How to write a template to trace zip4jExtractAll
I want to reproduce the case you used at Mobile Pwn2Own 2017: the directory traversal during unzip in Samsung Notes.
My template is below, but it didn't work; the output was `{'bug_obj': {'JSbridgeBrowsable': False, 'zip4jExtractAll': False}, 'graph_list': []}`. Could you help me improve it?
{
"METADATA": {
"NAME": "zip4jExtractAll"
},
"MANIFESTPARAMS": {
"BASEPATH": "manifest->application->activity OR manifest->application->activity-alias",
"SEARCHPATH": {
"intent-filter": {
"action": {
"LOOKFOR": {
"TAGVALUEMATCH": "<NAMESPACE>:name=android.intent.action.VIEW"
}
}
}
},
"RETURN": ["<smali>:<NAMESPACE>:name AS @activity_name"]
},
"CODEPARAMS": {
"SEARCH": {
"SEARCHFORCALLTOMETHOD": {
"METHOD": "Lnet/lingala/zip4j/core/ZipFile;->extractAll",
"RETURN": "<class> AS @zip4j"
}
},
"TRACE": {
"TRACEFROM": "<method>:@zip4j[]->extractAll(Ljava/lang/String;)V",
"TRACETO": "<class>:@activity_name",
"TRACELENGTHMAX": 20,
"RETURN": "<tracepath> AS @tracepath_zip4jextractall"
}
},
"GRAPH": "@tracepath_zip4jextractall WITH <method>:<desc>:<class> AS attribute=nodename"
}