MMS Spoofing in Android Oreo!

Disclaimer

The research was done for educational purposes only. The author is not responsible for your actions. Any content or script here is prohibited from being used for illegal social engineering, spamming or any other malicious purposes.

Let’s go!

This is a fun project that I have been working on since 2016. By adding an additional “/” character to the MMS sender address, I was able to spoof the sender on both Android and Windows Phones. I haven’t verified yet whether the latest Windows Phones still have this bug, hence it is not too interesting. On Android, the latest Oreo 8.1.0 is still vulnerable to MMS spoofing! And this bug has existed for at least two years.

To verify where the bug is occurring, we need to check the mmssms database and several other things, since this is happening on both platforms. I reported it to the Android Security Team; they researched it, and their response was that this is an app-specific error rather than an Android platform bug.

The situation is quite complicated and needs more investigation to figure it out. But it’s not a problem to have fun with this 😉. If you guys have any updates regarding this, please hit me up (akiladananjaya79@gmail.com); I would love to hear them.

Note that this is not a bug in the local Internet Service Provider, because we (@OsandaMalith) checked with different platforms such as iPhone, and they gently handled the additional character.

Steps to reproduce

I have published a script to reproduce this on GitHub. Then you need to check whether there are any MMS gateways available to deliver the MMS to the mobile. To send the MMS using an email service I decided to go for FastMail, after checking their email address structure against the RFC documents, because the service should accept the “/” character.

Have Fun ^-^

SARASAVI English – Sinhala Dictionary Authentication Bypass

Several years ago (when I was in grade 7, I guess) my parents gifted this dictionary to someone. It’s still available here! It comes as a regular book + CD bundle. I kept a copy of that CD to use myself. But after that, oops.. it required a password which is randomly generated from their database to prevent the use of copies of the original CD. So I couldn’t do anything. Yesterday I met it again when packing my stuff because of the flood. So let’s see what’s inside.

As you can see, we can’t use the digital dictionary without the real book. But luckily they had used Java, so we can try to decompile the jar file. Actually jar files (bytecode) contain a lot of information about the real source code, such as the original class, method, function and variable names. We can decompile jar files and generate code very similar to the source code, unlike PE files.

So I decompiled the main jar file. The picture above is a screenshot of the LoginScreen.class file. As you can see, there is a nice little OR operator on line 80. The developers had used a special string, instead of the randomly generated word, to access the main screen. It’s for debugging purposes or just for fun. As you can see, “sandaObaMage” is the little secret. “Sanda” should be the crush of the developer :0 Anyway, we got access to the dictionary.
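As an added example (not the dictionary's code or the decompiler used in the post), a small Python constant-pool walker shows why a class file gives so much away even before decompiling: string literals such as the bypass password and the class and method names sit in clear in the constant pool. The class-file layout is the standard one from the JVM specification; SAMPLE_CLASS is constructed here to mimic a LoginScreen.class.

```python
"""Walk a Java class file's constant pool (JVM spec section 4.4) and list the
literal strings and symbol names that survive compilation (added example)."""
import struct

# Payload size (bytes after the tag) of each fixed-size constant-pool entry;
# tag 1 (Utf8) is variable-length and handled separately.
FIXED_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_constant_pool(data: bytes) -> dict:
    """Return {index: (tag, payload)} for every constant-pool entry."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]   # number of entries + 1
    pos, idx, pool = 10, 1, {}
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            length = struct.unpack_from(">H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + length]
            pool[idx] = (tag, raw.decode("utf-8", errors="replace"))
            pos += 2 + length
        else:
            size = FIXED_SIZES[tag]
            pool[idx] = (tag, data[pos:pos + size])
            pos += size
        idx += 2 if tag in (5, 6) else 1   # Long/Double occupy two slots
    return pool

def string_literals(data: bytes) -> list:
    """Strings the code compares against or prints (CONSTANT_String -> Utf8);
    a debug password like the one behind the OR on line 80 lands here."""
    pool = parse_constant_pool(data)
    return [pool[struct.unpack(">H", p)[0]][1]
            for tag, p in pool.values() if tag == 8]

def utf8_entries(data: bytes) -> list:
    """Every Utf8 entry: class, method and field names plus descriptors."""
    return [v for tag, v in parse_constant_pool(data).values() if tag == 1]

def _utf8(s: str) -> bytes:
    return b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()

# Constructed sample: magic, version 52 (Java 8), pool count 7 = 6 entries + 1.
SAMPLE_CLASS = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 7)
                + _utf8("LoginScreen") + b"\x07\x00\x01"     # #1 Utf8, #2 Class
                + _utf8("sandaObaMage") + b"\x08\x00\x03"    # #3 Utf8, #4 String
                + _utf8("checkPassword") + _utf8("equals"))  # #5, #6 method names
```

Running `string_literals` over the classes in a real jar (a jar is just a zip) gives the same list a `strings`-style pass would, but without the noise, which is why a hard-coded debug password is the first thing a reviewer should look for before shipping.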

Really, I don’t know what the hell this is. There is something called “Phonetic Alphabet”. Probably I must install the required fonts for a good view. If you are interested, you can recompile that jar file after removing those IF statements.

Of course it’s possible to avoid these kinds of simple reversing by obfuscating the bytecode. There are several free tools like ProGuard and launch4j. I think launch4j is the best option because ProGuard doesn’t work well with libraries and, in my experience, it doubles the file size. You can obfuscate the code, convert it to an exe and bundle the JRE using launch4j. So it’s handy, I think.

If you convert the jar to an exe without obfuscating it, it doesn’t make any sense, because anyone can extract the class files using a zip tool. Hope you enjoyed 🙂

Serial port handler using Python | pyAT.py

Welcome back to my crazy experiments! This will be a slightly long tutorial because I try to explain a few basic things first.

Background

By connecting a smartwatch to a phone we can see messages, the phone book, the music library and a few more things on the phone. But generally we use Bluetooth only for file transfer. So I decided to create a piece of software (like the one in a smartwatch) to unleash the power of Bluetooth connectivity.

Do you ever wonder why various kinds of Bluetooth devices behave in their own way? For instance, when you connect a BT hands-free to a smartphone your phone shows a headphone symbol, but not when you connect another smartphone. Bluetooth is a pretty interesting topic to learn.

Bluetooth uses several kinds of ‘profiles’ to communicate between devices. Different kinds of devices support different kinds of profiles, so these capabilities also work as identifiers. Visit Wikipedia to learn more. Don’t miss this; it’s fun. 😉

https://en.wikipedia.org/wiki/List_of_Bluetooth_profiles

Python

Python for everything, right? Actually it’s flexible and powerful because there are plenty of useful modules for Python. If you want to access and analyze a website, you just need a few simple Python lines. Want to send e-mail? The same. Serial port handling is directly related to low-level programming. But the beauty of Python modules is that you don’t even feel you are working with hardware.

pyAT.py

pyAT.py is a simple tool to handle your smartphone or smartwatch via a serial port. You can connect your device to the computer via Bluetooth. Open ‘Device Manager’ to see all available COM ports, or go to ‘Devices and Printers’ in the Control Panel and just right-click on the device you need.
