Android Framework for Exploitation

June 29, 2013

Android is a mobile operating system platform originally developed by Andy Rubin, Rich Miner, Nick Sears and Chris White; their company was later acquired by Google Inc., and Android is now developed and maintained by Google itself. In the smartphone market, Android holds more than 50% of the share, far more than iOS and other mobile platforms such as BlackBerry, Windows and Symbian.

Because of Android's popularity with both consumers and developers, it is also the platform most targeted by malware authors. That is why we see a lot of Android malware on third-party app stores and sometimes even on Google Play.

The question arises: how is malware for an Android device created? To show how easy it is to create malware for the Android platform, we will be using a well-known framework called Android Framework for Exploitation, also known as AFE, which you can use to create automated Android malware and botnets, find application vulnerabilities, write exploits and so on.

Android Framework for Exploitation can be downloaded from http://github.com/xysec/; download both AFE and AFE-server.

AFE is a Python-based tool which runs on a Unix-based OS, and AFE-server is the application which runs on the phone and connects to the Python interface. So, we launch AFE, and the interface looks something like this.

To do this, after downloading, you need to type in

./afe.py

and go to menu, then to modules. You can list the modules by typing in list, which gives you a list of all the modules currently available.

To use a particular module in AFE, type in run followed by the module name to start it.

Afe/menu/modules$ run malware

Once you have started the malware module, you need to set the reverse IP and the items you would like to steal. Once the options are set, we proceed to the Build It option and generate an APK (Android Package, the Android application file), which can be installed on any Android device. The IP address you specified will receive all the call logs, contacts and messages from the victim's phone.

It is really surprising that when this framework was released, none of the anti-virus products detected it. You can also go ahead and build proof-of-concept botnets, which are operated entirely via SMS.

In this article, we will focus on the Leaking Content Provider vulnerability in Android applications.
A Content Provider in Android allows applications to exchange and share data with other applications, and also gives them a cleaner interface to query the data and perform various operations on it.

In Android, by default, a content provider you define is public. So, if the application developer has not set special permissions to protect the content provider, any other application can access that vulnerable application's data. Let's take an example: say you are using a banking application, and the user is allowed to store his credit card information and other sensitive information in the banking application for easier and faster transactions. But the application developer has not properly defined the permissions for the content provider. What an attacker could do here is create his own malicious application (which won't need any permissions upon installation) and use it to steal the data stored in the banking application's storage. The attacker's application now has unrestricted access to all the sensitive information in the banking application, and the user's security and privacy is put at risk.

For this article, we will take the example of an Android application named Catch Notes: https://play.google.com/store/apps/details?id=com.threebanana.notes&hl=en

The application has around 5,000,000 – 10,000,000 downloads so far and is one of the top 100 applications on Android. Catch Notes allows the user to store private and personal notes on his phone.

So, the first thing we need to do is go to the AFE menu, and then to modules.

From the modules section, we select the Get Content Provider option.

Afe/menu/modules$ list
apk_inject
dbstealer
decompile_apk
get_content_provider
malware
rageagainstthecage
Afe/menu/modules$ run get_content_provider

After selecting get_content_provider, it shows a list of all the Android APKs present in the AFE Input folder and asks for the name of the APK you wish to decompile.

Here we select catch.apk, which is simply the APK file of the Catch Notes application. After you enter the APK name, it is decompiled automatically and all the content providers are parsed out for us.

Enter the name of the apk you want to check the content query: catch.apk

Here we analyze all the content providers, and one of them, com.threebanana.notes.provider.NotePad, looks interesting to us.

At this point, we just select the content provider we are interested in and go back to the menu.
Now we use the query functionality in AFE to query this content provider. For this, the phone and the Python interface need to be connected to each other, so we use the AFE-Server app, available at afe-framework.com/afeserver.apk. The application screen looks something like this.

Here we select a port, for example 8899, and in the Python interface we forward the port using adb forward.

Afe$ !adb forward tcp:8899 tcp:8899

Thereafter, we connect using the connect command, specifying the IP address and port number.

Afe$ connect 127.0.0.1 -p 8899

It now shows the message connected and an asterisk before afe in the prompt. This means we can now interact directly with the phone and its applications.

Coming back to the content provider vulnerability we were discussing, we use the query command. To get more information about this command and its options, type in ?query. Make sure you have the Catch Notes application installed on your device/emulator and have created a note. My application screen looks like this:

So, to query that particular content provider and find out whether it is vulnerable, we type in:

*Afe/menu$ query "get --url content://com.threebanana.notes.provider.NotePad/notes"

You will get a screen similar to the one shown below.

This is all the information stored in the content provider of the Catch Notes application, which could be accessed by any other application. In the middle, if you look carefully, you will see the text field with the value Hello Clubhack – from Aditya.

That is how you find and exploit content provider vulnerabilities. But what if you want to share it with someone, or publish your exploit online? For this, you can use the sploit module in AFE. With this module, you can automate the entire process of typing in the content provider name and extracting information from the application on the device.

If you go to the exploits folder in the AFE directory structure, you will notice a file named exp-appname.xml. This is a sample exploit for a Local File Inclusion/Directory Traversal vulnerability in the Adobe Reader Android application. Using that as a base, we will build our own exploit for Catch Notes.

In this file, we change a few things, such as the <name> tag, which becomes

<name>com.threebanana.notes</name>

and the <query> tag, which contains the query to be executed, so

<query>
"get --url content://com.threebanana.notes.provider.NotePad/notes"
</query>

So, my final exploit looks like this:

Now we save this exploit as catchexploit.xml in the same location as exp-appname.xml and go back to the Python interface. There, we type in exploit to go to the exploit menu.

*Afe/menu$ exploit
*Afe/menu/exploit$

Type in ? to see all the available options.

Now, if you type in the command sploit [exploitname].xml, it automates the entire exploitation process for you.

So, if you wish, you can now share it with the community, publish it in the GitHub repo of AFE, and so on.

Conclusion

In this article, we saw how to find and exploit a basic content provider vulnerability and even write an exploit for it. A lot of well-known applications are vulnerable to this particular issue; the only drawback is that very few people are looking into Android application vulnerabilities right now. So it's a great time to start looking into app vulnerabilities and writing exploits for them. To prevent this kind of vulnerability, all the application developer needs to do is set the permissions for the content provider in AndroidManifest.xml and also set android:exported to false. That's all for this article, guys. Hope you enjoyed it.
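As an added example (not part of the original article or of the AFE project), here is the manifest check behind the leaking content provider problem described above and the android:exported fix given in the conclusion: a small Python audit that parses a decoded AndroidManifest.xml and reports every provider another app could query. It uses the Catch Notes authority from the article; the provider class name and both manifest fragments are constructed, and the check also applies the later platform change (from API level 17 the default for a provider's android:exported became false), which the article's "public by default" statement predates.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(element, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return element.get("{%s}%s" % (ANDROID_NS, name))

def audit_providers(manifest_xml):
    """Flag <provider> entries that any other app could query.

    Before API 17 a provider with no android:exported attribute is exported by
    default; from API 17 on it is private by default once minSdkVersion or
    targetSdkVersion is 17 or higher. A permission/readPermission/writePermission
    attribute restricts access even when the provider is exported.
    """
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = int(android_attr(sdk, "minSdkVersion") or 1) if sdk is not None else 1
    target_sdk = int(android_attr(sdk, "targetSdkVersion") or min_sdk) if sdk is not None else min_sdk
    private_by_default = max(min_sdk, target_sdk) >= 17
    findings = []
    for provider in root.iter("provider"):
        exported_attr = android_attr(provider, "exported")
        exported = (not private_by_default) if exported_attr is None else exported_attr.lower() == "true"
        protected = any(android_attr(provider, a) for a in ("permission", "readPermission", "writePermission"))
        authorities = [a for a in (android_attr(provider, "authorities") or "").split(";") if a]
        findings.append({
            "name": android_attr(provider, "name"),
            "uris": ["content://%s/" % a for a in authorities],   # base URIs other apps could query
            "world_readable": exported and not protected,
        })
    return findings

# Constructed manifest fragment (not taken from the real Catch Notes apk): the
# class name NotePadProvider is a placeholder, the authority is the one queried
# in the article. No exported/permission attributes and targetSdkVersion 16, so
# the provider is public by default, which is exactly the leaking case.
VULNERABLE_MANIFEST = """<manifest xmlns:android="%s" package="com.threebanana.notes">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <application>
    <provider android:name=".NotePadProvider"
              android:authorities="com.threebanana.notes.provider.NotePad"/>
  </application>
</manifest>""" % ANDROID_NS

# The same manifest with the fix from the conclusion: android:exported="false".
FIXED_MANIFEST = VULNERABLE_MANIFEST.replace(
    'android:authorities=', 'android:exported="false" android:authorities=')
```

Run audit_providers() on the manifest that apktool or AFE's decompile_apk module produces; a finding with world_readable set is a provider worth querying from a second, permission-less test app to confirm.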
