Path: blob/master/documentation/modules/exploit/android/local/janus.md
## Description

This module exploits CVE-2017-13156 in Android to install a payload into another application. The payload APK will have the same signature and can be installed as an update, preserving the existing data. The vulnerability was fixed in the 5th December 2017 security patch, and was additionally fixed by the APK Signature Scheme v2, so only APKs signed with the v1 scheme alone are vulnerable.

This module will potentially give two things: the first is access to the private data of the app which was injected into, and the second is a more stealthy persistence mechanism, since the payload will start each time the injected app starts.

Some devices, when installing the updated APK file, give the error "There was a problem parsing the package."
### Confirmed Vulnerable Apps

The following table shows known vulnerable apps, either pre-installed on a phone or available to download.
Package | Version | From Phone | MD5 |
---|---|---|---|
com.google.android.googlequicksearchbox | | Stock ZTE Z798BL Android 6.0.1 tracphone | 854378571509c9aa7a49f84d3f2c11c8 |
com.ume.browser.northamerica (Browser) | v3.42.21161215 | Stock ZTE Z798BL Android 6.0.1 tracphone | 726a13647fb6afb9c147b540641eb82a |
com.phonegap.camerasample | 1.0 | | 00411ebec8e7ab3fc0292070cba5efbd |
com.android.vending (Google Play Store) | 6.9.21.G-all [0] 3270725 | Stock ZTE Z798BL Android 6.0.1 tracphone | bed81c338f61c6095265592ee6fbb6d8 |
com.apptap.appfinder.tracfone | 1.7.5.0 | Stock ZTE Z798BL Android 6.0.1 tracphone | c20da001a44cd30cc09c1460ca84f743 |
com.tracfone.generic.downloaderapp | R3.1.2 | Stock ZTE Z798BL Android 6.0.1 tracphone | 448d39f6e5b2370d5b14f24c0d2dd79b |
com.google.android.tts (must enable TalkBack feature) | 3.10.10 | Stock ZTE Z798BL Android 6.0.1 tracphone | c44485e17a9a5987e9e3d09507b2bfda |
com.google.android.videos | 3.19.11 | Stock ZTE Z798BL Android 6.0.1 tracphone | e95baeda7fabc3173289be7274fa350f |
### Hostile Apps

This table shows apps which seemed to work (injected, installed without error) but had adverse effects. These apps should typically be avoided unless tested.
Package | Version | From Phone | MD5 | Issue |
---|---|---|---|---|
com.google.android.youtube | 11.38.54 | Stock ZTE Z798BL Android 6.0.1 tracphone | 8152ea89b99da5fe66880607a8f93d96 | App crash on start |
com.android.launcher3 | | Stock ZTE Z798BL Android 6.0.1 tracphone | 45139b7bf9cc328dcd1f0a3f01f87eb6 | Seems to be the GUI for the phone. When the GUI restarted, no session. |
com.instagram.android | stub | Stock ZTE Z798BL Android 6.0.1 tracphone | 6e8543dec479508f4952ece014218597 | No session |
com.google.android.music | 6.14.3420-0.G.3279860 | Stock ZTE Z798BL Android 6.0.1 tracphone | 09a49fea442c88b23a8f3752caff33de | App crash on start |
com.google.android.apps.docs | | Stock ZTE Z798BL Android 6.0.1 tracphone | b0e96f36b7bdfa7ca3064c71538c1339 | App loop, no start |
com.google.android.apps.maps | 9.38.1 | Stock ZTE Z798BL Android 6.0.1 tracphone | 91d0f8f24ce451deb31cf9f4b9a1d3c6 | App crash on start |
com.android.chrome | 53.0.2785.124 | Stock ZTE Z798BL Android 6.0.1 tracphone | ac6bbbd5ea559dbb63c42eb7e863286b | Original session dies on upload |
com.google.android.gms | | Stock ZTE Z798BL Android 6.0.1 tracphone | 504de5427ec47fa3e124c7b5e3413c50 | Original session dies on upload |
## Vulnerable Application

This module will only work on applications that are signed with the v1 signature scheme alone. You can verify which signing scheme an APK is signed with using the `apksigner` tool in the Android SDK:
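For triage without the SDK, the same question (v1 only, or v2/v3 present as well?) can be answered by reading the APK's ZIP structure directly. The following is an added example and not part of the module documentation: it checks for the `META-INF/*.RSA|DSA|EC` v1 signature files and for the "APK Sig Block 42" trailer that marks a v2/v3 APK Signing Block immediately before the central directory, and it flags files that start with a DEX header rather than a ZIP local-file header, which is how a Janus-crafted update looks on disk. `build_sample_apk` only fabricates minimal constructed inputs for testing; it is not a real signed APK.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # trailer magic of the v2/v3 APK Signing Block
DEX_MAGIC = b"dex\n"                        # a Janus-crafted file begins with a DEX header

def find_eocd(data: bytes) -> int:
    # End Of Central Directory record: 22 bytes plus a comment of at most 65535 bytes.
    idx = data.rfind(b"PK\x05\x06", max(0, len(data) - (22 + 0xFFFF)))
    if idx < 0:
        raise ValueError("no EOCD record: not a ZIP/APK")
    return idx

def signing_schemes(data: bytes) -> dict:
    """Report which signature schemes are present in an APK image."""
    eocd = find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    # v2/v3: the APK Signing Block sits directly before the central directory
    # and ends with the 16-byte magic, so inspect the bytes preceding cd_offset.
    has_v2 = cd_offset >= 16 and data[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC
    # v1 (JAR signing): signature blocks live in META-INF/ as .RSA/.DSA/.EC files.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        has_v1 = any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
                     for n in zf.namelist())
    return {"v1": has_v1, "v2_or_later": has_v2, "dex_prefix": data[:4] == DEX_MAGIC}

def janus_exposed(data: bytes) -> bool:
    """True when the APK relies on v1 only, the case CVE-2017-13156 applies to."""
    s = signing_schemes(data)
    return s["v1"] and not s["v2_or_later"]

def build_sample_apk(v2: bool) -> bytes:
    """Constructed input: a minimal v1-style APK, optionally with an empty APK Signing Block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00constructed")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82constructed-pkcs7")
    data = buf.getvalue()
    if not v2:
        return data
    eocd = find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    # Block layout: uint64 size, (no id-value pairs here), uint64 size, magic.
    # The size excludes the leading size field, so an empty block reports 8 + 16 = 24.
    block = struct.pack("<QQ", 24, 24) + APK_SIG_BLOCK_MAGIC
    new_eocd = data[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:]
    return data[:cd_offset] + block + data[cd_offset:eocd] + new_eocd
```

Run `janus_exposed(open("app.apk", "rb").read())` over an APK inventory to list the apps that an update signed only with v1 would still be accepted for; `apksigner verify --verbose` remains the authoritative check.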
## Verification Steps

1. Start `msfconsole`
2. Get a session
3. Start a handler with `exploit/multi/handler`
4. Do: `use exploit/android/local/janus`
5. Do: `set session [session]`
6. Do: `check`
7. Do: `run`
8. On the phone, a new screen will ask about installing the updated app; say yes/ok, then open the app.
9. You should get a new session.
## Options

### PACKAGE

Select a package to infect. A list of packages can be obtained by running `app_list` in Meterpreter. Using `ALL` will loop through all packages and attempt to exploit them until successful. This can take a while and cause lots of data to be transferred. Default is `com.phonegap.camerasample`.
## Scenarios

### com.phonegap.camerasample on Nexus 6p with November 2016 Security Patch

Install com.phonegap.camerasample.

An `exploit/multi/handler` was started prior to exploitation.

Please note that the user will need to manually accept the install prompt on the device (and also open the application) before a new session is opened.
### Browser (com.ume.browser.northamerica) on ZTE Z798BL Android 6.0.1 with December 2016 Security Patch

Original payload was generated as such:

Start the payload handler to catch the new callback.

Exploit

Install the app on the phone. For this app, clicking Open was not required; the shell was immediate.