mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-21 10:33:36 +00:00
111 lines
7.3 KiB
Markdown
111 lines
7.3 KiB
Markdown
|
# Exploiting a debuggeable application
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
# **Bypassing root and debuggeable checks**
|
|||
|
|
|||
|
This section of the post is a summary from the post [**https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0**](https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0)
|
|||
|
|
|||
|
## Steps to Make an Android App Debuggable and Bypass Checks
|
|||
|
|
|||
|
### **Making the App Debuggable**
|
|||
|
|
|||
|
Content based on https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0
|
|||
|
|
|||
|
1. **Decompile the APK:**
|
|||
|
- Utilize the APK-GUI tool for decompiling the APK.
|
|||
|
- In the _android-manifest_ file, insert `android:debuggable=true` to enable debugging mode.
|
|||
|
- Recompile, sign, and zipalign the modified application.
|
|||
|
|
|||
|
2. **Install the Modified Application:**
|
|||
|
- Use the command: `adb install <application_name>`.
|
|||
|
|
|||
|
3. **Retrieve the Package Name:**
|
|||
|
- Execute `adb shell pm list packages –3` to list third-party applications and find the package name.
|
|||
|
|
|||
|
4. **Set the App to Await Debugger Connection:**
|
|||
|
- Command: `adb shell am setup-debug-app –w <package_name>`.
|
|||
|
- **Note:** This command must be run each time before starting the application to ensure it waits for the debugger.
|
|||
|
- For persistence, use `adb shell am setup-debug-app –w -–persistent <package_name>`.
|
|||
|
- To remove all flags, use `adb shell am clear-debug-app <package_name>`.
|
|||
|
|
|||
|
5. **Prepare for Debugging in Android Studio:**
|
|||
|
- Navigate in Android Studio to _File -> Open Profile or APK_.
|
|||
|
- Open the recompiled APK.
|
|||
|
|
|||
|
6. **Set Breakpoints in Key Java Files:**
|
|||
|
- Place breakpoints in `MainActivity.java` (specifically in the `onCreate` method), `b.java`, and `ContextWrapper.java`.
|
|||
|
|
|||
|
### **Bypassing Checks**
|
|||
|
|
|||
|
The application, at certain points, will verify if it is debuggable and will also check for binaries indicating a rooted device. The debugger can be used to modify app info, unset the debuggable bit, and alter the names of searched binaries to bypass these checks.
|
|||
|
|
|||
|
For the debuggable check:
|
|||
|
|
|||
|
1. **Modify Flag Settings:**
|
|||
|
- In the debugger console's variable section, navigate to: `this mLoadedAPK -> mApplicationInfo -> flags = 814267974`.
|
|||
|
- **Note:** The binary representation of `flags = 814267974` is `11000011100111011110`, indicating that the "Flag_debuggable" is active.
|
|||
|
|
|||
|
![https://miro.medium.com/v2/resize:fit:1400/1*-ckiSbWGSoc1beuxxpKbow.png](https://miro.medium.com/v2/resize:fit:1400/1*-ckiSbWGSoc1beuxxpKbow.png)
|
|||
|
|
|||
|
These steps collectively ensure that the application can be debugged and that certain security checks can be bypassed using the debugger, facilitating a more in-depth analysis or modification of the application's behavior.
|
|||
|
|
|||
|
Step 2 involves changing a flag value to 814267972, which is represented in binary as 110000101101000000100010100.
|
|||
|
|
|||
|
# **Exploiting a Vulnerability**
|
|||
|
|
|||
|
A demonstration was provided using a vulnerable application containing a button and a textview. Initially, the application displays "Crack Me". The aim is to alter the message from "Try Again" to "Hacked" at runtime, without modifying the source code.
|
|||
|
|
|||
|
## **Checking for Vulnerability**
|
|||
|
- The application was decompiled using `apktool` to access the `AndroidManifest.xml` file.
|
|||
|
- The presence of `android_debuggable="true"` in the AndroidManifest.xml indicates the application is debuggable and susceptible to exploitation.
|
|||
|
- It's worth noting that `apktool` is employed solely to check the debuggable status without altering any code.
|
|||
|
|
|||
|
## **Preparing the Setup**
|
|||
|
- The process involved initiating an emulator, installing the vulnerable application, and using `adb jdwp` to identify Dalvik VM ports that are listening.
|
|||
|
- The JDWP (Java Debug Wire Protocol) allows debugging of an application running in a VM by exposing a unique port.
|
|||
|
- Port forwarding was necessary for remote debugging, followed by attaching JDB to the target application.
|
|||
|
|
|||
|
## **Injecting Code at Runtime**
|
|||
|
- The exploitation was carried out by setting breakpoints and controlling the application flow.
|
|||
|
- Commands like `classes` and `methods <class_name>` were used to uncover the application’s structure.
|
|||
|
- A breakpoint was set at the `onClick` method, and its execution was controlled.
|
|||
|
- The `locals`, `next`, and `set` commands were utilized to inspect and modify local variables, particularly changing the "Try Again" message to "Hacked".
|
|||
|
- The modified code was executed using the `run` command, successfully altering the application’s output in real-time.
|
|||
|
|
|||
|
This example demonstrated how the behavior of a debuggable application can be manipulated, highlighting the potential for more complex exploits like gaining shell access on the device in the application's context.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
## References
|
|||
|
* [https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0](https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0)
|
|||
|
* [https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications](https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications)
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|