Here are the demo exploits and vulnerable apks for my HitCon'14 presentation titled "On the Feasibility of Automatically Generating Android Component Hijacking Exploits".
- My PPT: http://www.slideshare.net/daoyuan0x/chv-exploit-hitcon-38299593
- HitCon agenda: http://hitcon.org/2014/agenda/
In this talk, we conduct an empirical study to explore the feasibility of automatically generating exploits for vetting component hijacking vulnerabilities in Android apps. Our study is based on our hands-on exploit analysis of several real vulnerable apps, which we then relate to a high-level analysis. Through this process, we identify several challenges that a robust exploit generation technique needs to address, some of which are pinpointed here for the first time. In particular, we believe one challenge is nearly impossible to tackle automatically if no domain knowledge is provided in advance. Overall, there is still considerable room to explore for an automatic, accurate, and efficient solution for generating component hijacking exploits.
- HackCleanMaster has two versions. Moving to the other version requires a small code change.
- The Facebook exploit can be found here: http://seclists.org/bugtraq/2013/Jan/27
- GO SMS Pro has two versions, 4.35 and 5.23, but I missed the 5.23 apk, so I only include its Manifest and Jar files.