GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → ojasookert → Cve 2017 0781

ojasookert / Cve 2017 0781

Blueborne CVE-2017-0781 Android heap overflow vulnerability

Programming Languages

python
139335 projects - #7 most used programming language

Labels

exploitbluetoothpoc

Projects that are alternatives of or similar to Cve 2017 0781

Ladongo
Ladon Pentest Scanner framework 全平台LadonGo开源内网渗透扫描器框架,使用它可轻松一键批量探测C段、B段、A段存活主机、高危漏洞检测MS17010、SmbGhost,远程执行SSH/Winrm,密码爆破SMB/SSH/FTP/Mysql/Mssql/Oracle/Winrm/HttpBasic/Redis,端口扫描服务识别PortScan指纹识别/HttpBanner/HttpTitle/TcpBanner/Weblogic/Oxid多网卡主机,端口扫描服务识别PortScan。
Stars: ✭ 366 (+394.59%)
Mutual labels:  exploit, poc
Poc Bank
Focus on cybersecurity | collection of PoC and Exploits
Stars: ✭ 68 (-8.11%)
Mutual labels:  exploit, poc
Ysoserial
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
Stars: ✭ 4,808 (+6397.3%)
Mutual labels:  exploit, poc
Cve 2018 7600
💀Proof-of-Concept for CVE-2018-7600 Drupal SA-CORE-2018-002
Stars: ✭ 330 (+345.95%)
Mutual labels:  exploit, poc
Powerladon
Ladon Network Penetration Scanner for PowerShell, vulnerability / exploit / detection / MS17010/SmbGhost,Brute-Force SMB/IPC/WMI/NBT/SSH/FTP/MSSQL/MYSQL/ORACLE/VNC
Stars: ✭ 39 (-47.3%)
Mutual labels:  exploit, poc
Cve 2019 0708
3389远程桌面代码执行漏洞CVE-2019-0708批量检测工具(Rdpscan Bluekeep Check)
Stars: ✭ 350 (+372.97%)
Mutual labels:  exploit, poc
Drupalgeddon2
Exploit for Drupal v7.x + v8.x (Drupalgeddon 2 / CVE-2018-7600 / SA-CORE-2018-002)
Stars: ✭ 464 (+527.03%)
Mutual labels:  exploit, poc
Commodity Injection Signatures
Commodity Injection Signatures, Malicious Inputs, XSS, HTTP Header Injection, XXE, RCE, Javascript, XSLT
Stars: ✭ 267 (+260.81%)
Mutual labels:  exploit, poc
K8cscan
K8Cscan大型内网渗透自定义插件化扫描神器,包含信息收集、网络资产、漏洞扫描、密码爆破、漏洞利用,程序采用多线程批量扫描大型内网多个IP段C段主机,目前插件包含: C段旁注扫描、子域名扫描、Ftp密码爆破、Mysql密码爆破、Oracle密码爆破、MSSQL密码爆破、Windows/Linux系统密码爆破、存活主机扫描、端口扫描、Web信息探测、操作系统版本探测、Cisco思科设备扫描等,支持调用任意外部程序或脚本,支持Cobalt Strike联动
Stars: ✭ 693 (+836.49%)
Mutual labels:  exploit, poc
Am I Affected By Meltdown
Meltdown Exploit / Proof-of-concept / checks whether system is affected by Variant 3: rogue data cache load (CVE-2017-5754), a.k.a MELTDOWN.
Stars: ✭ 549 (+641.89%)
Mutual labels:  exploit, poc
Wordpress Xmlrpc Brute Force Exploit
Wordpress XMLRPC System Multicall Brute Force Exploit (0day) by 1N3 @ CrowdShield
Stars: ✭ 315 (+325.68%)
Mutual labels:  exploit, poc
Cve 2020 0796
CVE-2020-0796 - Windows SMBv3 LPE exploit #SMBGhost
Stars: ✭ 1,102 (+1389.19%)
Mutual labels:  exploit, poc
Penetration testing poc
渗透测试有关的POC、EXP、脚本、提权、小工具等---About penetration-testing python-script poc getshell csrf xss cms php-getshell domainmod-xss penetration-testing-poc csrf-webshell cobub-razor cve rce sql sql-poc poc-exp bypass oa-getshell cve-cms
Stars: ✭ 3,858 (+5113.51%)
Mutual labels:  poc, exploit
K8tools
K8工具合集(内网渗透/提权工具/远程溢出/漏洞利用/扫描工具/密码破解/免杀工具/Exploit/APT/0day/Shellcode/Payload/priviledge/BypassUAC/OverFlow/WebShell/PenTest) Web GetShell Exploit(Struts2/Zimbra/Weblogic/Tomcat/Apache/Jboss/DotNetNuke/zabbix)
Stars: ✭ 4,173 (+5539.19%)
Mutual labels:  exploit, poc
Cve 2019 1003000 Jenkins Rce Poc
Jenkins RCE Proof-of-Concept: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative)
Stars: ✭ 270 (+264.86%)
Mutual labels:  exploit, poc
Cve 2017 0785
Blueborne CVE-2017-0785 Android information leak vulnerability
Stars: ✭ 428 (+478.38%)
Mutual labels:  exploit, poc
Exploit-Development
Exploit Development - Weaponized Exploit and Proof of Concepts (PoC)
Stars: ✭ 84 (+13.51%)
Mutual labels:  exploit, poc
CVE-2018-7750
an RCE (remote command execution) approach of CVE-2018-7750
Stars: ✭ 18 (-75.68%)
Mutual labels:  exploit, poc
Poc
Proofs-of-concept
Stars: ✭ 467 (+531.08%)
Mutual labels:  exploit, poc
Exploit Discord Cache System Poc
Exploit Discord's cache system to remote upload payloads on Discord users machines
Stars: ✭ 51 (-31.08%)
Mutual labels:  exploit, poc
View All Similar Projects ➔

CVE-2017-0781 PoC

Overview

This is an implementation of the CVE-2017-0781 Android heap overflow vulnerability described in the Blueborne whitepaper released by Armis. Further reading: https://www.armis.com/blueborne/

In the current state, this code only demonstrates the overflow and the ability of crashing the bluetooth service. Again, this is not a fully developed remote code execution, but it can be.

Instructions

Get pwntools.

apt-get update
apt-get install python2.7 python-pip python-dev git libssl-dev libffi-dev build-essential
pip install --upgrade pip
pip install --upgrade pwntools

Get pybluez.

apt-get install bluetooth libbluetooth-dev
pip install pybluez

I have used the hciconfig and btmgmt tools for this, both are included in the bluez package. If you get your bluetooth module locked, rfkill might help.

Run btmgmt.

The info command will show the indices of your devices.

Entering select 0 will make the first bluetooth controller active. A shortcut for this is to launch the tool with btmgmt --index 0.

Make sure you can discover devices with the find command. Your Android's screen must be on and the bluetooth settings view must be open for it to be discoverable. Note that discoverability is not a prerequisite for exploiting this vulnerability as detailed in the whitepaper released by Armis.

For the exploit to work without manual pairing, you must set the IO capabilities of your host with io-cap 0x03 in the btmgmt tool.

With this set, run the code with python CVE-2017-0781.py TARGET=XX:XX:XX:XX:XX:XX and your Android device's bluetooth service should crash. It might take a few tries. Currently the code sends 30 of these invalid packets to corrupt enough memory for the process to crash.

Happy hacking ;)

Troubleshooting

Make sure you see your bluetooth device on the host with the command hciconfig.

user-pc user # hciconfig
hci0:	Type: BR/EDR  Bus: USB
	BD Address: XX:XX:XX:XX:XX:XX  ACL MTU: 310:10  SCO MTU: 64:8
	DOWN 
	RX bytes:580 acl:0 sco:0 events:31 errors:0
	TX bytes:368 acl:0 sco:0 commands:30 errors:0

If it is not UP but rather DOWN as shown here, then fix it with hciconfig <intf> up

user-pc user # hciconfig hci0 up
Can't init device hci0: Operation not possible due to RF-kill (132)

If you get messages about rf-kill, try the rfkill list command.

user-pc user # rfkill list
0: phy0: Wireless LAN
	Soft blocked: no
	Hard blocked: no
2: asus-wlan: Wireless LAN
	Soft blocked: no
	Hard blocked: no
3: asus-bluetooth: Bluetooth
	Soft blocked: no
	Hard blocked: no
4: hci0: Bluetooth
	Soft blocked: yes
	Hard blocked: no

Unblocking can be done with rfkill unblock <id>.

If you see that your device still asks for pairing code after setting the IO capabilities on the host, then this method is probably not currently possible on your device.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].