Trace advanced example not working.
Neolex-Security opened this issue
Neolex commented
Hello,
I'm trying to use this template, which I built from the trace advanced example, to identify a controllable URI from an intent that is passed to a WebView.
```json
{
  "METADATA": {
    "NAME": "Uri from intent to webview"
  },
  "MANIFESTPARAMS": {
    "BASEPATH": "manifest->application->activity OR manifest->application->activity-alias",
    "SEARCHPATH": {
      "intent-filter": {
        "action": {
          "LOOKFOR": {
            "TAGVALUEMATCH": "<NAMESPACE>:name=android.intent.action.VIEW"
          }
        },
        "category": {
          "LOOKFOR": {
            "TAGVALUEMATCH": "<NAMESPACE>:name=android.intent.category.BROWSABLE"
          }
        },
        "data": {
          "RETURN": ["<NAMESPACE>:host AS @host", "<NAMESPACE>:scheme AS @scheme"]
        }
      }
    },
    "RETURN": ["<smali>:<NAMESPACE>:name AS @activity_name"]
  },
  "CODEPARAMS": {
    "TRACE": {
      "TRACETYPE": "ADVANCED",
      "TRACEFROM": "ARGTO <method>:Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V ARGINDEX 1",
      "TRACELENGTHMAX": 10,
      "TRACETO": "RESULTOF Landroid/content/Intent;->getData()Landroid/net/Uri;",
      "RETURN": "<tracepath> AS @tracepath_browsablejsbridge"
    }
  },
  "GRAPH": "@tracepath_browsablejsbridge WITH <method>:<desc>:<class> AS attribute=nodename"
}
```
The smali code of the class I'm trying to detect is:
```smali
.class public Lcom/vuln/jandroid/VulnActivity;
.super Landroid/app/Activity;
.source "VulnActivity.java"

# direct methods
.method public constructor <init>()V
    .locals 0

    .line 11
    invoke-direct {p0}, Landroid/app/Activity;-><init>()V

    return-void
.end method

# virtual methods
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 2

    .line 17
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    const p1, 0x7f0b001d

    .line 18
    invoke-virtual {p0, p1}, Lcom/vuln/jandroid/VulnActivity;->setContentView(I)V

    .line 19
    new-instance p1, Landroid/webkit/WebView;

    invoke-direct {p1, p0}, Landroid/webkit/WebView;-><init>(Landroid/content/Context;)V

    .line 20
    new-instance v0, Lcom/vuln/jandroid/BridgeJS;

    invoke-direct {v0}, Lcom/vuln/jandroid/BridgeJS;-><init>()V

    const-string v1, "injectedObject"

    invoke-virtual {p1, v0, v1}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V

    .line 21
    invoke-virtual {p0, p1}, Lcom/vuln/jandroid/VulnActivity;->setContentView(Landroid/view/View;)V

    .line 22
    invoke-virtual {p0}, Lcom/vuln/jandroid/VulnActivity;->getIntent()Landroid/content/Intent;

    move-result-object v0

    .line 23
    invoke-virtual {v0}, Landroid/content/Intent;->getData()Landroid/net/Uri;

    move-result-object v0

    invoke-static {v0}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object v0

    .line 24
    invoke-virtual {p1, v0}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V

    return-void
.end method
```
I also tried with the `Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;` string, but it's not working either.
I attached the debug output of Jandroid and the APK in a zip file:
Do you have an idea of where the problem is?
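As an added example (not part of this issue and not Jandroid's own code), a small straight-line taint check in Python over the smali flow above: it follows registers from `Intent.getData()` through `String.valueOf()` and `move-result` into the URL argument of `WebView.loadUrl()`, which is the path the template's TRACETO/TRACEFROM pair is meant to find. The smali strings are constructed excerpts of the issue's `onCreate()`; `SOURCE`, `SINK` and `SINK_ARG` are assumed names mirroring the template, and branches and `/range` invokes are not modelled.

```python
import re

# Constructed excerpt of the onCreate() body from the smali in this issue (trimmed to the flow).
VULN_SMALI = """
    invoke-virtual {p0}, Lcom/vuln/jandroid/VulnActivity;->getIntent()Landroid/content/Intent;
    move-result-object v0
    invoke-virtual {v0}, Landroid/content/Intent;->getData()Landroid/net/Uri;
    move-result-object v0
    invoke-static {v0}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;
    move-result-object v0
    invoke-virtual {p1, v0}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V
"""
# Constructed safe variant: the URL register is overwritten by a constant before the sink.
SAFE_SMALI = VULN_SMALI.replace(
    "    invoke-virtual {p1, v0}, Landroid/webkit/WebView;->loadUrl",
    '    const-string v0, "https://example.invalid/"\n    invoke-virtual {p1, v0}, Landroid/webkit/WebView;->loadUrl')

SOURCE = "Landroid/content/Intent;->getData()Landroid/net/Uri;"        # assumed, mirrors TRACETO
SINK = "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V"        # assumed, mirrors TRACEFROM
SINK_ARG = 1  # position in the register list (0 is the WebView receiver, 1 is the URL)

INVOKE = re.compile(r"^\s*invoke-\w+(?:/range)?\s+\{([^}]*)\},\s*(\S+)")
MOVE_RESULT = re.compile(r"^\s*move-result(?:-object|-wide)?\s+(\S+)")
MOVE = re.compile(r"^\s*move(?:-object|-wide)?(?:/from16|/16)?\s+(\S+),\s*(\S+)")
CONST = re.compile(r"^\s*const(?:-string(?:/jumbo)?|-class|/4|/16|/high16|-wide\S*)?\s+(\S+),")

def find_intent_to_loadurl(smali: str) -> list:
    """Return (line, register) pairs where a register derived from Intent.getData()
    reaches the URL argument of WebView.loadUrl() in straight-line code.
    Lines are numbered from the first non-blank line; branches are not modelled."""
    tainted, pending, findings = set(), False, []
    for lineno, line in enumerate(smali.strip().splitlines(), 1):
        if m := INVOKE.match(line):
            regs = [r.strip() for r in m.group(1).split(",") if r.strip()]
            target = m.group(2)
            if target == SINK and len(regs) > SINK_ARG and regs[SINK_ARG] in tainted:
                findings.append((lineno, regs[SINK_ARG]))
            # the call's result is tainted if it is the source or consumes a tainted register
            pending = target == SOURCE or any(r in tainted for r in regs)
            continue
        if m := MOVE_RESULT.match(line):
            (tainted.add if pending else tainted.discard)(m.group(1))
        elif m := MOVE.match(line):
            dst, src = m.groups()
            (tainted.add if src in tainted else tainted.discard)(dst)
        elif m := CONST.match(line):
            tainted.discard(m.group(1))  # constant overwrite kills taint
        pending = False
    return findings
```

Running it on the vulnerable excerpt reports the `loadUrl` line with register `v0`; the safe variant reports nothing because the constant overwrite clears the taint.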