jandroid's People

Contributors

incanusuk, maddiestone

jandroid's Issues

_IDENTIFIED_LOOKFOR : 0 with good intent-filter

Hello, Thanks for the tool.
I'm trying to make the filter work on an application created for that.
I use the default template for "JSbridgeBrowsable"
and I got this AndroidManifest.xml:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="fr.neolexsecurity.myvulnapp">

    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/AppTheme">
        <activity android:name=".VulnActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />

                <data android:scheme="http" />
                <data android:scheme="https" />
                <data android:scheme="about" />
                <category android:name="android.intent.category.BROWSABLE" />
            </intent-filter>
        </activity>
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>

But I get : _IDENTIFIED_LOOKFOR : 0 :

DEBUG    Analysing <Element activity at 0x7f9b08414908> against template {'BASEPATH': 'manifest->application->activity OR manifest->application->activity-alias', 'SEARCHPATH': {'intent-filter': {'action': {'LOOKFOR': {'TAGVALUEMATCH': '<NAMESPACE>:name=android.intent.action.VIEW'}, '_EXPECTED_LOOKFOR': 1, '_IDENTIFIED_LOOKFOR': 0, '_SATISFIED_LOOKFOR': False}, 'category': {'LOOKFOR': {'TAGVALUEMATCH': '<NAMESPACE>:name=android.intent.category.BROWSABLE'}, '_EXPECTED_LOOKFOR': 1, '_IDENTIFIED_LOOKFOR': 0, '_SATISFIED_LOOKFOR': False}, 'data': {'RETURN': ['<NAMESPACE>:host AS @host', '<NAMESPACE>:scheme AS @scheme']}}}, 'RETURN': ['<smali>:<NAMESPACE>:name AS @activity_name']}.

and

DEBUG    Analysing <Element intent-filter at 0x7f9b08414e08> against template {'action': {'LOOKFOR': {'TAGVALUEMATCH': '<NAMESPACE>:name=android.intent.action.VIEW'}, '_EXPECTED_LOOKFOR': 1, '_IDENTIFIED_LOOKFOR': 0, '_SATISFIED_LOOKFOR': False}, 'category': {'LOOKFOR': {'TAGVALUEMATCH': '<NAMESPACE>:name=android.intent.category.BROWSABLE'}, '_EXPECTED_LOOKFOR': 1, '_IDENTIFIED_LOOKFOR': 0, '_SATISFIED_LOOKFOR': False}, 'data': {'RETURN': ['<NAMESPACE>:host AS @host', '<NAMESPACE>:scheme AS @scheme']}}.

Do you have an idea where the problem is?

Thank you.

app-release.apk.zip
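An independent check of the manifest posted above, as an added example that is not part of the original issue and not Jandroid's own code: it tests the decoded manifest text for the conditions the template's LOOKFOR entries describe (VIEW action plus BROWSABLE category) and collects the `data` attributes the template returns. It assumes `<NAMESPACE>` stands for the Android namespace URI and that the manifest has already been decoded from the APK's binary XML; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
# Assumption: <NAMESPACE> in the template stands for this URI.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: the two activities from the manifest in the post.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="fr.neolexsecurity.myvulnapp">
  <application>
    <activity android:name=".VulnActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <data android:scheme="http" />
        <data android:scheme="https" />
        <data android:scheme="about" />
        <category android:name="android.intent.category.BROWSABLE" />
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def attr(elem, name):
    """Read an android:-qualified attribute; ElementTree keys it as {uri}name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def browsable_view_activities(manifest_xml):
    """Return [(activity, schemes, hosts)] for intent-filters with VIEW + BROWSABLE."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for tag in ("activity", "activity-alias"):  # the template's BASEPATH alternatives
        for act in root.findall("./application/" + tag):
            for flt in act.findall("intent-filter"):
                actions = {attr(e, "name") for e in flt.findall("action")}
                cats = {attr(e, "name") for e in flt.findall("category")}
                if ("android.intent.action.VIEW" in actions
                        and "android.intent.category.BROWSABLE" in cats):
                    data = flt.findall("data")
                    schemes = sorted({attr(d, "scheme") for d in data} - {None})
                    hosts = sorted({attr(d, "host") for d in data} - {None})
                    hits.append((attr(act, "name"), schemes, hosts))
    return hits

if __name__ == "__main__":
    print(browsable_view_activities(MANIFEST))
```

A plain `elem.get("android:name")` returns `None` here, because the parser resolves the prefix to the namespace URI; the attribute has to be read by its qualified name.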

Get no result for even an obviously vulnerable application

I got nothing in the Jandroid output HTML. I'm sure that:

  • all requirements are installed properly
  • the target apk has obvious webview vulnerabilities and they can be found manually according to the template

But I got this message in the log: {'bug_obj': {'JSbridgeBrowsable': False}

I'm not sure whether it is a bug, or the target apk just missed the template, or something else is wrong. It would be nice for you to provide a vulnerable apk which could be detected by Jandroid, in order to prove that Jandroid is working properly.

How to write a template to trace zip4jExtractAll

I want to reproduce the case you used in Mobile Pwn2Own 2017; it is the Directory Traversal during Unzip in Samsung Notes.

My template is below, but it didn't work and output 'output {'bug_obj': {'JSbridgeBrowsable': False, 'zip4jExtractAll': False}, 'graph_list': []}.'; could you help me improve it?

{
    "METADATA": {
        "NAME": "zip4jExtractAll"
    },    
    "MANIFESTPARAMS": {
        "BASEPATH": "manifest->application->activity OR manifest->application->activity-alias",
        "SEARCHPATH": {
            "intent-filter": {
                "action": {
                    "LOOKFOR": {
                        "TAGVALUEMATCH": "<NAMESPACE>:name=android.intent.action.VIEW"
                    }
                }
            }
        },
        "RETURN": ["<smali>:<NAMESPACE>:name AS @activity_name"]
    },
    "CODEPARAMS": {
        "SEARCH": {
            "SEARCHFORCALLTOMETHOD": {
                "METHOD": "Lnet/lingala/zip4j/core/ZipFile;->extractAll",
                "RETURN": "<class> AS @zip4j"
            }
        },
        "TRACE": {
            "TRACEFROM": "<method>:@zip4j[]->extractAll(Ljava/lang/String;)V",
            "TRACETO": "<class>:@activity_name",
            "TRACELENGTHMAX": 20,
            "RETURN": "<tracepath> AS @tracepath_zip4jextractall"
        }
    },
    "GRAPH": "@tracepath_zip4jextractall WITH <method>:<desc>:<class> AS attribute=nodename"
}

Trace advanced example not working.

Hello,
I'm trying to use this template that I built from the advanced trace example to identify a controllable URI from an intent passed to a webview.

{
    "METADATA": {
        "NAME": "Uri from intent to webview"
    },    
    "MANIFESTPARAMS": {
        "BASEPATH": "manifest->application->activity OR manifest->application->activity-alias",
        "SEARCHPATH": {
            "intent-filter": {
                "action": {
                    "LOOKFOR": {
                        "TAGVALUEMATCH": "<NAMESPACE>:name=android.intent.action.VIEW"
                    }
                },
                "category": {
                    "LOOKFOR": {
                        "TAGVALUEMATCH": "<NAMESPACE>:name=android.intent.category.BROWSABLE"
                    }
                },
                "data": {
                    "RETURN": ["<NAMESPACE>:host AS @host", "<NAMESPACE>:scheme AS @scheme"]
                }                
            }
        },
        "RETURN": ["<smali>:<NAMESPACE>:name AS @activity_name"]
    },
    "CODEPARAMS": {
        "TRACE": {
            "TRACETYPE": "ADVANCED",
            "TRACEFROM": "ARGTO <method>:Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V ARGINDEX 1",
            "TRACELENGTHMAX":10,
            "TRACETO": "RESULTOF Landroid/content/Intent;->getData()Landroid/net/Uri;",
            "RETURN": "<tracepath> AS @tracepath_browsablejsbridge"
        }
    },
    "GRAPH": "@tracepath_browsablejsbridge WITH <method>:<desc>:<class> AS attribute=nodename"
}

The smali code of the class I'm trying to detect is :

.class public Lcom/vuln/jandroid/VulnActivity;
.super Landroid/app/Activity;
.source "VulnActivity.java"


# direct methods
.method public constructor <init>()V
    .locals 0

    .line 11
    invoke-direct {p0}, Landroid/app/Activity;-><init>()V

    return-void
.end method


# virtual methods
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 2

    .line 17
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    const p1, 0x7f0b001d

    .line 18
    invoke-virtual {p0, p1}, Lcom/vuln/jandroid/VulnActivity;->setContentView(I)V

    .line 19
    new-instance p1, Landroid/webkit/WebView;

    invoke-direct {p1, p0}, Landroid/webkit/WebView;-><init>(Landroid/content/Context;)V

    .line 20
    new-instance v0, Lcom/vuln/jandroid/BridgeJS;

    invoke-direct {v0}, Lcom/vuln/jandroid/BridgeJS;-><init>()V

    const-string v1, "injectedObject"

    invoke-virtual {p1, v0, v1}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V

    .line 21
    invoke-virtual {p0, p1}, Lcom/vuln/jandroid/VulnActivity;->setContentView(Landroid/view/View;)V

    .line 22
    invoke-virtual {p0}, Lcom/vuln/jandroid/VulnActivity;->getIntent()Landroid/content/Intent;

    move-result-object v0

    .line 23
    invoke-virtual {v0}, Landroid/content/Intent;->getData()Landroid/net/Uri;

    move-result-object v0

    invoke-static {v0}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object v0

    .line 24
    invoke-virtual {p1, v0}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V

    return-void
.end method

I also tried with the Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String; string but it's not working either.

I attached the debug output of Jandroid and the APK in a zip file :

attachments.zip

Do you have an idea of where the problem is?
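The data flow that the template above describes, checked by hand on the posted smali, as an added example that is not part of the original issue and not Jandroid's tracing code: a backward register trace from the `loadUrl` argument to the result of `getData`. It assumes ARGINDEX 1 means the second register in the invoke list (the receiver being index 0), handles only straight-line code with invoke/move-result pairs, and uses a hypothetical helper name.

```python
import re

# Constructed sample: the tail of onCreate from the smali in the post (.line markers dropped).
SMALI = """\
invoke-virtual {p0}, Lcom/vuln/jandroid/VulnActivity;->getIntent()Landroid/content/Intent;
move-result-object v0
invoke-virtual {v0}, Landroid/content/Intent;->getData()Landroid/net/Uri;
move-result-object v0
invoke-static {v0}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;
move-result-object v0
invoke-virtual {p1, v0}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V
"""
SINK = "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V"
SOURCE = "Landroid/content/Intent;->getData()Landroid/net/Uri;"

INVOKE = re.compile(r"invoke-\S+ \{([^}]*)\}, (\S+)")
MOVE_RESULT = re.compile(r"move-result(?:-object|-wide)? (\S+)")

def registers(invoke_match):
    """Registers listed in an invoke instruction, in order."""
    return [r.strip() for r in invoke_match.group(1).split(",") if r.strip()]

def backtrace(smali, sink, arg_index, source):
    """Follow registers backwards from sink's argument; return the list of
    calls on the path if source's result is reached, else None."""
    lines = [l.strip() for l in smali.splitlines() if l.strip()]
    calls = [INVOKE.match(l) for l in lines]
    start = next((i for i, c in enumerate(calls) if c and c.group(2) == sink), None)
    if start is None:
        return None
    tracked, path = {registers(calls[start])[arg_index]}, [sink]
    i = start - 1
    while i >= 1 and tracked:
        moved = MOVE_RESULT.match(lines[i])
        if moved and calls[i - 1] and moved.group(1) in tracked:
            path.append(calls[i - 1].group(2))
            if calls[i - 1].group(2) == source:
                return path
            # The tracked value came from this call: follow its arguments instead.
            tracked.discard(moved.group(1))
            tracked.update(registers(calls[i - 1]))
            i -= 2
        else:
            i -= 1
    return None

if __name__ == "__main__":
    print(backtrace(SMALI, SINK, 1, SOURCE))
```

On the posted method the path runs through `String.valueOf`, so the value reaching `loadUrl` is one call removed from the `getData` result.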

WARNING Error analysing 5.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.

Hello, I want to analyse Multidex, but something went wrong.


       JANDROID

INFO Creating template object.
INFO 1 potential template(s) found.
DEBUG Parsing /Users/Desktop/tools/android/Jandroid/templates/android/sample_basic_browsable_jsbridge.template
INFO Initiating Android analysis.
INFO Performing basic checks. Please wait.
INFO Basic checks complete.
INFO Beginning analysis...
DEBUG 8 app(s) to analyse, using 2 thread(s).
DEBUG Created worker process 0
DEBUG Created worker process 1
INFO Analysing 5.dex in worker thread 1.
INFO Analysing 4.dex in worker thread 0.
WARNING Error analysing 5.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.
WARNING Error analysing 4.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.
INFO Analysing 2.dex in worker thread 0.
WARNING Error analysing 2.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.
INFO Analysing 6.dex in worker thread 1.
WARNING Error analysing 6.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.
INFO Analysing 3.dex in worker thread 0.
WARNING Error analysing 3.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.
INFO Analysing 1.dex in worker thread 1.
WARNING Error analysing 1.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.
INFO Analysing 0.dex in worker thread 0.
WARNING Error analysing 0.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.
INFO Analysing 8.dex in worker thread 1.
WARNING Error analysing 8.dex: [AnalyzeDEXError] name 'AnalyzeDEX' is not defined.
INFO Finished analysing apps.
INFO Creating custom graph.
INFO Custom graph can be found at /Users/Desktop/tools/android/Jandroid/output/graph/jandroid.html
INFO All done.
