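/*
 * android_frida_scripts — file_exists.js
 *
 * Repository layout: README.md, doc/file_exists_output.png, file_exists.js
 *
 * Info (from README.md)
 *   This Frida script helps dynamically identify two things in an app under
 *   assessment:
 *     1. zip/7z archives that the app opens from external storage (a possible
 *        path-traversal entry point when the archive is extracted), and
 *     2. existence checks for .so (native library) files on internal storage
 *        that might be overwritten and later executed.
 *   The combination of the two could lead to arbitrary code execution (ACE).
 *
 * Impact
 *   Identify ACE.
 *
 * Output
 *   Example output:
 *   https://github.com/androidmalware/android_frida_scripts/raw/main/doc/file_exists_output.png
 *
 * The script was created based on a tip from @_bagipro:
 *   https://twitter.com/_bagipro/status/1319365830728208386
 *
 * Reading the output
 *   A log line is a lead, not a finding. It only shows that the app touched a
 *   path of interest; whether the archive is extracted without validating entry
 *   names, and whether the library is loaded from an app-writable directory,
 *   still has to be confirmed in the app's code.
 *   Remediation on the app side: resolve every archive entry to its canonical
 *   path and reject entries that fall outside the extraction directory, and do
 *   not load native libraries from locations the app itself can write to.
 *
 * Coverage caveats
 *   - Only the File(String) and FileInputStream(String) constructors are hooked.
 *     Paths built through File(String, String), File(File, String) or
 *     FileInputStream(File) are not seen by the constructor hooks.
 *   - External storage is matched on "/storage/emulated/0/" and "/sdcard" only;
 *     secondary users or removable volumes use other prefixes.
 */
//author @lukasstefanko
//idea @_bagipro

Java.perform(function () {
  const File = Java.use("java.io.File");
  const FileInputStream = Java.use("java.io.FileInputStream");

  // Internal app storage. Since Android 7 the same directory is usually
  // reported as /data/user/<userId>/<package>/..., so matching /data/data/
  // alone misses most paths returned by Context.getFilesDir() and friends.
  const INTERNAL_PREFIXES = ["/data/data/", "/data/user/"];
  const EXTERNAL_PREFIXES = ["/storage/emulated/0/", "/sdcard"];
  const ARCHIVE_SUFFIXES = [".7z", ".zip"];

  /**
   * @param {string|null} path - absolute path reported by java.io.File
   * @returns {boolean} true for a .so file located under internal app storage
   */
  function isInternalNativeLibrary(path) {
    return (
      typeof path === "string" &&
      path.endsWith(".so") &&
      INTERNAL_PREFIXES.some((prefix) => path.startsWith(prefix))
    );
  }

  /**
   * @param {string|null} path - path passed to a hooked constructor
   * @returns {boolean} true for a .zip/.7z file located on external storage
   */
  function isExternalArchive(path) {
    if (typeof path !== "string") {
      // The app may legitimately pass null; the original constructor must be
      // the one to raise the NullPointerException, not this hook.
      return false;
    }
    if (!EXTERNAL_PREFIXES.some((prefix) => path.startsWith(prefix))) {
      return false;
    }
    // Compare the extension case-insensitively so "BACKUP.ZIP" is reported too.
    const lowered = path.toLowerCase();
    return ARCHIVE_SUFFIXES.some((suffix) => lowered.endsWith(suffix));
  }

  // File.exists(): report probes for native libraries on internal storage.
  File.exists.implementation = function () {
    const path = this.getAbsolutePath();
    if (isInternalNativeLibrary(path)) {
      console.log("[+ Native Library - exists() - internal storage] " + path);
    }
    // Inside a replaced implementation this calls the original method.
    return this.exists();
  };

  // new File(String): report archives on external storage.
  const fileFromString = File.$init.overload("java.lang.String");
  fileFromString.implementation = function (s) {
    if (isExternalArchive(s)) {
      console.log("[*] ZIP File opened: " + s);
    }
    // Call the String overload explicitly so a null argument cannot be
    // dispatched to a different one-argument constructor.
    return fileFromString.call(this, s);
  };

  // new FileInputStream(String): report archives actually opened for reading.
  const streamFromString = FileInputStream.$init.overload("java.lang.String");
  streamFromString.implementation = function (a) {
    if (isExternalArchive(a)) {
      console.log("[+] ZIP FileInputStream: " + a);
    }
    return streamFromString.call(this, a);
  };
});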