Continuing from the earlier analysis of the video intercom device: back then I said remote door opening could be implemented, and today I finally had time to fill in that gap.

http://aq.mk/index.php/archives/113.html

Result

Analysis

I will skip the fine-grained analysis. Following the function located last time, it turned out that all of the serial-port communication is wrapped inside the JNI library, so rather than a complicated binary reverse-engineering effort I simply hooked it with Frida.

Either because the device's hardware is too weak or because of something in its package, Frida and objection could not inject automatically: every injection attempt made the device reboot. So this time I used frida-gadget for the injection.

frida-gadget

I will not go into detail; in short, pick a .so file the app already loads, add an external dependency to that original .so pointing at our gadget, then repackage and install the apk.

The steps are as follows:

# patchelf
# libzzz.so is the gadget: download it from the official GitHub releases and give it any name
# the second argument is the .so that ships with the apk
patchelf --add-needed libzzz.so libjniandroidrkmojing.so

# generate a signing certificate
keytool -genkey -v -keystore myApp.keystore -alias myApp.keystore -keyalg RSA -validity 30000

# sign the apk
uber-apk-signer -a ml/ml.apk --ks myApp.keystore --ksAlias myApp.keystore

# install
adb install -r android-release-signed.apk

I ran into a problem here: the app is built into the system and cannot be uninstalled, and reinstalling it runs into the signature mismatch.
My workaround was to find its install path and directly replace the .so file it had already extracted.

# query the install path
adb shell pm path com.mili.smarthome.snj

The path usually looks like this (this screenshot was taken from a random app).

After replacing the file and restarting the app, you can see that the injection succeeded.
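A defender-side check, added here and not part of the original post: the patchelf --add-needed step above leaves an extra DT_NEEDED entry in the patched library, so an integrity check can compare a library's DT_NEEDED list against a known-good baseline. The example below (Python, standard library only) walks the section headers of an ELF64 shared object to read .dynamic and reports dependencies missing from the baseline; the ELF image it parses is constructed inline for testing, and libzzz.so is just the stand-in gadget name from the post.

```python
import struct

SHT_STRTAB, SHT_DYNAMIC, DT_NULL, DT_NEEDED = 3, 6, 0, 1
SHDR = "<IIQQQQIIQQ"  # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize

def needed_libraries(elf: bytes) -> list:
    """Return the DT_NEEDED names of a little-endian ELF64 image, in link order."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_shoff = struct.unpack_from("<Q", elf, 0x28)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 0x3A)
    shdrs = [struct.unpack_from(SHDR, elf, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    needed = []
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        str_off, str_size = shdrs[sh[6]][4], shdrs[sh[6]][5]  # sh_link points at .dynstr
        for off in range(sh[4], sh[4] + sh[5], sh[9] or 16):   # one Elf64_Dyn per entry
            d_tag, d_val = struct.unpack_from("<qQ", elf, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:                               # d_val is a .dynstr offset
                end = elf.index(b"\0", str_off + d_val, str_off + str_size)
                needed.append(elf[str_off + d_val:end].decode())
    return needed

def unexpected_needed(elf: bytes, baseline) -> list:
    """DT_NEEDED entries absent from the known-good baseline (e.g. an added gadget)."""
    known = set(baseline)
    return [n for n in needed_libraries(elf) if n not in known]

def build_sample_so(needed) -> bytes:
    """Constructed test image: ELF header, .dynstr and .dynamic only, no real code."""
    dynstr, offsets = b"\0", []
    for name in needed:
        offsets.append(len(dynstr))
        dynstr += name.encode() + b"\0"
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = (64 + len(dynstr) + 7) & ~7          # 8-byte align .dynamic after .dynstr
    shoff = dyn_off + len(dynamic)                 # section header table follows .dynamic
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 0xB7, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)  # ET_DYN, AArch64
    img = ehdr + dynstr + b"\0" * (dyn_off - 64 - len(dynstr)) + dynamic
    img += struct.pack(SHDR, *[0] * 10)                                   # SHT_NULL entry
    img += struct.pack(SHDR, 0, SHT_STRTAB, 0, 0, 64, len(dynstr), 0, 0, 1, 0)
    img += struct.pack(SHDR, 0, SHT_DYNAMIC, 0, 0, dyn_off, len(dynamic), 1, 0, 8, 16)
    return img
```

On a real device, feed it the bytes of the extracted library (the path from pm path above) and a baseline recorded from a clean build; a gadget added with --add-needed shows up as an entry the baseline does not contain.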

Method calls

The calling logic found earlier is roughly as follows:

# initialise the door-station session; the arguments are the type
Called com.android.client.InterCommClient.InterMonitorStart(int, int)
# unlock
Called com.android.client.InterCommClient.InterMonitorUnlock()
# stop listening
Called com.android.client.InterCommClient.InterMonitorStop()
# release the client
Called com.android.client.InterCommClient.StopInterCommClient()

First, a small JS script to verify the calls:

setTimeout(function() {
    Java.perform(function() {
        var InterCommClient = Java.use('com.android.client.InterCommClient');
        var InterCommClientInstance = InterCommClient.$new();
        // the two ints are the arguments traced from the app's own call
        console.log(InterCommClientInstance.InterMonitorStart(49, 1));
        console.log(InterCommClientInstance.InterMonitorUnlock());
    });
});

Once the call works, the next step is to expose it as an RPC export.

hook.js

var InterCommClient = null;
var InterCommClientInstance = null;

function opendoor(a, b) {
    return new Promise(resolve => {
        Java.perform(function () {
            // the constructor needs an application Context
            var Context = Java.use('android.content.Context');
            var ctx = Java.cast(
                Java.use('android.app.ActivityThread').currentApplication().getApplicationContext(),
                Context);
            InterCommClient = Java.use('com.android.client.InterCommClient');
            InterCommClientInstance = InterCommClient.$new(ctx);
            // same sequence as the traced calls: start, unlock, stop, release
            var initRet = InterCommClientInstance.InterMonitorStart(a, b);
            var unlockRet = InterCommClientInstance.InterMonitorUnlock();
            var stopRet = InterCommClientInstance.InterMonitorStop();
            var closeRet = InterCommClientInstance.StopInterCommClient();
            var ua = initRet + " - " + unlockRet + " - " + stopRet + " - " + closeRet;
            console.log(ua);
            resolve(ua);
        });
    });
}

rpc.exports = {
    opendoor: opendoor
};

Then wrap it in a small Flask API:

import os
from flask import Flask, request
import frida

JS_CODE = open("hook.js").read()
app = Flask(__name__)
# door id -> the (type, index) pair passed to InterMonitorStart
doorList = {
    "1": [49, 0],
    "2": [49, 1],
    "3": [48, 1],
    "4": [48, 2],
}


def message_header(message, payload):
    # print whatever the Frida script sends or throws
    message_type = message['type']
    if message_type == 'send':
        print('[* message]', message['payload'])
    elif message_type == 'error':
        print('[* error]', message['stack'])
    else:
        print(message)


os.system("adb forward tcp:27042 tcp:27042")
device = frida.get_usb_device(30)
session = device.attach("Gadget")  # frida-gadget registers itself under this name
script = session.create_script(JS_CODE, runtime='v8')
script.on('message', message_header)
script.load()


@app.errorhandler(500)
def internal_error(e):
    return 'error'


@app.route("/")
def index():
    return open("index.html").read()


@app.route("/open")
def opendoor():
    door = request.args.get("door")
    doors = doorList.get(door)
    if doors is None:
        return "unknown door", 400
    # calls the opendoor export defined in hook.js
    script.exports.opendoor(doors[0], doors[1])
    return "success"


# This endpoint has no authentication: anyone who can reach port 65511 can trigger an unlock.
# debug=True also enables the Werkzeug debugger and the reloader, which re-runs this module
# (and the Frida attach above) in a second process.
app.run(
    host='0.0.0.0',
    port=65511,
    debug=True,
)

References

https://www.bilibili.com/read/cv13148752
https://windysha.github.io/2020/05/28/%E9%9D%9ERoot%E7%8E%AF%E5%A2%83%E4%B8%8B%E4%BD%BF%E7%94%A8Frida%E7%9A%84%E4%B8%80%E7%A7%8D%E6%96%B9%E6%A1%88/
https://www.cnblogs.com/xiaoshen666/p/11008255.html
https://fadeevab.com/frida-gadget-injection-on-android-no-root-2-methods/
https://www.cnblogs.com/xiaoweigege/p/14976108.html
