Tested on modern (quite modern) kernel
Used 32 bit for simplicity with addressing.
Kernel 4.3.5
Compiled vulnerable module
Wrote exploit to take advantage of the vulnerability
Disabled Kernel Protection NX and Stack Canaries
Local Root Exploit (chage privs of the current process to root)
Was hard to find working example with commit_creds for modern Kernel (not 2.6.x :))
Used two threads, one with shell, the other one calling commit_creds and called after overwriting EIP (root privs)
Challenges:
Technical description:
http://go.armis.com/blueborne-technical-paper
Get a second Bluetooth Adapter (USB dongle)
Read Bluetooth Documentation (very long)
https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?doc_id=229737
Understand L2CAP Protocol and Messages exchanges.
Compile Kernel with Debug capabilities (via Virtual Serial Device in Virtual Box)
Debug Kernel :)
Read Kernel Source - it's all there
Trigger BlueBorne
Disable Kernel Protection NX and Stack Canaries
Prepare Shellcode (Trick out the Bluetooth Protocol to pack shellcode in)
Tested with 32 bit Kernel without Protections
Tricking out L2CAP messages
Finding Gadgets
Packing up shellcode
printk() shellcode
Executing
Stabilizing Kernel after shellcode execute
E-mail me: marcinguy@gmail.com