Skip to content

jcrutchvt10/Janus

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
 
 
 
 

Repository files navigation

Janus CVE-2017-13156 PoC

Android package installer does NOT check extra data before PKZIP, thus concat DEX+APK together and little bit of fix, installation passed.

usage: janus.py dex apk out_apk

ART can run both APK and DEX, so here DEX ahead of base.apk is actually the one to execute.

  • extract the original classes.dex
  • use APKTOOL to do stuffs on it
  • fuse the new dex into original APK
  • update the installed app :)

This vulnerability was found by GuardSquare https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Languages