It took a while to do PoC changes, port from python to ruby, port from ruby to a metasploit module, change the used library in ruby, divide into two files (a tincd protocol library and an exploit module), write ROP chains for x86 and ARM architecture, support various operating systems and make all the necessary changes to make ruby people happy. But it was really a good experience.
I’m happy to announce that my tincd buffer overflow module I wrote a while ago is now officially part of Metasploit.
Two weeks ago I had a talk about “Reversing Android Apps – Hacking and cracking Android apps is easy” at 0sec. You can download the slides. The video on slide 6 (circumventing the Android lock screen with button mashing) is available here. If you’re interested in the topic, you should check out the other posts in the Android category.
During my research for the Android platform and in some pentests I tried several things and used different techniques. This is kind of a summary post and I packed some of my tools together into one zip file. The contents are:
- Importing Burp CA into the Android phone, which I already wrote a blog post about
- Some Ubuntu bash scripts that can be used to compile statically linked ARM binaries for Android, which I already wrote a blog post about
- Decompiling/Disassembling bash scripts that I used to disassemble/decompile 3’500 apps from the market, including the Apple Script for Mac to automate the JD-GUI decompilation
- A simple Python script that can be used to install a list of apps on your Android mobile
- A list of Google Market App IDs, one list with free apps, one list with apps that cost money
- A bash script that creates the Metasploit ARM reverse TCP shell payload
- GingerBreak2 and RageAgainstTheCage exploit but including Ubuntu bash ARM compilation scripts, that let you compile the binary on your own instead of using the shipped ARM binary (I only tested the RageAgainstTheCage exploit)
- A list of interesting files on the Android filesystem, that serves as a starting point if you don’t know where to start. Having a rooted phone to access the entire filesystem and using a text editor (.xml and .conf files) and a sqlite db viewer (files ending on .db) you’ll find pretty interesting stuff.
- A file with the Hidden Secret Codes I found on my HTC Desire and in some apps. Actually only two of the 3’500 apps I decompiled had secret codes: The Twicca Twitter client (dial *#*#459338#*#*) and Baidu, the chinese search engine app (*#*#22438#*#*)
You can download the zip file here. I didn’t want to make up my own Android tool project svn or anything like that, but if you have your own toolset (e.g. you’re the developer of one of the tools below), I’d be happy to give my scripts to your project. If you have any feedback, just let me know, I’m happy to discuss it.
Addtionally, I thought I’ll write down some project/tools I used or I want to look into in the future:
- Apkinspector (GUI combining apktool, dex2jar, a Java decompiler, byte code, etc.)
- Taintdroid (Privacy issues)
- Android Forensic Toolkit
- viaExtract (There’s a VMWare with viaExtract installed. Does standard Forensic for Android: calls, sms, etc. Needs USB debug on)
I might update this post once in a while
Most Android mobiles are running on the ARM architecture. Therefore you have to use a special compiler for such binaries. The Android SDK built in adb shell has no auto completion, which is really a nightmare in my opinion. Therefore I was looking for a way to compile bash for Android. Altough a lot of tutorials tell you to download the CodeSourcery cross-compiling toolchain, they are not really necessary (at least if you do a static compile like I do here).
I wrote a script that compiles bash-4.0. Should work out-of-the-box in Ubuntu 11.04. Edit: By now I’ve also put it on github: https://github.com/floyd-fuh/ARM-cross-compile
#BASH source code from http://ftp.gnu.org/gnu/bash/
#Example for compiling bash on Ubuntu 11.04
#Warnings during the compilation process seem to be alright, errors would be bad
echo "[INFO] Checking if packages installed"
dpkg --status autoconf | grep -q not-installed
if [ $? -eq 0 ]; then
echo "[INFO] Apt-get installing autoconf, please provide sudo password"
sudo apt-get install autoconf
echo "[INFO] autoconf already installed, good"
dpkg --status gcc-arm-linux-gnueabi | grep -q not-installed
if [ $? -eq 0 ]; then
echo "[INFO] Apt-get installing gcc-arm-linux-gnueabi, please provide sudo password"
sudo apt-get install gcc-arm-linux-gnueabi
echo "[INFO] gcc-arm-linux-gnueabi already installed, good"
echo "[INFO] Starting bash source code download"
tar xvfz $BASH_VERSION.tar.gz
./configure --host=arm-linux-gnueabi --enable-static-link --without-bash-malloc
file bash | grep -q ARM
if [ ! $? -eq 0 ]; then
echo "[ERROR] Looks like bash was incorrectly compiled with another compler than arm-linux-gnueabi-gcc"
echo "[ERROR] The resulting bash binary will not run on ARM, therefore aborting!"
arm-linux-gnueabi-strip -o bash-stripped -s bash
cp ./bash-stripped ../bash
echo "[INFO] Your bash binary is finished (file 'bash' in current directory), happy autocompleting on ARM!"
By changing the variable BASH_VERSION to bash-4.1 you should be able to compile an even newer version. Bash-4.2 did not work for me.