πŸ‘Ύ
General
  • πŸ‘Ύwhomai
  • πŸ”₯Mobile Pentest
    • 😎Android Architecture
    • πŸ₯±Mobile Hacking Lab
      • IOT Connect
      • Strings
      • Guess me
      • Secure notes
      • Post Board
      • Food Store
      • Cycle Scanner
      • Document Viewer
      • Config Editor
  • πŸ˜‡Web Vulnerabilities
    • 😁OS Command Injection
    • 😍Information disclosure
    • πŸ₯°JWT attacks
    • 😎Access Control List
    • 😝CSRF
    • 😚SSRF
    • 😚API9:2023 Improper Inventory Management
  • πŸ‘»Privilege Escalation
    • 😎Linux Privilege Escalation
    • 😒Windows Privilege Escalation
  • HTB Writeups
    • 😚Soccer htb
    • πŸ˜ƒDevil HTB
Powered by GitBook
On this page
  1. Mobile Pentest
  2. Mobile Hacking Lab

Document Viewer

Hello everyone , In this blog post , I will try to explain my solution steps for Document Viewer challenge from Mobile Hacking Lab Platform . i hope it will be useful for you

PreviousCycle ScannerNextConfig Editor

Last updated 3 months ago

  1. install the app and open it

  2. AndroidManifest.xml Examination :

    1. we have a Main Activity Exported and contain an intent filter with action view and have a lot of schema like : file - http - https and the mime type : application/pdf

  3. Let’s analysis the Main activity code :

    1. setLoadButtonListener() : This function sets up the button that lets users load a PDF file.

    2. handleIntent() : Handles incoming intents, such as when a user opens a PDF file directly from another app.

    3. renderPdf(Uri uri) : This function renders the selected or received PDF file for viewing.

    4. requestStoragePermissionAsync(Continuation<? super Boolean> continuation) Requests storage permissions .

  4. The important function here is the loadProLibrary() :

    1. the Build.SUPPORTED_ABIS[0] identify the device's architecture (e.g., ARM, x86).

    2. the (getApplicationContext().getFilesDir(), "native-libraries/" + abi) : constructs the path to a folder within the app’s internal storage, where native libraries are stored

    3. then constructs the full path to the Pro version of the native library (libdocviewer_pro.so)

    4. System.load(libraryFile.getAbsolutePath()) attempts to load the native library from the constructed path.

    5. If successful, it enables "Pro" features by setting this.proFeaturesEnabled = true.

  5. After i had decompile the APP i can’t any folder contain the libraries

  6. The exploit here is create a malicious library and then upload it to the path /data/data/com.mobilehackinglab.documentviewer/files/native-libraries/x86_64/

  7. when the app try to load this library we will if we found rce.txt file has been created then we success and get RCE

    #include <stdlib.h>

__attribute__((constructor)) void execute_command() {
    system("touch /data/data/com.mobilehackinglab.documentviewer/rce.txt");
}

  8. Then compiled the c code to be a native library with :

  9. then Push it to the path : and here we success

πŸ”₯
πŸ₯±
image.png