withsecurelabs / jandroid
License: BSD 3-Clause "New" or "Revised" License
Hello,
Thanks for the tool.
I'm trying to make the filter work on an application created for that.
I use the default template for "JSbridgeBrowsable"
and I got this AndroidManifest.xml:
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="fr.neolexsecurity.myvulnapp">
    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/AppTheme">
        <activity android:name=".VulnActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <data android:scheme="http" />
                <data android:scheme="https" />
                <data android:scheme="about" />
                <category android:name="android.intent.category.BROWSABLE" />
            </intent-filter>
        </activity>
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>
But I get _IDENTIFIED_LOOKFOR : 0:
DEBUG Analysing <Element activity at 0x7f9b08414908> against template {'BASEPATH': 'manifest->application->activity OR manifest->application->activity-alias', 'SEARCHPATH': {'intent-filter': {'action': {'LOOKFOR': {'TAGVALUEMATCH': '<NAMESPACE>:name=android.intent.action.VIEW'}, '_EXPECTED_LOOKFOR': 1, '_IDENTIFIED_LOOKFOR': 0, '_SATISFIED_LOOKFOR': False}, 'category': {'LOOKFOR': {'TAGVALUEMATCH': '<NAMESPACE>:name=android.intent.category.BROWSABLE'}, '_EXPECTED_LOOKFOR': 1, '_IDENTIFIED_LOOKFOR': 0, '_SATISFIED_LOOKFOR': False}, 'data': {'RETURN': ['<NAMESPACE>:host AS @host', '<NAMESPACE>:scheme AS @scheme']}}}, 'RETURN': ['<smali>:<NAMESPACE>:name AS @activity_name']}.
and
DEBUG Analysing <Element intent-filter at 0x7f9b08414e08> against template {'action': {'LOOKFOR': {'TAGVALUEMATCH': '<NAMESPACE>:name=android.intent.action.VIEW'}, '_EXPECTED_LOOKFOR': 1, '_IDENTIFIED_LOOKFOR': 0, '_SATISFIED_LOOKFOR': False}, 'category': {'LOOKFOR': {'TAGVALUEMATCH': '<NAMESPACE>:name=android.intent.category.BROWSABLE'}, '_EXPECTED_LOOKFOR': 1, '_IDENTIFIED_LOOKFOR': 0, '_SATISFIED_LOOKFOR': False}, 'data': {'RETURN': ['<NAMESPACE>:host AS @host', '<NAMESPACE>:scheme AS @scheme']}}.
Do you have an idea where the problem is?
Thank you.
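What the manifest part of the template is meant to pick out can be checked independently of Jandroid. The following is an added example in Python, not Jandroid's own code: it parses the manifest posted above (embedded as a constructed sample, trimmed to the relevant elements) and lists every activity or activity-alias reachable through a BROWSABLE VIEW intent-filter, together with the schemes and hosts it accepts.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: the manifest from the issue above, trimmed to the
# elements the check needs.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="fr.neolexsecurity.myvulnapp">
  <application>
    <activity android:name=".VulnActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <data android:scheme="http" />
        <data android:scheme="https" />
        <data android:scheme="about" />
        <category android:name="android.intent.category.BROWSABLE" />
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def _attr(elem, name):
    # Manifest attributes live in the android: namespace.
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def browsable_view_activities(manifest_xml):
    """Return [(activity_name, [(scheme, host), ...])] for every activity or
    activity-alias whose intent-filter has ACTION_VIEW and CATEGORY_BROWSABLE,
    i.e. an entry point that a web page can open through a link."""
    app = ET.fromstring(manifest_xml).find("application")
    found = []
    for act in ([] if app is None else
                app.findall("activity") + app.findall("activity-alias")):
        for flt in act.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            cats = {_attr(c, "name") for c in flt.findall("category")}
            if ("android.intent.action.VIEW" in actions
                    and "android.intent.category.BROWSABLE" in cats):
                # A <data> element with a scheme but no host matches any host.
                data = [(_attr(d, "scheme"), _attr(d, "host"))
                        for d in flt.findall("data")]
                found.append((_attr(act, "name"), data))
    return found
```

For the posted manifest this yields only .VulnActivity, with http, https and about schemes and no host restriction, which is exactly the surface the JSbridgeBrowsable template is looking for.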
I got nothing in the Jandroid output HTML. I'm sure that:
But I got this message in the log: {'bug_obj': {'JSbridgeBrowsable': False}
I'm not sure whether it is a bug, or the target APK just missed the template, or something else is wrong. It would be nice if you could provide a vulnerable APK that Jandroid can detect, in order to prove that Jandroid is working properly.
I want to reproduce the case you used at Mobile Pwn2Own 2017, the Directory Traversal during Unzip in Samsung Notes.
My template is below, but it didn't work and output '{'bug_obj': {'JSbridgeBrowsable': False, 'zip4jExtractAll': False}, 'graph_list': []}'.
Could you help me improve it?
{
  "METADATA": {
    "NAME": "zip4jExtractAll"
  },
  "MANIFESTPARAMS": {
    "BASEPATH": "manifest->application->activity OR manifest->application->activity-alias",
    "SEARCHPATH": {
      "intent-filter": {
        "action": {
          "LOOKFOR": {
            "TAGVALUEMATCH": "<NAMESPACE>:name=android.intent.action.VIEW"
          }
        }
      }
    },
    "RETURN": ["<smali>:<NAMESPACE>:name AS @activity_name"]
  },
  "CODEPARAMS": {
    "SEARCH": {
      "SEARCHFORCALLTOMETHOD": {
        "METHOD": "Lnet/lingala/zip4j/core/ZipFile;->extractAll",
        "RETURN": "<class> AS @zip4j"
      }
    },
    "TRACE": {
      "TRACEFROM": "<method>:@zip4j[]->extractAll(Ljava/lang/String;)V",
      "TRACETO": "<class>:@activity_name",
      "TRACELENGTHMAX": 20,
      "RETURN": "<tracepath> AS @tracepath_zip4jextractall"
    }
  },
  "GRAPH": "@tracepath_zip4jextractall WITH <method>:<desc>:<class> AS attribute=nodename"
}
Hello,
I'm trying to use this template, which I built from the advanced trace example, to identify a controllable URI passed from an intent to a WebView.
{
  "METADATA": {
    "NAME": "Uri from intent to webview"
  },
  "MANIFESTPARAMS": {
    "BASEPATH": "manifest->application->activity OR manifest->application->activity-alias",
    "SEARCHPATH": {
      "intent-filter": {
        "action": {
          "LOOKFOR": {
            "TAGVALUEMATCH": "<NAMESPACE>:name=android.intent.action.VIEW"
          }
        },
        "category": {
          "LOOKFOR": {
            "TAGVALUEMATCH": "<NAMESPACE>:name=android.intent.category.BROWSABLE"
          }
        },
        "data": {
          "RETURN": ["<NAMESPACE>:host AS @host", "<NAMESPACE>:scheme AS @scheme"]
        }
      }
    },
    "RETURN": ["<smali>:<NAMESPACE>:name AS @activity_name"]
  },
  "CODEPARAMS": {
    "TRACE": {
      "TRACETYPE": "ADVANCED",
      "TRACEFROM": "ARGTO <method>:Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V ARGINDEX 1",
      "TRACELENGTHMAX": 10,
      "TRACETO": "RESULTOF Landroid/content/Intent;->getData()Landroid/net/Uri;",
      "RETURN": "<tracepath> AS @tracepath_browsablejsbridge"
    }
  },
  "GRAPH": "@tracepath_browsablejsbridge WITH <method>:<desc>:<class> AS attribute=nodename"
}
The smali code of the class I'm trying to detect is:
.class public Lcom/vuln/jandroid/VulnActivity;
.super Landroid/app/Activity;
.source "VulnActivity.java"

# direct methods
.method public constructor <init>()V
    .locals 0

    .line 11
    invoke-direct {p0}, Landroid/app/Activity;-><init>()V

    return-void
.end method

# virtual methods
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 2

    .line 17
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    const p1, 0x7f0b001d

    .line 18
    invoke-virtual {p0, p1}, Lcom/vuln/jandroid/VulnActivity;->setContentView(I)V

    .line 19
    new-instance p1, Landroid/webkit/WebView;

    invoke-direct {p1, p0}, Landroid/webkit/WebView;-><init>(Landroid/content/Context;)V

    .line 20
    new-instance v0, Lcom/vuln/jandroid/BridgeJS;

    invoke-direct {v0}, Lcom/vuln/jandroid/BridgeJS;-><init>()V

    const-string v1, "injectedObject"

    invoke-virtual {p1, v0, v1}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V

    .line 21
    invoke-virtual {p0, p1}, Lcom/vuln/jandroid/VulnActivity;->setContentView(Landroid/view/View;)V

    .line 22
    invoke-virtual {p0}, Lcom/vuln/jandroid/VulnActivity;->getIntent()Landroid/content/Intent;

    move-result-object v0

    .line 23
    invoke-virtual {v0}, Landroid/content/Intent;->getData()Landroid/net/Uri;

    move-result-object v0

    invoke-static {v0}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object v0

    .line 24
    invoke-virtual {p1, v0}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V

    return-void
.end method
I also tried with the Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;
string, but it's not working either.
I attached the debug output of Jandroid and the APK in a zip file:
Do you have an idea of where the problem is?
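The trace the template asks for (the result of Intent.getData() flowing into the String argument of WebView.loadUrl()) can be sketched as a small intra-method taint walk over the posted smali. The code below is an added example, not Jandroid's tracer; its argument indexing (0 = receiver register, 1 = first real argument) is my own convention and not a statement about Jandroid's ARGINDEX semantics, and the smali is a constructed sample copied from the onCreate body above.

```python
import re

# Patterns for the three instruction shapes the walk cares about.
INVOKE = re.compile(r"^\s*invoke-[a-z/]+\s*\{([^}]*)\},\s*(\S+)")
MOVE_RESULT = re.compile(r"^\s*move-result(?:-object|-wide)?\s+(\S+)")
WRITES_REG = re.compile(r"^\s*(?:const[\w/-]*|new-instance)\s+(\S+),")

SOURCE = "Landroid/content/Intent;->getData()Landroid/net/Uri;"
SINK = "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V"
SINK_ARGINDEX = 1  # my convention: 0 is the receiver, 1 the String url

# Constructed sample: the tail of onCreate from the issue's VulnActivity smali.
SMALI = """\
    invoke-virtual {p0}, Lcom/vuln/jandroid/VulnActivity;->getIntent()Landroid/content/Intent;
    move-result-object v0
    invoke-virtual {v0}, Landroid/content/Intent;->getData()Landroid/net/Uri;
    move-result-object v0
    invoke-static {v0}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;
    move-result-object v0
    invoke-virtual {p1, v0}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V
    return-void
"""

def taint_hits(smali, source=SOURCE, sink=SINK, arg_index=SINK_ARGINDEX):
    """Return the 1-based line numbers at which a register holding (a value
    derived from) the source's result is passed as argument arg_index to the
    sink. Any call that receives a tainted register is assumed to return a
    tainted value, so String.valueOf() keeps the taint alive."""
    tainted, pending, hits = set(), False, []
    for no, line in enumerate(smali.splitlines(), 1):
        m = INVOKE.match(line)
        if m:
            regs = [r.strip() for r in m.group(1).split(",") if r.strip()]
            target = m.group(2)
            if target == sink and len(regs) > arg_index and regs[arg_index] in tainted:
                hits.append(no)
            pending = target == source or any(r in tainted for r in regs)
            continue
        m = MOVE_RESULT.match(line)
        if m:  # the previous invoke's return value lands here
            (tainted.add if pending else tainted.discard)(m.group(1))
            pending = False
            continue
        m = WRITES_REG.match(line)
        if m:  # a fresh constant or object overwrites the register
            tainted.discard(m.group(1))
    return hits
```

Range invokes such as {p0 .. p2}, register moves and control flow are not handled; the point is only to make the expected source-to-sink path in this method visible so the template's TRACEFROM/TRACETO can be compared against it.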
As onCreate.get_xref_from() returns nothing, how can I track an API like onCreate being called by a browsable Activity via startActivity?
Also, startActivity.get_xref_to() returns nothing either.
name 'AnalyzeDEX' is not defined.
Hello,
I think it would be nice to save the class name of the vulnerable function in the JSON response.
Right now you know there is a bug but not where, only the name of the bug, right?
Hello, I want to analyse a Multidex app, but something went wrong.
JANDROID
INFO Creating template object.
INFO 1 potential template(s) found.
DEBUG Parsing /Users/Desktop/tools/android/Jandroid/templates/android/sample_basic_browsable_jsbridge.template
INFO Initiating Android analysis.
INFO Performing basic checks. Please wait.
INFO Basic checks complete.
INFO Beginning analysis...
DEBUG 8 app(s) to analyse, using 2 thread(s).
DEBUG Created worker process 0
DEBUG Created worker process 1
INFO Analysing 5.dex in worker thread 1.
INFO Analysing 4.dex in worker thread 0.
WARNING Error analysing 5.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.
WARNING Error analysing 4.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.
INFO Analysing 2.dex in worker thread 0.
WARNING Error analysing 2.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.
INFO Analysing 6.dex in worker thread 1.
WARNING Error analysing 6.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.
INFO Analysing 3.dex in worker thread 0.
WARNING Error analysing 3.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.
INFO Analysing 1.dex in worker thread 1.
WARNING Error analysing 1.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.
INFO Analysing 0.dex in worker thread 0.
WARNING Error analysing 0.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.
INFO Analysing 8.dex in worker thread 1.
WARNING Error analysing 8.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.
INFO Finished analysing apps.
INFO Creating custom graph.
INFO Custom graph can be found at /Users/Desktop/tools/android/Jandroid/output/graph/jandroid.html
INFO All done.