Hello there!
It's been a while since I last posted an issue #2, but I'm back for educational purposes. I'm currently working on reimplementing the vulnerability you demonstrated in the video Arbitrary Code Execution on ESP32 via Bluetooth Classic.
I've successfully set up a vulnerable ESP-IDF 4.1 stack (from 2019) with an SPP Bluetooth profile, including an LED setup, just as you did. The basic functionality, like turning the LED on or off with a legitimate device, works fine. However, when I attempt to run the exploit "invalid_feature_page_execution" and try to jump to the "led_on" function using an attacker device, I notice in GDB that the PC successfully changes to the desired function address, but the device crashes before the function can execute.
Additionally, when a legitimate device is connected, I can't perform the attack and instead get a "LMP_not_accepted" message in Braktooth. I’ve already removed all security features, such as canary checks, but the attack still fails.
Any insights or suggestions on what might be going wrong?
Thank you once again for this powerful tool! ⚡