Sunday, May 19, 2013

SL4A Python Script - Built Simple Python Listener to Allow Remote Execution on Droid

I built this python script to take remote commands and execute them locally on the droid as if I had terminal access.  It establishes a connection on port 21000 on the droid.  Then you can connect using netcat or other clients.  Then I added the functionality (since the 1st terminal emulator would not allow cat of files) to view the contents of files.  With this I discovered the insecure storage of files on the sdcard that other researchers have also recognized.

import android
import os

from socket import *

droid = android.Android()

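# '' binds every interface; there is no authentication, so any host that can
# reach the port can run commands
HOST=''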
PORT=21000
BUFSIZE=1024
ADDR = (HOST, PORT)

tcpSrvSocket = socket(AF_INET, SOCK_STREAM)
tcpSrvSocket.bind(ADDR)
tcpSrvSocket.listen(5)

while True:
    tcpClientSocket, addr = tcpSrvSocket.accept()
    print 'Connected from:', addr

    while True:
        data = tcpClientSocket.recv(BUFSIZE)
        if not data:
            break
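        if data.startswith('cat '):
            # Strip the leading 'cat ' and the trailing newline to get the path
            fileName = data[4:].strip()
            try:
                fileContent = open(fileName, 'r')
                for line in fileContent:
                    tcpClientSocket.send(line)
                fileContent.close()
            except IOError as e:
                # Report a missing or unreadable file instead of crashing the listener
                tcpClientSocket.send('%s\n' % e)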
        else:
            returnData = os.popen(data, 'r')
            for eachLine in returnData:
                tcpClientSocket.send('%s' % eachLine)

    tcpClientSocket.close()
tcpSrvSocket.close()

Friday, May 17, 2013

SL4A Python Script - Delete SMS Messages from Phone based on Keyword

I developed this script to run on my droid to remove the SMS messages that are sent to me from the python script that logs into Twitter using OAUTH and sends me a text through an email account.

This was to assist in keeping my text messages cleaned out.

import android

droid = android.Android()

msgids = droid.smsGetMessages(False).result
for message in msgids:
    if "14100" in message['address']:
        #print message['_id']
        #droid.ttsSpeak(message['body'])
        droid.smsDeleteMessage(message['_id'])


The script can also speak each message before deleting it; the ttsSpeak call is commented out in the code above.

Friday, May 3, 2013

Great Book: Violent Python by TJ O'Conner - Geo Location Script Adapted

#!/usr/bin/python
# -*- coding: utf-8 -*-

# Script was adapted from Violent Python by TJ O'Conner

import pygeoip
from xml.sax.saxutils import escape

# Geodatabase from Maxmind
gi = pygeoip.GeoIP('geo.dat')


def retKML(description, ip):
    # Return a KML Placemark for the IP, or '' if it cannot be located
    try:
        rec = gi.record_by_name(ip)
        longitude = rec['longitude']
        latitude = rec['latitude']
    except Exception:
        # Unresolvable name, or no database record (rec is None)
        return ''
    kml = (
           '<Placemark>\n'
           '<name>%s</name>\n'
           '<Point>\n'
           '<coordinates>%6f,%6f</coordinates>\n'
           '</Point>\n'
           '</Placemark>\n'
           ) % (escape(description), longitude, latitude)  # escape the label: it comes from the log
    return kml



def main():
    # logfile.log contains 2 columns consisting of the label and the IP Address
    kmlPoints = ''
    f = open('logfile.log', 'r')
    for line in f:
        info = line.split()
        if len(info) < 2:
            # Skip blank or malformed lines
            continue
        description, ip = info[0], info[1]
        kmlPoints = kmlPoints + retKML(description, ip)
    f.close()

    kmlheader = '<?xml version="1.0" encoding="UTF-8"?>\n<kml xmlns="http://www.opengis.net/kml/2.2">\n<Document>\n'
    kmlfooter = '</Document>\n</kml>\n'
    kmldoc = kmlheader + kmlPoints + kmlfooter
    print kmldoc


if __name__ == '__main__':
    main()

Powershell Script to Fix Unquoted Path Vulnerability

# This script fixes an unquoted service path (ImagePath) that a vulnerability scan would flag
# Designed for Powershell

# Placeholder credentials; consider prompting with Get-Credential rather than storing a password in the script
$Username = 'username'
$Password = 'password'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass

# Resolve the IP Address to a Hostname
$hostName = [System.Net.DNS]::GetHostbyAddress("IP Address").HostName

# Created to change the unquoted path for "A Service"
$info = Invoke-Command -ComputerName $hostName -ScriptBlock {
    (Get-ItemProperty "hklm:\SYSTEM\CurrentControlSet\Services\Service Name" -Name ImagePath).ImagePath
} -credential $Cred

if ($info -eq 'Z:\Path Name')
{
    Write-Host "Service does not contain quotes adding them for Service"
    Invoke-Command -ComputerName $hostName -ScriptBlock {
        Set-ItemProperty "hklm:\SYSTEM\CurrentControlSet\Services\Service Name" -Name ImagePath -Value '"Z:\Path Name"'
    } -credential $Cred
}
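
Added example, not part of the original post: the script above compares ImagePath against one hard-coded value and quotes the whole string. This Python 3 sketch generalizes the check to any ImagePath value and keeps service arguments outside the quotes; the function names and the service names and paths in SAMPLES are constructed for illustration.

```python
import re

# Executable part of an unquoted ImagePath: shortest prefix ending in ".exe"
# that is followed by whitespace or the end of the value.
_EXE = re.compile(r'^(.*?\.exe)(?=\s|$)\s*(.*)$', re.IGNORECASE)


def classify(image_path):
    """Return (status, fixed_value) for one service ImagePath string.

    status is 'ok', 'unquoted' (fixed_value holds the quoted form) or
    'review' (spaces present but no .exe boundary found, so a human decides).
    """
    value = image_path.strip()
    if value.startswith('"'):
        return 'ok', value
    match = _EXE.match(value)
    if match is None:
        return ('review' if ' ' in value else 'ok'), value
    exe, args = match.group(1), match.group(2)
    if ' ' not in exe:
        return 'ok', value            # spaces only separate the arguments
    fixed = '"%s"' % exe
    if args:
        fixed += ' ' + args           # keep arguments outside the quotes
    return 'unquoted', fixed


# Constructed sample values, not taken from a real host
SAMPLES = {
    'Service Name': r'Z:\Path Name\service.exe',
    'WithArgs': r'C:\Program Files\Vendor App\svc.exe -k run',
    'AlreadyQuoted': r'"C:\Program Files\Vendor App\svc.exe" -k run',
    'ArgsOnly': r'C:\Windows\system32\svchost.exe -k netsvcs',
    'Driver': r'\SystemRoot\System32\drivers\example.sys',
}


def audit(services):
    """Map service name -> corrected ImagePath for every unquoted entry."""
    return {name: fixed for name, path in services.items()
            for status, fixed in [classify(path)] if status == 'unquoted'}


if __name__ == '__main__':
    for name, fixed in sorted(audit(SAMPLES).items()):
        print('%s -> %s' % (name, fixed))
```

Values returned as 'review' have spaces but no recognizable .exe boundary, so they are left for manual inspection rather than quoted automatically.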

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...