行之_Binder Fuzz based on drozer

孟昂雄

2017/11/14 Published in the Technology category

This talk first introduces a binder fuzz model based on drozer, then shares several interesting Android system vulnerabilities, and finally covers common methods for exploiting system service vulnerabilities.

Text content
1. Binder Fuzz based on drozer & Some interesting Vulnerabilities sharing (@0xr0ot) 0xr0ot.sec@gmail.com Kcon Beijing 2016
2. Who am I
• ID: 0xr0ot (not 0xroot)
• Security researcher (2 years)
• Mainly focus on Android security
• Always like basketball
3. Agenda
• drozer introduction
• Binder fuzz model
• Case share
• How to exploit
4. Drozer Architecture
• console
• agent
• server
5. Functionality
• Exploit
• Scanner
Metasploit?
6. Design Principles
• Reflection
• Class loading
7. Drozer mode
• direct mode
• infrastructure mode
8. Commands
drozer server start --port port
drozer exploit build exploit.usb.socialengineering.usbdebugging --server ip -credentials username password
drozer console connect --server ip:port --password
9. Writing a module
10. Binder fuzz
Why use drozer? I am familiar with it, XD!
• fuzz intent
• fuzz service call
11. Fuzz model
• drozer module (core)
• external python script (control logic)
Putting everything into a single drozer module is also OK.
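The "control logic" half of the fuzz model above, as an added example (not drozer's code and not the author's module). It assumes a drozer module, not shown here, that takes one generated argument tuple, builds the Parcel and performs the binder transact; in this self-contained version that call is a stub, the service name com.example.FakeService is hypothetical, and the logcat lines are constructed. What it demonstrates is the part the slide leaves implicit: type-aware boundary values per AIDL parameter, reading the log after each call, and de-duplicating crashes by their top stack frames so one bug does not produce hundreds of identical reports.

```python
"""Control logic for a service-call fuzzer (added example, not drozer's code).

transact(args) stands in for the drozer module that marshals the arguments
and calls the target method; logcat_after() returns the log lines produced
since the previous call. Both are stubbed below with constructed data.
"""
import itertools
import re
from collections import OrderedDict

# Boundary values per AIDL parameter type (constructed starting set).
BOUNDARY_VALUES = {
    "int": [0, 1, -1, 2**31 - 1, -2**31],
    "long": [0, -1, 2**63 - 1, -2**63],
    "String": [None, "", "A" * 4096],
    "IBinder": [None],   # a null binder is a classic unchecked input
    "Bundle": [None, {}],
}

# system_server Java crash or a native crash of a service process
CRASH_RE = re.compile(r"FATAL EXCEPTION IN SYSTEM PROCESS|Fatal signal \d+ \(SIG\w+\)")
# "at com.foo.Bar.method(" stack frame lines
FRAME_RE = re.compile(r"\bat ([\w.$]+)\(")


def generate_cases(signature):
    """Return every combination of boundary values for the parameter types.

    signature: list of AIDL type names, e.g. ["int", "String", "IBinder"].
    """
    pools = [BOUNDARY_VALUES[t] for t in signature]
    return list(itertools.product(*pools))


def crash_signature(logcat_lines):
    """Return a dedup key (first three frames) for a crash, or None if no crash."""
    crashed = False
    frames = []
    for line in logcat_lines:
        if CRASH_RE.search(line):
            crashed = True
        m = FRAME_RE.search(line)
        if crashed and m and len(frames) < 3:
            frames.append(m.group(1))
    if not crashed:
        return None
    return " > ".join(frames) if frames else "native-crash"


def run_campaign(signature, transact, logcat_after):
    """Fuzz loop: generate -> call -> read logcat -> keep first args per crash."""
    unique = OrderedDict()
    for args in generate_cases(signature):
        transact(args)
        sig = crash_signature(logcat_after())
        if sig and sig not in unique:
            unique[sig] = args
    return unique


# --- Constructed demo standing in for the device and the drozer module ---
DEMO_CRASH_LOG = [
    "E AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: main",
    "E AndroidRuntime: java.lang.NullPointerException",
    "E AndroidRuntime:     at com.example.FakeService.setTheme(FakeService.java:42)",
    "E AndroidRuntime:     at com.example.FakeService$Stub.onTransact(FakeService.java:17)",
    "E AndroidRuntime:     at android.os.Binder.execTransact(Binder.java:565)",
]


def demo():
    """Run the loop against a hypothetical setTheme(int, String) that NPEs on a null String."""
    pending = []

    def transact(args):
        if args[1] is None:
            pending.extend(DEMO_CRASH_LOG)
        else:
            pending.append("I FakeService: setTheme ok")

    def logcat_after():
        lines = list(pending)
        del pending[:]
        return lines

    return run_campaign(["int", "String"], transact, logcat_after)


if __name__ == "__main__":
    for sig, args in demo().items():
        print(sig, "<-", args)
```

On a real device the stub is replaced by the drozer module and logcat_after() by a logcat reader; the de-duplication key is what turns a run that trips the same null check 25 times into a single finding to report.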
12. Case Share
• LockScreen bypass (or clear)
• Fake shutdown (eavesdropping)
• Capability leak
• System DoS
13. LockScreen bypass(CVE-2016-3749)
14. CVE-2016-3749 Details
15. Windfall
16. CVE-2016-3749 Patch
17. My first high severity issue
18. Fake Shutdown(eavesdropping) • Samsung
19. Capability Leak
• nexus series car mode
• samsung change theme
Video demonstration
20. System DoS (restart)
• nexus (3 )
Video demonstration.
• samsung (11 )
21. Samsung Acknowledgements
22. Good News
23. How to exploit (system service vulnerability)
• use AIDL file
• use java reflection
• native layer
• shell script
24. Exploit-use AIDL file
• The Android SDK tools generate a Java interface from the .aidl file you import.
• “The ***.aidl file not found”, but it is right there. If a similar error occurs, you can write the Java code manually.
Reference: Android Bound Service (by ) http://drops.wooyun.org/mobile/13676
25. Exploit-use AIDL file
26. Exploit-use reflection
• The nature is the same as using an AIDL file.
• It does not need the .aidl file.
27. Exploit-native
28. Exploit-shell script
• clear.sh
• key code:
Runtime runtime = Runtime.getRuntime();
Process proc = runtime.exec(command);
29. Summary
• AIDL: It is easy to see the nature of the vulnerability.
• java reflection: It is simple and convenient.
• native: It needs an Android source environment.
• shell script: It is simple.