This is an implementation of the CVE-2017-0781 Android heap overflow vulnerability by ojasookert as described in Armis's Blueborne whitepaper. Further reading: https://www.armis.com/blueborne/
This code is intended to be run unattended on the Raspberry Pi 3 (RPi3). Older Raspberry Pi models are not compatible, as they cannot run pwntools, which requires a 64-bit OS.
Note that this code contains neither the actual payload nor discovery of undiscoverable devices. It can be modified to target undiscoverable devices and be given an actual payload. However, that requires a ROP chain to run attacker-specified code, which can be built with ROPgadget, a tool that searches binaries for gadgets to facilitate ROP exploitation.
To use this script, a 64-bit Unix OS is required on the RPi3, along with Python 2.7 (packages: pybluez, pwntools) and bluez (packages: bluetooth, libbluetooth-dev, libffi-dev), and a Bluetooth dongle. The built-in Bluetooth lacks driver support in pi64 as of this writing.
Install pi64
https://github.com/bamarni/pi64
Get pwntools.
apt-get update
apt-get install python2.7 python-pip python-dev git libssl-dev libffi-dev build-essential
pip install --upgrade pip
pip install --upgrade pwntools
Get pybluez.
apt-get install bluetooth libbluetooth-dev
pip install pybluez
I have used the hciconfig and btmgmt tools for this, both of which are included in the bluez package. If your bluetooth module gets locked, rfkill might help.
Run btmgmt. The info command will show the indices of your devices. Entering select 0 will make the first bluetooth controller active. A shortcut for this is to launch the tool with btmgmt --index 0.
Make sure you can discover devices with the find command. Your Android's screen must be on and the bluetooth settings view must be open for it to be discoverable. Note that discoverability is not a prerequisite for exploiting this vulnerability, as detailed in the whitepaper released by Armis.
For the exploit to work without manual pairing, you must set the IO capabilities of your host with io-cap 0x03 in the btmgmt tool.
With this set, run the code with python CVE-2017-0781.py TARGET=XX:XX:XX:XX:XX:XX and your Android device's bluetooth service should crash. It might take a few tries. Currently the code sends 30 of these invalid packets to corrupt enough memory for the process to crash.
Happy hacking ;)
Code is provided AS-IS and without warranty. That said, I am not responsible or liable for any damage caused by this script.