
CVE-2017-0781 PoC — Android security vulnerability

Associated Vulnerability
Title: Android security vulnerability (CVE-2017-0781)
Description: Android is an open-source, Linux-based operating system developed jointly by Google (USA) and the Open Handset Alliance (OHA). The Bluetooth Network Encapsulation Protocol (BNEP) service in Android contains a remote code execution vulnerability that stems from the program's insufficient validation of authorization. A remote attacker can exploit this vulnerability to execute code. The following versions are affected: Android 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 and 8.0.
Description
Blueborne CVE-2017-0781 Android heap overflow vulnerability
Readme
# CVE-2017-0781 PoC

## Overview

This is an implementation of the CVE-2017-0781 Android heap overflow vulnerability described in the Blueborne whitepaper released by Armis. Further reading: https://www.armis.com/blueborne/

In its current state, this code only demonstrates the overflow and the ability to crash the Bluetooth service. It is not a fully developed remote code execution exploit, but it could be developed into one.

## Instructions

Get pwntools.

```
apt-get update
apt-get install python2.7 python-pip python-dev git libssl-dev libffi-dev build-essential
pip install --upgrade pip
pip install --upgrade pwntools
```

Get pybluez.

```
apt-get install bluetooth libbluetooth-dev
pip install pybluez==0.22
```

I have used the `hciconfig` and `btmgmt` tools for this; both are included in the bluez package. If your Bluetooth module gets locked, `rfkill` might help.

Run `btmgmt`.

The `info` command will show the indices of your devices.

Entering `select 0` will make the first bluetooth controller active. A shortcut for this is to launch the tool with `btmgmt --index 0`.

Make sure you can discover devices with the `find` command. Your Android device's screen must be on and the Bluetooth settings view must be open for it to be discoverable. Note that discoverability is not a prerequisite for exploiting this vulnerability, as detailed in the whitepaper released by Armis.

For the exploit to work without manual pairing, you must set the IO capabilities of your host with `io-cap 0x03` in the btmgmt tool.

With this set, run the code with `python CVE-2017-0781.py TARGET=XX:XX:XX:XX:XX:XX` and your Android device's Bluetooth service should crash. It might take a few tries. Currently the code sends 30 of these invalid packets to corrupt enough memory for the process to crash.

Happy hacking ;)

## Troubleshooting

Make sure you see your Bluetooth device on the host with the command `hciconfig`.

```
user-pc user # hciconfig
hci0:	Type: BR/EDR  Bus: USB
	BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 310:10  SCO MTU: 64:8
	DOWN 
	RX bytes:580 acl:0 sco:0 events:31 errors:0
	TX bytes:368 acl:0 sco:0 commands:30 errors:0
```

If it is not UP but rather DOWN as shown here, then fix it with `hciconfig <intf> up`.

```
user-pc user # hciconfig hci0 up
Can't init device hci0: Operation not possible due to RF-kill (132)
```

If you get messages about rf-kill, try the `rfkill list` command.

```
user-pc user # rfkill list
0: phy0: Wireless LAN
	Soft blocked: no
	Hard blocked: no
2: asus-wlan: Wireless LAN
	Soft blocked: no
	Hard blocked: no
3: asus-bluetooth: Bluetooth
	Soft blocked: no
	Hard blocked: no
4: hci0: Bluetooth
	Soft blocked: yes
	Hard blocked: no
```

Unblocking can be done with `rfkill unblock <id>`.

If you see that your device still asks for a pairing code after setting the IO capabilities on the host, then this method is probably not currently possible on your device.
File Snapshot

```
[4.0K] /data/pocs/0f30e0cb9a35aee40f0911aebd24e44c1094ec3a
├── [1.2K] CVE-2017-0781.py
└── [2.8K] README.md

0 directories, 2 files
```
Shenlong Bot has cached this for you