Nytro

BlueBorne RCE on Android 6.0.1 (CVE-2017-0781) [English]

A few days ago the company Armis published a proof of concept (PoC) for a remote code execution vulnerability in Android reachable over Bluetooth (CVE-2017-0781), part of the set known as BlueBorne. Although BlueBorne covers 8 vulnerabilities, this PoC chains only 2 of them to reach its goal.

The exploitation process has 2 phases. First, the information leak vulnerability (CVE-2017-0785) is used to read memory contents, learn the library load addresses and thus bypass ASLR. Second, the memory corruption vulnerability (CVE-2017-0781) is used to redirect execution into the system function of libc and run a command on the phone, in this case a reverse shell.

The original Armis PoC targets Android 7.1.2 on the Pixel and Nexus 5X, and the implication is that porting it to another model only requires changing the libc and Bluetooth library offsets in the code.

Later we will see that in the 6.0.1 build analyzed here the code of the Bluetooth library differs significantly, which complicates exploitation and forces more extensive changes to the PoC.

Some of the following steps require root privileges on the phone.

Libraries download

The first step is to pull the two libraries off the device so that they can be analyzed on the workstation with IDA or radare2.

$ adb pull /system/lib/hw/bluetooth.default.so
$ adb pull /system/lib/libc.so

libc system function

We open libc.so in radare2 and look for the system function. It is at offset 0x3ea04, which goes into the PoC variable LIBC_TEXT_STSTEM_OFFSET = 0x3ea04 + 1 (the misspelling is the PoC's own identifier). The + 1 is not a typo: system is Thumb code, and on ARM a branch to an address with bit 0 set switches the core into Thumb mode. Without it the call would land at the right bytes but decode them as 32-bit ARM instructions and crash.

$ r2 -A libc.so

> afl~system
0x0003ea04   10 184          sym.system
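Looking the offset up by hand in radare2 works for one build, but the same two numbers (the even address the disassembler prints and the odd address the PoC branches to) can be read straight out of the library's dynamic symbol table, where the ARM EABI stores a Thumb function's value with bit 0 already set. The following script is an added example, not code from the jesux.es article or the Armis PoC; it is a small pure-Python ELF32 .dynsym reader with a constructed fake libc.so (the build_fake_arm_so fixture) so it runs offline. Run it against a real pulled libc.so as python3 sysoff.py libc.so system; the function and section names are the standard ELF ones, the fixture addresses are invented. It also handles the case the page does not discuss: an ARM-mode (non-Thumb) function, for which adding +1 blindly would be wrong.

```python
import struct
import sys

ELFCLASS32, EM_ARM = 1, 40
SHT_STRTAB, SHT_DYNSYM = 3, 11
STB_GLOBAL, STT_OBJECT, STT_FUNC = 1, 1, 2


def _cstr(data, off):
    """NUL-terminated string at `off` in a string table."""
    return data[off:data.index(b'\0', off)].decode()


def find_dynsym(data, name):
    """Return (st_value, st_type, e_machine) for `name` in .dynsym, or None.

    Stripped Android system libraries keep only .dynsym, which is enough:
    exported functions such as system() are always listed there.
    """
    if data[:4] != b'\x7fELF' or data[4] != ELFCLASS32:
        raise ValueError('expected a 32-bit ELF file')
    e = '<' if data[5] == 1 else '>'                      # EI_DATA: 1 = little-endian
    e_machine, = struct.unpack_from(e + 'H', data, 18)
    e_shoff, = struct.unpack_from(e + 'I', data, 32)
    e_shentsize, e_shnum = struct.unpack_from(e + 'HH', data, 46)
    shdrs = [struct.unpack_from(e + '10I', data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    for sh in shdrs:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type != SHT_DYNSYM:
            continue
        str_off = shdrs[sh_link][4]                       # sh_link -> .dynstr, its sh_offset
        for off in range(sh_offset, sh_offset + sh_size, sh_entsize):
            st_name, st_value, _st_size, st_info = struct.unpack_from(e + 'IIIB', data, off)
            if _cstr(data, str_off + st_name) == name:
                return st_value, st_info & 0xF, e_machine
    return None


def system_offsets(data, name='system'):
    """(address as shown by radare2/IDA, branch target for the PoC, is_thumb).

    ARM EABI rule: a Thumb STT_FUNC symbol carries bit 0 set in st_value, so the
    'disassembler address' is st_value with bit 0 cleared and the PoC's
    LIBC_TEXT_STSTEM_OFFSET (= address + 1) is simply the raw st_value.
    An ARM-mode function has an even st_value and must NOT get +1.
    """
    found = find_dynsym(data, name)
    if found is None:
        raise KeyError(name)
    st_value, st_type, e_machine = found
    is_thumb = e_machine == EM_ARM and st_type == STT_FUNC and (st_value & 1) == 1
    return st_value & ~1, st_value, is_thumb


def build_fake_arm_so(symbols):
    """Constructed fixture: minimal little-endian ELF32 ARM ET_DYN with only
    .dynsym/.dynstr/.shstrtab. `symbols` is [(name, st_value, st_type), ...]."""
    dynstr = b'\0' + b''.join(n.encode() + b'\0' for n, _, _ in symbols)
    syms, name_off = [b'\0' * 16], 1
    for n, value, st_type in symbols:
        syms.append(struct.pack('<IIIBBH', name_off, value, 0,
                                (STB_GLOBAL << 4) | st_type, 0, 7))
        name_off += len(n) + 1
    dynsym = b''.join(syms)
    shstrtab = b'\0.dynsym\0.dynstr\0.shstrtab\0'        # names at 1, 9, 17
    dynstr_off = 52
    dynsym_off = dynstr_off + len(dynstr)
    shstr_off = dynsym_off + len(dynsym)
    shoff = shstr_off + len(shstrtab)

    def shdr(name, typ, off, size, link, entsize):
        return struct.pack('<10I', name, typ, 0, 0, off, size, link, 0, 1, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0, 0)
             + shdr(1, SHT_DYNSYM, dynsym_off, len(dynsym), 2, 16)
             + shdr(9, SHT_STRTAB, dynstr_off, len(dynstr), 0, 0)
             + shdr(17, SHT_STRTAB, shstr_off, len(shstrtab), 0, 0))
    ident = b'\x7fELF' + bytes([ELFCLASS32, 1, 1, 0]) + b'\0' * 8
    ehdr = struct.pack('<16sHHIIIIIHHHHHH', ident, 3, EM_ARM, 1, 0, 0, shoff,
                       0x05000000, 52, 32, 0, 40, 4, 3)
    return ehdr + dynstr + dynsym + shstrtab + shdrs


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], 'rb') as f:
            blob = f.read()
        sym = sys.argv[2] if len(sys.argv) > 2 else 'system'
    else:   # no file given: demonstrate on the constructed fixture (invented addresses)
        blob, sym = build_fake_arm_so([('system', 0x3ea05, STT_FUNC)]), 'system'
    shown, target, thumb = system_offsets(blob, sym)
    print('%s: disassembler shows 0x%x, branch target 0x%x, thumb=%s' % (sym, shown, target, thumb))
```

On a real libc.so the first number should match what afl~system prints and the second is what to put in LIBC_TEXT_STSTEM_OFFSET; if the third value is False the function is ARM code and the PoC's + 1 must be dropped for that target.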

Full article: https://jesux.es/exploiting/blueborne-android-6.0.1-english/
