示例#1
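def write_manifest(data):
    """
    Appends the raw manifest text to the HTML report.

    Wraps ``data`` in a ``<code class="xml">`` element and appends it to the
    ``<pre id="rawmanifest">`` element of ``<rootDir>/report/report.html``.
    Does nothing unless ``common.reportInitSuccess`` is set. Any failure,
    including a missing report file, is logged at debug level and swallowed.
    """
    if not common.reportInitSuccess:
        return
    try:
        report_path = common.getConfig("rootDir") + "/report/report.html"
        if not os.path.exists(report_path):
            # The old code fell through to the write below, which created an
            # empty report.html and then failed on an unbound variable.
            raise IOError(report_path + " not found")

        with open(report_path, 'r') as fh:
            pre_rendered_html = BeautifulSoup(fh.read(), 'html5lib')

        new_code_div = pre_rendered_html.new_tag("code")
        new_code_div['class'] = "xml"
        # data is presumably the manifest of the app under review. Assigning
        # it through .string makes it a text node that BeautifulSoup escapes
        # on output, so it is never parsed as report markup.
        new_code_div.string = data
        pre_rendered_html.find("pre", id="rawmanifest").append(new_code_div)

        # Render first: open(..., "w") truncates the file, so an error raised
        # while rendering after the open would leave an empty report behind.
        rendered = str(pre_rendered_html.prettify())
        with open(report_path, "w") as fh:
            fh.write(rendered)
    except Exception as e:
        common.logger.debug("Error writing manifest: " + str(e))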
示例#2
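def write_counters():
    """
    Fills in the per-severity totals of the HTML report.

    Counts how often the marker strings "badger-danger", "badger-warning",
    "badger-success" and "debug-level" occur in the serialized report and
    appends each total, in a new <div>, to the <h1> with id
    vulnerability_count, warning_count, information_count and debug_count
    respectively. Does nothing when report.html is missing; failures are
    logged at debug level and swallowed.
    """
    try:
        report_path = common.getConfig("rootDir") + "/report/report.html"
        if os.path.exists(report_path):
            with open(report_path, 'r') as fh:
                pre_rendered_html = BeautifulSoup(fh.read(), 'html5lib')

            # Serialize once instead of once per marker.
            # NOTE(review): this is a plain text count over the whole page,
            # so report text that itself contains one of the markers is
            # counted as a finding too - confirm that is acceptable.
            serialized = str(pre_rendered_html)
            totals = (
                ("vulnerability_count", len(re.findall(r'badger-danger', serialized))),
                ("warning_count", len(re.findall(r'badger-warning', serialized))),
                ("information_count", len(re.findall(r'badger-success', serialized))),
                ("debug_count", len(re.findall(r'debug-level', serialized))),
            )
            for heading_id, total in totals:
                new_div_tag = pre_rendered_html.new_tag("div")
                new_div_tag.string = str(total)
                pre_rendered_html.find("h1", id=heading_id).append(new_div_tag)

            # Render before opening for write; "w" truncates, so a rendering
            # error after the open would wipe the report.
            rendered = str(pre_rendered_html.prettify())
            with open(report_path, "w") as fh:
                fh.write(rendered)
    except Exception as e:
        common.logger.debug("Error in write_counters: " + str(e))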
示例#3
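def write_badger(identity, sev, data, extra=None):
    """
    Inserts one finding at the top of a report section.

    Builds ``<div class=badger[sev] data-badger=severity[sev]>`` holding
    ``data`` in a <strong> element followed by a <ul> of details, and inserts
    it as the first child of ``<div id=identity>`` in report.html.

    ``extra`` may be None, a str (one item), a list (one item per element) or
    a dict whose values are iterables. Within a dict value, a plain element
    becomes one item; a non-empty list becomes an item carrying its first
    element with the remaining elements in a nested <ul>.

    Does nothing unless ``common.reportInitSuccess`` is set. Failures are
    logged at debug level and swallowed.
    """
    if not common.reportInitSuccess:
        return
    try:
        report_path = common.getConfig("rootDir") + "/report/report.html"
        if not os.path.exists(report_path):
            # Previously this fell through to the write below, creating an
            # empty report.html before failing on an unbound variable.
            raise IOError(report_path + " not found")

        with open(report_path, 'r') as fh:
            pre_rendered_html = BeautifulSoup(fh.read(), 'html5lib')

        def text_item(text):
            # All finding text goes in through .string, i.e. as a text node
            # that is escaped on output rather than parsed as markup.
            li = pre_rendered_html.new_tag("li")
            li.string = text
            return li

        new_div_tag = pre_rendered_html.new_tag("div")
        new_div_tag['class'] = badger[sev]
        new_div_tag['data-badger'] = severity[sev]
        new_strong_tag = pre_rendered_html.new_tag("strong")
        new_strong_tag.string = data

        new_ul_tag = pre_rendered_html.new_tag("ul")

        if extra is not None:
            if isinstance(extra, dict):
                for key in extra:
                    for entry in extra[key]:
                        if not isinstance(entry, list):
                            new_ul_tag.append(text_item(entry))
                            continue
                        if not entry:
                            # empty lists contribute nothing
                            continue
                        parent_item = text_item(entry[0])
                        nested_list = pre_rendered_html.new_tag("ul")
                        for sub_entry in entry[1:]:
                            nested_list.append(text_item(sub_entry))
                        parent_item.append(nested_list)
                        new_ul_tag.append(parent_item)
            elif isinstance(extra, list):
                for entry in extra:
                    new_ul_tag.append(text_item(entry))
            elif isinstance(extra, str):
                new_ul_tag.append(text_item(extra))
            else:
                logger.debug("Not a valid type of object in terminalPrint extras")

        new_div_tag.append(new_strong_tag)
        new_div_tag.append(new_ul_tag)
        pre_rendered_html.find("div", id=identity).insert(0, new_div_tag)

        # Render before opening for write; "w" truncates, so a rendering
        # error after the open would wipe the report.
        rendered = str(pre_rendered_html.prettify())
        with open(report_path, "w") as fh:
            fh.write(rendered)
    except Exception as e:
        common.logger.debug("Error badger don't care: " + str(e))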
示例#4
def is_android_sdk_installed():
    """
    Report whether an Android SDK path is configured and, if so, export it.

    When the AndroidSDKPath setting is non-empty, its tools, platform-tools
    and tools/lib directories are appended to PATH and ANDROID_HOME is set to
    it. Only the setting is checked; the directories are not tested for
    existence.

    Returns True if the setting is non-empty, False otherwise.
    """
    sdk_path = common.getConfig('AndroidSDKPath')
    if not sdk_path:
        return False
    # Appended after the existing entries, so SDK tools never shadow
    # commands already reachable through PATH.
    extra_dirs = [sdk_path + suffix
                  for suffix in ('/tools', '/platform-tools', '/tools/lib')]
    os.environ["PATH"] += os.pathsep + os.pathsep.join(extra_dirs)
    os.environ["ANDROID_HOME"] = sdk_path
    return True
示例#5
def is_android_sdk_installed():
    """
    Export the configured Android SDK location and report whether one is set.

    A non-empty AndroidSDKPath setting is treated as "installed": PATH gains
    the SDK's tools, platform-tools and tools/lib directories and
    ANDROID_HOME is pointed at the SDK. Nothing on disk is inspected.

    Returns True when the setting is non-empty, otherwise False.
    """
    sdk_root = common.getConfig('AndroidSDKPath')
    if sdk_root:
        search_path = os.environ["PATH"]
        # SDK directories go last so they cannot take precedence over
        # anything already on PATH.
        for sub_dir in ('/tools', '/platform-tools', '/tools/lib'):
            search_path += os.pathsep + sdk_root + sub_dir
        os.environ["PATH"] = search_path
        os.environ["ANDROID_HOME"] = sdk_root
        return True
    return False
示例#6
def build_apk(path):
    """
    Builds the exploit APK from the project at <rootDir>/build/<path>.

    Writes a local.properties file containing sdk.dir=<AndroidSDKPath> into
    that directory, runs "./gradlew assembleDebug" there and echoes the
    build output. The working directory is left at the build directory. The
    Gradle exit status is not checked and nothing is returned.
    """
    print "------------ Building Exploit APK ------------"
    currentDir = common.getConfig("rootDir")
    # path is concatenated as given.
    # NOTE(review): confirm callers only pass fixed template directory names.
    os.chdir(currentDir + "/build/" + path)
    # Relative open: the file is created in the build directory entered above.
    properties = open("local.properties", "w+")
    # NOTE(review): presumably switches back so that getConfig resolves its
    # settings from rootDir - confirm before reordering these calls.
    os.chdir(currentDir)
    properties.write("sdk.dir=" + common.getConfig("AndroidSDKPath"))
    properties.close()
    os.chdir(currentDir + "/build/" + path)
    # Executes the wrapper script found in the build directory. Arguments are
    # passed as a list, so no shell is involved.
    p1 = Popen(["./gradlew", "assembleDebug"], stdout=PIPE, stdin=PIPE, stderr=STDOUT, bufsize=1)
    # Stream combined stdout/stderr until EOF; the process is never wait()ed on.
    for line in iter(p1.stdout.readline, b""):
        print line,
示例#7
def buildAPK(path):
    """
    Builds the exploit APK from the project at <rootDir>/build/<path>.

    Writes local.properties (sdk.dir=<AndroidSDKPath>) into that directory,
    runs "./gradlew assembleDebug" there and prints the build output as it
    arrives. Leaves the working directory at the build directory; the Gradle
    exit status is not inspected.
    """
    print "------------ Building Exploit APK ------------"
    currentDir = common.getConfig("rootDir")
    # path is used unmodified in the directory name.
    # NOTE(review): verify it never comes from untrusted input.
    os.chdir(currentDir + "/build/" + path)
    # Created relative to the build directory entered on the previous line.
    properties = open('local.properties','w+')
    # NOTE(review): the switch back to rootDir before getConfig looks
    # deliberate (settings lookup relative to cwd?) - confirm.
    os.chdir(currentDir)
    properties.write('sdk.dir='+common.getConfig('AndroidSDKPath'))
    properties.close()
    os.chdir(currentDir + "/build/" + path)
    # Runs the gradlew script that sits in the build directory (argv list, no shell).
    p1 = Popen(['./gradlew',"assembleDebug"], stdout=PIPE, stdin=PIPE, stderr=STDOUT, bufsize=1)
    # Echo merged stdout/stderr line by line until the pipe closes.
    for line in iter(p1.stdout.readline, b''):
        print line,
示例#8
def getAndroidSDKManager():
    """
    Interactively obtain the Android SDK location.

    Prints the SDK information text and asks whether the SDK should be
    downloaded. On "y" (case-insensitive) downloadSDK() is called. Otherwise
    the user is prompted for a path, which is stored under AndroidSDKPath,
    and is prompted again until <path>/tools exists.
    """
    info_text = common.config.get('qarkhelper', 'ANDROID_SDK_INFO')
    print common.term.yellow + str(info_text).decode('string-escape').format(t=common.term)
    print common.term.cyan
    answer = raw_input(
        common.config.get('qarkhelper', 'GET_ANDROID_SDK_MANAGER_PROMPT'))
    if str(answer).lower() == 'y':
        downloadSDK()
    else:
        while True:
            AndroidSDKPath = raw_input(
                common.config.get('qarkhelper',
                                  'ANDROID_SDK_MANAGER_PATH_PROMPT'))
            # The answer is persisted before it is checked, and the only
            # check is that a "tools" entry exists beneath it.
            common.writeKey('AndroidSDKPath', AndroidSDKPath)
            if os.path.exists(common.getConfig('AndroidSDKPath') + "/tools"):
                break
            retry_text = common.config.get(
                'qarkhelper', 'ANDROID_SDK_MANAGER_PATH_PROMPT_AGAIN')
            logger.error(str(retry_text).decode('string-escape'))
            print common.term.cyan
    common.logger.debug("Located SDK")
示例#9
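def createUsing(replacementData):
    """
    Core of the exploit generation.

    Takes a mapping of exploitType -> iterable of replacement values. For
    each known exploit type, every key of the [exploit] config section whose
    upper-cased name contains the type name selects a further config section
    (named by that key's value). Each value of that section is a template
    path, relative to <rootDir>/build/qark, that is passed to
    modifyTemplate2 together with the section name and the replacement value.

    Keys that are not a known exploitType are skipped with a debug message.
    """
    # Checked in this order; the name is what gets matched against the
    # [exploit] section keys.
    known_types = (
        (exploitType.BROADCAST_INTENT, "BROADCAST_INTENT"),
        (exploitType.ACTIVITY, "ACTIVITY"),
        (exploitType.INTENT, "INTENT"),
        (exploitType.MANIFEST, "MANIFEST"),
        (exploitType.PERMISSION, "PERMISSION"),
        (exploitType.RECEIVER, "RECEIVER"),
        (exploitType.SERVICE, "SERVICE"),
    )
    path = common.getConfig("rootDir") + '/build/qark'
    data = dict(replacementData)
    for key, value in data.iteritems():
        # Reset per key. The old if/elif chain left exploit_type unbound for
        # an unknown first key, and silently reused the previous key's type
        # for an unknown later one.
        exploit_type = None
        for member, type_name in known_types:
            if key == member:
                exploit_type = type_name
                break
        if exploit_type is None:
            common.logger.debug("Skipping unknown exploit type: " + str(key))
            continue
        for instance in value:
            replacement_keys = dict(common.config.items('exploit'))
            for type_key, type_value in replacement_keys.iteritems():
                # Substring match: "INTENT" also matches a key containing
                # "BROADCAST_INTENT". NOTE(review): confirm this is intended.
                if exploit_type in str(type_key).upper():
                    replacement_files = dict(common.config.items(type_value))
                    for file_value in replacement_files.itervalues():
                        modifyTemplate2(path + file_value, type_value, instance)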
示例#10
文件: report.py 项目: prabintim/qark
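def reset():
    """
    Recreates the report directory from the bundled template.

    The target is <rootDir>/report, or <reportDir>/report when the reportDir
    command-line argument is set; the chosen path is stored in
    common.reportDir. Anything already at that path is deleted recursively,
    the template3 directory is copied in its place and its index.html is
    renamed to report.html. Failures are logged at debug level and swallowed.
    """
    try:
        root_dir = common.getConfig("rootDir")
        common.reportDir = root_dir + "/report"
        if common.args.reportDir is not None:
            common.reportDir = common.args.reportDir + "/report"

        # rmtree deletes everything below the target. With a user-supplied
        # reportDir, whatever already lives at <reportDir>/report is lost,
        # so the argument should name a directory dedicated to QARK output.
        if os.path.exists(common.reportDir):
            shutil.rmtree(common.reportDir)
        shutil.copytree(root_dir + "/template3", common.reportDir)
        os.rename(common.reportDir + "/index.html",
                  common.reportDir + "/report.html")
    except Exception as e:
        # Include the cause; the bare message gave no hint why reset failed.
        common.logger.debug("Error when trying to reset report: " + str(e))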
示例#11
文件: qark.py 项目: zhouat/qark
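def list_all_apk():
    """
    Lists the APK paths of the packages installed on the connected device.

    Blocks, polling "adb devices" every five seconds, until the output has
    more than two lines and does not report the adb daemon starting. Then
    parses the output of "adb shell pm list packages -f".

    Returns:
        A list with one on-device APK path per "package:" line.
    """
    result = []
    # os.path.join yields a valid path whether or not AndroidSDKPath ends
    # with a separator; plain concatenation required the trailing slash.
    adb = os.path.join(common.getConfig('AndroidSDKPath'), "platform-tools", "adb")
    st = os.stat(adb)
    # Make sure the adb binary under the configured SDK path is executable.
    os.chmod(adb, st.st_mode | stat.S_IEXEC)
    while True:
        p1 = Popen([adb, 'devices'], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
        line_count = 0
        daemon_starting = False
        for line in p1.stdout:
            line_count += 1
            if "daemon not running. starting it now on port" in line:
                daemon_starting = True
        p1.wait()
        # More than two lines is taken to mean at least one device is listed
        # (presumably header line + device line + trailing blank line).
        if line_count > 2 and not daemon_starting:
            break
        common.logger.warning("Waiting for a device to be connected...")
        time.sleep(5)
    p0 = Popen([adb, 'shell', 'pm', 'list', 'packages', '-f'], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
    prefix = 'package:'
    for line in p0.stdout:
        entry = str(line).strip()
        # Expected shape: package:<apk path>=<package name>. Anything else
        # (blank lines, error text) used to be sliced into a bogus entry.
        if not entry.startswith(prefix) or '=' not in entry:
            continue
        # Split at the last '=': a package name cannot contain one, while the
        # APK path may.
        result.append(entry[len(prefix):].rpartition('=')[0])
    p0.wait()
    return result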
示例#12
文件: qark.py 项目: AliMehrpour/qark
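def list_all_apk():
    """
    Returns the on-device APK path of every installed package.

    Waits (polling "adb devices" every five seconds) until the output has
    more than two lines and the adb daemon is not just starting, then reads
    "adb shell pm list packages -f" and extracts the path from each
    "package:<apk path>=<package name>" line.
    """
    result = []
    # Joined rather than concatenated so a configured SDK path without a
    # trailing separator still resolves to <sdk>/platform-tools/adb.
    adb = os.path.join(common.getConfig('AndroidSDKPath'), "platform-tools", "adb")
    st = os.stat(adb)
    # Add the execute bit to the adb binary under the configured SDK path.
    os.chmod(adb, st.st_mode | stat.S_IEXEC)
    while True:
        p1 = Popen([adb, 'devices'], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
        seen_lines = 0
        error = False
        for line in p1.stdout:
            seen_lines += 1
            if "daemon not running. starting it now on port" in line:
                error = True
        p1.wait()
        # Treated as "at least one device is connected".
        if seen_lines > 2 and not error:
            break
        common.logger.warning("Waiting for a device to be connected...")
        time.sleep(5)
    p0 = Popen([adb, 'shell', 'pm', 'list', 'packages', '-f'], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
    for line in p0.stdout:
        entry = str(line).strip()
        # Ignore output that is not a package record; the old fixed-offset
        # slice turned such lines into meaningless list entries.
        if not entry.startswith('package:') or '=' not in entry:
            continue
        # The package name follows the last '='; the path itself may hold one.
        apk_path, _, _ = entry[len('package:'):].rpartition('=')
        result.append(apk_path)
    p0.wait()
    return result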
示例#13
文件: report.py 项目: gcf0082/qark
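def reset():
    """
    Replaces the report directory with a fresh copy of the template.

    Uses <rootDir>/report unless the reportdir command-line argument is set,
    in which case <reportdir>/report is used; the result is stored in
    common.reportDir. An existing directory at that path is removed
    recursively before template3 is copied there and its index.html renamed
    to report.html. Failures are logged at debug level and swallowed.
    """
    try:
        root_dir = common.getConfig("rootDir")
        common.reportDir = root_dir + "/report"
        if common.args.reportdir is not None:
            common.reportDir = common.args.reportdir + "/report"

        # Recursive delete of the target: with a user-supplied reportdir,
        # any existing <reportdir>/report is wiped, so that argument should
        # point at a directory used only for QARK output.
        if os.path.exists(common.reportDir):
            shutil.rmtree(common.reportDir)
        shutil.copytree(root_dir + "/template3", common.reportDir)
        os.rename(common.reportDir + "/index.html",
                  common.reportDir + "/report.html")
    except Exception as e:
        # Log the cause as well; the fixed message alone was not actionable.
        common.logger.debug("Error when trying to reset report: " + str(e))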
示例#14
def build_apk(path):
    """
    Builds the exploit APK from the project at <base>/build/<path>.

    <base> is common.buildLocation when that is non-empty, otherwise the
    configured rootDir. Writes local.properties (sdk.dir=<AndroidSDKPath>)
    into the build directory, copies settings.properties next to it when a
    custom build location is used, then runs "./gradlew assembleDebug" and
    prints its output. The working directory is left at the build directory
    and the Gradle exit status is not checked.
    """
    print "------------ Building Exploit APK ------------"
    currentDir = common.getConfig(
        "rootDir") if common.buildLocation == '' else common.buildLocation
    # path is concatenated as given.
    # NOTE(review): confirm callers only pass fixed template directory names.
    os.chdir(currentDir + "/build/" + path)
    # Relative open: created inside the build directory entered above.
    properties = open('local.properties', 'w+')
    # NOTE(review): the switch back before getConfig looks deliberate
    # (settings lookup relative to cwd?) - confirm before reordering.
    os.chdir(currentDir)
    properties.write('sdk.dir=' + common.getConfig('AndroidSDKPath'))
    properties.close()
    os.chdir(currentDir + "/build/" + path)

    # adb expects settings.properties.
    # If building from a different directory need to copy it over to the new build directory
    if common.buildLocation != '':
        try:
            # settings.properties one level above this module's directory.
            settings_properties_path = os.path.abspath(
                os.path.join(os.path.dirname(__file__),
                             '../settings.properties'))
            # Yields "<abs base>/build//<path>"; the doubled slash is harmless on POSIX.
            destination = '{}/{}/{}'.format(os.path.abspath(currentDir),
                                            'build/', path)
            # The whole settings file is copied to both the build directory
            # and the custom build location.
            shutil.copy(settings_properties_path, destination)
            shutil.copy(settings_properties_path, common.buildLocation)
            common.logger.info('TRIED COPYING %s TO %s',
                               settings_properties_path, destination)
        except Exception as e:
            # Best effort: a failed copy is logged and the build still runs.
            common.logger.exception(
                'COPYING SETTINGS.PROPERTIES FROM QARK DIRECTORY FAILED')
            # Recomputed in case the assignment in the try block never ran.
            settings_properties_path = os.path.abspath(
                os.path.join(os.path.dirname(__file__),
                             '../settings.properties'))
            # NOTE(review): "/build/" is absolute, so os.path.join drops
            # currentDir and this message shows /build/<path> rather than
            # the real destination.
            common.logger.debug('TRIED COPYING %s TO %s',
                                settings_properties_path,
                                os.path.join(currentDir, "/build/", path))
            common.logger.debug('currentDir: %s', currentDir)
    # Runs the gradlew script found in the build directory (argv list, no shell).
    p1 = Popen(['./gradlew', "assembleDebug"],
               stdout=PIPE,
               stdin=PIPE,
               stderr=STDOUT,
               bufsize=1)
    # Echo merged stdout/stderr until EOF; the process is never wait()ed on.
    for line in iter(p1.stdout.readline, b''):
        print line,
示例#15
文件: qark.py 项目: zhouat/qark
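def pull_apk(pathOnDevice):
    """
    Copies an APK from the connected device into ./temp with "adb pull".

    Args:
        pathOnDevice: path of the APK on the device.

    Returns:
        The relative local path "temp/<last component of pathOnDevice>".
        The result of the pull itself is not checked.
    """
    # os.path.join works with or without a trailing separator on
    # AndroidSDKPath; plain concatenation required one.
    adb = os.path.join(common.getConfig('AndroidSDKPath'), "platform-tools", "adb")
    st = os.stat(adb)
    # Make sure the adb binary under the configured SDK path is executable.
    os.chmod(adb, st.st_mode | stat.S_IEXEC)
    if not os.path.exists('temp' + "/"):
        os.makedirs('temp' + "/")
    # Only the last component of the device path is used locally, which keeps
    # the pulled file inside temp/.
    # NOTE(review): an empty or ".." last component is not rejected.
    local_path = 'temp/' + str(pathOnDevice).split('/')[-1]
    p0 = Popen([adb, 'pull', pathOnDevice, local_path], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
    for line in p0.stdout:
        print line,
    # Reap the child once its output has been drained.
    p0.wait()
    return local_path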
示例#16
文件: qark.py 项目: AliMehrpour/qark
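def pull_apk(pathOnDevice):
    """
    Pulls an APK off the connected device into the local temp/ directory.

    Runs "adb pull <pathOnDevice> temp/<name>", where <name> is the last
    "/"-separated component of pathOnDevice, echoes adb's output and returns
    the local path. Whether the pull succeeded is not checked.
    """
    # Joined so that an SDK path without a trailing separator still resolves
    # to <sdk>/platform-tools/adb.
    adb = os.path.join(common.getConfig('AndroidSDKPath'), "platform-tools", "adb")
    st = os.stat(adb)
    # Add the execute bit to the adb binary under the configured SDK path.
    os.chmod(adb, st.st_mode | stat.S_IEXEC)
    if not os.path.exists('temp' + "/"):
        os.makedirs('temp' + "/")
    # Computed once and used for both the pull target and the return value.
    # Taking only the last component keeps the file under temp/.
    # NOTE(review): a last component of "" or ".." is passed through as is.
    destination = 'temp/' + str(pathOnDevice).split('/')[-1]
    p0 = Popen([adb, 'pull', pathOnDevice, destination], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
    for line in p0.stdout:
        print line,
    # Output is drained, so waiting here only reaps the child.
    p0.wait()
    return destination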
示例#17
def buildAPK(path):
    """
    Builds the exploit APK from the project at <rootDir>/build/<path>.

    Creates local.properties with sdk.dir=<AndroidSDKPath> in that
    directory, runs "./gradlew assembleDebug" from it and prints the build
    output. The working directory stays at the build directory afterwards;
    the Gradle exit status is not examined.
    """
    print "------------ Building Exploit APK ------------"
    currentDir = common.getConfig("rootDir")
    # path goes into the directory name unchanged.
    # NOTE(review): confirm it is always a fixed template name.
    os.chdir(currentDir + "/build/" + path)
    # Opened relative to the build directory, so it is written beside gradlew.
    properties = open('local.properties', 'w+')
    # NOTE(review): presumably returns to rootDir so getConfig can find its
    # settings - confirm before changing the call order.
    os.chdir(currentDir)
    properties.write('sdk.dir=' + common.getConfig('AndroidSDKPath'))
    properties.close()
    os.chdir(currentDir + "/build/" + path)
    # Executes the wrapper script located in the build directory; the
    # argument list is passed without a shell.
    p1 = Popen(['./gradlew', "assembleDebug"],
               stdout=PIPE,
               stdin=PIPE,
               stderr=STDOUT,
               bufsize=1)
    # Print merged stdout/stderr until the pipe closes; no wait() follows.
    for line in iter(p1.stdout.readline, b''):
        print line,
示例#18
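def downloadSDK():
    """
    Downloads the Android SDK archive from Google and unpacks it.

    The archive (the macOS r24.0.2 build, whatever the host platform) is
    saved under rootDir and extracted into a directory named after it. The
    ZIP is then deleted, AndroidSDKPath is set to
    <extract dir>/android-sdk-macosx/ and runSDKManager() is called.
    """
    # NOTE(review): nothing verifies the archive before it is unpacked and
    # its tools are later run. Compare its SHA-256 against a pinned value
    # (<EXPECTED_SHA256>) before extracting. Also note that urllib2 only
    # validates HTTPS certificates by default from Python 2.7.9 onwards.
    url = "https://dl.google.com/android/android-sdk_r24.0.2-macosx.zip"

    file_name = url.split('/')[-1]
    androidSDKZIP = common.getConfig("rootDir") + "/" + file_name
    u = urllib2.urlopen(url)
    try:
        meta = u.info()
        file_size = int(meta.getheaders("Content-Length")[0])
        common.logger.debug(
            "Downloading: %s \r\n FileName: %s \r\n FileSize: \r\n %s" %
            (url, file_name, file_size))

        # Roughly 1% of the file per read. Never 0: a zero-length read
        # returns an empty string and would end the loop with nothing saved.
        block_sz = max(file_size // 100, 1)
        count = 0
        with open(androidSDKZIP, 'wb') as f:
            while True:
                chunk = u.read(block_sz)
                if not chunk:
                    break

                f.write(chunk)
                count = count + 1
                if count % 10 == 0:
                    sys.stdout.write('\r[{0}] {1}%'.format('#' * (count // 10), count))
                    sys.stdout.flush()
    finally:
        u.close()

    print common.term.cyan + str(
        common.config.get('qarkhelper', 'FILE_DOWNLOADED_TO')
    ) + androidSDKZIP.decode('string-escape').format(t=common.term)
    print common.term.cyan + str(common.config.get(
        'qarkhelper',
        'UNPACKING')) + androidSDKZIP.decode('string-escape').format(
            t=common.term)

    # Extract once. The old loop ran a single time over a one-element list
    # and its KeyError handler could not be reached.
    extract_dir = androidSDKZIP.rsplit(".", 1)[0]
    if not os.path.exists(extract_dir):
        os.makedirs(extract_dir)
    with zipfile.ZipFile(androidSDKZIP) as zf:
        zf.extractall(extract_dir + "/")
    logger.info('Done')
    #We dont need the ZIP file anymore
    os.remove(androidSDKZIP)
    common.writeKey('AndroidSDKPath', extract_dir + "/android-sdk-macosx/")
    runSDKManager()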
示例#19
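def write(identity, data, tag=None):
    """
    Appends a value to the ``<span id=identity>`` element of the HTML report.

    ``data`` is stringified and placed in a new element: a <span> by default,
    or an element named by ``tag``, which also gets class "debug-level".

    On any failure, including a missing report.html,
    ``common.reportInitSuccess`` is set to False and the error is logged at
    debug level.
    """
    try:
        report_path = common.getConfig("rootDir") + "/report/report.html"
        if not os.path.exists(report_path):
            # Still reported as a failure, but without creating an empty
            # report.html the way the unconditional open(..., "w") did.
            raise IOError(report_path + " not found")

        with open(report_path, 'r') as fh:
            pre_rendered_html = BeautifulSoup(fh.read(), 'html5lib')

        if tag is not None:
            new_span_tag = pre_rendered_html.new_tag(tag)
            new_span_tag['class'] = "debug-level"
        else:
            new_span_tag = pre_rendered_html.new_tag("span")
        # Inserted as a text node, so BeautifulSoup escapes it on output.
        new_span_tag.string = str(data)
        pre_rendered_html.find("span", id=identity).append(new_span_tag)

        # Render first: "w" truncates on open, so an error raised while
        # rendering after the open would leave an empty report.
        rendered = str(pre_rendered_html.prettify())
        with open(report_path, "w") as fh:
            fh.write(rendered)
    except Exception as e:
        common.reportInitSuccess=False
        common.logger.debug("Report writing error: " + str(e))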
示例#20
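def write_manifest(data):
    """
    Adds the raw manifest text to the HTML report.

    ``data`` is placed in a new ``<code class="xml">`` element appended to
    ``<pre id="rawmanifest">`` in ``<rootDir>/report/report.html``. Skipped
    entirely unless ``common.reportInitSuccess`` is set. Failures, including
    a missing report file, are logged at debug level and swallowed.
    """
    if not common.reportInitSuccess:
        return
    try:
        report_path = common.getConfig("rootDir") + "/report/report.html"
        if not os.path.exists(report_path):
            # Avoids the old behaviour of creating an empty report.html and
            # then failing on a variable that was never assigned.
            raise IOError(report_path + " not found")

        with open(report_path, 'r') as fh:
            pre_rendered_html = BeautifulSoup(fh.read(), 'html5lib')

        new_code_div = pre_rendered_html.new_tag("code")
        new_code_div['class'] = "xml"
        # data presumably originates from the app being analysed. Setting
        # .string stores it as text, which is escaped when the page is
        # serialized, so it cannot add markup to the report.
        new_code_div.string = data
        pre_rendered_html.find("pre", id="rawmanifest").append(new_code_div)

        # Serialize before opening the file for writing: "w" truncates
        # immediately, and a failure after that point would lose the report.
        rendered = str(pre_rendered_html.prettify())
        with open(report_path, "w") as fh:
            fh.write(rendered)
    except Exception as e:
        common.logger.debug("Error writing manifest: " + str(e))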
示例#21
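def write_counters():
    """
    Writes the per-severity totals into the HTML report.

    The totals are the number of occurrences of "badger-danger",
    "badger-warning", "badger-success" and "debug-level" in the serialized
    report. Each is appended, in a new <div>, to the <h1> with id
    vulnerability_count, warning_count, information_count and debug_count
    respectively. A missing report.html is ignored; other failures are
    logged at debug level and swallowed.
    """
    try:
        report_path = common.getConfig("rootDir") + "/report/report.html"
        if os.path.exists(report_path):
            with open(report_path, 'r') as fh:
                pre_rendered_html = BeautifulSoup(fh.read(), 'html5lib')

            # One serialization serves all four counts.
            # NOTE(review): the markers are matched as plain text anywhere in
            # the page, so finding text that contains a marker inflates the
            # corresponding total - confirm this is acceptable.
            page_text = str(pre_rendered_html)
            counters = (
                ("vulnerability_count", r'badger-danger'),
                ("warning_count", r'badger-warning'),
                ("information_count", r'badger-success'),
                ("debug_count", r'debug-level'),
            )
            # Count everything before the page is modified.
            totals = [(heading_id, len(re.findall(marker, page_text)))
                      for heading_id, marker in counters]
            for heading_id, total in totals:
                new_div_tag = pre_rendered_html.new_tag("div")
                new_div_tag.string = str(total)
                pre_rendered_html.find("h1", id=heading_id).append(new_div_tag)

            # Serialize before the truncating open so a rendering error
            # cannot leave an empty report.
            rendered = str(pre_rendered_html.prettify())
            with open(report_path, "w") as fh:
                fh.write(rendered)
    except Exception as e:
        common.logger.debug("Error in write_counters: " + str(e))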
示例#22
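def run_sdk_manager():
    """
    Installs the SDK packages needed to build the exploit APK.

    Lists the available packages with "android list sdk -a" and keeps the
    leading index of up to five lines that match a fixed set of package
    names. Those are installed with "android update sdk -a --filter ...
    --no-ui", with the license prompts answered automatically. Finally
    calls common.set_environment_variables().
    """
    # Joined rather than concatenated so an SDK path without a trailing
    # separator still resolves to <sdk>/tools/android.
    android = os.path.join(common.getConfig('AndroidSDKPath'), "tools", "android")
    # need to have execute permission on the android executable
    st = os.stat(android)
    os.chmod(android, st.st_mode | stat.S_IEXEC)
    # Android list sdk
    p0 = Popen([android, 'list', 'sdk', '-a'],
               stdout=PIPE,
               stdin=PIPE,
               stderr=STDOUT)
    regexpattern = re.compile(
        r'SDK Platform Android 5.0.1, API 21, revision 2|Android SDK Build-tools, revision 21.1.2|Android Support Repository|Android Support Library|Android SDK Platform-tools'
    )
    selected_filters_list = []
    for line in p0.stdout:
        if regexpattern.search(line):
            common.logger.debug(
                'Selected the following packages for installation:\r\n')
            common.logger.debug(str(line.rstrip()))
            # Keep the text before the first '-' on the line.
            selected_filters_list.append(line.rstrip().split('-')[0].strip())
            if len(selected_filters_list) == 5:
                # All packages needed to compile the exploit APK are selected.
                break
    # Android install build tools  with selected filters in headless mode
    selected_filters = ",".join(selected_filters_list)
    print selected_filters
    # The filter list travels as one argv element; no shell is involved.
    p1 = Popen([
        android, 'update', 'sdk', '-a', '--filter', selected_filters, '--no-ui'
    ],
               stdout=PIPE,
               stdin=PIPE,
               stderr=STDOUT,
               bufsize=1)
    # License acceptance is automated: headless runs send the acceptterms
    # argument, interactive runs send "y".
    # NOTE(review): acceptterms is written as given; confirm it ends with a
    # newline.
    if not common.interactive_mode:
        p1.stdin.write(common.args.acceptterms)
    else:
        p1.stdin.write("y\n")
    for line in iter(p1.stdout.readline, b''):
        print line,
        if "Do you accept the license" in line:
            p1.stdin.flush()
            p1.stdin.write("y\n")
    p1.communicate("y\n")
    common.set_environment_variables()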
示例#23
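def write(identity, data, tag=None):
    """
    Appends ``str(data)`` to the ``<span id=identity>`` element of the report.

    The value is wrapped in a new <span>, or in an element named by ``tag``
    with class "debug-level" when ``tag`` is given.

    Any failure, including a missing report.html, sets
    ``common.reportInitSuccess`` to False and is logged at debug level.
    """
    try:
        report_path = common.getConfig("rootDir") + "/report/report.html"
        if not os.path.exists(report_path):
            # Routed to the handler below so the failure is still signalled.
            # The old unconditional open(..., "w") first created an empty
            # report.html.
            raise IOError(report_path + " not found")

        with open(report_path, 'r') as fh:
            pre_rendered_html = BeautifulSoup(fh.read(), 'html5lib')

        if tag is not None:
            new_span_tag = pre_rendered_html.new_tag(tag)
            new_span_tag['class'] = "debug-level"
        else:
            new_span_tag = pre_rendered_html.new_tag("span")
        # Stored as text, which is escaped when the page is serialized.
        new_span_tag.string = str(data)
        pre_rendered_html.find("span", id=identity).append(new_span_tag)

        # Serialize before the truncating open so a rendering error cannot
        # leave the report empty.
        rendered = str(pre_rendered_html.prettify())
        with open(report_path, "w") as fh:
            fh.write(rendered)
    except Exception as e:
        common.reportInitSuccess = False
        common.logger.debug("Report writing error: " + str(e))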
示例#24
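def run_sdk_manager():
    """
    Runs the SDK manager to install the packages the exploit build needs.

    Reads "android list sdk -a", collects the leading index of up to five
    lines matching a fixed list of package names and passes them as the
    --filter of "android update sdk -a ... --no-ui". License prompts are
    answered automatically. Ends by calling
    common.set_environment_variables().
    """
    # os.path.join tolerates an AndroidSDKPath with or without a trailing
    # separator; string concatenation needed the separator to be there.
    android = os.path.join(common.getConfig("AndroidSDKPath"), "tools", "android")
    # need to have execute permission on the android executable
    st = os.stat(android)
    os.chmod(android, st.st_mode | stat.S_IEXEC)
    # Android list sdk
    p0 = Popen([android, "list", "sdk", "-a"], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
    regexpattern = re.compile(
        r"SDK Platform Android 5.0.1, API 21, revision 2|Android SDK Build-tools, revision 21.1.2|Android Support Repository|Android Support Library|Android SDK Platform-tools"
    )
    selected_filters_list = []
    for line in p0.stdout:
        if regexpattern.search(line):
            common.logger.debug("Selected the following packages for installation:\r\n")
            common.logger.debug(str(line.rstrip()))
            # The text before the first "-" on the line is used as the filter id.
            selected_filters_list.append(line.rstrip().split("-")[0].strip())
            if len(selected_filters_list) == 5:
                # Everything needed to compile the exploit APK has been found.
                break
    # Android install build tools  with selected filters in headless mode
    selected_filters = ",".join(selected_filters_list)
    print selected_filters
    # Passed as a single argv element; the command is not run through a shell.
    p1 = Popen(
        [android, "update", "sdk", "-a", "--filter", selected_filters, "--no-ui"],
        stdout=PIPE,
        stdin=PIPE,
        stderr=STDOUT,
        bufsize=1,
    )
    # The SDK license is accepted without user interaction: the acceptterms
    # argument in headless mode, "y" otherwise.
    # NOTE(review): acceptterms is sent verbatim; confirm it is newline-terminated.
    if not common.interactive_mode:
        p1.stdin.write(common.args.acceptterms)
    else:
        p1.stdin.write("y\n")
    for line in iter(p1.stdout.readline, b""):
        print line,
        if "Do you accept the license" in line:
            p1.stdin.flush()
            p1.stdin.write("y\n")
    p1.communicate("y\n")
    common.set_environment_variables()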
示例#25
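def reset():
    """
    Recreates <rootDir>/report from the bundled template.

    An existing report directory is deleted recursively, <rootDir>/template3
    is copied in its place and its index.html is renamed to report.html.
    Failures are logged at debug level and swallowed.
    """
    try:
        root_dir = common.getConfig("rootDir")
        report_dir = root_dir + "/report"
        # Everything from a previous run, including the old report, is removed.
        if os.path.exists(report_dir):
            shutil.rmtree(report_dir)
        shutil.copytree(root_dir + "/template3", report_dir)
        os.rename(report_dir + "/index.html", report_dir + "/report.html")
    except Exception as e:
        # Log the cause too; the fixed message alone hid why reset failed.
        common.logger.debug("Error when trying to reset report: " + str(e))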
示例#26
def getAndroidSDKManager():
    """
    Ask the user where the Android SDK is, or download it.

    Shows the SDK information text, then asks whether to download the SDK.
    An answer of "y" (any case) calls downloadSDK(). Any other answer leads
    to a prompt for the SDK path, which is saved as AndroidSDKPath and asked
    for again until <path>/tools exists.
    """
    def ask_and_store_path():
        # The entered path is saved before any validation takes place.
        AndroidSDKPath = raw_input(common.config.get('qarkhelper', 'ANDROID_SDK_MANAGER_PATH_PROMPT'))
        common.writeKey('AndroidSDKPath', AndroidSDKPath)

    banner = str(common.config.get('qarkhelper', 'ANDROID_SDK_INFO'))
    print common.term.yellow + banner.decode('string-escape').format(t=common.term)
    print common.term.cyan
    choice = raw_input(common.config.get('qarkhelper', 'GET_ANDROID_SDK_MANAGER_PROMPT'))
    if str(choice).lower() != 'y':
        ask_and_store_path()
        # Validation is limited to the presence of a "tools" entry.
        while not os.path.exists(common.getConfig('AndroidSDKPath') + "/tools"):
            again = str(common.config.get('qarkhelper', 'ANDROID_SDK_MANAGER_PATH_PROMPT_AGAIN'))
            logger.error(again.decode('string-escape'))
            print common.term.cyan
            ask_and_store_path()
    else:
        downloadSDK()
    common.logger.debug("Located SDK")
示例#27
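def downloadSDK():
    """
    Downloads the Android SDK from Google, unpacks it and registers it.

    Fetches the macOS r24.0.2 archive (regardless of host platform) into
    rootDir, extracts it into a directory named after the archive and
    deletes the ZIP. AndroidSDKPath is then set to
    <extract dir>/android-sdk-macosx/ and runSDKManager() is called.
    """
    # NOTE(review): the archive is unpacked, and its tools later executed,
    # without an integrity check. Verify its SHA-256 against a pinned value
    # (<EXPECTED_SHA256>) before extraction. urllib2 also only checks HTTPS
    # certificates by default from Python 2.7.9 onwards.
    url = "https://dl.google.com/android/android-sdk_r24.0.2-macosx.zip"

    file_name = url.split('/')[-1]
    androidSDKZIP = common.getConfig("rootDir") + "/" + file_name
    u = urllib2.urlopen(url)
    try:
        file_size = int(u.info().getheaders("Content-Length")[0])
        common.logger.debug("Downloading: %s \r\n FileName: %s \r\n FileSize: \r\n %s" % (url, file_name, file_size))

        # About 1% of the file per read, but at least one byte: read(0)
        # returns an empty string, which would stop the loop immediately.
        block_sz = max(file_size // 100, 1)
        count = 0
        with open(androidSDKZIP, 'wb') as f:
            while True:
                chunk = u.read(block_sz)
                if not chunk:
                    break

                f.write(chunk)
                count = count + 1
                if count % 10 == 0:
                    sys.stdout.write('\r[{0}] {1}%'.format('#' * (count // 10), count))
                    sys.stdout.flush()
    finally:
        u.close()

    print common.term.cyan + str(common.config.get('qarkhelper','FILE_DOWNLOADED_TO')) + androidSDKZIP.decode('string-escape').format(t=common.term)
    print common.term.cyan + str(common.config.get('qarkhelper','UNPACKING')) + androidSDKZIP.decode('string-escape').format(t=common.term)

    # A single extractall replaces the old one-pass loop, whose KeyError
    # handler could never trigger.
    extract_dir = androidSDKZIP.rsplit(".", 1)[0]
    if not os.path.exists(extract_dir):
        os.makedirs(extract_dir)
    with zipfile.ZipFile(androidSDKZIP) as zf:
        zf.extractall(extract_dir + "/")
    logger.info('Done')
    #We dont need the ZIP file anymore
    os.remove(androidSDKZIP)
    common.writeKey('AndroidSDKPath', extract_dir + "/android-sdk-macosx/")
    runSDKManager()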
示例#28
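def reset():
    """
    Flushes the contents of the report

    Deletes rootDir/report if it exists, recreates it as a copy of
    rootDir/template3 and renames the copied index.html to report.html.
    Failures are logged at debug level, including the exception text, and are
    not re-raised.
    """
    try:
        root_dir = common.getConfig("rootDir")
        report_dir = root_dir + "/report"
        if os.path.exists(report_dir):
            shutil.rmtree(report_dir)
        shutil.copytree(root_dir + "/template3", report_dir)
        os.rename(report_dir + "/index.html", report_dir + "/report.html")
    except Exception as e:
        # Include the cause; a failed reset otherwise leaves no hint why the
        # report directory is missing or half-copied.
        common.logger.debug("Error when trying to reset report: " + str(e))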
示例#29
文件: qark.py 项目: AliMehrpour/qark
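def uninstall(package):
	"""
	Uninstall `package` from the connected device through adb.

	Polls `adb devices` every 5 seconds until it prints more than two lines,
	then runs `pm uninstall`. If the output contains "Failure", a trailing
	"-<digit>" is stripped from the name and the uninstall is tried once more.

	NOTE(review): adb hands everything after `shell` to a shell on the device,
	so `package` should be limited to package-name characters before it gets
	here - confirm what callers pass in. The line count also includes any
	adb daemon start-up messages because stderr is merged into stdout, so it
	is only a rough "device attached" signal.
	"""
	print "trying to uninstall " + package
	adb = common.getConfig('AndroidSDKPath') + "platform-tools/adb"
	# Make sure the adb binary is executable by its owner before running it.
	st = os.stat(adb)
	os.chmod(adb, st.st_mode | stat.S_IEXEC)
	while True:
		p1 = Popen([adb, 'devices'], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
		line_count = sum(1 for _ in p1.stdout)
		# Reap the child so polling does not pile up defunct adb processes.
		p1.wait()
		# If atleast one device is connected
		if line_count > 2:
			break
		common.logger.warning("Waiting for a device to be connected...")
		time.sleep(5)
	first_try = Popen([adb, 'shell', 'pm', 'uninstall', package], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
	output = first_try.communicate()[0]
	if "Failure" in output:
		# Retry once without the numeric suffix, and wait for it to finish.
		package = re.sub(r'-\d$', '', package)
		second_try = Popen([adb, 'shell', 'pm', 'uninstall', package], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
		second_try.communicate()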
示例#30
文件: qark.py 项目: zhouat/qark
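def uninstall(package):
    """
    Remove `package` from the attached Android device using adb.

    Waits (checking every 5 seconds) until `adb devices` prints more than two
    lines, then issues `pm uninstall`. When the output mentions "Failure" the
    name is retried once with a trailing "-<digit>" removed.

    NOTE(review): arguments after `adb shell` are interpreted by a shell on
    the device; `package` should be checked against the package-name
    character set before this call - verify against the callers.
    """
    print "trying to uninstall " + package
    adb = common.getConfig('AndroidSDKPath') + "platform-tools/adb"
    # Add the owner execute bit in case the SDK was unpacked without it.
    mode = os.stat(adb).st_mode
    os.chmod(adb, mode | stat.S_IEXEC)

    device_seen = False
    while not device_seen:
        probe = Popen([adb, 'devices'], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
        lines_printed = 0
        for _ in probe.stdout:
            lines_printed += 1
        # Collect the exit status so finished probes are not left defunct.
        probe.wait()
        # If atleast one device is connected
        if lines_printed > 2:
            device_seen = True
        else:
            common.logger.warning("Waiting for a device to be connected...")
            time.sleep(5)

    attempt = Popen([adb, 'shell', 'pm', 'uninstall', package], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
    result_text, _ = attempt.communicate()
    if "Failure" in result_text:
        # One retry is enough: after the first strip the name no longer
        # changes, so repeating it per output line adds nothing.
        package = re.sub(r'-\d$', '', package)
        retry = Popen([adb, 'shell', 'pm', 'uninstall', package], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
        retry.communicate()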
示例#31
文件: qark.py 项目: AliMehrpour/qark
		parser.error("Please provide a valid Debug level (10,20,30,40,50,60)")

# Start-up sequence of the script: the statements below run in this order at
# import/execution time and several of them touch the filesystem.
exploit_choice = 1

if common.args.version:
	version()

# A value in common.args.basesdk replaces the stored SDK location.
# NOTE(review): the value is only stripped of whitespace, not validated;
# 'AndroidSDKPath' is later used to build the path of the adb binary that
# uninstall() chmods and executes - confirm it points at a trusted SDK.
if common.args.basesdk is not None:
	common.writeKey('AndroidSDKPath', str(common.args.basesdk).strip())

#######################################
#Reset any old report
report.reset()
common.set_environment_variables()
#Copy the exploit code into a separate temp directory
# (only when rootDir/build does not exist yet; an existing build directory is
# reused as-is)
if not os.path.exists(common.getConfig("rootDir") + "/build"):
	shutil.copytree(common.getConfig("rootDir") + "/exploitAPKs", common.getConfig("rootDir") + "/build")

common.logger.info(common.config.get('qarkhelper', 'STARTUP'))

# Fetch the SDK tooling through sdkManager when no installation is detected.
if not sdkManager.is_android_sdk_installed():
	sdkManager.get_android_sdk_manager()
else:
	common.logger.info( common.config.get('qarkhelper', 'SDK_INSTALLATION_IDENTIFIED'))

# Initial value; presumably overwritten once the target manifest is parsed -
# TODO confirm.
common.minSdkVersion=1

def read_files(filename,rex):
	things_to_inspect=[]
	with open(filename) as f:
		content=f.readlines()
示例#32
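def write_adb_commands(identity, sev, data, extra=None, infobartext=None):
    """
    Inserts an ADB command entry at the top of the report <div> with id `identity`.

    identity    -- id of the target <div> in report.html
    sev         -- key into the module-level `badger` and `severity` tables
    data        -- command text, shown inside a <kbd> element
    extra       -- optional dict (of iterables), list or str rendered as a <ul>;
                   a non-empty list nested inside a dict value becomes an <li>
                   headed by its first element, the rest going in a nested <ul>
    infobartext -- optional label that replaces severity[sev] in data-badger

    Text and attribute values are assigned to bs4 tags instead of being
    concatenated into markup, so they are escaped when the document is
    serialised. Errors are logged at debug level and never raised.
    """
    try:
        report_path = common.getConfig("rootDir") + "/report/report.html"
        if not os.path.exists(report_path):
            # Previously the write at the end still ran in this case, creating
            # an empty report.html before failing on the undefined document.
            common.logger.debug("Error writing ADB commands to report: report.html not found")
            return

        with open(report_path, 'r') as fh:
            pre_rendered_html = BeautifulSoup(fh.read(), 'html5lib')

        def make_li(text):
            # <li> whose text goes through .string, i.e. is escaped on output.
            li_tag = pre_rendered_html.new_tag("li")
            li_tag.string = text
            return li_tag

        new_div_tag = pre_rendered_html.new_tag("div")
        new_div_tag['class'] = badger[sev]
        if infobartext is not None:
            new_div_tag['data-badger'] = infobartext
        else:
            new_div_tag['data-badger'] = severity[sev]
        new_kbd_tag = pre_rendered_html.new_tag("kbd")
        new_kbd_tag.string = data

        new_ul_tag = pre_rendered_html.new_tag("ul")

        if extra is not None:
            if isinstance(extra, dict):
                for values in extra.values():
                    for entry in values:
                        if not isinstance(entry, list):
                            new_ul_tag.append(make_li(entry))
                        elif len(entry) > 0:
                            # First element heads the item, the remainder
                            # becomes a nested list underneath it.
                            head_li = make_li(entry[0])
                            nested_ul = pre_rendered_html.new_tag("ul")
                            for sub_entry in entry[1:]:
                                nested_ul.append(make_li(sub_entry))
                            head_li.append(nested_ul)
                            new_ul_tag.append(head_li)
            elif isinstance(extra, list):
                for entry in extra:
                    new_ul_tag.append(make_li(entry))
            elif isinstance(extra, str):
                new_ul_tag.append(make_li(extra))
            else:
                common.logger.debug(
                    "Not a valid type of object in terminalPrint extras")

        new_div_tag.append(new_kbd_tag)
        new_div_tag.append(new_ul_tag)
        pre_rendered_html.find("div", id=identity).insert(0, new_div_tag)

        # Serialise before reopening the file: mode "w" truncates, so a failure
        # in prettify()/str() must not be able to wipe the existing report.
        rendered = str(pre_rendered_html.prettify())
        with open(report_path, "w") as fh:
            fh.write(rendered)
    except Exception as e:
        common.logger.debug("Error writing ADB commands to report: " + str(e))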
示例#33
文件: qark.py 项目: zhouat/qark
            parser.error("Please provide a valid Debug level (10,20,30,40,50,60)")

    exploit_choice = 1

    if common.args.version:
        version()

    if common.args.basesdk is not None:
        common.writeKey('AndroidSDKPath', str(common.args.basesdk).strip())

    #######################################
    #Reset any old report
    report.reset()
    common.set_environment_variables()
    #Copy the exploit code into a separate temp directory
    if not os.path.exists(common.getConfig("rootDir") + "/build"):
        shutil.copytree(common.getConfig("rootDir") + "/exploitAPKs", common.getConfig("rootDir") + "/build")

    common.logger.info(common.config.get('qarkhelper', 'STARTUP'))

    if not sdkManager.is_android_sdk_installed():
        sdkManager.get_android_sdk_manager()
    else:
        common.logger.info( common.config.get('qarkhelper', 'SDK_INSTALLATION_IDENTIFIED'))

    common.minSdkVersion=1

    #Begin
    common.logger.info('Initializing QARK\n')
    common.checkJavaVersion()
示例#34
def writeSection(sec, data_list):
    """
    Adds one INFO-badged entry per source file to a section of report.html.

    sec       -- key into the module-level `section` table; entries are appended
                 to the <div> whose id is section[sec] + "-issues-list"
    data_list -- iterable of findings; only ReportIssue instances are used

    Findings are grouped by item.getFile(). File names and detail strings are
    attached through Tag.string rather than pasted in as markup, so
    BeautifulSoup escapes them when the report is serialised.
    NOTE(review): presumably these strings come from the analysed app and are
    untrusted - keep them on the .string path when changing this function.

    Any exception is logged at debug level and swallowed.
    """
    try:
        # The read handle is never closed explicitly.
        pre_rendered = open(
            common.getConfig("rootDir") + "/report/report.html", 'r').read()
        pre_rendered_html2 = BeautifulSoup(pre_rendered, 'html5lib')

        list_of_files = []
        #Gather unique files (first-seen order, linear membership test)
        for item in data_list:
            if isinstance(item, ReportIssue):
                if item.getFile() in list_of_files:
                    pass
                else:
                    list_of_files.append(item.getFile())

        #Consolidate issues by filename
        for file in list_of_files:
            issues = {}
            details = []
            file_name = "No Filename provided"
            for item in data_list:
                if isinstance(item, ReportIssue):
                    if file == item.getFile():
                        file_name = str(item.getFile())
                        # Extras are only collected for items that have details.
                        if item.getDetails() is not None:
                            details.append(item.getDetails())
                            for key, value in item.getExtras().iteritems():
                                # `issues` is filled here but not read again
                                # anywhere in this function.
                                issues[key] = value

            #Construct HTML blob
            # NOTE(review): of the tags built below, only new_div_tag_1 is
            # attached to the parsed document (see the find(...).append near
            # the end). As far as this function shows, the blockquote-box /
            # collapse-group subtree is never inserted into the report.
            new_tag_webview_issue = pre_rendered_html2.new_tag("div")

            new_tag_webview_issue['class'] = str(section[sec] + "-issue")

            new_div_image_tag = pre_rendered_html2.new_tag("div")
            new_div_image_tag['class'] = "blockquote-box clearfix"

            new_div_image_square_tag = pre_rendered_html2.new_tag("div")
            new_div_image_square_tag['class'] = "square pull-left"

            new_glyphicon_tag = pre_rendered_html2.new_tag("span")
            new_glyphicon_tag['class'] = "glyphicon glyphicon-list-alt white"

            new_div_image_square_tag.append(new_glyphicon_tag)

            new_div_image_tag.append(new_div_image_square_tag)

            # Variable is named h4 but the tag created is an <h6>.
            new_tag_h4 = pre_rendered_html2.new_tag("h6")

            new_div_image_tag.append(new_tag_h4)

            new_code_tag = pre_rendered_html2.new_tag("code")

            new_p_class = pre_rendered_html2.new_tag("p")
            new_p_class['class'] = "clip-ellipsis"
            # file_name[-0:] is the whole string, so only names longer than 85
            # characters are cut (to their last 75); the "..." prefix is added
            # in both cases.
            if len(file_name) > 85:
                trim = 75
            else:
                trim = 0
            new_code_tag.string = '...{}'.format(file_name[-trim:])
            new_p_class.append(new_code_tag)
            new_div_image_tag.append(new_p_class)

            # The same Tag object is appended twice.
            br_tag = pre_rendered_html2.new_tag("br")
            new_div_image_tag.append(br_tag)
            new_div_image_tag.append(br_tag)

            new_tag_div = pre_rendered_html2.new_tag("div")
            new_tag_div['class'] = "span4 collapse-group"

            # Creates a tag whose name is literally "br/".
            new_br_tag_1 = pre_rendered_html2.new_tag("br/")

            new_tag_div.insert(0, new_br_tag_1)

            new_tag_p = pre_rendered_html2.new_tag("p")
            new_tag_div.append(new_tag_p)
            new_div_image_tag.append(new_tag_div)

            new_tag_a = pre_rendered_html2.new_tag("a")
            new_tag_a['class'] = "collapse-button"
            new_tag_a.string = "View details >>"

            new_tag_p.append(new_tag_a)

            new_tag_p_details = pre_rendered_html2.new_tag("div")
            new_tag_p_details['class'] = "collapse"
            # "File: <code>name</code>" label; the full, untrimmed file name.
            new_strong_tag = pre_rendered_html2.new_tag("strong")
            new_strong_tag.string = "File: "
            new_code_tag = pre_rendered_html2.new_tag("code")
            new_code_tag.string = file_name
            new_strong_tag.append(new_code_tag)

            # The label is nested inside the "br/" tag created above.
            new_br_tag_1.append(new_strong_tag)

            new_h4_tag = pre_rendered_html2.new_tag("h4")
            #new_small_tag = pre_rendered_html2.new_tag("small")
            # new_strong_tag is rebound here; the "File: " tag stays reachable
            # through new_br_tag_1.
            new_strong_tag = pre_rendered_html2.new_tag("strong")
            new_strong_tag['class'] = "details"
            new_ul_tag = pre_rendered_html2.new_tag("ul")
            new_div_tag = pre_rendered_html2.new_tag("div")
            data = ""
            count = 0
            # One <li> per detail string, alternating row-even / row-odd.
            for item in details:

                # new_br_tag is created but not used afterwards.
                new_br_tag = pre_rendered_html2.new_tag("br/")

                new_li_tag = pre_rendered_html2.new_tag("li")
                new_li_tag.string = item
                if count % 2 == 0:
                    new_li_tag['class'] = "row-even"
                else:
                    new_li_tag['class'] = "row-odd"
                count = count + 1
                new_ul_tag.append(new_li_tag)
                # The same ul/div/strong objects are re-appended on every
                # iteration; with no details the <h4> stays empty.
                new_div_tag.append(new_ul_tag)

                new_strong_tag.append(new_div_tag)
                #new_small_tag.append(new_strong_tag)
                new_h4_tag.append(new_strong_tag)

            # Container that ends up in the report; always badged as INFO.
            new_div_tag_1 = pre_rendered_html2.new_tag("div")
            new_div_tag_1['class'] = badger[Severity.INFO]
            new_div_tag_1['data-badger'] = severity[Severity.INFO]

            # new_br_tag_1 was inserted into new_tag_div earlier; presumably
            # bs4 moves it here rather than copying it - TODO confirm.
            new_div_tag_1.append(new_br_tag_1)
            new_div_tag_1.append(new_h4_tag)

            new_tag_p_details.append(new_div_tag_1)

            new_tag_div.append(new_tag_p_details)
            new_div_image_tag.append(new_tag_div)

            # A missing target div makes find() return None; the resulting
            # AttributeError is caught by the handler below.
            pre_rendered_html2.find(
                "div",
                id=str(section[sec] + "-issues-list")).append(new_div_tag_1)

            # Runs inside the per-file loop: the whole report is rewritten once
            # per file, and not at all when no ReportIssue was found.
            with open(
                    common.getConfig("rootDir") + "/report/report.html",
                    "w") as fh:
                fh.write(str(pre_rendered_html2.prettify()))
            # Redundant: the with-block has already closed fh.
            fh.close()
    except Exception as e:
        # Best effort: the report may be left partially updated.
        logger.debug(e.message)
        logger.debug(e)
示例#35
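def download_sdk():
    """
    Download the SDK from Google

    Picks the Linux or macOS archive from sys.platform, downloads it into
    rootDir, unpacks it into a directory named after the archive (last
    extension stripped), stores the unpacked location under the
    'AndroidSDKPath' config key, deletes the archive and calls
    run_sdk_manager().

    NOTE(review): the archive is unpacked and its tools are executed later,
    yet nothing here checks its integrity. Pin the expected SHA-256 of each
    release and compare a hashlib digest of the downloaded file before
    extracting. urllib2 only validates TLS certificates by default from
    Python 2.7.9 on, so HTTPS alone is not a sufficient guarantee on older
    interpreters.
    """
    url_macosx = "https://dl.google.com/android/android-sdk_r24.0.2-macosx.zip"
    url_linux = "https://dl.google.com/android/android-sdk_r24.3.4-linux.tgz"

    # sys.platform is "linux2" on Python 2 but "linux" on Python 3; matching
    # the prefix covers both. Every other platform gets the macOS archive.
    is_linux = sys.platform.startswith("linux")
    url = url_linux if is_linux else url_macosx

    file_name = url.split("/")[-1]
    androidSDKZIP = common.getConfig("rootDir") + "/" + file_name
    u = urllib2.urlopen(url)
    try:
        meta = u.info()
        file_size = int(meta.getheaders("Content-Length")[0])
        common.logger.debug("Downloading: %s \r\n FileName: %s \r\n FileSize: \r\n %s" % (url, file_name, file_size))

        # About 1% of the file per read, so `count` doubles as a percentage.
        # Never 0: read(0) returns '' and would end the loop immediately.
        block_sz = max(1, file_size // 100)
        count = 0
        with open(androidSDKZIP, "wb") as f:
            while True:
                buffer = u.read(block_sz)
                if not buffer:
                    break

                f.write(buffer)
                count = count + 1
                if count % 10 == 0:
                    sys.stdout.write("\r[{0}] {1}%".format("#" * (count // 10), count))
                    sys.stdout.flush()
    finally:
        # Release the connection even when the transfer fails part-way.
        u.close()

    shown_path = androidSDKZIP.decode("string-escape").format(t=common.term)
    print common.term.cyan + str(common.config.get("qarkhelper", "FILE_DOWNLOADED_TO")) + shown_path
    print common.term.cyan + str(common.config.get("qarkhelper", "UNPACKING")) + shown_path

    target_dir = androidSDKZIP.rsplit(".", 1)[0]
    if is_linux:
        try:
            if not os.path.exists(target_dir):
                os.makedirs(target_dir)
            # NOTE(review): extract() is defined elsewhere; confirm it refuses
            # archive members with absolute paths or ".." components.
            extract(androidSDKZIP, target_dir)
        except Exception as e:
            logger.error(str(e))
        common.writeKey("AndroidSDKPath", target_dir + "/android-sdk-linux/")
    else:
        zf = zipfile.ZipFile(androidSDKZIP)
        try:
            if not os.path.exists(target_dir):
                os.makedirs(target_dir)
            # extractall() already unpacks every member; no per-name loop needed.
            zf.extractall(target_dir + "/")
        except Exception as e:
            logger.error(str(e))
        else:
            logger.info("Done")
        finally:
            zf.close()
        common.writeKey("AndroidSDKPath", target_dir + "/android-sdk-macosx/")
    # We dont need the ZIP file anymore
    os.remove(androidSDKZIP)
    run_sdk_manager()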
示例#36
def writeSection(sec,data_list):
    """
    Appends one INFO entry per reported file to a section of report.html.

    sec       -- key into the module-level `section` table; the target is the
                 <div> with id section[sec] + "-issues-list"
    data_list -- iterable of findings; items that are not ReportIssue
                 instances are ignored

    File names and detail strings are set through Tag.string, never built
    into markup by hand, so BeautifulSoup escapes them on serialisation.
    NOTE(review): these values presumably derive from the app under analysis;
    treat them as untrusted and keep using .string for them.

    Exceptions are logged at debug level and not propagated.
    """
    try:
        # No explicit close on the read handle.
        pre_rendered = open(common.getConfig("rootDir") + "/report/report.html",'r').read()
        pre_rendered_html2 = BeautifulSoup(pre_rendered,'html5lib')

        list_of_files = []
        #Gather unique files, keeping first-seen order
        for item in data_list:
            if isinstance(item, ReportIssue):
                if item.getFile() in list_of_files:
                    pass
                else:
                    list_of_files.append(item.getFile())

        #Consolidate issues by filename
        for file in list_of_files:
            issues = {}
            details = []
            file_name = "No Filename provided"
            for item in data_list:
                if isinstance(item, ReportIssue):
                    if file == item.getFile():
                        file_name = str(item.getFile())
                        # Items without details contribute no extras either.
                        if item.getDetails() is not None:
                            details.append(item.getDetails())
                            for key, value in item.getExtras().iteritems():
                                # Written here, never read later in this function.
                                issues[key]=value

            #Construct HTML blob
            # NOTE(review): only new_div_tag_1 is attached to the document at
            # the end of this loop body; the other containers built here
            # (blockquote-box, collapse-group, ...) are not inserted into the
            # report as far as this function shows.
            new_tag_webview_issue = pre_rendered_html2.new_tag("div")

            new_tag_webview_issue['class']=str(section[sec] + "-issue")

            new_div_image_tag = pre_rendered_html2.new_tag("div")
            new_div_image_tag['class']="blockquote-box clearfix"

            new_div_image_square_tag = pre_rendered_html2.new_tag("div")
            new_div_image_square_tag['class']="square pull-left"

            new_glyphicon_tag = pre_rendered_html2.new_tag("span")
            new_glyphicon_tag['class']="glyphicon glyphicon-list-alt white"

            new_div_image_square_tag.append(new_glyphicon_tag)

            new_div_image_tag.append(new_div_image_square_tag)

            # Despite the variable name this is an <h6>.
            new_tag_h4 = pre_rendered_html2.new_tag("h6")

            new_div_image_tag.append(new_tag_h4)

            new_code_tag = pre_rendered_html2.new_tag("code")

            new_p_class = pre_rendered_html2.new_tag("p")
            new_p_class['class']="clip-ellipsis"
            # With trim == 0 the slice [-0:] yields the full name; names over
            # 85 characters keep only their last 75. "..." is always prefixed.
            if len(file_name)>85:
                trim = 75
            else:
                trim = 0
            new_code_tag.string = '...{}'.format(file_name[-trim:])
            new_p_class.append(new_code_tag)
            new_div_image_tag.append(new_p_class)

            # One Tag object, appended twice.
            br_tag = pre_rendered_html2.new_tag("br")
            new_div_image_tag.append(br_tag)
            new_div_image_tag.append(br_tag)

            new_tag_div = pre_rendered_html2.new_tag("div")
            new_tag_div['class']="span4 collapse-group"

            # The tag name passed to new_tag is literally "br/".
            new_br_tag_1 = pre_rendered_html2.new_tag("br/")

            new_tag_div.insert(0, new_br_tag_1)

            new_tag_p = pre_rendered_html2.new_tag("p")
            new_tag_div.append(new_tag_p)
            new_div_image_tag.append(new_tag_div)

            new_tag_a = pre_rendered_html2.new_tag("a")
            new_tag_a['class']="collapse-button"
            new_tag_a.string = "View details >>"


            new_tag_p.append(new_tag_a)

            new_tag_p_details = pre_rendered_html2.new_tag("div")
            new_tag_p_details['class']="collapse"
            # Label "File: " followed by the untrimmed file name in <code>.
            new_strong_tag = pre_rendered_html2.new_tag("strong")
            new_strong_tag.string = "File: "
            new_code_tag = pre_rendered_html2.new_tag("code")
            new_code_tag.string = file_name
            new_strong_tag.append(new_code_tag)


            # The label becomes a child of the "br/" tag.
            new_br_tag_1.append(new_strong_tag)



            new_h4_tag = pre_rendered_html2.new_tag("h4")
            #new_small_tag = pre_rendered_html2.new_tag("small")
            # Rebinds new_strong_tag; the label tag remains under new_br_tag_1.
            new_strong_tag = pre_rendered_html2.new_tag("strong")
            new_strong_tag['class']="details"
            new_ul_tag = pre_rendered_html2.new_tag("ul")
            new_div_tag = pre_rendered_html2.new_tag("div")
            data = ""
            count = 0
            # Each detail string becomes an <li> with alternating row classes.
            for item in details:

                # Created on every pass but not used afterwards.
                new_br_tag = pre_rendered_html2.new_tag("br/")

                new_li_tag = pre_rendered_html2.new_tag("li")
                new_li_tag.string = item
                if count % 2 == 0:
                    new_li_tag['class'] = "row-even"
                else:
                    new_li_tag['class'] = "row-odd"
                count = count + 1
                new_ul_tag.append(new_li_tag)
                # The wrappers are re-appended each pass (same objects); if
                # `details` is empty the <h4> ends up with no children.
                new_div_tag.append(new_ul_tag)

                new_strong_tag.append(new_div_tag)
                #new_small_tag.append(new_strong_tag)
                new_h4_tag.append(new_strong_tag)



            # The element that is finally placed in the report; fixed INFO badge.
            new_div_tag_1 = pre_rendered_html2.new_tag("div")
            new_div_tag_1['class'] = badger[Severity.INFO]
            new_div_tag_1['data-badger'] = severity[Severity.INFO]

            # new_br_tag_1 already sits in new_tag_div; presumably bs4
            # re-parents it on this append - TODO confirm.
            new_div_tag_1.append(new_br_tag_1)
            new_div_tag_1.append(new_h4_tag)

            new_tag_p_details.append(new_div_tag_1)


            new_tag_div.append(new_tag_p_details)
            new_div_image_tag.append(new_tag_div)

            # find() returns None when the target div is absent; the
            # AttributeError that follows is handled by the except below.
            pre_rendered_html2.find("div", id=str(section[sec] + "-issues-list")).append(new_div_tag_1)

            # Inside the per-file loop: the report is rewritten for every file
            # and left untouched when there are no ReportIssue items.
            with open(common.getConfig("rootDir") + "/report/report.html", "w") as fh:
                fh.write(str(pre_rendered_html2.prettify()))
            # Redundant after the with-block.
            fh.close()
    except Exception as e:
        # Best effort only; a failure can leave the report partly updated.
        logger.debug(e.message)
        logger.debug(e)