MiniDisc

Bluetooth Stack Smasher (BlueTooth)

BSS (Bluetooth Stack Smasher) is an L2CAP layer fuzzer for Linux, distributed under the GPL licence.

BSS requires the standard Bluetooth library.

BSS Usage:

Usage: ./bss [-s size] [-m mode] [-p pad_byte for modes 1-11] [-M maxcrash]

Modes:

0 All modes listed below

1 L2CAP_COMMAND_REJ

2 L2CAP_CONN_REQ

3 L2CAP_CONN_RSP

4 L2CAP_CONF_REQ

5 L2CAP_CONF_RSP

6 L2CAP_DISCONN_REQ

7 L2CAP_DISCONN_RSP

8 L2CAP_ECHO_REQ

9 L2CAP_ECHO_RSP

10 L2CAP_INFO_REQ

11 L2CAP_INFO_RSP

12 L2CAP Random Fuzzing (-s: max_size) (-M: crashcount)

BSS Example:

./bss -s 100 -m 12 -M 0 XX:XX:XX:XX:XX:XX

This example sends short random (mode 12) packets (maxsize is set to 100 bytes), in an infinite loop (-M 0).

Performs several L2CAP checks by sending malicious L2CAP packets.

Initial source code analysis from tanya tool (tbear)

Another example of use (short random L2CAP packets):

./bss -s 50 -m 12 00:12:EE:XX:XX:XX

.......

00:12:EE:XX:XX:XX BT stack may have crashed. This device seems to be vulnerable to buggy packets. Please, ensure that the device has really crashed doing a bt scan for instance.

Host 00:12:EE:XX:XX:XX

Packet size 11

Packet dump

0x75 0x3F 0x1E 0x3B 0x0B 0xBD 0xC4 0x98 0xBB 0x72 0xD0

char replay_buggy_packet[]="\x75\x3F\x1E\x3B\x0B\xBD\xC4\x98\xBB\x72\xD0";

Then, try to ensure that this packet is responsible (and only this one: sometimes, cellphones crash because of multiple packets, or flooding effects):

cd replay_packet

Edit replay_l2cap_packet.c and modify SIZE and replay_buggy_packet:

#define SIZE 11

char replay_buggy_packet[]="\x75\x3F\x1E\x3B\x0B\xBD\xC4\x98\xBB\x72\xD0";

Then, type make:

make

and try this packet against your equipment:

./replay_l2cap_packet 00:12:EE:XX:XX:XX

TIPS:

* In order to benchmark a BT implementation, you may want to use the time command:

    time ./bss -m 12 00:12:EE:XX:XX:XX

* You may increase the -M value, which allows you to go on fuzzing even if some packets have not been sent to the equipment: some devices may crash because of flooding, for instance. 0 means an infinite loop.

Download: http://www.secuobs.com/bss-0.6.tar.gz
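The "Packet dump" BSS prints when a device stops answering is just a row of raw bytes, and the first triage step is to see what those bytes look like as an L2CAP signaling command before editing them into replay_l2cap_packet.c. The following Python helper is an added example, not part of BSS or of the original post: it parses the dump line quoted above, decodes the 4-byte signaling header (code, identifier, little-endian length) as defined by the Bluetooth L2CAP specification, maps the code onto the same command names BSS uses for modes 1-11, flags a length field that does not match the real payload, and emits the \x-escaped C literal and SIZE value that replay_l2cap_packet.c expects. The function and key names are my own choices; the sample dump is the one from the post.

```python
import struct

# L2CAP signaling command codes from the Bluetooth Core specification.
# The numbering is the same one BSS uses for modes 1-11.
L2CAP_SIG_CODES = {
    0x01: "L2CAP_COMMAND_REJ",
    0x02: "L2CAP_CONN_REQ",
    0x03: "L2CAP_CONN_RSP",
    0x04: "L2CAP_CONF_REQ",
    0x05: "L2CAP_CONF_RSP",
    0x06: "L2CAP_DISCONN_REQ",
    0x07: "L2CAP_DISCONN_RSP",
    0x08: "L2CAP_ECHO_REQ",
    0x09: "L2CAP_ECHO_RSP",
    0x0A: "L2CAP_INFO_REQ",
    0x0B: "L2CAP_INFO_RSP",
}

# Sample input: the "Packet dump" line BSS printed in the post above.
SAMPLE_DUMP = "0x75 0x3F 0x1E 0x3B 0x0B 0xBD 0xC4 0x98 0xBB 0x72 0xD0"


def parse_dump(line: str) -> bytes:
    """Turn a BSS 'Packet dump' line of 0xNN tokens into raw bytes."""
    return bytes(int(tok, 16) for tok in line.split())


def to_c_string(data: bytes) -> str:
    """Render bytes as the \\xNN C literal replay_l2cap_packet.c expects."""
    return "".join(f"\\x{b:02X}" for b in data)


def decode_signaling(data: bytes) -> dict:
    """Decode the L2CAP signaling header and sanity-check it.

    Header layout: code (1 byte), identifier (1 byte),
    length (2 bytes, little-endian), followed by the command data.
    """
    if len(data) < 4:
        return {"error": "too short for a signaling header",
                "size": len(data), "findings": ["truncated header"]}
    code, ident, length = struct.unpack_from("<BBH", data, 0)
    payload = data[4:]
    findings = []
    if code not in L2CAP_SIG_CODES:
        findings.append(f"unknown signaling code 0x{code:02X}")
    if length != len(payload):
        findings.append(
            f"length field {length} != actual payload {len(payload)} bytes")
    return {
        "code": code,
        "command": L2CAP_SIG_CODES.get(code, "UNKNOWN"),
        "identifier": ident,
        "declared_length": length,
        "payload": payload,
        "findings": findings,
    }


def triage(line: str) -> dict:
    """Full triage of one dump line: header decode plus replay literal."""
    data = parse_dump(line)
    report = decode_signaling(data)
    report["size"] = len(data)
    report["c_literal"] = to_c_string(data)
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_DUMP)
    # Values to paste into replay_l2cap_packet.c
    print(f"#define SIZE {r['size']}")
    print(f'char replay_buggy_packet[]="{r["c_literal"]}";')
    if "error" not in r:
        print(f"command: {r['command']} (code 0x{r['code']:02X}), "
              f"identifier {r['identifier']}, declared length "
              f"{r['declared_length']}, payload {len(r['payload'])} bytes")
    for finding in r["findings"]:
        print("  !", finding)
```

For the dump in the post the decoder reports an unknown code (0x75) and a declared length of 15134 against a 7-byte payload, which is the usual shape of a mode 12 random packet; a well-formed command such as an echo request decodes cleanly with no findings. That tells you, before touching the phone again, whether the crash is tied to a specific malformed signaling command or more likely to the flooding effect the TIPS section mentions.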
