: CLASSIC · CVE: CVE-2025-13834
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target Xiaomi Buds BD_ADDR (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | Local HCI adapter |
| leak_size | | 127 | Bytes to leak per request (1-127) |
| requests | | 10 | Number of OOB read requests |
| marker_byte | | 170 | Known marker byte in actual payload (helps identify boundary) |

References:
- https://nvd.nist.gov/vuln/detail/CVE-2025-13834
- https://www.bluetooth.org/DocMan/handlers/DownloadDoc.ashx?doc_id=282159
exploits/zephyr_ble_smp_crash¶
Zephyr BLE Fixed-Channel Crash
Zephyr RTOS BLE integer overflow via illegal fixed-channel disconnect (CVE-2025-10456)
Severity: 🟠 HIGH · Protocol: BLE · CVE: CVE-2025-10456
| Option | Required | Default | Description |
|---|---|---|---|
| target | ✓ | | Target BLE address (XX:XX:XX:XX:XX:XX) |
| interface | | hci0 | HCI adapter (e.g. hci0) |
| target_cid | | 0 | Fixed CID to disconnect (4=ATT, 6=SMP, 0=both) |
| repeat | | 3 | Number of disconnect requests to send |
| delay | | 0.2 | Delay between packets in seconds |

References:
- https://nvd.nist.gov/vuln/detail/CVE-2025-10456
- https://github.com/zephyrproject-rtos/zephyr/security/advisories