
Trace advanced example not working. #9

@Neolex-Security


Hello,
I'm trying to use this template, which I built from the Trace advanced example, to identify a controllable URI from an intent that is passed to a WebView.

{
    "METADATA": {
        "NAME": "Uri from intent to webview"
    },    
    "MANIFESTPARAMS": {
        "BASEPATH": "manifest->application->activity OR manifest->application->activity-alias",
        "SEARCHPATH": {
            "intent-filter": {
                "action": {
                    "LOOKFOR": {
                        "TAGVALUEMATCH": "<NAMESPACE>:name=android.intent.action.VIEW"
                    }
                },
                "category": {
                    "LOOKFOR": {
                        "TAGVALUEMATCH": "<NAMESPACE>:name=android.intent.category.BROWSABLE"
                    }
                },
                "data": {
                    "RETURN": ["<NAMESPACE>:host AS @host", "<NAMESPACE>:scheme AS @scheme"]
                }                
            }
        },
        "RETURN": ["<smali>:<NAMESPACE>:name AS @activity_name"]
    },
    "CODEPARAMS": {
        "TRACE": {
            "TRACETYPE": "ADVANCED",
            "TRACEFROM": "ARGTO <method>:Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V ARGINDEX 1",
            "TRACELENGTHMAX":10,
            "TRACETO": "RESULTOF Landroid/content/Intent;->getData()Landroid/net/Uri;",
            "RETURN": "<tracepath> AS @tracepath_browsablejsbridge"
        }
    },
    "GRAPH": "@tracepath_browsablejsbridge WITH <method>:<desc>:<class> AS attribute=nodename"
}

The smali code of the class I'm trying to detect is:

# Activity under analysis: it loads a URI taken directly from the launching
# Intent into a WebView that also exposes a Java object to page JavaScript.
.class public Lcom/vuln/jandroid/VulnActivity;
.super Landroid/app/Activity;
.source "VulnActivity.java"


# direct methods
# Default constructor: only chains to Activity.<init>().
.method public constructor <init>()V
    .locals 0

    .line 11
    invoke-direct {p0}, Landroid/app/Activity;-><init>()V

    return-void
.end method


# virtual methods
# onCreate(Bundle): p0 = this, p1 = the Bundle parameter.
# Creates a WebView, registers a JavaScript bridge object on it, then calls
# loadUrl() with the string form of getIntent().getData().
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 2

    .line 17
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    # p1 is reused as a scratch register from here on: the Bundle parameter is
    # not read again after the super call. 0x7f0b001d is an int resource id
    # handed to setContentView(I)V.
    const p1, 0x7f0b001d

    .line 18
    invoke-virtual {p0, p1}, Lcom/vuln/jandroid/VulnActivity;->setContentView(I)V

    .line 19
    # p1 now holds the new WebView; `this` is passed as its Context.
    new-instance p1, Landroid/webkit/WebView;

    invoke-direct {p1, p0}, Landroid/webkit/WebView;-><init>(Landroid/content/Context;)V

    .line 20
    # v0 = new BridgeJS(), registered on the WebView under the JavaScript name
    # "injectedObject". Whatever BridgeJS exposes is reachable from any page
    # this WebView loads, so the URL chosen below decides who gets that access.
    new-instance v0, Lcom/vuln/jandroid/BridgeJS;

    invoke-direct {v0}, Lcom/vuln/jandroid/BridgeJS;-><init>()V

    const-string v1, "injectedObject"

    invoke-virtual {p1, v0, v1}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V

    .line 21
    invoke-virtual {p0, p1}, Lcom/vuln/jandroid/VulnActivity;->setContentView(Landroid/view/View;)V

    .line 22
    # Source of the traced value: the Intent that started this Activity.
    invoke-virtual {p0}, Lcom/vuln/jandroid/VulnActivity;->getIntent()Landroid/content/Intent;

    move-result-object v0

    .line 23
    # v0 = getIntent().getData(), i.e. the Uri named by the template's TRACETO.
    invoke-virtual {v0}, Landroid/content/Intent;->getData()Landroid/net/Uri;

    move-result-object v0

    # Uri -> String through String.valueOf(Object). v0 is overwritten in place
    # (no copy of the Uri is kept), so a trace from loadUrl() back to getData()
    # has to pass through this call.
    invoke-static {v0}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object v0

    .line 24
    # Sink: there is no scheme/host check between getData() and loadUrl(), so
    # whatever URI the caller placed in the Intent is loaded as-is.
    invoke-virtual {p1, v0}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V

    return-void
.end method

I also tried with the `Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;` string instead, but that doesn't work either.

I attached the debug output of Jandroid and the APK in a zip file:

attachments.zip

Do you have an idea of where the problem is?
