[求助]binder 利用 TokenManger疑惑-Android安全-看雪-安全社区|安全招聘|kanxue.com

[求助]binder 利用 TokenManger疑惑

发表于: 2024-12-16 12:01 1245

[求助]binder 利用 TokenManger疑惑

areuu

2024-12-16 12:01

1245

在非特权情况下，无法直接注册服务，所以一些poc 使用tokenmanager 来获取用户自定义服务handle, 建立通信，但是我分析了一下tokenmanger 代码，主要是有createToken 和get 来完成pushlish 和grab handle 的

createToken 主要代码直接从参数store 转为Interface

    TokenInterface interface = generateToken(store);
-> 
TokenManager::TokenInterface TokenManager::generateToken(const sp<IBase> &interface) {
    uint64_t id = ++mTokenIndex;
 
    std::array<uint8_t, EVP_MAX_MD_SIZE> hmac;
    uint32_t hmacSize;
 
    uint8_t *hmacOut = HMAC(EVP_sha256(),
                            mKey.data(), mKey.size(),
                            (uint8_t*) &id, sizeof(id),
                            hmac.data(), &hmacSize);
 
    if (hmacOut == nullptr ||
            hmacOut != hmac.data()) {
        ALOGE("Generating token failed, got %p.", hmacOut);
        return { nullptr, TOKEN_ID_NONE, {} };
    }
 
    // only care about the first HMAC_SIZE bytes of the HMAC
    const hidl_vec<uint8_t> &token = makeToken(id, hmac.data(), hmacSize);
 
    return { interface, id, token };
}
其中
    struct TokenInterface {
        sp<IBase> interface;
        uint64_t id;
        hidl_vec<uint8_t> token; // First eight bytes are tokenId. Remaining bytes are hmac.
    };
 
接着
    uint64_t id = getTokenId(interface.token);
...
    mMap[id] = interface;

而get 是直接从mMap 中找到token 对应interface

所以这边怎么就获取fake service 的handle 了呢

[培训]科锐逆向工程师培训第53期2025年7月8日开班！

#漏洞相关

收藏・1

免费・0

支持

最新回复 (1)
999 雪币： 70 能力值： ( LV1，RANK：0 ) 在线值：发帖 6 回帖 21 粉丝 1 关注私信	999 2 楼 4aeK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0M7#2)9J5k6h3q4F1k6s2u0G2K9h3c8Q4x3X3g2U0L8$3#2Q4x3V1k6S2L8X3c8J5L8$3W2V1i4K6u0r3M7r3I4S2N6r3k6G2M7X3#2Q4x3V1k6K6N6i4m8W2M7Y4m8J5L8$3A6W2j5%4c8Q4x3V1k6E0j5h3W2F1i4K6u0r3i4K6u0n7i4K6u0r3L8h3q4A6L8W2)9K6b7h3!0#2N6q4)9J5c8Y4y4G2L8$3&6Y4i4K6u0r3i4K6u0W2K9h3&6@1k6i4u0E0k6h3c8A6j5i4c8W2M7#2)9J5c8Y4y4&6M7%4c8W2L8g2)9J5c8X3I4A6j5X3S2A6k6r3I4Q4x3V1k6@1M7X3q4F1M7%4m8G2M7Y4c8Q4x3V1k6@1L8$3E0W2L8W2)9J5c8U0q4Q4x3X3f1H3i4K6u0r3j5h3&6V1M7X3!0A6k6q4)9J5k6h3S2A6k6r3I4Q4x3X3g2@1L8$3E0W2L8W2)9@1x3o6q4Q4x3X3f1H3i4K6g2X3k6$3g2F1j5#2)9J5b7W2)9J5b7W2)9J5c8X3N6W2L8W2)9J5c8X3q4F1k6s2u0G2K9h3c8Q4x3V1k6Z5K9h3c8D9i4K6u0r3N6r3!0C8k6h3&6Q4x3V1j5I4i4K6u0W2x3q4)9J5c8W2c8G2K9$3g2F1e0h3q4F1j5h3N6W2M7V1q4D9L8q4)9J5k6h3y4H3M7q4)9K6b7X3I4Q4x3@1b7%4y4o6q4Q4x3@1u0V1M7X3y4Q4x3@1b7$3x3e0p5&6y4K6x3$3y4o6x3$3y4$3x3&6k6e0b7H3y4r3x3%4k6r3p5$3z5e0l9H3y4U0f1^5k6U0q4T1x3e0k6U0y4o6u0V1x3r3c8S2 他并不只是单纯的在hwservicemanager中处理，hwservicemanager会触发内核层的binder_transaction，在内核层让一个进程可以通过ref引用另一个进程的target_node 991K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0M7#2)9J5k6h3q4F1k6s2u0G2K9h3c8Q4x3X3g2U0L8$3#2Q4x3V1k6S2L8X3c8J5L8$3W2V1i4K6u0r3K9$3g2J5L8X3g2D9i4K6u0r3M7%4g2H3k6i4u0H3M7X3!0B7k6h3y4@1i4K6u0r3i4K6u0n7i4K6u0r3j5$3!0E0L8h3!0F1i4K6u0V1j5h3&6V1M7X3!0A6k6q4)9J5k6r3#2S2K9h3&6D9K9h3&6W2i4K6y4m8j5$3!0E0L8h3!0F1i4K6u0r3k6s2u0A6N6X3g2J5M7#2)9J5c8X3q4F1k6s2u0G2K9h3c8Q4x3V1k6T1K9h3&6V1k6i4u0Q4x3X3g2U0i4K6y4n7L8q4)9K6c8o6x3J5z5e0m8Q4x3@1u0V1M7X3y4Q4x3@1b7J5k6o6j5%4y4e0g2X3j5$3b7@1j5X3p5K6j5e0t1I4z5h3j5@1j5e0k6X3x3K6V1I4z5e0l9%4y4o6j5^5x3h3t1H3y4e0t1#2k6X3u0X3i4K6y4n7j5Y4m8$3i4K6y4p5x3g2)9K6b7X3u0H3N6q4)9K6c8o6l9`. `generateToken(store)也并不是单纯的将store转换为interface，而是创建token后将store、token、id一起打包成新的TokenInterface实例返回` b3fK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0M7#2)9J5k6h3q4F1k6s2u0G2K9h3c8Q4x3X3g2U0L8$3#2Q4x3V1k6S2L8X3c8J5L8$3W2V1i4K6u0r3M7r3I4S2N6r3k6G2M7X3#2Q4x3V1k6K6N6i4m8W2M7Y4m8J5L8$3A6W2j5%4c8Q4x3V1k6E0j5h3W2F1i4K6u0r3i4K6u0n7i4K6u0r3L8h3q4A6L8W2)9K6b7i4y4&6M7%4c8W2L8g2)9J5c8X3S2%4M7$3g2J5N6X3W2U0k6h3#2S2L8X3q4Y4k6i4u0Q4x3V1k6f1L8$3E0W2L8V1#2S2L8X3q4Y4k6i4u0Q4x3X3g2U0M7s2m8Q4x3@1u0D9i4K6y4p5x3e0f1&6i4K6y4n7k6s2u0U0i4K6y4p5y4U0p5I4z5e0M7K6y4U0b7K6y4U0N6U0z5h3f1@1x3o6c8U0y4$3c8S2y4U0V1H3x3o6j5#2z5r3j5I4j5U0p5$3j5K6b7J5k6o6m8V1j5g2)9K6b7X3u0H3N6W2)9K6c8o6m8Q4x3@1u0T1M7s2c8Q4x3@1b7I4 最后于 5天前被999编辑，原因： 2025-6-10 16:40 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (1)

999

雪币： 70

能力值：

( LV1，RANK：0 )

在线值：

发帖

回帖

粉丝

关注

私信

999: 2 楼

4aeK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0M7#2)9J5k6h3q4F1k6s2u0G2K9h3c8Q4x3X3g2U0L8$3#2Q4x3V1k6S2L8X3c8J5L8$3W2V1i4K6u0r3M7r3I4S2N6r3k6G2M7X3#2Q4x3V1k6K6N6i4m8W2M7Y4m8J5L8$3A6W2j5%4c8Q4x3V1k6E0j5h3W2F1i4K6u0r3i4K6u0n7i4K6u0r3L8h3q4A6L8W2)9K6b7h3!0#2N6q4)9J5c8Y4y4G2L8$3&6Y4i4K6u0r3i4K6u0W2K9h3&6@1k6i4u0E0k6h3c8A6j5i4c8W2M7#2)9J5c8Y4y4&6M7%4c8W2L8g2)9J5c8X3I4A6j5X3S2A6k6r3I4Q4x3V1k6@1M7X3q4F1M7%4m8G2M7Y4c8Q4x3V1k6@1L8$3E0W2L8W2)9J5c8U0q4Q4x3X3f1H3i4K6u0r3j5h3&6V1M7X3!0A6k6q4)9J5k6h3S2A6k6r3I4Q4x3X3g2@1L8$3E0W2L8W2)9@1x3o6q4Q4x3X3f1H3i4K6g2X3k6$3g2F1j5#2)9J5b7W2)9J5b7W2)9J5c8X3N6W2L8W2)9J5c8X3q4F1k6s2u0G2K9h3c8Q4x3V1k6Z5K9h3c8D9i4K6u0r3N6r3!0C8k6h3&6Q4x3V1j5I4i4K6u0W2x3q4)9J5c8W2c8G2K9$3g2F1e0h3q4F1j5h3N6W2M7V1q4D9L8q4)9J5k6h3y4H3M7q4)9K6b7X3I4Q4x3@1b7%4y4o6q4Q4x3@1u0V1M7X3y4Q4x3@1b7$3x3e0p5&6y4K6x3$3y4o6x3$3y4$3x3&6k6e0b7H3y4r3x3%4k6r3p5$3z5e0l9H3y4U0f1^5k6U0q4T1x3e0k6U0y4o6u0V1x3r3c8S2

他并不只是单纯的在hwservicemanager中处理，hwservicemanager会触发内核层的binder_transaction，在内核层让一个进程可以通过ref引用另一个进程的target_node

991K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0M7#2)9J5k6h3q4F1k6s2u0G2K9h3c8Q4x3X3g2U0L8$3#2Q4x3V1k6S2L8X3c8J5L8$3W2V1i4K6u0r3K9$3g2J5L8X3g2D9i4K6u0r3M7%4g2H3k6i4u0H3M7X3!0B7k6h3y4@1i4K6u0r3i4K6u0n7i4K6u0r3j5$3!0E0L8h3!0F1i4K6u0V1j5h3&6V1M7X3!0A6k6q4)9J5k6r3#2S2K9h3&6D9K9h3&6W2i4K6y4m8j5$3!0E0L8h3!0F1i4K6u0r3k6s2u0A6N6X3g2J5M7#2)9J5c8X3q4F1k6s2u0G2K9h3c8Q4x3V1k6T1K9h3&6V1k6i4u0Q4x3X3g2U0i4K6y4n7L8q4)9K6c8o6x3J5z5e0m8Q4x3@1u0V1M7X3y4Q4x3@1b7J5k6o6j5%4y4e0g2X3j5$3b7@1j5X3p5K6j5e0t1I4z5h3j5@1j5e0k6X3x3K6V1I4z5e0l9%4y4o6j5^5x3h3t1H3y4e0t1#2k6X3u0X3i4K6y4n7j5Y4m8$3i4K6y4p5x3g2)9K6b7X3u0H3N6q4)9K6c8o6l9`.

generateToken(store)也并不是单纯的将store转换为interface，而是创建token后将store、token、id一起打包成新的TokenInterface实例返回

b3fK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0M7#2)9J5k6h3q4F1k6s2u0G2K9h3c8Q4x3X3g2U0L8$3#2Q4x3V1k6S2L8X3c8J5L8$3W2V1i4K6u0r3M7r3I4S2N6r3k6G2M7X3#2Q4x3V1k6K6N6i4m8W2M7Y4m8J5L8$3A6W2j5%4c8Q4x3V1k6E0j5h3W2F1i4K6u0r3i4K6u0n7i4K6u0r3L8h3q4A6L8W2)9K6b7i4y4&6M7%4c8W2L8g2)9J5c8X3S2%4M7$3g2J5N6X3W2U0k6h3#2S2L8X3q4Y4k6i4u0Q4x3V1k6f1L8$3E0W2L8V1#2S2L8X3q4Y4k6i4u0Q4x3X3g2U0M7s2m8Q4x3@1u0D9i4K6y4p5x3e0f1&6i4K6y4n7k6s2u0U0i4K6y4p5y4U0p5I4z5e0M7K6y4U0b7K6y4U0N6U0z5h3f1@1x3o6c8U0y4$3c8S2y4U0V1H3x3o6j5#2z5r3j5I4j5U0p5$3j5K6b7J5k6o6m8V1j5g2)9K6b7X3u0H3N6W2)9K6c8o6m8Q4x3@1u0T1M7s2c8Q4x3@1b7I4

最后于 5天前被999编辑，原因：

2025-6-10 16:40

areuu

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号