WithSecureLabs / Jandroid


Trace advanced example not working.

Neolex-Security opened this issue · comments

Hello,
I'm trying to use the following template, which I built from the advanced-trace example, to identify a controllable URI that is passed from an Intent to a WebView.

{
    "METADATA": {
        "NAME": "Uri from intent to webview"
    },    
    "MANIFESTPARAMS": {
        "BASEPATH": "manifest->application->activity OR manifest->application->activity-alias",
        "SEARCHPATH": {
            "intent-filter": {
                "action": {
                    "LOOKFOR": {
                        "TAGVALUEMATCH": "<NAMESPACE>:name=android.intent.action.VIEW"
                    }
                },
                "category": {
                    "LOOKFOR": {
                        "TAGVALUEMATCH": "<NAMESPACE>:name=android.intent.category.BROWSABLE"
                    }
                },
                "data": {
                    "RETURN": ["<NAMESPACE>:host AS @host", "<NAMESPACE>:scheme AS @scheme"]
                }                
            }
        },
        "RETURN": ["<smali>:<NAMESPACE>:name AS @activity_name"]
    },
    "CODEPARAMS": {
        "TRACE": {
            "TRACETYPE": "ADVANCED",
            "TRACEFROM": "ARGTO <method>:Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V ARGINDEX 1",
            "TRACELENGTHMAX":10,
            "TRACETO": "RESULTOF Landroid/content/Intent;->getData()Landroid/net/Uri;",
            "RETURN": "<tracepath> AS @tracepath_browsablejsbridge"
        }
    },
    "GRAPH": "@tracepath_browsablejsbridge WITH <method>:<desc>:<class> AS attribute=nodename"
}

The smali code of the class I'm trying to detect is:

# Activity subclass; its onCreate() below builds a WebView with a JavaScript
# interface attached and loads the launching Intent's data URI into it.
.class public Lcom/vuln/jandroid/VulnActivity;
.super Landroid/app/Activity;
.source "VulnActivity.java"


# direct methods
# Default constructor: only chains to Activity.<init>(), no fields are initialised here.
.method public constructor <init>()V
    .locals 0

    .line 11
    invoke-direct {p0}, Landroid/app/Activity;-><init>()V

    return-void
.end method


# virtual methods
# Builds the UI: sets a layout, then replaces it with a WebView that
# (1) exposes a BridgeJS instance to page JavaScript as "injectedObject" and
# (2) loads whatever URI arrived in the launching Intent's data field.
# getData() and loadUrl() are the TRACETO / TRACEFROM pair of the template above.
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 2
    # Non-static method: p0 = this, p1 = the Bundle argument; v0 and v1 are the two locals.

    .line 17
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    # p1 is reused as a scratch register from here on; the Bundle is not read again.
    const p1, 0x7f0b001d

    .line 18
    # setContentView(int) with the resource id loaded into p1 above.
    invoke-virtual {p0, p1}, Lcom/vuln/jandroid/VulnActivity;->setContentView(I)V

    .line 19
    # p1 = new WebView(this)
    new-instance p1, Landroid/webkit/WebView;

    invoke-direct {p1, p0}, Landroid/webkit/WebView;-><init>(Landroid/content/Context;)V

    .line 20
    # v0 = new BridgeJS(); v1 = "injectedObject"
    new-instance v0, Lcom/vuln/jandroid/BridgeJS;

    invoke-direct {v0}, Lcom/vuln/jandroid/BridgeJS;-><init>()V

    const-string v1, "injectedObject"

    # webView.addJavascriptInterface(bridge, "injectedObject"): BridgeJS becomes
    # reachable from any JavaScript that runs in this WebView.
    invoke-virtual {p1, v0, v1}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V

    .line 21
    # setContentView(View) overload: the WebView replaces the layout set above.
    invoke-virtual {p0, p1}, Lcom/vuln/jandroid/VulnActivity;->setContentView(Landroid/view/View;)V

    .line 22
    # v0 = getIntent(), the Intent that started this Activity.
    invoke-virtual {p0}, Lcom/vuln/jandroid/VulnActivity;->getIntent()Landroid/content/Intent;

    move-result-object v0

    .line 23
    # v0 = intent.getData(): the template's TRACETO target.
    invoke-virtual {v0}, Landroid/content/Intent;->getData()Landroid/net/Uri;

    move-result-object v0

    # v0 = String.valueOf(v0). This static call is an extra hop on the data-flow
    # path between getData() and loadUrl(); NOTE(review): presumably the trace has to
    # step through it rather than match getData() directly -- worth confirming.
    invoke-static {v0}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object v0

    .line 24
    # webView.loadUrl(v0): the template's TRACEFROM sink. The URL string comes
    # straight from the Intent data; nothing in this method validates it.
    invoke-virtual {p1, v0}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V

    return-void
.end method

I also tried with the `Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;` string, but that does not work either.

I have attached Jandroid's debug output and the APK in a zip file:

attachments.zip

Do you have any idea where the problem is?