Author: 昊天实验室 (Haotian Lab)
Vulnerability Summary
Once FlexiSPY for Android has been installed on the target phone it actively listens on TCP port 12512. This port is the communication channel between the FlexiSPY client and the server component running on the phone. Because the channel has no effective authentication mechanism, any attacker who can reach the port can send control commands to the device remotely.
Vulnerability Details
At startup FlexiSPY calls (decompiled; arg3/v0 are the decompiler's local names):
public void startAppEngine(Context arg3) {
    // Build an explicit Intent for CoreService and ask it to start the engine
    Intent v0 = new Intent(arg3, CoreService.class);
    v0.setAction("wfs.service.action.start_engine");
    arg3.startService(v0);
}
Once CoreService is running it calls startEngine():
public void startEngine() throws AppEngineException {
    ......
    // Command server for remote control: thread name, server id, TCP port 12512 and the
    // command processor (v1 is the processor instance; the page identifies it as RemoteControlHandler)
    this.mTcpSocketCmdServer = new TcpSocketCmdServer("AppEngine", "com.vvt.rmtctrl.server", 12512, ((TcpSocketCmdProcessor)v1));
    this.mTcpSocketCmdServer.setName("RemoteControlCmdServerThread");
    this.mTcpSocketCmdServer.start();
}
From this point on FlexiSPY is listening on TCP port 12512.
TcpSocketCmdServer waits for a TcpSocketCmd (client) connection, calls readObject() to obtain the TcpSocketCmd object, and passes it as the Command to TcpSocketCmdProcessor.processCommand(Command). The flow is:
Client
tcpsocketcmd.execute() => connect to socket server => writeObject(this) => readObject(response)
Server
tcpsocketcmdserver => accept => readObject(tcpsocketcmd) => TcpSocketCmdProcessor.processCommand(tcpsocketcmd) => writeObject(response)
Nothing in this exchange identifies or authenticates the peer before processCommand() runs: whoever completes the TCP connection and writes a serialized TcpSocketCmd gets it executed. Note also that the transport is plain Java object serialization over an unencrypted socket, so the server deserializes attacker-supplied objects with readObject(); whether any exploitable gadget class is present on the classpath is not examined here.
The Processor for this server (com.vvt.rmtctrl.server) is RemoteControlHandler.
The commands this Processor supports are:
RemoteFunction.IS_PRODUCT_ACTIVATED = 1;
RemoteFunction.GET_LICENSE_STATUS = 2;
RemoteFunction.ACTIVATE_PRODUCT = 3;
RemoteFunction.DEACTIVATE_PRODUCT = 4;
RemoteFunction.SET_EVENT_MAX_NUMBER = 5;
RemoteFunction.SET_EVENT_TIMER = 6;
RemoteFunction.ENABLE_EVENT_DELIVERY = 7;
RemoteFunction.SET_DELIVERY_METHOD = 8;
RemoteFunction.ENABLE_EVENT_CAPTURE = 9;
RemoteFunction.ENABLE_CAPTURE_CALL = 10;
RemoteFunction.ENABLE_CAPTURE_SMS = 11;
RemoteFunction.ENABLE_CAPTURE_EMAIL = 12;
RemoteFunction.ENABLE_CAPTURE_GPS = 13;
RemoteFunction.SET_GPS_TIME_INTERVAL = 14;
RemoteFunction.ENABLE_CAPTURE_MMS = 15;
RemoteFunction.ENABLE_CAPTURE_IM = 16;
RemoteFunction.ENABLE_CAPTURE_IMAGE = 17;
RemoteFunction.ENABLE_CAPTURE_AUDIO = 18;
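The exchange above, modelled end to end as an added example (this is illustrative code written for this page, not FlexiSPY's own classes). The Cmd class, its token field, the reply strings and the use of an ephemeral port instead of 12512 are assumptions; only the function ids are taken from the RemoteFunction table. The vulnerable model reproduces accept => readObject => processCommand => writeObject with no check, and the hardened model beside it binds to loopback and verifies a pre-shared token before dispatch.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class UnauthCmdChannelDemo {

    // Function ids from the page's RemoteFunction table.
    static final int IS_PRODUCT_ACTIVATED = 1;
    static final int GET_LICENSE_STATUS = 2;
    static final int DEACTIVATE_PRODUCT = 4;
    static final int ENABLE_CAPTURE_CALL = 10;

    // Hypothetical command object; the real TcpSocketCmd's fields are not shown on the page.
    static class Cmd implements Serializable {
        private static final long serialVersionUID = 1L;
        final int function;
        final String token; // only consulted by the hardened server
        Cmd(int function, String token) { this.function = function; this.token = token; }
    }

    // Server side: accept -> readObject -> processCommand -> writeObject.
    // requiredToken == null reproduces the unauthenticated behaviour described on the page.
    // The server builds its ObjectInputStream first (the client builds its ObjectOutputStream first)
    // so neither side blocks waiting for the other's stream header.
    static void serveOnce(ServerSocket ss, String requiredToken) throws Exception {
        try (Socket s = ss.accept();
             ObjectInputStream in = new ObjectInputStream(s.getInputStream());
             ObjectOutputStream out = new ObjectOutputStream(s.getOutputStream())) {
            Cmd cmd = (Cmd) in.readObject();           // untrusted object straight off the wire
            String reply = isAuthorized(requiredToken, cmd) ? processCommand(cmd.function)
                                                            : "REJECTED: not authenticated";
            out.writeObject(reply);
            out.flush();
        }
    }

    // Constant-time token comparison; a null requirement means "no authentication" (vulnerable model).
    static boolean isAuthorized(String requiredToken, Cmd cmd) {
        if (requiredToken == null) return true;
        if (cmd.token == null) return false;
        return MessageDigest.isEqual(requiredToken.getBytes(StandardCharsets.UTF_8),
                                     cmd.token.getBytes(StandardCharsets.UTF_8));
    }

    // Stand-in for RemoteControlHandler.processCommand(); replies are made up for the demo.
    static String processCommand(int function) {
        switch (function) {
            case IS_PRODUCT_ACTIVATED: return "activated=true";
            case GET_LICENSE_STATUS:   return "license=ACTIVATED";
            case DEACTIVATE_PRODUCT:   return "product deactivated";
            case ENABLE_CAPTURE_CALL:  return "call capture enabled";
            default:                   return "unknown function " + function;
        }
    }

    // Client side: connect -> writeObject(cmd) -> readObject(response).
    static String sendCommand(String host, int port, Cmd cmd) throws Exception {
        try (Socket s = new Socket(host, port);
             ObjectOutputStream out = new ObjectOutputStream(s.getOutputStream());
             ObjectInputStream in = new ObjectInputStream(s.getInputStream())) {
            out.writeObject(cmd);
            out.flush();
            return (String) in.readObject();
        }
    }

    static Thread serveInBackground(ServerSocket ss, String requiredToken, int connections) {
        Thread t = new Thread(() -> {
            try { for (int i = 0; i < connections; i++) serveOnce(ss, requiredToken); }
            catch (Exception e) { e.printStackTrace(); }
        });
        t.start();
        return t;
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable model: bound to all interfaces, no check before processCommand().
        try (ServerSocket vuln = new ServerSocket(0, 1, InetAddress.getByName("0.0.0.0"))) {
            Thread t = serveInBackground(vuln, null, 1);
            System.out.println("unauthenticated client -> " +
                sendCommand("127.0.0.1", vuln.getLocalPort(), new Cmd(DEACTIVATE_PRODUCT, null)));
            t.join();
        }
        // Hardened model: loopback only, pre-shared token verified before dispatch.
        try (ServerSocket hard = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            Thread t = serveInBackground(hard, "pre-shared-token", 2);
            System.out.println("missing token          -> " +
                sendCommand("127.0.0.1", hard.getLocalPort(), new Cmd(DEACTIVATE_PRODUCT, null)));
            System.out.println("valid token            -> " +
                sendCommand("127.0.0.1", hard.getLocalPort(), new Cmd(DEACTIVATE_PRODUCT, "pre-shared-token")));
            t.join();
        }
    }
}
```

Compile and run with `javac UnauthCmdChannelDemo.java && java UnauthCmdChannelDemo`. The first run shows DEACTIVATE_PRODUCT being executed for a peer the server knows nothing about, which is the defect the page describes. The token check and loopback binding address the missing authentication only; because the channel still hands raw network bytes to readObject(), a real fix should additionally restrict deserialization to the expected command class (on Java 9 and later, ObjectInputStream.setObjectInputFilter) or replace Java serialization with an explicit message format.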