-
-
[原创]CVE-2024-0015复现 (DubheCTF DayDream)
-
发表于: 2024-3-19 18:37
-
DayDream是DubheCTF的一个AndroidPwn题,有一说一见到这个题我是真的非常开心(虽然比赛时候在搞其他,就简单看了几眼),当时就立了flag一定要复现这个题,所以文章就来了。
Fix vulnerability that allowed attackers to start arbitary activities
为什么会这样呢?
Then
不过不急,我们再看看server.py,这个文件也是在给我们提示怎么做
由于我是环境关了以后复现,题目docker又缺文件,然后我改server.py又发现模拟器莫名跑不起来。最后索性找了个android12的模拟器敲命令,唉
流程还是很正常的,关键就是one_click了
OK,接下来我们要做的事情就是写一个apk,然后调用SecretActivity了,具体怎么写可以看上面的Dream Service 官方文档
需要注意的是题目明确了包名
用户名联想是历史遗留问题:(
附件是复现视频,logcat里有那么多条是因为尝试了不止一次:(
最后附上源码地址:
好了,可以下机了,如果有什么不对的地方欢迎师傅们来拷打~~~
print_to_user("Welcome to DubheCTF2024 DayDream! Please proof of work to continue.\n")# sha256的爆破,忘了哪个比赛放pwntools爆破的github链接来着emmmif not proof_of_work(): print_to_user("Please proof of work again, exit...\n") exit(-1)# 输入一个apk url,对于没接触过android的人来说可能不知道这是干什么# 因为android安全中经常做的事情就是写一个AttackApk去攻击目标apk# 所以这里需要你写的AttackApk的公网下载链接print_to_user("Please enter your apk url:")url = sys.stdin.readline().strip()EXP_FILE = download_file(url)# 校验下载的apkif not check_apk(EXP_FILE): print_to_user("Invalid apk file.\n") exit(-1)# 启动模拟器emulator = setup_emulator()adb(["wait-for-device"])wait_for_device_boot_complete()# 直接给你ban咯,readme.md里有说,不过提了一嘴parcel序列化让我想起了2017的那几个洞adb(["shell", "su", "root", "pm", "disable", "com.android.settings/.accounts.AddAccountSettings"])# 安装目标apkadb_install(APK_FILE)# 启动目标apkadb_activity(f"{VICTIM}/.MainActivity", wait=True)# 使用广播将flag文件写入模拟器环境with open(FLAG_FILE, "r") as f: adb_broadcast(f"com.tsctf.SET_FLAG", f"{VICTIM}/.FlagReceiver", extras={"flag": f.read()})# 安装攻击apkadb_install(EXP_FILE)# 启动攻击apkadb_activity(f"{ATTACKER}/.MainActivity")# 攻击one_click()print_to_user("One_click finished! The logcat log will be output after 5 seconds.\n")# 将SecretActivity的日志打印出来,如果SecretActivity被调用了,这里就会输出flagadb(["shell","logcat -d -s SecretActivity", ">" ,"/logcat_"+ str(ADB_PORT) + ".txt"])print_to_user("Welcome to DubheCTF2024 DayDream! Please proof of work to continue.\n")# sha256的爆破,忘了哪个比赛放pwntools爆破的github链接来着emmmif not proof_of_work(): print_to_user("Please proof of work again, exit...\n") exit(-1)# 输入一个apk url,对于没接触过android的人来说可能不知道这是干什么# 因为android安全中经常做的事情就是写一个AttackApk去攻击目标apk# 所以这里需要你写的AttackApk的公网下载链接print_to_user("Please enter your apk url:")url = sys.stdin.readline().strip()EXP_FILE = download_file(url)# 校验下载的apkif not check_apk(EXP_FILE): print_to_user("Invalid apk file.\n") exit(-1)# 启动模拟器emulator = setup_emulator()adb(["wait-for-device"])wait_for_device_boot_complete()# 直接给你ban咯,readme.md里有说,不过提了一嘴parcel序列化让我想起了2017的那几个洞adb(["shell", "su", "root", "pm", "disable", "com.android.settings/.accounts.AddAccountSettings"])# 安装目标apkadb_install(APK_FILE)# 启动目标apkadb_activity(f"{VICTIM}/.MainActivity", wait=True)# 使用广播将flag文件写入模拟器环境with open(FLAG_FILE, "r") as f: adb_broadcast(f"com.tsctf.SET_FLAG", f"{VICTIM}/.FlagReceiver", extras={"flag": f.read()})# 安装攻击apkadb_install(EXP_FILE)# 启动攻击apkadb_activity(f"{ATTACKER}/.MainActivity")# 攻击one_click()print_to_user("One_click finished! The logcat log will be output after 5 seconds.\n")# 将SecretActivity的日志打印出来,如果SecretActivity被调用了,这里就会输出flagadb(["shell","logcat -d -s SecretActivity", ">" ,"/logcat_"+ str(ADB_PORT) + ".txt"])def one_click():# 打开屏保设置页面 adb(["shell", "am", "start", "-a", "android.settings.DREAM_SETTINGS"]) adb(["shell", "sleep", "10"])# 向下滑(排除误差哈哈哈) adb(["shell", "input", "keyevent", "KEYCODE_DPAD_DOWN"]) adb(["shell", "sleep", "1"])# 回车,这里就是选择屏保样式 adb(["shell", "input", "keyevent", "KEYCODE_ENTER"]) adb(["shell", "sleep", "5"])# 点击对应的选项,这里就是在选择我们编写的屏保部分 adb(["shell", "input", "tap", "675", "1415"]) adb(["shell", "sleep", "5"])# 点击那个最最最关键的设置按钮 adb(["shell", "input", "tap", "1256", "842"]) adb(["shell", "sleep", "1"])def one_click():# 打开屏保设置页面 adb(["shell", "am", "start", "-a", "android.settings.DREAM_SETTINGS"]) adb(["shell", "sleep", "10"])# 向下滑(排除误差哈哈哈) adb(["shell", "input", "keyevent", "KEYCODE_DPAD_DOWN"]) adb(["shell", "sleep", "1"])# 回车,这里就是选择屏保样式 adb(["shell", "input", "keyevent", "KEYCODE_ENTER"]) adb(["shell", "sleep", "5"])# 点击对应的选项,这里就是在选择我们编写的屏保部分 adb(["shell", "input", "tap", "675", "1415"]) adb(["shell", "sleep", "5"])# 点击那个最最最关键的设置按钮 adb(["shell", "input", "tap", "1256", "842"]) adb(["shell", "sleep", "1"])package com.tsctf.daydream;import android.service.dreams.DreamService;public class MyService extends DreamService { @Override public void onAttachedToWindow() { super.onAttachedToWindow(); // Exit dream upon user touch setInteractive(false); // Hide system UI setFullscreen(true); // Set the dream layout }}[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
