Normalize component names

modules/adb.py

@@ -6,6 +6,7 @@
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.'''
 
 from modules import common,intents,report
+import re
 
 def showAdbCommands(component,compType,packageName):
 	#Print ADB commands for exploitation
@@ -29,27 +30,39 @@ def showAdbCommands(component,compType,packageName):
 							extras_list+=intents.find_extras(str(c[1]),common.sourceDirectory)
 							if len(extras_list)>0:
 								for t in extras_list:
-									command = "adb shell am start -a \"" + c[0] + "\" -n \""+packageName+str(c[1])+"\""+" --es "+str(t)
+									if re.match(r'^\..*',str(c[1])):
+										command = "adb shell am start -a \"" + c[0] + "\" -n \""+packageName+"/"+packageName+str(c[1])+"\""+" --es "+str(t)+" \"EXTRA_VALUE_IN_QUOTES\""
+									else:
+										command = "adb shell am start -a \"" + c[0] + "\" -n \""+packageName+"/"+str(c[1])+"\""+" --es "+str(t)+" \"EXTRA_VALUE_IN_QUOTES\""
 									print command
 									report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, command, None, "activity")
 							else:
-								command = "adb shell am start -a \"" + c[0] + "\" -n \""+packageName+"/"+packageName+str(c[1])+"\""
+								if re.match(r'^\..*',str(c[1])):
+									command = "adb shell am start -a \"" + c[0] + "\" -n \""+packageName+"/"+packageName+str(c[1])+"\""
+								else:
+									command = "adb shell am start -a \"" + c[0] + "\" -n \""+packageName+"/"+str(c[1])+"\""
 								print command
 								report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, command, None, "activity")
 				else:
 					common.logger.debug("No intent filter on:  " + str(component))
 					extras_list=[]
 					extras_list+=intents.find_extras(str(component),common.sourceDirectory)
 					if len(extras_list)>0:
-						command =  "adb shell am start -n \""+packageName+"/"+packageName+component+"\""
+						if re.match(r'^\..*',str(component)):
+							command =  "adb shell am start -n \""+packageName+"/"+packageName+component+"\""
+						else:
+							command =  "adb shell am start -n \""+packageName+"/"+component+"\""
 						print command
 						extras = []
 						for e in extras_list:
 							extras.append("Possible extras to send: " + str(e))
 							print "Possible extras to send: " + str(e)
 						report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, command, extras, "activity")
 					else:
-						command =  "adb shell am start -n \""+packageName+"/"+packageName+component+"\""
+						if re.match(r'^\..*',str(component)):
+							command =  "adb shell am start -n \""+packageName+"/"+packageName+component+"\""
+						else:
+							command =  "adb shell am start -n \""+packageName+"/"+component+"\""
 						print command
 						report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, command, None, "activity")
 	elif str(compType)=='service':
@@ -67,11 +80,17 @@ def showAdbCommands(component,compType,packageName):
 							extras_list+=intents.find_extras(str(c[1]),common.sourceDirectory)
 							if len(extras_list)>0:
 								for t in extras_list:
-									command =  "adb shell am startservice " +packageName+"/"+str(c[1])+" --es "+str(t)
+									if re.match(r'^\..*',str(c[1])):
+										command =  "adb shell am startservice " +packageName+"/"+packageName+str(c[1])+" --es "+str(t)
+									else:
+										command =  "adb shell am startservice " +packageName+"/"+str(c[1])+" --es "+str(t)
 									print command
 									report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, command, None, "service")
 							else:
-								command =  "adb shell am startservice " +packageName+"/"+str(c[1])
+								if re.match(r'^\..*',str(c[1])):
+									command =  "adb shell am startservice " +packageName+"/"+packageName+str(c[1])
+								else:	
+									command =  "adb shell am startservice " +packageName+"/"+str(c[1])
 								print command
 								report.write_adb_commands("adbcommands-issues-list", common.Severity.VULNERABILITY, command, None, "service")
 	elif str(compType)=='receiver':

modules/common.py

@@ -430,8 +430,9 @@ def tree(l):
 
 def normalizeActivityNames(activityList,package_name):
 	for d in range(0,len(activityList)):
-		if not re.match(r''+str(package_name),str(activityList[d])):
+		if re.match(r'\..*',str(activityList[d])):
 			activityList[d]=str(package_name)+str(activityList[d])
+	return activityList
 
 def check_export(tag,output):
 	"""

modules/createExploit.py

@@ -8,7 +8,7 @@
 
 class ExploitType:
     """
-    Enum type for exploitatin category
+    Enum type for exploitation category
     """
     MANIFEST, ACTIVITY, INTENT, PERMISSION, SERVICE, RECEIVER, BROADCAST_INTENT, CERTIFICATE, WEBVIEW, CRYPTO = range(10)
 

modules/findMethods.py

@@ -168,7 +168,7 @@ def find_entry(tree, comp_type):
 		elif comp_type == 'receiver':
 			entry = ['onReceive']
 		elif comp_type == 'service':
-			entry = ['onCreate', 'onBind', 'onStartCommand']
+			entry = ['onCreate', 'onBind', 'onStartCommand', 'onHandleIntent']
 		#TODO - The provider is a unicorn and needs more work
 		elif comp_type == 'provider':
 			entry = ['onReceive']

qark.py

@@ -566,11 +566,11 @@ def reportBadger(identity, objectlist):
 	act_priv_list, act_exp_list, act_exp_perm_list, act_prot_broad_list=[],[],[],[]
 	act_priv_list, act_exp_list, act_exp_perm_list, act_prot_broad_list, report_data, results=common.check_export('activity',True)
 
-	#Normalizing activity names for use in exploit APK to all be fully qualified
-	common.normalizeActivityNames(act_priv_list,package_name)
-	common.normalizeActivityNames(act_exp_list,package_name)
-	common.normalizeActivityNames(act_exp_perm_list,package_name)
-	common.normalizeActivityNames(act_prot_broad_list,package_name)
+	#Normalizing activity names for use in exploit APK, so all will be absolute
+	act_priv_list=common.normalizeActivityNames(act_priv_list,package_name)
+	act_exp_list=common.normalizeActivityNames(act_exp_list,package_name)
+	act_exp_perm_list=common.normalizeActivityNames(act_exp_perm_list,package_name)
+	act_prot_broad_list=common.normalizeActivityNames(act_prot_broad_list,package_name)
 
 	reportBadger("appcomponents", results)
 	common.print_terminal(report_data)
@@ -977,6 +977,8 @@ def reportBadger(identity, objectlist):
 				print str(i)
 				extras_list=[]
 				extras_list+=intents.find_extras(str(i),common.sourceDirectory)
+				if re.match(r'^\..*',str(i)):
+					i=str(package_name)+str(i)
 				exploit.setExportedActivity(str(i))
 				for j in range(0,len(extras_list)):
 					extras_list[j] = extras_list[j].replace('\"','')
@@ -991,7 +993,6 @@ def reportBadger(identity, objectlist):
 		if len(actalias_exp_list)>0:
 			print "ok"
 		if len(serv_exp_list)>0:
-			print "ok"
 			for i in range(0, len(serv_exp_list)):
 				exploit = createExploit.exploitService()
 				exploit.setIntent(filters.find_package() + serv_exp_list[i])