BadIntent - Interception, modify, repeat and attack Android's Binder transactions.

BadIntent – Interception, modify, repeat and attack Android’s Binder transactions.

BadIntent is the missing link between the Burp Suite and the core Android’s IPC/Messaging-system. BadIntent consists of two parts, an Xposed-based module running on Android and a Burp-plugin. Based on this interplay, it is possible to use the Burp’s common workflow and all involved tools and extensions, since the intercept and repeater functionality is provided. BadIntent hooks deeply into the Android system, performs various method redirections in Parcels and adds additional services to provide the described features. Most notably, BadIntent works system-wide experimental and is not restricted to individual user apps.

Installation:
The most handy approach is to install BadIntent Android from the Xposed Module Repository and BadIntent Burp from the Burp’s BApp Store. Both will be made available/submitted during the Arsenal presentation of BadIntent in Black Hat Las Vegas 2017.

Environment
+ BadIntent has been tested on Genymotion with Xposed v87 on Android Marshmallow (6.0) and Burp Suite 1.7.23 (Free and Pro).
+ There are known limitations in hooking all system apps and all interfaces. During the boot proccess the Android system will remain in a boot loop and you will not be able to uninstall BadIntent from your Android device. Therefore, it is strongly recommended to use the mentioned setup in case all system apps are hooked.

BadIntent Android

BadIntent ANDROID
– Package Filter
This regular expression filter determine which packages are qualified for interception. It is possible to override disabled “Hook System Apps” settings, when a specific system app package name has been specified.

– Interface Filter
Since (almost) every binder transaction contains an INTERFACE TOKEN in order to validate that the correct interface is used (AIDL implementation), it is possible to filter interfaces, which are interesting for analysis purposes.

– Capture Log
If enabled logs from all monitored apps are sent via the proxy.

– Hook System Apps
If enabled, all apps including user- and system-apps are monitored. Otherwise, only user-apps are hooked.

– Target IP
Specify the current IP of the device. On first launch the current WiFi-IP is set. Target IP is needed, because Burp (or any other proxy) needs to determine where the transaction details are going to.

– Use System Proxy
Determine if the system proxy or a dedicated HTTP proxy should be used.

– Proxy Host
self explanatory
– Proxy Port

Usage and install:

Source: https://github.com/mateuszk87