Hey everyone, welcome to pentestguy. We have already discussed how to exploit Android components using the Android Debug Bridge; if you are not familiar with that, check out this article – https://pentestguy.com/exploiting-android-components-abusing-activities/ Now we are going to talk about the drozer framework, and this post will cover most of what you need to know about drozer.
For dynamic testing of an app we need an Android device or an emulator. I used Genymotion; if you don’t know how to install it, follow the video given below.
What is Drozer?
drozer (formerly Mercury) is the leading security testing framework for Android. It allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints, and the underlying OS. It also helps you deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR’s advanced exploitation payload), drozer is able to maximize the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT).
First, we need to install the drozer agent on an Android device and forward its port using ADB; then, from the drozer console, we send commands to the agent. Download the drozer agent – https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk. drozer itself can be installed via Python 2, or we can use it directly from Appie (Android Pentesting Portable Integrated Environment).
adb install drozer.apk
[Image: install-drozer-agent]
Open the agent installed on the device, make sure the embedded server is switched on, then run the command given below.
adb forward tcp:31415 tcp:31415
[Image: drozer-agent]
Run the drozer console from your host machine, which may be Windows or Linux:
drozer console connect
drozer.bat console connect //this is for Windows if you have the standalone .bat file
[Image: drozer-console-start]
The first thing to check with any tool is its help option, because every tool ships its own documentation, and that is nothing but the help output.
[Image: drozer-help-list]
Checking attackable components is really easy using drozer: with a single command we can see the number of exported activities, content providers, broadcast receivers and services.
run app.package.list -f sieve
run app.package.attacksurface com.mwr.example.sieve
[Image: drozer-attack-surface-sieve]
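To understand what the attacksurface output is built from, here is an added example (my own code, not part of this post or of the drozer project) that applies the platform’s export rules to an AndroidManifest.xml and lists the same four buckets. drozer asks the device’s PackageManager; this script reads the manifest instead, which is useful for triage before the app is even installed. The package name, component names and manifest below are constructed for the example.

```python
"""Approximate drozer's app.package.attacksurface from an AndroidManifest.xml.

Added example, not code from the pentestguy post or from drozer. It applies the
platform's default export rules to a constructed manifest and lists every
component another app can reach, marking the ones no permission protects.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: package and component names are made up and
# chosen to exercise each rule (explicit exported flag, intent-filter, provider
# default, permission-protected provider).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vault">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
  <permission android:name="com.example.vault.READ_KEYS"
              android:protectionLevel="signature"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <provider android:name=".DBContentProvider"
              android:authorities="com.example.vault.DBContentProvider"/>
    <provider android:name=".FileBackupProvider"
              android:authorities="com.example.vault.FileBackupProvider"
              android:exported="true"
              android:readPermission="com.example.vault.READ_KEYS"/>
    <receiver android:name=".ChangePasswordReceiver">
      <intent-filter><action android:name="theBroadcast"/></intent-filter>
    </receiver>
    <service android:name=".AuthService" android:exported="true"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, target_sdk):
    """Platform default rules: an explicit android:exported wins; otherwise
    activities, receivers and services are exported iff they declare an
    intent-filter, and providers default to exported when targetSdkVersion < 17."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17
    return elem.find("intent-filter") is not None


def is_protected(elem):
    """True when some permission gates the component. Providers may use
    readPermission / writePermission or per-path permissions instead of
    android:permission."""
    if _attr(elem, "permission"):
        return True
    if elem.tag == "provider":
        if _attr(elem, "readPermission") or _attr(elem, "writePermission"):
            return True
        return any(_attr(p, "readPermission") or _attr(p, "writePermission")
                   or _attr(p, "permission")
                   for p in elem.findall("path-permission"))
    return False


def attack_surface(manifest_xml):
    """Return {tag: [(fully qualified name, protected?)]} for every exported
    component, the same four buckets drozer's attacksurface module reports."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    uses_sdk = root.find("uses-sdk")
    target_sdk = 1
    if uses_sdk is not None:
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion")
                         or _attr(uses_sdk, "minSdkVersion") or 1)
    surface = {"activity": [], "provider": [], "receiver": [], "service": []}
    for elem in root.find("application"):
        if elem.tag not in surface or not is_exported(elem, target_sdk):
            continue
        name = _attr(elem, "name")
        if name.startswith("."):          # shorthand relative to the package
            name = package + name
        surface[elem.tag].append((name, is_protected(elem)))
    return surface


def unprotected(manifest_xml):
    """Exported components with no permission in front of them: the first
    candidates for the per-component checks that follow in the post."""
    return [name for comps in attack_surface(manifest_xml).values()
            for name, protected in comps if not protected]


if __name__ == "__main__":
    for tag, comps in attack_surface(SAMPLE_MANIFEST).items():
        print("%d exported %s(s)" % (len(comps), tag))
        for name, protected in comps:
            print("   %s %s" % ("protected  " if protected else "UNPROTECTED", name))
```

Running it prints the counts per component type, just like attacksurface, plus which entries are merely exported and which are actually gated by a permission; a protected entry (the FileBackupProvider above) shows up in drozer’s count too, so the count alone does not tell you how much of the surface is reachable.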
Exploit Insecure Activity (exported=true)
Don’t know where the information about activities or intent filters comes from?
The answer is really simple: reverse engineer the application and check its AndroidManifest.xml file. If you don’t know how to do that, follow this article – https://pentestguy.com/android-app-pentesting-static-analysis/
In drozer we can check it directly without digging into the application’s code, but without reading the code it is not possible to exploit an application properly.
run app.activity.info -a com.mwr.example.sieve
[Image: check-android-activities]
Example – In this scenario, the insecure activity is the password list screen of the Sieve password manager. To reach it normally you have to enter the master password; because the activity is exported, an attacker can start it directly and obtain the password list.
run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
[Image: exploit-activity-sieve]
Exploit Insecure Activity with an Extra Value
Example – In this scenario from the DIVA application, the activity is exported, but when we try to exploit it, it asks for a PIN. Digging into the source code shows boolean logic involving the value check_pin.
Looking at that logic we find chk_pin, but its value is defined in /res/values/strings.xml.
[Image: code-check-pin-diva]
In the code above we can see the logic that checks the chk_pin boolean value.
[Image: string-value-diva-app]
In the picture above we can find the value of chk_pin in strings.xml.
run app.activity.start --component jakhar.aseem.diva jakhar.aseem.diva.APICreds2Activity --extra boolean check_pin false
[Image: run-activity-diva-app]
Exploit Content Provider
Content providers are used to store an application’s data, typically in a relational database. They act like a central repository in which data is stored, accessed and modified according to the application’s requirements. The content URI (Uniform Resource Identifier) is the key concept of content providers: to access data from a content provider, a URI is used as the query string.
Example – In this scenario, the application has a content provider which contains user data and has permissions declared on it. To check whether the content provider is vulnerable, first check whether the application declares any content providers, then look for the URIs through which their data can be accessed.
run app.provider.info -a com.mwr.example.sieve
[Image: insecure-provider-sieve]
To find content URIs there is no need to dig into the code; drozer’s finduri module extracts them for us.
run app.provider.finduri com.mwr.example.sieve
[Image: finduri-sieve-app]
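finduri recovers these URIs by scanning the app’s code for string constants, not by reading the manifest, which is why a URI assembled at runtime never appears in its list. The following is an added example (my own, not code from this post or from drozer) of that string scan; the byte blob is constructed to stand in for the contents of a classes.dex file, and the authorities and paths in it are made up.

```python
"""Recover content:// URIs the way drozer's app.provider.finduri does: by
scanning the app's code for string constants.

Added example, not from the post or from drozer. SAMPLE_DEX is a constructed
stand-in for a classes.dex string table.
"""
import re

# Constructed: a few URI literals surrounded by unrelated bytes, with one
# duplicate and one non-content URI that must be ignored.
SAMPLE_DEX = (
    b"\x00\x07\x08LSomething;\x00"
    b"content://com.example.vault.DBContentProvider/Passwords\x00"
    b"\xff\x00content://com.example.vault.DBContentProvider/Keys\x00"
    b"content://com.example.vault.FileBackupProvider/etc/hosts\x00"
    b"\x01\x02content://com.example.vault.DBContentProvider/Passwords\x00"
    b"http://example.invalid/not-a-content-uri\x00"
)

# Authority, then any number of path segments; stops at the first byte that
# cannot be part of a URI (dex strings are NUL-terminated, so that ends it).
URI_RE = re.compile(rb"content://[A-Za-z0-9._\-]+(?:/[A-Za-z0-9._\-%*#]*)*")


def find_content_uris(blob, package=None):
    """Distinct content:// URIs found in `blob`, in order of first appearance.
    With `package`, keep only authorities under that package, mirroring how
    finduri is run against one target app."""
    seen = []
    for m in URI_RE.finditer(blob):
        uri = m.group(0).decode("ascii")
        if package and not uri[len("content://"):].startswith(package):
            continue
        if uri not in seen:
            seen.append(uri)
    return seen


def group_by_authority(uris):
    """Map each authority to the paths referenced under it, so a reviewer can
    line the list up against the provider's declared path-permissions."""
    groups = {}
    for uri in uris:
        authority, _, path = uri[len("content://"):].partition("/")
        groups.setdefault(authority, []).append("/" + path if path else "/")
    return groups


if __name__ == "__main__":
    for authority, paths in group_by_authority(find_content_uris(SAMPLE_DEX)).items():
        print(authority)
        for p in paths:
            print("   " + p)
```

Grouping by authority is the useful part for a defender: every path that appears under an exported provider should be matched by a read or write permission in the manifest, and a path that shows up in the code but not in any path-permission is the one to review first.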
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords
[Image: exploit-content-provider-sieve]
Exploit Broadcast Receiver
Broadcast receivers are used to respond to system-wide events. They allow us to register for system and application events, and when such an event happens the registered receivers get notified.
Example – In this scenario (InsecureBankv2), the application has a broadcast receiver that is exported and not protected by a permission, meaning that any app can create an Intent that will cause this receiver to be triggered.
run app.broadcast.info -a com.android.insecurebankv2 -i
[Image: insecure-broadcast-insecurebankv2]
According to the code, two string extras need to be passed.
[Image: code-broadcast-receiver]
run app.broadcast.send --action theBroadcast --extra string phonenumber 12345 --extra string newpass pentestguy@123
[Image: exploit-broadcast-receiver]
Exploit Service
You use a Service when you want to perform work in the background; it handles long-running processing. For example, you may want music to keep playing after your application is closed; in that case a service keeps running in the background playing the music.
Example – In this scenario (Sieve), there are two services, which are vulnerable, and by digging into the code an attacker is able to exploit them.
run app.service.info -a com.mwr.example.sieve
[Image: insecure-service-sieve]
After getting the service info, dig into the code to check the logic.
[Image: authservice-sieve]
Provide the message’s what, arg1 and arg2 values, and with the extra also provide the actual PIN.
run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1234 --bundle-as-obj
[Image: exploit-service-sieve]
There are many more examples of exploiting content providers and broadcast receivers that we can try with different applications.
If you found this post helpful, please share it with your co-workers and friends. Please leave your valuable comments and let us know if you have any suggestions. You can now also collaborate with us – please check our collaboration page. Thank you!
References
https://labs.withsecure.com/tools/
https://github.com/payatu/diva-android
https://github.com/dineshshetty/Android-InsecureBankv2