Search code examples
androidsqlitesecuritymmsapn

Is there a way to download an MMS from command line using curl or wget?

I'm doing some Android malware research for MMS based attacks. And I'm looking for a manual way to retrieve or download a received MMS message. I was hoping to find some curl or wget lines to be able to do so, but have not found anything useful.

So far I have got some MMS info from the internal databases, found by:

# find / -iname "*.db" |grep -iE "mms|sms"
...
/data/data/com.android.providers.telephony/databases/mmssms.db
/data/data/com.google.android.gms/databases/icing_mmssms.db
/data/data/com.android.mms/databases/message.db
/data/data/com.android.mms/databases/message_glance.db

# cd /data/data/com.android.providers.telephony/databases/
# echo "select * from pdu;" | sqlite3 -header mmssms.db
...
# echo "select date,sub,ct_l,tr_id from pdu;" | sqlite3 -header mmssms.db

  date|sub|ct_l|tr_id
  1495xxxxxx|Download this message|http://mmsc32:10021/mmsc/3_2?Ae_xxxx_xxxxx-xxx|Ae_xxxx_xxxxx-xxx

How to interpret the mmsc32:10021 part?

Then looking in the message settings for the MMSC, Proxy and port, I want to build a working CLI one-liner or browser request, to download the file for inspection.

In the phone settings settings we can find the MMSC via:

Settings > More > Mobile network > Access Point Names > MMS: <your operator>

MMSC:       http://mms.company.net:8002/
MMS Proxy:  194.xx.xx.xx
MMS Port:   8080

How can I download the MMS file from shell command line (or an external browser)?

PS. Obviously the phone is rooted and have both busybox and sqlite3, and perhaps also curl or wget installed. The AOS is 5.0+.

Addendum: 2017-11-09

From here:

MMS (Multimedia Messaging Service) messages are sent using a combination of SMS and WAP technologies. When an MMS message is sent, a mobile device receives an MMS notification message via SMS. When this MMS notification message is received by the mobile device, the mobile device automatically initiates a WAP gateway connection to download the content of the MMS message.

To send an MMS message, you must first create an MMS message file. The format of an MMS message file is documented in the MMS Encapsulation Protocol specification published by the Open Mobile Alliance (http://www.openmobilealliance.org) and/or the WAP Forum (http://www.wapforum.org). The MMS message file format consists of an MMS message binary header, followed by a multipart MIME message where the multipart message is encoded in a binary multipart format as defined by the WAP Wireless Session Protocol (WSP) specification. This binary MMS message file is stored on a web server using a MIME type of application/vnd.wap.mms-message and an MMS message type of m-retrieve-conf. A subset of the binary MMS header is sent as an MMS notification message (MMS message type m-notification-ind) via SMS to the mobile device together with a URL pointer to the location of the complete message.

Also, smartphones does not download the MMS or SMS content to SIM any more. That is how "feature" phones used to do it.

Addendum: 2017-11-13

Looking at the API-23 (M) sources for the SQLite3 tables shown in Telephony.java, we find that CONTENT_LOCATION = "ct_l";, so we can search for its other uses here. To briefly summarize our findings: 

date    # The message delivery time.
sub     # The subject of the message, if present.
ct_l    # The Content-Location of the message. A field in interface:Telephony.BaseMmsColumns 
tr_id   # The transaction-id of the message.

Thus we might expect that the URI in ct_l can be interpreted as follows:

  • http://mmsc32:10021 is the server (IP:PORT) masked by the MMS proxy (shown) above
  • /mmsc/3_2 is the WAP URL to the message processor
  • ?Ae_xxxx_xxxxx-xxx is telling the message processor to retrieve the message given by the "transaction id": Ae_xxxx_xxxxx-xxx`

Therefore, using the proxy (APN) settings, and using the URL extracted from the message DB (mmssms.db), one should be able to retrieve and download the content of the MMS, using a carefully crafted curl statement. Perhaps something like: 

# curl -x http://proxy_server:proxy_port --proxy-user username:password -L http://url
curl -v -x http://194.xx.xx.xx:8080 -L http://mmsc32:10021/mmsc/3_2?Ae_xxxx_xxxxx-xxx
# Or from outside local net:
curl -v -x http://mms.company.net:8002 -L http://mmsc32:10021/mmsc/3_2?Ae_xxxx_xxxxx-xxx

The first one obviously wouldn't work from outside the phone environment as it refers to an IP class C, only visible within the mobile assigned IP.

Solution

  • I just used your addendum to get it working, but had to change it slightly.

    Note that I'm running this from linux with a PPP interface defined via a connected USB modem. Obviously the connection this executes from has to be "on net" for the carrier that delivered the MMS push.

    curl --interface ppp0 -v -x 10.202.2.60:8080 --output mms.pdu http://pxt-get.vodafone.net.au:8080/mmsc?xxxxxxxxxxx

    where:

    • ppp0 is the interface defined by the modem connection, and:

    • http://pxt-get.vodafone.net.au:8080/mmsc?xxxxxxxxxxx
      was the URL passed in the original MMS push notification, and:

    • 10.202.2.60 is the MMS proxy given by my carrier, and:

    • 8080 is the MMS port given by my carrier.

    This saves the MMS to the file mms.pdu.

    The config files: /etc/ppp/options:

    debug
4000000
modem
crtscts
lock
connect /etc/ppp/net-connect
asyncmap 0
defaultroute
:
mtu 1400

    /etc/ppp/net-chat:

    #!/bin/sh
/usr/sbin/chat -v -t 60 -f /etc/ppp/net-chat

    /etc/ppp/net-connect:

    ABORT 'ERROR'
ABORT 'BUSY'
ABORT 'NO CARRIER'
'' AT
OK ATE0
OK AT+IPR=4000000
OK AT+CGDCONT=1,"IP","live.vodafone.com"
OK AT&S1
OK AT&F
OK AT&W
OK AT+CNMP=14
OK AT&W
OK ATE0
OK ATD*99***1#
CONNECT

    Finally connect, by doing: /usr/sbin/pppd /dev/ttyUSB3