This is an implementation of the CVE-2017-0781 Android heap overflow vulnerability described in the Blueborne whitepaper released by Armis. Further reading: https://www.armis.com/blueborne/
In the current state, this code only demonstrates the overflow and the ability of crashing the bluetooth service. Again, this is not a fully developed remote code execution, but it can be.
Get pwntools.
apt-get update
apt-get install python2.7 python-pip python-dev git libssl-dev libffi-dev build-essential
pip install --upgrade pip
pip install --upgrade pwntools
Get pybluez.
apt-get install bluetooth libbluetooth-dev
pip install pybluez
I have used the hciconfig
and btmgmt
tools for this, both are included in the bluez package. If you get your bluetooth module locked, rfkill
might help.
Run btmgmt
.
The info
command will show the indices of your devices.
Entering select 0
will make the first bluetooth controller active. A shortcut for this is to launch the tool with btmgmt --index 0
.
Make sure you can discover devices with the find
command. Your Android's screen must be on and the bluetooth settings view must be open for it to be discoverable. Note that discoverability is not a prerequisite for exploiting this vulnerability as detailed in the whitepaper released by Armis.
For the exploit to work without manual pairing, you must set the IO capabilities of your host with io-cap 0x03
in the btmgmt tool.
With this set, run the code with python CVE-2017-0781.py TARGET=XX:XX:XX:XX:XX:XX
and your Android device's bluetooth service should crash. It might take a few tries. Currently the code sends 30 of these invalid packets to corrupt enough memory for the process to crash.
Happy hacking ;)
Make sure you see your bluetooth device on the host with the command hciconfig
.
user-pc user # hciconfig
hci0: Type: BR/EDR Bus: USB
BD Address: XX:XX:XX:XX:XX:XX ACL MTU: 310:10 SCO MTU: 64:8
DOWN
RX bytes:580 acl:0 sco:0 events:31 errors:0
TX bytes:368 acl:0 sco:0 commands:30 errors:0
If it is not UP but rather DOWN as shown here, then fix it with hciconfig <intf> up
user-pc user # hciconfig hci0 up
Can't init device hci0: Operation not possible due to RF-kill (132)
If you get messages about rf-kill, try the rfkill list
command.
user-pc user # rfkill list
0: phy0: Wireless LAN
Soft blocked: no
Hard blocked: no
2: asus-wlan: Wireless LAN
Soft blocked: no
Hard blocked: no
3: asus-bluetooth: Bluetooth
Soft blocked: no
Hard blocked: no
4: hci0: Bluetooth
Soft blocked: yes
Hard blocked: no
Unblocking can be done with rfkill unblock <id>
.
If you see that your device still asks for pairing code after setting the IO capabilities on the host, then this method is probably not currently possible on your device.