WithSecureLabs / drozer

The Leading Security Assessment Framework for Android.
https://labs.withsecure.com/tools/drozer

drozer no longer supports old intent URI scheme and broken parcelable intents #458

Closed nyaalex closed 2 months ago

nyaalex commented 3 months ago

Previous versions of drozer supported a slightly modified version of the intent:// URI scheme that did not require wrapping the extras in Intent and end, as can be seen in the documentation under help intents:

For Intents, it uses a slightly modified version of the 'intent://' format of URI:

  --extra parcelable yayintentyay
intent://host.com?queryparameter=value#package=targetPackage;component=targetComponent;action=action;category=category;type=type;identifier=identifier;launchFlags=launchFlags;scheme=scheme;sourceBounds=sourceBounds;S.extraString=value;B.extraBoolean=value;b.extraByte=value;c.extraChar=value;d.extraDouble=value;i.extraInt=value;f.extraFloat=value;l.extraLong=value;s.extraShort=value;

However, in modern versions this is unsupported, and this change is not reflected in the documentation.

Additionally, the content://, file://, and http(s):// URI schemes for a parcelable extra are non-functional due to an undefined variable yayUriClassyay.

Yogehi commented 3 months ago

Holy shit why do you know about this function

As the author that created that old function and never documented it, wow good job

So anyway, what I did was that I changed it so that the android internal intent parser will now create your intent extra object

It's now more similar to how browsable intents work

In your case, your new intent object will work like this:

intent://host.com?queryparameter=value#Intent;package=targetPackage;component=targetComponent;action=action;category=category;type=type;identifier=identifier;launchFlags=launchFlags;scheme=scheme;sourceBounds=sourceBounds;S.extraString=value;B.extraBoolean=value;b.extraByte=value;c.extraChar=value;d.extraDouble=value;i.extraInt=value;f.extraFloat=value;l.extraLong=value;s.extraShort=value;end

Google doc on how browsable intents are crafted: https://developer.chrome.com/docs/android/intents

If you're more of a source code guy, then here's another thing. Your Intent Parcelable Extra URI gets passed to android.content.Intent.parseUri(Uri)

https://android.googlesource.com/platform/frameworks/base/+/refs/heads/main/core/java/android/content/Intent.java#8094
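An added example, not part of the thread or of drozer's code: a Python sketch that rewrites a legacy-style URI (no `Intent;` ... `end` wrapper) into the wrapped form shown above and splits the result into fields and typed extras. The function names `to_wrapped` and `parse_fragment`, the sample URI, and the percent-decoding of values are assumptions of this sketch.

```python
from urllib.parse import unquote

# Typed-extra prefixes, as they appear in the URIs quoted in this thread.
EXTRA_TYPES = {"S": str, "B": lambda v: v.lower() == "true", "b": int, "c": str,
               "d": float, "i": int, "f": float, "l": int, "s": int}


def to_wrapped(uri: str) -> str:
    """Rewrite a legacy-style intent URI into the #Intent;...;end form (hypothetical helper)."""
    base, sep, frag = uri.partition("#")
    if not uri.startswith("intent://") or not sep:
        raise ValueError("not an intent:// URI with a fragment")
    parts = [p for p in frag.split(";") if p]
    if parts and parts[0] == "Intent":   # already wrapped: strip, then rebuild
        parts = parts[1:]
    if parts and parts[-1] == "end":
        parts = parts[:-1]
    return base + "#Intent;" + "".join(p + ";" for p in parts) + "end"


def parse_fragment(uri: str) -> dict:
    """Split a wrapped URI into intent fields and typed extras (hypothetical helper)."""
    parts = uri.partition("#")[2].split(";")
    if len(parts) < 2 or parts[0] != "Intent" or parts[-1] != "end":
        raise ValueError("fragment must be wrapped in Intent; ... ;end")
    fields, extras = {}, {}
    for part in parts[1:-1]:
        if not part:
            continue
        key, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"malformed field: {part!r}")
        prefix, dot, name = key.partition(".")
        if dot and prefix in EXTRA_TYPES:
            # Values are percent-decoded before conversion (assumption of this sketch).
            extras[name] = EXTRA_TYPES[prefix](unquote(value))
        else:
            fields[key] = unquote(value)
    return {"fields": fields, "extras": extras}


if __name__ == "__main__":
    # Constructed sample in the legacy shape; all values are placeholders.
    legacy = "intent://host.com?q=1#package=com.example.app;S.name=alice%20b;i.count=7;"
    wrapped = to_wrapped(legacy)
    print(wrapped)
    print(parse_fragment(wrapped))
```

Running `parse_fragment` on the unwrapped legacy string raises `ValueError`, which gives a quick check for old-format URIs before they are passed as a parcelable extra.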

Yogehi commented 3 months ago

I just realized that you even mentioned the wrapping of Intent and end

I'll look at this when I get the chance and see if we can implement your PR

I never realized people wanted my shitty code lol

Yogehi commented 3 months ago

Also I just realized

"However, in modern versions this is unsupported, and this change is not reflected in the documentation"

There's documentation on the old way?

I'll look into that too

nyaalex commented 3 months ago

Well... "documentation" is probably a strong word here since it's just the one line when running help intents in the console. It was enough to throw me off though so I figured it was worth quickly fixing.