Janus Vulnerability (CVE-2017-13156) Exploit with Proof-of-Concept(POC)

Android package installer does not check extra data before PKZIP, thus we can concat DEX & APK together with little bit of fix to pass the installation.

ART can run both APK and DEX, so here DEX ahead of base.apk is actually the one to execute.

extract the original classes.dex from apk
use APKTOOL to do stuffs on it
Inject the new dex into original APK
update the installed app :)

Some automation has been added to the exploit to make it easier with the following checks.

• Check if APK is signed with v1 signature scheme
• Check if APK is supported to run on vulnerable android versions
• Decide if APK is vulnerable based on above points and Android version it can be exploited on.
• Wait for user to connect suggested vulnerable device and warn if recommended device is not connected
• Fuse user provided dex into original apk and generate injected apk
• Push an injected apk as an update to the original application
• confirm if exploit was successful or abort with error.

All you have to do is pass dex file along with vulnerable original apk to the script and run the suitable android device.

You can extract raw classes.dex file from the apk using apktool apktool -s d h5.apk and modify the dex if you want and pass it to the script.

usage: kal-janus.py [-h] dex-file original-apk

I use classes.dex of other application and inject with the vulnerable application so that it breaks the vulnerable application.

Proof Of Concept (POC)

NOTE

You can check the writeup link to find the vulnerability and exploit it manually.