MMS Spoofing in Android Oreo!

Disclaimer

This research was done for educational purposes only. The author is not responsible for your actions. Using any of this content or these scripts for illegal social engineering, spamming or any other malicious purpose is prohibited.

Let’s go!

This is a fun project I worked on in 2016. By adding an additional “/” character to the MMS sender address, I was able to spoof the sender on both Android and Windows Phone. I haven’t yet verified whether the latest Windows Phones still have this bug, since that is not very interesting. The latest Android, Oreo 8.1.0, is still vulnerable to MMS spoofing, and this bug has existed for at least two years.

To find out where the bug occurs, we need to check the mmssms database and several other things, since this is happening on both platforms. I reported it to the Android Security Team; they looked into it and their response was that this is an app-specific error rather than a bug in the Android platform.

The situation is quite complicated and needs more investigation to figure out. But it’s not a problem to have fun with this 😉. If you have any updates regarding this, please hit me up (akiladananjaya79@gmail.com); I would love to hear from you.

Note that this is not a bug in the local Internet Service Provider, because we (@OsandaMalith) checked with different platforms such as iPhone, and they handled the additional character gracefully.

Steps to reproduce

I have published a script to reproduce this on GitHub. Then you need to check whether any MMS gateways are available to deliver the MMS to the mobile. To send the MMS using an email service I decided to go with FastMail, after checking their email structure against the RFC documents, because the service has to accept the “/” character.

Have Fun ^-^

Portable GUI for manage-bde.exe

While I was working I couldn’t find any built-in all-in-one place to do things with BitLocker other than the panel at

 Control Panel\All Control Panel Items\BitLocker Drive Encryption

With a little bit of googling I saw there is a CLI to do this, located at %windir%/system32/manage-bde.exe

I created a very simple GUI for manage-bde functions. It is currently in beta and supports re-locking, unlocking, decrypting and upgrading BitLocker drives. In upcoming releases I hope to add several more features, such as encrypt and backup, and continue it as an all-in-one place to work with Windows BitLocker.

Github repository

Download

Cool PYC – ByteCode Crackme Challenge

Hello again, after a long time! Today I’m going to share with you a Compiled Python File (.pyc) crackme which is available on root-me.org. This is my first experience reversing pyc files, because we rarely talk about them in this area.

Here is the challenge : https://www.root-me.org/en/Challenges/Cracking/PYC-ByteCode

It asks you to retrieve the password to validate this challenge.

Let’s run ch19.pyc (you have to install Python 3.1 if you don’t have it)

Okay, fine. Now show us your insides, ch19! 😀

ord() converts a character to its integer code point; chr() converts an integer back to the corresponding character.

There is an encrypted list named SOLUCE. This list was generated by converting a string (the flag) to integer values. Can we convert these values back to a string? Not directly, because they used the XOR operator when generating the integers.

So I wrote a simple decryption script which brute-forces each integer in the SOLUCE list and finds which ASCII character it is.
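As an added example (not the solution script linked below), here is that per-integer brute force written against a constructed SOLUCE list, since the real list and key are only visible in the screenshots; it also generalises to the case where only the integer list is known and the XOR key is a single unknown byte.

```python
import string

# Constructed stand-in for the crackme's data (assumption: the real ch19.pyc
# uses a different key and list). Each flag character was XOR-ed with a key
# byte before being stored as an integer in SOLUCE.
KEY = 0x2A                              # constructed sample key
FLAG = "I hate ruby"                    # constructed sample flag
SOLUCE = [ord(c) ^ KEY for c in FLAG]   # the list the decompiled bytecode exposes


def check_char(i: int, ch: str) -> bool:
    """The per-position comparison the crackme performs, reconstructed from
    the decompiled bytecode (here against the constructed SOLUCE)."""
    return (ord(ch) ^ KEY) == SOLUCE[i]


def brute_force_positions(check, length, alphabet=string.printable):
    """Recover the flag one integer at a time: for each index, try every
    printable character until the crackme's own check accepts it. This is
    the write-up's approach; the key itself never has to be known as long
    as the extracted check can be called."""
    flag = []
    for i in range(length):
        hits = [c for c in alphabet if check(i, c)]
        if len(hits) != 1:
            raise ValueError(f"index {i}: {len(hits)} candidates, expected 1")
        flag.append(hits[0])
    return "".join(flag)


def brute_force_single_byte_key(values, alphabet=string.printable):
    """Generalisation: when only the integer list is available and the key is
    an unknown single byte, try all 256 keys and keep those whose output is
    entirely printable. Returns {key: candidate_flag}; several keys usually
    survive, so the caller still has to pick the readable one."""
    candidates = {}
    for k in range(256):
        text = "".join(chr(v ^ k) for v in values)
        if all(c in alphabet for c in text):
            candidates[k] = text
    return candidates


if __name__ == "__main__":
    print(brute_force_positions(check_char, len(SOLUCE)))
    print(brute_force_single_byte_key(SOLUCE).get(KEY))
```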

Full Code : https://github.com/I2NhbmloZWxweW91/pyc-bytecode-crackme-challenge/blob/master/ch19_solution.py

Let’s execute 😉

He hates RUBY then! 😀 😀

Another cool thing happened when I submitted the flag to the challenge. Look at the one below.

What!! I just solved your crackme by brute-forcing; are you actually telling me that I’m stupid right now?!

Frustrating moment… Did I miss something?

Tried once again and it worked!

The site just advised me not to brute-force the site itself when finding the password. It detected that as if I had, because I sent wrong passwords two times.

❤❤

SARASAVI English – Sinhala Dictionary Authentication Bypass

Several years ago (when I was in grade 7, I guess) my parents gifted this dictionary to someone. It’s still available here! It is a regular book + CD bundle. I kept a copy of that CD for myself. But after that, oops.. it required a password which is randomly generated from their database to prevent using copies of the original CD. So I couldn’t do anything. Yesterday I met it again when packing my stuff because of the flood. So let’s see what’s inside.

As you can see, we can’t use the digital dictionary without the real book. But fortunately they used Java, so we can try to decompile the jar file. Jar files (bytecode) contain a lot of information about the real source code, such as the original class, method, function and variable names. Unlike PE files, we can decompile jar files and generate code very similar to the source.

So I decompiled the main jar file. The picture above is a screenshot of the LoginScreen.class file. There is a nice little OR operator on line 80. Those developers used a special string, instead of the randomly generated word, to access the main screen. It’s for debugging purposes or just for fun. As you can see, “sandaObaMage” is the little secret. “Sanda” should be the crush of the developer :0 Anyway, we got access to the dictionary.

Honestly I don’t know what this is. There is something called “Phonetic Alphabet”. Probably I must install the required fonts for a proper view. If you are interested, you can recompile that jar file after removing those IF statements.

Of course it’s possible to prevent this kind of simple reversing by obfuscating the bytecode. There are several free tools like ProGuard and Launch4j. I think Launch4j is the best option because ProGuard doesn’t work well with libraries and, in my experience, it doubles the file size. You can obfuscate the code, convert it to an exe and bundle the JRE using Launch4j. So it’s handy, I think.

If you convert the jar to an exe without obfuscating it, it doesn’t make any sense, because anyone can extract the class files using a zip tool. Hope you enjoyed 🙂

Have fun with stored cross site scripting

Actually we can do lots of different things with XSS, though we always just pop up a message! Anyway, that’s enough for a proof of concept rather than doing more in practice.

Here, I’m going to show you how to exploit a cross-site scripting vulnerability successfully using another social networking service. Finally, if someone views my profile, he will automatically become my follower.

I noticed that line 154 is vulnerable after a common XSS test. There wasn’t any filter on this input, because the web application guides you to use previously defined locations. But we can use JavaScript too 🙂

When we actually click on the TRACK button, the web application handles our action through the trackButtonsearch1 id. So I can use the JS click() event to click on it. But before that, I would like to know more about how the web app really handles these things. I saw there is a cool external JS file called ‘all.js’.

I opened it and pasted all the code into http://jsbeautifier.org to prepare it for reading! Then I got something interesting. See, they handle TRACK/UNTRACK actions using jQuery.

And there were several more functions for handling various kinds of actions. Actually, reading these files is not required to launch the attack, but it’s a better feeling! 😉

So this was my payload.


window.onload = function (){document.getElementById(''trackButtonsearch1'').click()}

(within script tags)
I had to wrap the element id in doubled ‘ quotes because the web app ignored a single ‘ mark. There are several more ways to click on a button in JS. Perhaps I would have used jQuery, but I didn’t because the developers hadn’t used the original min.js file.

Hope you find something interesting in stored XSS.