def show_adb_commands(component,compType,packageName):
#Print ADB commands for exploitation
cmd_list=[]
cmd_list.append([])
#BUG - THIS PRINTS DUPS
extra_parameters=[]
extra_parameters.append('[-e|--es <EXTRA_KEY> <EXTRA_STRING_VALUE> ...]')
extra_parameters.append('[--esn <EXTRA_KEY> ...]')
extra_parameters.append('[--ez <EXTRA_KEY> <EXTRA_BOOLEAN_VALUE> ...]')
extra_parameters.append('[--ei <EXTRA_KEY> <EXTRA_INT_VALUE> ...]')
extra_parameters.append('[--el <EXTRA_KEY> <EXTRA_LONG_VALUE> ...]')
extra_parameters.append('[--ef <EXTRA_KEY> <EXTRA_FLOAT_VALUE> ...]')
extra_parameters.append('[--eu <EXTRA_KEY> <EXTRA_URI_VALUE> ...]')
extra_parameters.append('[--ecn <EXTRA_KEY> <EXTRA_COMPONENT_NAME_VALUE>]')
extra_parameters.append('[--eia <EXTRA_KEY> <EXTRA_INT_VALUE>[,<EXTRA_INT_VALUE...]]')
extra_parameters.append('[--ela <EXTRA_KEY> <EXTRA_LONG_VALUE>[,<EXTRA_LONG_VALUE...]]')
extra_parameters.append('[--efa <EXTRA_KEY> <EXTRA_FLOAT_VALUE>[,<EXTRA_FLOAT_VALUE...]]')
extra_parameters.append('[--esa <EXTRA_KEY> <EXTRA_STRING_VALUE>[,<EXTRA_STRING_VALUE...]]')
type_list=['String','StringArray','StringArrayList','Boolean','BooleanArray','Int','Float','Long','LongArray','[]','','IntArray','IntegerArrayList','FloatArray','Double','Char','CharArray','CharSequence','CharSequenceArray','CharSequenceArrayList','Byte','ByteArray', 'Bundle','Short','ShortArray','Serializable','Parcelable','ParcelableArrayList','ParcelableArray','unknownType']
#TODO - Need to add
#TODO - -d for data uri
if str(compType)=='activity':
for node in common.xmldoc.getElementsByTagName('activity'):
if node.attributes['android:name'].value == component:
if len(node.getElementsByTagName('intent-filter'))>0:
for x in node.getElementsByTagName('intent-filter'):
for a in node.getElementsByTagName('action'):
cmd_list.append([a.attributes['android:name'].value,component])
cmd_list=common.dedup(cmd_list)
for c in cmd_list:
if len(c)>0:
#find extra suggestions for the intents in c[1], if any
extras_list=[]
extras_list.append([])
entries=common.get_entry_for_component('activity')
output=False
for n in entries:
tmp_extra=findExtras.find_extras(str(c[1]),n)
if tmp_extra not in extras_list:
extras_list+=tmp_extra
if len(extras_list)>2:
for t in range(1,(len(extras_list)-1)):
if str(extras_list[t]) not in type_list:
if re.match(r'^\..*',str(c[1])):
baseIntent = "adb shell am start -a \"" + c[0] + "\" -n \""+packageName+"/"+packageName+str(c[1])+"\""
else:
baseIntent = "adb shell am start -a \"" + c[0] + "\" -n \""+packageName+"/"+str(c[1])+"\""
simple_type=True
if extras_list[t+1]=='String':
baseIntent+=" --es "
elif extras_list[t+1]=='Boolean':
baseIntent+=" --ez "
elif extras_list[t+1]=='Int':
baseIntent+=" --ei "
elif extras_list[t+1]=='Long':
baseIntent+=" --el "
elif extras_list[t+1]=='Float':
baseIntent+=" --ef "
else:
simple_type=False
if simple_type:
extra_type=str(extras_list[t+1])
print baseIntent+"\""+str(extras_list[t])+"\" \"Insert"+extra_type+"Here\""
output=True
#TODO, Need to think of a better way to do this
#This is excluding all the known types, because every second element is type
elif str(extras_list[t]) not in type_list:
common.logger.info("Extra: " + str(extras_list[t])+" is not a simple type, or could not be determined. You'll need to append the parameter which corresponds with the correct data type, followed by a key and value, both in quotes.")
print "Example: "+baseIntent+str(" --es \"YOURKEYHERE\" \"YOURVALUEHERE\"")
print "Here are your options for different data types: "
for x in extra_parameters:
print str(x)
print "\n"
output=True
report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, baseIntent, None, "activity")
extras_list=[]
if not output:
if re.match(r'^\..*',str(c[1])):
baseIntent = "adb shell am start -a \"" + c[0] + "\" -n \""+packageName+"/"+packageName+str(c[1])+"\""
else:
baseIntent = "adb shell am start -a \"" + c[0] + "\" -n \""+packageName+"/"+str(c[1])+"\""
print baseIntent
else:
common.logger.debug("No intent filter on: " + str(component))
extras_list=[]
entries=common.get_entry_for_component('activity')
output=False
last_extra=''
for n in entries:
tmp_extra=findExtras.find_extras(str(component),n)
if tmp_extra not in extras_list:
if str(tmp_extra)!=str(last_extra):
extras_list+=tmp_extra
last_extra=str(tmp_extra)
if len(extras_list)>0:
for t in range(1,(len(extras_list)-1)):
if str(extras_list[t]) not in type_list:
if re.match(r'^\..*',str(component)):
baseIntent = "adb shell am start -n \""+packageName+"/"+packageName+str(component)+"\""
else:
baseIntent = "adb shell am start -n \""+packageName+"/"+str(component)+"\""
simple_type=True
if extras_list[t+1]=='String':
baseIntent+=" --es "
elif extras_list[t+1]=='Boolean':
baseIntent+=" --ez "
elif extras_list[t+1]=='Int':
baseIntent+=" --ei "
elif extras_list[t+1]=='Long':
baseIntent+=" --el "
elif extras_list[t+1]=='Float':
baseIntent+=" --ef "
elif extras_list[t+1]=='Uri':
baseIntent+=" -d "
else:
simple_type=False
if simple_type:
extra_type=str(extras_list[t+1])
print baseIntent+str(extras_list[t])+" \"Insert"+extra_type+"Here\""
output=True
#TODO, Need to think of a better way to do this
#This is excluding all the known types, because every second element is type
elif str(extras_list[t]) not in type_list:
common.logger.info("Extra: " + str(extras_list[t])+" is not a simple type, or could not be determined. You'll need to append the parameter which corresponds with the correct data type, followed by a key and value, both in quotes.")
print "Example: "+baseIntent+str(" --es \"YOURKEYHERE\" \"YOURVALUEHERE\"")
print "Here are your options for different data types: "
for x in extra_parameters:
print str(x)
print "\n"
ouput=True
report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, baseIntent, None, "activity")
extras_list=[]
if not output:
if re.match(r'^\..*',str(component)):
baseIntent = "adb shell am start -n \""+packageName+"/"+packageName+str(component)+"\""
else:
baseIntent = "adb shell am start -n \""+packageName+"/"+str(component)+"\""
print baseIntent
elif str(compType)=='service':
#BUG - THIS PRINTS DUPS without the below
for node in common.xmldoc.getElementsByTagName('service'):
if node.attributes['android:name'].value == component:
if len(node.getElementsByTagName('intent-filter'))>0:
for x in node.getElementsByTagName('intent-filter'):
for a in node.getElementsByTagName('action'):
cmd_list.append([a.attributes['android:name'].value,component])
cmd_list=common.dedup(cmd_list)
for c in cmd_list:
if len(c)>0:
output=False
extras_list=[]
entries=common.get_entry_for_component('service')
for n in entries:
tmp_extra=findExtras.find_extras(str(c[1]),n)
if tmp_extra not in extras_list:
extras_list+=tmp_extra
if len(extras_list)>0:
for t in range(1,(len(extras_list)-1)):
if str(extras_list[t]) not in type_list:
if re.match(r'^\..*',str(c[1])):
baseIntent = "adb shell am startservice -n \"" +packageName+"/"+packageName+str(c[1])+"\""+" -a \""+str(c[0])+"\""
else:
baseIntent = "adb shell am startservice -n \"" +packageName+"/"+str(c[1])+"\""+" -a \""+str(c[0])+"\""
simple_type=True
if extras_list[t+1]=='String':
baseIntent+=" --es "
elif extras_list[t+1]=='Boolean':
baseIntent+=" --ez "
elif extras_list[t+1]=='Int':
baseIntent+=" --ei "
elif extras_list[t+1]=='Long':
baseIntent+=" --el "
elif extras_list[t+1]=='Float':
baseIntent+=" --ef "
elif extras_list[t+1]=='Uri':
baseIntent+=" -d "
else:
simple_type=False
if simple_type:
extra_type=str(extras_list[t+1])
print baseIntent+str(extras_list[t])+" \"Insert"+extra_type+"Here\""
output=True
#TODO, Need to think of a better way to do this
#This is excluding all the known types, because every second element is type
elif str(extras_list[t]) not in type_list:
common.logger.info("Extra: " + str(extras_list[t])+" is not a simple type, or could not be determined. You'll need to append the parameter which corresponds with the correct data type, followed by a key and value, both in quotes.")
print "Example: "+baseIntent+str(" --es \"YOURKEYHERE\" \"YOURVALUEHERE\"")
print "Here are your options for different data types: "
for x in extra_parameters:
print str(x)
print "\n"
output=True
report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, baseIntent, None, "service")
extras_list=[]
if not output:
if re.match(r'^\..*',str(c[1])):
baseIntent = "adb shell am startservice -n \"" +packageName+"/"+packageName+str(c[1])+"\""
else:
baseIntent = "adb shell am startservice -n \"" +packageName+"/"+str(c[1])+"\""
print baseIntent
report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, baseIntent, None, "service")
elif str(compType)=='receiver':
for node in common.xmldoc.getElementsByTagName('receiver'):
if node.attributes['android:name'].value==component:
if len(node.getElementsByTagName('intent-filter'))>0:
for x in node.getElementsByTagName('intent-filter'):
for a in node.getElementsByTagName('action'):
cmd_list.append([a.attributes['android:name'].value,component])
try:
cmd_list=common.dedup(cmd_list)
except Exception as e:
common.logger.error("Error de-duplicating command list in adb.py while processing receivers: " + str(e))
for c in cmd_list:
if len(c)>0:
output=False
extras_list=[]
try:
entries=common.get_entry_for_component('receiver')
except Exception as e:
common.logger.error("Error getting entry point for receivers in adb.py: " + str(e) )
for n in entries:
try:
tmp_extra=findExtras.find_extras(str(c[1]),n)
except Exception as e:
common.logger.error("Error finding extras for receivers in adb.py: " + str(e))
if tmp_extra not in extras_list:
extras_list+=tmp_extra
if len(extras_list)>0:
for t in range(1,(len(extras_list)-1)):
if str(extras_list[t]) not in type_list:
baseIntent="adb shell am broadcast -a \""+str(c[0])+"\""
simple_type=True
if extras_list[t+1]=='String':
baseIntent+=" --es "
elif extras_list[t+1]=='Boolean':
baseIntent+=" --ez "
elif extras_list[t+1]=='Int':
baseIntent+=" --ei "
elif extras_list[t+1]=='Long':
baseIntent+=" --el "
elif extras_list[t+1]=='Float':
baseIntent+=" --ef "
elif extras_list[t+1]=='Uri':
baseIntent+=" -d "
else:
simple_type=False
if simple_type:
extra_type=str(extras_list[t+1])
print baseIntent+"\""+str(extras_list[t])+"\" \"Insert"+extra_type+"Here\""
output=True
#TODO, Need to think of a better way to do this
#This is excluding all the known types, because every second element is type
elif str(extras_list[t]) not in type_list:
common.logger.info("Extra: " + str(extras_list[t])+" is not a simple type, or could not be determined. You'll need to append the parameter which corresponds with the correct data type, followed by a key and value, both in quotes.")
print "Example: "+baseIntent+str(" --es \"YOURKEYHERE\" \"YOURVALUEHERE\"")
print "Here are your options for different data types: "
for x in extra_parameters:
print str(x)
print "\n"
output=True
report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, baseIntent, None, "receiver")
extras_list=[]
if not output:
baseIntent = "adb shell am broadcast -a \""+str(c[0])+"\""
print baseIntent
report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, baseIntent, None, "receiver")
elif str(compType)=='provider':
for node in common.xmldoc.getElementsByTagName('provider'):
if node.attributes['android:name'].value == component:
print "TO INSERT DATA:"
print "adb shell content insert --uri <URI> [--user <USER_ID>] --bind <BINDING> [--bind <BINDING>...]"
print "TO UPDATE DATA:"
print "adb shell content update --uri <URI> [--user <USER_ID>] [--where <WHERE>]"
print "TO DELETE DATA:"
print "adb shell content delete --uri <URI> [--user <USER_ID>] --bind <BINDING> [--bind <BINDING>...]" \
"[--where <WHERE>]"
print "TO QUERY DATA: "
print "adb shell content query --uri <URI> [--user <USER_ID>] [--projection <PROJECTION>]" \
"[--where <WHERE>] [--sort <SORT_ORDER>]"
print "TO CALL THE PROVIDER DIRECTLY"
print "adb shell content call --uri <URI> --method <METHOD> [--arg <ARG>]"
return
def showAdbCommands(component,compType,packageName):
#Print ADB commands for exploitation
cmd_list=[]
cmd_list.append([])
#BUG - THIS PRINTS DUPS
#TODO - re-implement the extras, just want to make sure it looks good first
#suggest_extras=raw_input("Would you like us to suggest extras to add? (y/n) ")
if str(compType)=='activity':
for node in common.xmldoc.getElementsByTagName('activity'):
if node.attributes['android:name'].value == component:
if len(node.getElementsByTagName('intent-filter'))>0:
for x in node.getElementsByTagName('intent-filter'):
for a in node.getElementsByTagName('action'):
cmd_list.append([a.attributes['android:name'].value,component])
cmd_list=common.dedup(cmd_list)
for c in cmd_list:
if len(c)>0:
#find extra suggestions for the intents in c[1], if any
extras_list=[]
extras_list+=intents.find_extras(str(c[1]),common.sourceDirectory)
if len(extras_list)>0:
for t in extras_list:
if re.match(r'^\..*',str(c[1])):
command = "adb shell am start -a \"" + c[0] + "\" -n \""+packageName+"/"+packageName+str(c[1])+"\""+" --es "+str(t)+" \"EXTRA_VALUE_IN_QUOTES\""
else:
command = "adb shell am start -a \"" + c[0] + "\" -n \""+packageName+"/"+str(c[1])+"\""+" --es "+str(t)+" \"EXTRA_VALUE_IN_QUOTES\""
print command
report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, command, None, "activity")
else:
if re.match(r'^\..*',str(c[1])):
command = "adb shell am start -a \"" + c[0] + "\" -n \""+packageName+"/"+packageName+str(c[1])+"\""
else:
command = "adb shell am start -a \"" + c[0] + "\" -n \""+packageName+"/"+str(c[1])+"\""
print command
report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, command, None, "activity")
else:
common.logger.debug("No intent filter on: " + str(component))
extras_list=[]
extras_list+=intents.find_extras(str(component),common.sourceDirectory)
if len(extras_list)>0:
if re.match(r'^\..*',str(component)):
command = "adb shell am start -n \""+packageName+"/"+packageName+component+"\""
else:
command = "adb shell am start -n \""+packageName+"/"+component+"\""
print command
extras = []
for e in extras_list:
extras.append("Possible extras to send: " + str(e))
print "Possible extras to send: " + str(e)
report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, command, extras, "activity")
else:
if re.match(r'^\..*',str(component)):
command = "adb shell am start -n \""+packageName+"/"+packageName+component+"\""
else:
command = "adb shell am start -n \""+packageName+"/"+component+"\""
print command
report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, command, None, "activity")
elif str(compType)=='service':
#BUG - THIS PRINTS DUPS without the below
for node in common.xmldoc.getElementsByTagName('service'):
if node.attributes['android:name'].value == component:
if len(node.getElementsByTagName('intent-filter'))>0:
for x in node.getElementsByTagName('intent-filter'):
for a in node.getElementsByTagName('action'):
cmd_list.append([a.attributes['android:name'].value,component])
cmd_list=common.dedup(cmd_list)
for c in cmd_list:
if len(c)>0:
extras_list=[]
extras_list+=intents.find_extras(str(c[1]),common.sourceDirectory)
if len(extras_list)>0:
for t in extras_list:
if re.match(r'^\..*',str(c[1])):
command = "adb shell am startservice " +packageName+"/"+packageName+str(c[1])+" --es "+str(t)
else:
command = "adb shell am startservice " +packageName+"/"+str(c[1])+" --es "+str(t)
print command
report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, command, None, "service")
else:
if re.match(r'^\..*',str(c[1])):
command = "adb shell am startservice " +packageName+"/"+packageName+str(c[1])
else:
command = "adb shell am startservice " +packageName+"/"+str(c[1])
print command
report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, command, None, "service")
elif str(compType)=='receiver':
for node in common.xmldoc.getElementsByTagName('receiver'):
if node.attributes['android:name'].value==component:
for x in node.getElementsByTagName('intent-filter'):
for a in node.getElementsByTagName('action'):
cmd_list.append([a.attributes['android:name'].value,component])
cmd_list=common.dedup(cmd_list)
for c in cmd_list:
if len(c)>0:
extras_list=[]
extras_list+=intents.find_extras(str(c[1]),common.sourceDirectory)
if len(extras_list)>0:
for t in extras_list:
baseIntent="adb shell am broadcast -a \""+str(c[0])+"\""
print "Possible Extra: " + str(t)
baseIntent+=" --es "+str(t)+" \"YOURDATAHERE\""
print baseIntent
report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, baseIntent, None, "receiver")
common.logger.info("Sorry, the dynamic extra suggestions is still a work in progress. In the mean time, know that the --es flag is used for sending key/value pairs which are strings.")
common.logger.info("If the suggested extra does not appear quoted, it is either a CONSTANT or String variable, it should not be used literally as shown")
else:
command = "adb shell am broadcast -a \""+str(c[0])+"\""
print command
report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, command, None, "receiver")
elif str(compType)=='provider':
for node in common.xmldoc.getElementsByTagName('provider'):
if node.attributes['android:name'].value == component:
print "TO INSERT DATA:"
print "adb shell content insert --uri <URI> [--user <USER_ID>] --bind <BINDING> [--bind <BINDING>...]"
print "TO UPDATE DATA:"
print "adb shell content update --uri <URI> [--user <USER_ID>] [--where <WHERE>]"
print "TO DELETE DATA:"
print "adb shell content delete --uri <URI> [--user <USER_ID>] --bind <BINDING> [--bind <BINDING>...]" \
"[--where <WHERE>]"
print "TO QUERY DATA: "
print "adb shell content query --uri <URI> [--user <USER_ID>] [--projection <PROJECTION>]" \
"[--where <WHERE>] [--sort <SORT_ORDER>]"
print "TO CALL THE PROVIDER DIRECTLY"
print "adb shell content call --uri <URI> --method <METHOD> [--arg <ARG>]"
return
def showAdbCommands(component, compType, packageName):
#Print ADB commands for exploitation
cmd_list = []
cmd_list.append([])
#BUG - THIS PRINTS DUPS
#TODO - re-implement the extras, just want to make sure it looks good first
#suggest_extras=raw_input("Would you like us to suggest extras to add? (y/n) ")
if str(compType) == 'activity':
for node in common.xmldoc.getElementsByTagName('activity'):
if node.attributes['android:name'].value == component:
if len(node.getElementsByTagName('intent-filter')) > 0:
for x in node.getElementsByTagName('intent-filter'):
for a in node.getElementsByTagName('action'):
cmd_list.append([
a.attributes['android:name'].value, component
])
cmd_list = common.dedup(cmd_list)
for c in cmd_list:
if len(c) > 0:
#find extra suggestions for the intents in c[1], if any
extras_list = []
extras_list += intents.find_extras(
str(c[1]), common.sourceDirectory)
if len(extras_list) > 0:
for t in extras_list:
if re.match(r'^\..*', str(c[1])):
command = "adb shell am start -a \"" + c[
0] + "\" -n \"" + packageName + "/" + packageName + str(
c[1]
) + "\"" + " --es " + str(
t
) + " \"EXTRA_VALUE_IN_QUOTES\""
else:
command = "adb shell am start -a \"" + c[
0] + "\" -n \"" + packageName + "/" + str(
c[1]
) + "\"" + " --es " + str(
t
) + " \"EXTRA_VALUE_IN_QUOTES\""
print command
report.write_adb_commands(
"adbcommands-issues-list",
common.Severity.VULNERABILITY, command,
None, "activity")
else:
if re.match(r'^\..*', str(c[1])):
command = "adb shell am start -a \"" + c[
0] + "\" -n \"" + packageName + "/" + packageName + str(
c[1]) + "\""
else:
command = "adb shell am start -a \"" + c[
0] + "\" -n \"" + packageName + "/" + str(
c[1]) + "\""
print command
report.write_adb_commands(
"adbcommands-issues-list",
common.Severity.VULNERABILITY, command,
None, "activity")
else:
common.logger.debug("No intent filter on: " +
str(component))
extras_list = []
extras_list += intents.find_extras(str(component),
common.sourceDirectory)
if len(extras_list) > 0:
if re.match(r'^\..*', str(component)):
command = "adb shell am start -n \"" + packageName + "/" + packageName + component + "\""
else:
command = "adb shell am start -n \"" + packageName + "/" + component + "\""
print command
extras = []
for e in extras_list:
extras.append("Possible extras to send: " + str(e))
print "Possible extras to send: " + str(e)
report.write_adb_commands(
"adbcommands-issues-list",
common.Severity.VULNERABILITY, command, extras,
"activity")
else:
if re.match(r'^\..*', str(component)):
command = "adb shell am start -n \"" + packageName + "/" + packageName + component + "\""
else:
command = "adb shell am start -n \"" + packageName + "/" + component + "\""
print command
report.write_adb_commands(
"adbcommands-issues-list",
common.Severity.VULNERABILITY, command, None,
"activity")
elif str(compType) == 'service':
#BUG - THIS PRINTS DUPS without the below
for node in common.xmldoc.getElementsByTagName('service'):
if node.attributes['android:name'].value == component:
if len(node.getElementsByTagName('intent-filter')) > 0:
for x in node.getElementsByTagName('intent-filter'):
for a in node.getElementsByTagName('action'):
cmd_list.append([
a.attributes['android:name'].value, component
])
cmd_list = common.dedup(cmd_list)
for c in cmd_list:
if len(c) > 0:
extras_list = []
extras_list += intents.find_extras(
str(c[1]), common.sourceDirectory)
if len(extras_list) > 0:
for t in extras_list:
if re.match(r'^\..*', str(c[1])):
command = "adb shell am startservice " + packageName + "/" + packageName + str(
c[1]) + " --es " + str(t)
else:
command = "adb shell am startservice " + packageName + "/" + str(
c[1]) + " --es " + str(t)
print command
report.write_adb_commands(
"adbcommands-issues-list",
common.Severity.VULNERABILITY, command,
None, "service")
else:
if re.match(r'^\..*', str(c[1])):
command = "adb shell am startservice " + packageName + "/" + packageName + str(
c[1])
else:
command = "adb shell am startservice " + packageName + "/" + str(
c[1])
print command
report.write_adb_commands(
"adbcommands-issues-list",
common.Severity.VULNERABILITY, command,
None, "service")
elif str(compType) == 'receiver':
for node in common.xmldoc.getElementsByTagName('receiver'):
if node.attributes['android:name'].value == component:
for x in node.getElementsByTagName('intent-filter'):
for a in node.getElementsByTagName('action'):
cmd_list.append(
[a.attributes['android:name'].value, component])
cmd_list = common.dedup(cmd_list)
for c in cmd_list:
if len(c) > 0:
extras_list = []
extras_list += intents.find_extras(
str(c[1]), common.sourceDirectory)
if len(extras_list) > 0:
for t in extras_list:
baseIntent = "adb shell am broadcast -a \"" + str(
c[0]) + "\""
print "Possible Extra: " + str(t)
baseIntent += " --es " + str(
t) + " \"YOURDATAHERE\""
print baseIntent
report.write_adb_commands(
"adbcommands-issues-list",
common.Severity.VULNERABILITY,
baseIntent, None, "receiver")
common.logger.info(
"Sorry, the dynamic extra suggestions is still a work in progress. In the mean time, know that the --es flag is used for sending key/value pairs which are strings."
)
common.logger.info(
"If the suggested extra does not appear quoted, it is either a CONSTANT or String variable, it should not be used literally as shown"
)
else:
command = "adb shell am broadcast -a \"" + str(
c[0]) + "\""
print command
report.write_adb_commands(
"adbcommands-issues-list",
common.Severity.VULNERABILITY, command,
None, "receiver")
elif str(compType) == 'provider':
for node in common.xmldoc.getElementsByTagName('provider'):
if node.attributes['android:name'].value == component:
print "TO INSERT DATA:"
print "adb shell content insert --uri <URI> [--user <USER_ID>] --bind <BINDING> [--bind <BINDING>...]"
print "TO UPDATE DATA:"
print "adb shell content update --uri <URI> [--user <USER_ID>] [--where <WHERE>]"
print "TO DELETE DATA:"
print "adb shell content delete --uri <URI> [--user <USER_ID>] --bind <BINDING> [--bind <BINDING>...]" \
"[--where <WHERE>]"
print "TO QUERY DATA: "
print "adb shell content query --uri <URI> [--user <USER_ID>] [--projection <PROJECTION>]" \
"[--where <WHERE>] [--sort <SORT_ORDER>]"
print "TO CALL THE PROVIDER DIRECTLY"
print "adb shell content call --uri <URI> --method <METHOD> [--arg <ARG>]"
return
def show_adb_commands(component, compType, packageName):
#Print ADB commands for exploitation
cmd_list = []
cmd_list.append([])
#BUG - THIS PRINTS DUPS
extra_parameters = []
extra_parameters.append('[-e|--es <EXTRA_KEY> <EXTRA_STRING_VALUE> ...]')
extra_parameters.append('[--esn <EXTRA_KEY> ...]')
extra_parameters.append('[--ez <EXTRA_KEY> <EXTRA_BOOLEAN_VALUE> ...]')
extra_parameters.append('[--ei <EXTRA_KEY> <EXTRA_INT_VALUE> ...]')
extra_parameters.append('[--el <EXTRA_KEY> <EXTRA_LONG_VALUE> ...]')
extra_parameters.append('[--ef <EXTRA_KEY> <EXTRA_FLOAT_VALUE> ...]')
extra_parameters.append('[--eu <EXTRA_KEY> <EXTRA_URI_VALUE> ...]')
extra_parameters.append('[--ecn <EXTRA_KEY> <EXTRA_COMPONENT_NAME_VALUE>]')
extra_parameters.append(
'[--eia <EXTRA_KEY> <EXTRA_INT_VALUE>[,<EXTRA_INT_VALUE...]]')
extra_parameters.append(
'[--ela <EXTRA_KEY> <EXTRA_LONG_VALUE>[,<EXTRA_LONG_VALUE...]]')
extra_parameters.append(
'[--efa <EXTRA_KEY> <EXTRA_FLOAT_VALUE>[,<EXTRA_FLOAT_VALUE...]]')
extra_parameters.append(
'[--esa <EXTRA_KEY> <EXTRA_STRING_VALUE>[,<EXTRA_STRING_VALUE...]]')
type_list = [
'String', 'StringArray', 'StringArrayList', 'Boolean', 'BooleanArray',
'Int', 'Float', 'Long', 'LongArray', '[]', '', 'IntArray',
'IntegerArrayList', 'FloatArray', 'Double', 'Char', 'CharArray',
'CharSequence', 'CharSequenceArray', 'CharSequenceArrayList', 'Byte',
'ByteArray', 'Bundle', 'Short', 'ShortArray', 'Serializable',
'Parcelable', 'ParcelableArrayList', 'ParcelableArray', 'unknownType'
]
#TODO - Need to add
#TODO - -d for data uri
if str(compType) == 'activity':
for node in common.xmldoc.getElementsByTagName('activity'):
if node.attributes['android:name'].value == component:
if len(node.getElementsByTagName('intent-filter')) > 0:
for x in node.getElementsByTagName('intent-filter'):
for a in node.getElementsByTagName('action'):
cmd_list.append([
a.attributes['android:name'].value, component
])
cmd_list = common.dedup(cmd_list)
for c in cmd_list:
if len(c) > 0:
#find extra suggestions for the intents in c[1], if any
extras_list = []
extras_list.append([])
entries = common.get_entry_for_component(
'activity')
output = False
for n in entries:
tmp_extra = findExtras.find_extras(
str(c[1]), n)
if tmp_extra not in extras_list:
extras_list += tmp_extra
if len(extras_list) > 2:
for t in range(1, (len(extras_list) - 1)):
if str(extras_list[t]) not in type_list:
if re.match(r'^\..*', str(c[1])):
baseIntent = "adb shell am start -a \"" + c[
0] + "\" -n \"" + packageName + "/" + packageName + str(
c[1]) + "\""
else:
baseIntent = "adb shell am start -a \"" + c[
0] + "\" -n \"" + packageName + "/" + str(
c[1]) + "\""
simple_type = True
if extras_list[t + 1] == 'String':
baseIntent += " --es "
elif extras_list[t + 1] == 'Boolean':
baseIntent += " --ez "
elif extras_list[t + 1] == 'Int':
baseIntent += " --ei "
elif extras_list[t + 1] == 'Long':
baseIntent += " --el "
elif extras_list[t + 1] == 'Float':
baseIntent += " --ef "
else:
simple_type = False
if simple_type:
extra_type = str(extras_list[t +
1])
print baseIntent + "\"" + str(
extras_list[t]
) + "\" \"Insert" + extra_type + "Here\""
output = True
#TODO, Need to think of a better way to do this
#This is excluding all the known types, because every second element is type
elif str(extras_list[t]
) not in type_list:
common.logger.info(
"Extra: " +
str(extras_list[t]) +
" is not a simple type, or could not be determined. You'll need to append the parameter which corresponds with the correct data type, followed by a key and value, both in quotes."
)
print "Example: " + baseIntent + str(
" --es \"YOURKEYHERE\" \"YOURVALUEHERE\""
)
print "Here are your options for different data types: "
for x in extra_parameters:
print str(x)
print "\n"
output = True
report.write_adb_commands(
"adbcommands-issues-list",
common.Severity.VULNERABILITY,
baseIntent, None, "activity")
extras_list = []
if not output:
if re.match(r'^\..*', str(c[1])):
baseIntent = "adb shell am start -a \"" + c[
0] + "\" -n \"" + packageName + "/" + packageName + str(
c[1]) + "\""
else:
baseIntent = "adb shell am start -a \"" + c[
0] + "\" -n \"" + packageName + "/" + str(
c[1]) + "\""
print baseIntent
else:
common.logger.debug("No intent filter on: " +
str(component))
extras_list = []
entries = common.get_entry_for_component('activity')
output = False
last_extra = ''
for n in entries:
tmp_extra = findExtras.find_extras(str(component), n)
if tmp_extra not in extras_list:
if str(tmp_extra) != str(last_extra):
extras_list += tmp_extra
last_extra = str(tmp_extra)
if len(extras_list) > 0:
for t in range(1, (len(extras_list) - 1)):
if str(extras_list[t]) not in type_list:
if re.match(r'^\..*', str(component)):
baseIntent = "adb shell am start -n \"" + packageName + "/" + packageName + str(
component) + "\""
else:
baseIntent = "adb shell am start -n \"" + packageName + "/" + str(
component) + "\""
simple_type = True
if extras_list[t + 1] == 'String':
baseIntent += " --es "
elif extras_list[t + 1] == 'Boolean':
baseIntent += " --ez "
elif extras_list[t + 1] == 'Int':
baseIntent += " --ei "
elif extras_list[t + 1] == 'Long':
baseIntent += " --el "
elif extras_list[t + 1] == 'Float':
baseIntent += " --ef "
elif extras_list[t + 1] == 'Uri':
baseIntent += " -d "
else:
simple_type = False
if simple_type:
extra_type = str(extras_list[t + 1])
print baseIntent + str(
extras_list[t]
) + " \"Insert" + extra_type + "Here\""
output = True
#TODO, Need to think of a better way to do this
#This is excluding all the known types, because every second element is type
elif str(extras_list[t]) not in type_list:
common.logger.info(
"Extra: " + str(extras_list[t]) +
" is not a simple type, or could not be determined. You'll need to append the parameter which corresponds with the correct data type, followed by a key and value, both in quotes."
)
print "Example: " + baseIntent + str(
" --es \"YOURKEYHERE\" \"YOURVALUEHERE\""
)
print "Here are your options for different data types: "
for x in extra_parameters:
print str(x)
print "\n"
ouput = True
report.write_adb_commands(
"adbcommands-issues-list",
common.Severity.VULNERABILITY, baseIntent,
None, "activity")
extras_list = []
if not output:
if re.match(r'^\..*', str(component)):
baseIntent = "adb shell am start -n \"" + packageName + "/" + packageName + str(
component) + "\""
else:
baseIntent = "adb shell am start -n \"" + packageName + "/" + str(
component) + "\""
print baseIntent
elif str(compType) == 'service':
#BUG - THIS PRINTS DUPS without the below
for node in common.xmldoc.getElementsByTagName('service'):
if node.attributes['android:name'].value == component:
if len(node.getElementsByTagName('intent-filter')) > 0:
for x in node.getElementsByTagName('intent-filter'):
for a in node.getElementsByTagName('action'):
cmd_list.append([
a.attributes['android:name'].value, component
])
cmd_list = common.dedup(cmd_list)
for c in cmd_list:
if len(c) > 0:
output = False
extras_list = []
entries = common.get_entry_for_component('service')
for n in entries:
tmp_extra = findExtras.find_extras(
str(c[1]), n)
if tmp_extra not in extras_list:
extras_list += tmp_extra
if len(extras_list) > 0:
for t in range(1, (len(extras_list) - 1)):
if str(extras_list[t]) not in type_list:
if re.match(r'^\..*', str(c[1])):
baseIntent = "adb shell am startservice -n \"" + packageName + "/" + packageName + str(
c[1]) + "\"" + " -a \"" + str(
c[0]) + "\""
else:
baseIntent = "adb shell am startservice -n \"" + packageName + "/" + str(
c[1]) + "\"" + " -a \"" + str(
c[0]) + "\""
simple_type = True
if extras_list[t + 1] == 'String':
baseIntent += " --es "
elif extras_list[t + 1] == 'Boolean':
baseIntent += " --ez "
elif extras_list[t + 1] == 'Int':
baseIntent += " --ei "
elif extras_list[t + 1] == 'Long':
baseIntent += " --el "
elif extras_list[t + 1] == 'Float':
baseIntent += " --ef "
elif extras_list[t + 1] == 'Uri':
baseIntent += " -d "
else:
simple_type = False
if simple_type:
extra_type = str(extras_list[t +
1])
print baseIntent + str(
extras_list[t]
) + " \"Insert" + extra_type + "Here\""
output = True
#TODO, Need to think of a better way to do this
#This is excluding all the known types, because every second element is type
elif str(extras_list[t]
) not in type_list:
common.logger.info(
"Extra: " +
str(extras_list[t]) +
" is not a simple type, or could not be determined. You'll need to append the parameter which corresponds with the correct data type, followed by a key and value, both in quotes."
)
print "Example: " + baseIntent + str(
" --es \"YOURKEYHERE\" \"YOURVALUEHERE\""
)
print "Here are your options for different data types: "
for x in extra_parameters:
print str(x)
print "\n"
output = True
report.write_adb_commands(
"adbcommands-issues-list",
common.Severity.VULNERABILITY,
baseIntent, None, "service")
extras_list = []
if not output:
if re.match(r'^\..*', str(c[1])):
baseIntent = "adb shell am startservice -n \"" + packageName + "/" + packageName + str(
c[1]) + "\""
else:
baseIntent = "adb shell am startservice -n \"" + packageName + "/" + str(
c[1]) + "\""
print baseIntent
report.write_adb_commands(
"adbcommands-issues-list",
common.Severity.VULNERABILITY, baseIntent,
None, "service")
elif str(compType) == 'receiver':
for node in common.xmldoc.getElementsByTagName('receiver'):
if node.attributes['android:name'].value == component:
if len(node.getElementsByTagName('intent-filter')) > 0:
for x in node.getElementsByTagName('intent-filter'):
for a in node.getElementsByTagName('action'):
cmd_list.append([
a.attributes['android:name'].value, component
])
try:
cmd_list = common.dedup(cmd_list)
except Exception as e:
common.logger.error(
"Error de-duplicating command list in adb.py while processing receivers: "
+ str(e))
for c in cmd_list:
if len(c) > 0:
output = False
extras_list = []
try:
entries = common.get_entry_for_component(
'receiver')
except Exception as e:
common.logger.error(
"Error getting entry point for receivers in adb.py: "
+ str(e))
for n in entries:
try:
tmp_extra = findExtras.find_extras(
str(c[1]), n)
except Exception as e:
common.logger.error(
"Error finding extras for receivers in adb.py: "
+ str(e))
if tmp_extra not in extras_list:
extras_list += tmp_extra
if len(extras_list) > 0:
for t in range(1, (len(extras_list) - 1)):
if str(extras_list[t]
) not in type_list:
baseIntent = "adb shell am broadcast -a \"" + str(
c[0]) + "\""
simple_type = True
if extras_list[t + 1] == 'String':
baseIntent += " --es "
elif extras_list[t +
1] == 'Boolean':
baseIntent += " --ez "
elif extras_list[t + 1] == 'Int':
baseIntent += " --ei "
elif extras_list[t + 1] == 'Long':
baseIntent += " --el "
elif extras_list[t + 1] == 'Float':
baseIntent += " --ef "
elif extras_list[t + 1] == 'Uri':
baseIntent += " -d "
else:
simple_type = False
if simple_type:
extra_type = str(
extras_list[t + 1])
print baseIntent + "\"" + str(
extras_list[t]
) + "\" \"Insert" + extra_type + "Here\""
output = True
#TODO, Need to think of a better way to do this
#This is excluding all the known types, because every second element is type
elif str(extras_list[t]
) not in type_list:
common.logger.info(
"Extra: " +
str(extras_list[t]) +
" is not a simple type, or could not be determined. You'll need to append the parameter which corresponds with the correct data type, followed by a key and value, both in quotes."
)
print "Example: " + baseIntent + str(
" --es \"YOURKEYHERE\" \"YOURVALUEHERE\""
)
print "Here are your options for different data types: "
for x in extra_parameters:
print str(x)
print "\n"
output = True
report.write_adb_commands(
"adbcommands-issues-list",
common.Severity.VULNERABILITY,
baseIntent, None, "receiver")
extras_list = []
if not output:
baseIntent = "adb shell am broadcast -a \"" + str(
c[0]) + "\""
print baseIntent
report.write_adb_commands(
"adbcommands-issues-list",
common.Severity.VULNERABILITY,
baseIntent, None, "receiver")
elif str(compType) == 'provider':
for node in common.xmldoc.getElementsByTagName('provider'):
if node.attributes['android:name'].value == component:
print "TO INSERT DATA:"
print "adb shell content insert --uri <URI> [--user <USER_ID>] --bind <BINDING> [--bind <BINDING>...]"
print "TO UPDATE DATA:"
print "adb shell content update --uri <URI> [--user <USER_ID>] [--where <WHERE>]"
print "TO DELETE DATA:"
print "adb shell content delete --uri <URI> [--user <USER_ID>] --bind <BINDING> [--bind <BINDING>...]" \
"[--where <WHERE>]"
print "TO QUERY DATA: "
print "adb shell content query --uri <URI> [--user <USER_ID>] [--projection <PROJECTION>]" \
"[--where <WHERE>] [--sort <SORT_ORDER>]"
print "TO CALL THE PROVIDER DIRECTLY"
print "adb shell content call --uri <URI> --method <METHOD> [--arg <ARG>]"
return
