from pydiesel.reflection import ReflectionException
from drozer.modules import common, Module
# drozer scanner module that reports installed packages whose dex/odex string
# tables mention java.io.ObjectInputStream.
#
# NOTE(review): the check is a string-match heuristic. A hit shows that the
# class name appears in the scanned file, not that untrusted data reaches a
# deserialization call, so every finding needs manual confirmation. The
# description limits the issue to Android <5.0, and nothing in this module
# checks the OS version of the device being scanned.
class ObjectInputStream(Module, common.FileSystem, common.PackageManager, common.Provider, common.Strings, common.ZipFile):

    # Module metadata (name, description, author, path, permissions, ...).
    name = "ObjectInputStream Check"
    description = """
Finds applications that make use of java.io.ObjectInputStream (CVE-2014-7911: Android <5.0 Privilege Escalation)
It was identified that on Android <5.0 java.io.ObjectInputStream did not check whether the Object that is being
deserialized is actually serializable. This means that when ObjectInputStream is used on untrusted inputs, an
attacker can cause an instance of any class with a non-private parameterless constructor to be created
See:
http://seclists.org/fulldisclosure/2014/Nov/51
http://researchcenter.paloaltonetworks.com/2015/01/cve-2014-7911-deep-dive-analysis-android-system-service-vulnerability-exploitation/
"""
    examples = ""
    author = "/dev/null <devnull@libcrack.so>"
    date = "2015-05-13"
    license = "BSD (3 clause)"
    path = ["scanner", "misc"]
    permissions = ["com.mwr.dz.permissions.GET_CONTEXT"]

    def add_arguments(self, parser):
        """Register the command-line options of the module.

        -a/--package/--uri selects a single target; -v/--verbose also prints
        the packages in which no reference was found.
        """
        # NOTE(review): the help text mentions a content uri, but execute()
        # hands the value to check_package() as a package name.
        parser.add_argument(
            "-a", "--package", "--uri",
            dest="package_or_uri",
            help="specify a package, or content uri to search",
            metavar="<package or uri>",
        )
        parser.add_argument(
            "-v", "--verbose",
            action="store_true",
            help="enable verbose mode",
        )

    def execute(self, arguments):
        """Scan the package given with -a, or every installed package.

        In the all-packages case an exception raised for one package is
        printed and the scan moves on to the next package. A package that
        failed this way produces no verdict line, so treat it as "not
        scanned" rather than as clean.
        """
        target = arguments.package_or_uri
        if target is not None:
            # Single-target mode: errors propagate to the caller.
            self.check_package(target, arguments)
            return

        installed = self.packageManager().getPackages(common.PackageManager.GET_PERMISSIONS)
        for info in installed:
            try:
                self.check_package(info.packageName, arguments)
            except Exception as err:
                print(str(err))

    def check_package(self, package, arguments):
        """Report whether *package* references java.io.ObjectInputStream.

        For every source path of the package, strings are collected from the
        APK's classes.dex plus the sibling .odex, or from the .odex itself,
        and searched for the class name in dotted and in descriptor form.
        One verdict line is written per scanned path; the negative verdict
        only in verbose mode.
        """
        # Remove any classes.dex already sitting in the cache directory
        # before extracting a new one (presumably a leftover of an earlier
        # run -- TODO confirm).
        self.deleteFile("/".join([self.cacheDir(), "classes.dex"]))

        markers = ("java.io.ObjectInputStream", "Ljava/io/ObjectInputStream")

        for path in self.packageManager().getSourcePaths(package):
            strings = []

            if ".apk" in path:
                # NOTE(review): only "classes.dex" is extracted, so a
                # reference that lives in any other dex file of the APK is
                # not seen here (possible false negative).
                dex_file = self.extractFromZip("classes.dex", path, self.cacheDir())
                # `!= None` kept as written: the return type of
                # extractFromZip is not visible in this file.
                if dex_file != None:
                    strings = self.getStrings(dex_file.getAbsolutePath())
                    dex_file.delete()
                # The .odex next to the APK is searched as well.
                strings += self.getStrings(path.replace(".apk", ".odex"))
            elif ".odex" in path:
                strings = self.getStrings(path)
            else:
                # Neither an APK nor an odex path: nothing to scan.
                continue

            # Substring search over the stringified collection, as in the
            # original; either spelling of the class name counts as a hit.
            haystack = str(strings)
            referenced = any(marker in haystack for marker in markers)

            if referenced:
                self.stdout.write("[color red]%s uses ObjectInputStream[/color]\n" % package)
            elif arguments.verbose:
                self.stdout.write("[color green]%s doesn't use ObjectInputStream[/color]\n" % package)