Nice trick to get RCE in Android app using unzip from @_bagipro | Hack3rScr0lls

Easy arbitrary code execution on Android:

1. Write a hook (using Xposed or Frida) to log paths of File.exists() and mention all files ending with .so during app load

2.1. Grep for ZipFile usage (and all its methods such as entries(), getEntry(...), etc.).

2.2. If there's no security checks such as zipFile.getName().contains("../"), it means you can overwrite arbitrary files during unzip. Now find a way to substitute that zip (very often they are stored on SD card, or its path is accepted by some unprotected component)

3. Compile a native library that executes some code (such as writing user id to a file, or performing chmod 777), create a zip with path-traversal in its name and force the app to process it.

Pretty easy technique that brought me tens of thousands in GPSRP!

#Android
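The missing check the post describes (step 2.2), written out as an added example. This is not the author's code and not taken from any particular app: it puts the vulnerable extraction pattern next to a hardened one that canonicalises each entry path and refuses anything resolving outside the destination directory. The archive, its entry names and the temp directories are constructed for the demo. The same containment check applies whether the app iterates `ZipFile.entries()` or reads a `ZipInputStream` as shown here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipException;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipSlipDemo {

    // VULNERABLE (the pattern the post looks for): the entry name is trusted, so an
    // entry named "../../lib/libfoo.so" resolves outside destDir and overwrites a
    // file the app may later load with System.loadLibrary().
    static void extractUnsafe(Path destDir, InputStream zipStream) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = destDir.resolve(entry.getName());   // no containment check
                writeEntry(zis, entry, target);
            }
        }
    }

    // HARDENED: normalise the resolved path and require it to stay under destDir.
    // Comparing Path components (not substrings) also rejects absolute entry names,
    // a bare "..", and names that merely share a prefix with destDir, none of which
    // a getName().contains("../") check alone would cover.
    static void extractSafe(Path destDir, InputStream zipStream) throws IOException {
        Path root = destDir.toRealPath();          // destDir must already exist
        try (ZipInputStream zis = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = root.resolve(entry.getName()).normalize();
                if (!target.startsWith(root) || target.equals(root)) {
                    throw new ZipException("zip entry escapes destination: " + entry.getName());
                }
                writeEntry(zis, entry, target);
            }
        }
    }

    private static void writeEntry(ZipInputStream zis, ZipEntry entry, Path target) throws IOException {
        if (entry.isDirectory()) {
            Files.createDirectories(target);
            return;
        }
        Files.createDirectories(target.getParent());
        try (OutputStream os = Files.newOutputStream(target)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = zis.read(buf)) > 0) os.write(buf, 0, n);
        }
    }

    // Constructed test archive: one benign entry and one path-traversal entry.
    static byte[] buildTestZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("assets/config.json"));
            zos.write("{\"ok\":true}".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../escaped.txt"));   // lands one level above destDir
            zos.write("traversal".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] zip = buildTestZip();
        Path base = Files.createTempDirectory("zipslip");
        Path dest = Files.createDirectories(base.resolve("extract"));

        try {
            extractSafe(dest, new ByteArrayInputStream(zip));
            System.out.println("unexpected: hardened extractor accepted the archive");
        } catch (ZipException e) {
            System.out.println("hardened extractor rejected: " + e.getMessage());
        }
        System.out.println("escaped file present after hardened extraction? "
                + Files.exists(base.resolve("escaped.txt")));

        extractUnsafe(dest, new ByteArrayInputStream(zip));
        System.out.println("escaped file present after vulnerable extraction? "
                + Files.exists(base.resolve("escaped.txt")));
    }
}
```

`java.nio.file` is available on Android from API 26; on older targets the equivalent check is `new File(destDir, name).getCanonicalPath()` starting with `destDir.getCanonicalPath() + File.separator`. The containment check is the fix for the overwrite itself; the reason it escalates to code execution in the post is that the app loads native libraries from a location it also writes to, so a second mitigation is to load `.so` files only from the APK's own native library directory and never from app-writable or external storage.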