
cve-2017-0781's Introduction

CVE-2017-0781 PoC

Overview

This is a proof of concept for CVE-2017-0781, an Android heap overflow vulnerability described in the BlueBorne whitepaper released by Armis. Further reading: https://www.armis.com/blueborne/

In its current state, this code only demonstrates the overflow and the ability to crash the Bluetooth service. Again, this is not a fully developed remote code execution, but it could be built into one.

Instructions

Get pwntools.

apt-get update
apt-get install python2.7 python-pip python-dev git libssl-dev libffi-dev build-essential
pip install --upgrade pip
pip install --upgrade pwntools

Get pybluez.

apt-get install bluetooth libbluetooth-dev
pip install pybluez==0.22

I have used the hciconfig and btmgmt tools for this; both are included in the bluez package. If your Bluetooth module gets locked, rfkill might help.

Run btmgmt.

The info command will show the indices of your devices.

Entering select 0 will make the first bluetooth controller active. A shortcut for this is to launch the tool with btmgmt --index 0.

Make sure you can discover devices with the find command. Your Android's screen must be on and the Bluetooth settings view must be open for it to be discoverable. Note that discoverability is not a prerequisite for exploiting this vulnerability, as the Armis whitepaper details.

For the exploit to work without manual pairing, you must set the IO capabilities of your host with io-cap 0x03 in the btmgmt tool.

With this set, run the code with python CVE-2017-0781.py TARGET=XX:XX:XX:XX:XX:XX and your Android device's bluetooth service should crash. It might take a few tries. Currently the code sends 30 of these invalid packets to corrupt enough memory for the process to crash.

Happy hacking ;)

Troubleshooting

Make sure you see your bluetooth device on the host with the command hciconfig.

user-pc user # hciconfig
hci0:	Type: BR/EDR  Bus: USB
	BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 310:10  SCO MTU: 64:8
	DOWN 
	RX bytes:580 acl:0 sco:0 events:31 errors:0
	TX bytes:368 acl:0 sco:0 commands:30 errors:0

If it is DOWN rather than UP, as shown here, bring it up with hciconfig <intf> up.

user-pc user # hciconfig hci0 up
Can't init device hci0: Operation not possible due to RF-kill (132)

If you get messages about rf-kill, try the rfkill list command.

user-pc user # rfkill list
0: phy0: Wireless LAN
	Soft blocked: no
	Hard blocked: no
2: asus-wlan: Wireless LAN
	Soft blocked: no
	Hard blocked: no
3: asus-bluetooth: Bluetooth
	Soft blocked: no
	Hard blocked: no
4: hci0: Bluetooth
	Soft blocked: yes
	Hard blocked: no

Unblocking can be done with rfkill unblock <id>, using the index shown in the rfkill list output (4 for hci0 in the example above).
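The two checks above (adapter state from hciconfig, block state from rfkill list) are easy to get wrong by eye when a machine has several radios. The script below is an added example, not part of the PoC repository: it parses the output formats shown in this troubleshooting section and reports which Bluetooth rfkill entries are blocked and whether each hci adapter is UP or DOWN. The sample outputs are constructed from the listings above (indented with spaces here; real output uses tabs, which the patterns also accept), and the function names are my own.

```shell
#!/bin/sh
# Added diagnostic helper (not from the CVE-2017-0781 repository).
# Parses `rfkill list` and `hciconfig` text so that adapter problems are
# reported by name instead of being read off by eye.

# Constructed sample of `rfkill list` output: index 4 (hci0) is soft-blocked.
SAMPLE_RFKILL='0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
3: asus-bluetooth: Bluetooth
    Soft blocked: no
    Hard blocked: no
4: hci0: Bluetooth
    Soft blocked: yes
    Hard blocked: no'

# Constructed sample of `hciconfig` output for an adapter that is DOWN.
SAMPLE_HCICONFIG='hci0:   Type: BR/EDR  Bus: USB
    BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 310:10  SCO MTU: 64:8
    DOWN
    RX bytes:580 acl:0 sco:0 events:31 errors:0
    TX bytes:368 acl:0 sco:0 commands:30 errors:0'

# Emit the text in $1, or stdin when $1 is empty, so each parser works both
# on the samples and in a pipeline such as `rfkill list | blocked_bt_ids`.
_input() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; else cat; fi
}

# Print the rfkill ids of Bluetooth devices that are soft- or hard-blocked,
# one per line. Wireless LAN entries are ignored.
blocked_bt_ids() {
    _input "$1" | awk '
        /^[0-9]+:/ { id = $1; sub(":", "", id); is_bt = ($NF == "Bluetooth") }
        is_bt && /blocked: yes/ { if (!seen[id]++) print id }
    '
}

# Print "<intf> UP" or "<intf> DOWN" for every adapter in hciconfig output.
adapter_states() {
    _input "$1" | awk '
        /^hci[0-9]+:/ { intf = $1; sub(":", "", intf) }
        /^[ \t]+(UP|DOWN)/ { print intf, $1 }
    '
}

# Overall verdict: 0 when no Bluetooth entry is blocked and no adapter is
# DOWN, 1 otherwise. Arguments are the two command outputs (or samples).
bt_ready() {
    blocked=$(blocked_bt_ids "$1")
    down=$(adapter_states "$2" | awk '$2 == "DOWN" { print $1 }')
    [ -n "$blocked" ] && echo "rfkill-blocked Bluetooth ids: $blocked (try: rfkill unblock <id>)"
    [ -n "$down" ] && echo "adapters DOWN: $down (try: hciconfig <intf> up)"
    [ -z "$blocked" ] && [ -z "$down" ]
}

# Stand-alone run against the constructed samples; on a real host use
#   bt_ready "$(rfkill list)" "$(hciconfig)"
bt_ready "$SAMPLE_RFKILL" "$SAMPLE_HCICONFIG" || echo "adapter not ready"
```

On the samples this prints that id 4 is blocked and hci0 is DOWN, which is exactly the situation the two troubleshooting steps above resolve in order: unblock first, then bring the interface up.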

If your device still asks for a pairing code after setting the IO capabilities on the host, then this method is probably not currently possible on your device.

Contributors

fafifi, ojasookert


cve-2017-0781's Issues

invalid stuff

Hi, so when I execute the Python program it comes back with
Traceback (most recent call last):
File "/home/kalilinux/Downloads/CVE-2017-0781.py", line 36, in
bad_packet = packet('AAABBBB')
File "/home/kalilinux/Downloads/CVE-2017-0781.py", line 32, in packet
pkt += p8(set_bnep_header_extension_bit(BNEP_FRAME_CONTROL))
TypeError: can only concatenate str (not "bytes") to str
What am I doing wrong and how can I fix this?

Error on command

Hey, I tried to run the command below but got the error shown in the uploaded image.
[image]

Can you help me? I'm a newbie at Python. Thanks!

The result after running is only zero

here is the result:
[+] Exploit: Done
00000000

Does this mean the crack failed, or did I do something wrong?
I ran it in VirtualBox; please help me.

No module named pwn

Traceback (most recent call last):
File "CVE-2017-0781.py", line 1, in
from pwn import *
ImportError: No module named pwn
I used:

python2.7 CVE-2017-0781.py TARGET=XX:XX:XX:XX:XX:XX

error

Traceback (most recent call last):
File "CVE-2017-0781.py", line 35, in
bad_packet = packet('AAAABBBB')
File "CVE-2017-0781.py", line 31, in packet
pkt += p8(set_bnep_header_extension_bit(BNEP_FRAME_CONTROL))
TypeError: can only concatenate str (not "bytes") to str

Error while doing python CVE-2017-0781.py TARGET=XX:XX:XX:XX:XX:XX

Hello! When I run the command python CVE-2017-0781.py TARGET=xxx I get this result:

  File "/usr/local/lib/python2.7/dist-packages/psutil/_pslinux.py", line 312, in <module>
    set_scputimes_ntuple("/proc")
  File "/usr/local/lib/python2.7/dist-packages/psutil/_common.py", line 298, in wrapper
    ret = cache[key] = fun(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/psutil/_pslinux.py", line 279, in set_scputimes_ntuple
    with open_binary('%s/stat' % procfs_path) as f:
  File "/usr/local/lib/python2.7/dist-packages/psutil/_common.py", line 604, in open_binary
    return open(fname, "rb", **kwargs)
IOError: [Errno 13] Permission denied: '/proc/stat'
[*] Connecting...
Traceback (most recent call last):
  File "CVE-2017-0781.py", line 38, in <module>
    sock = bluetooth.BluetoothSocket(bluetooth.L2CAP)
  File "/usr/local/lib/python2.7/dist-packages/bluetooth/bluez.py", line 155, in __init__
    _sock = _bt.btsocket (proto)
_bluetooth.error: (13, 'Permission denied')

Thank you!

Where to find android example shellcode ?

Hey ojasookert, great job!
This code is way easier to understand than marsyy's code in C.
I want to do some extensive research on this. Do you know where I can find some shellcodes for arm or arm64? shell-storm.org is full of execve shellcodes and I'm looking for one that creates a file, or something else that we can check (I can't debug com.android.bluetooth).
