Author: 昊天实验室 (Haotian Lab)


Vulnerability Description

Once the Android build of FlexiSpy has been installed on the target phone, it actively listens on port 12512. This port carries the communication between the client and the server. Because it has no effective authentication mechanism, an attacker can reach the port remotely and send control commands through it.

Vulnerability Details

When FlexiSPY starts, it calls:

public void startAppEngine(Context arg3) {
    Intent v0 = new Intent(arg3, CoreService.class);
    v0.setAction("wfs.service.action.start_engine");
    arg3.startService(v0);
}

After CoreService has been started, it calls startEngine():

public void startEngine() throws AppEngineException {
    // ... (other engine start-up code elided in the original; v1 is the command processor,
    // which for this server is RemoteControlHandler)
    this.mTcpSocketCmdServer = new TcpSocketCmdServer("AppEngine", "com.vvt.rmtctrl.server", 12512, ((TcpSocketCmdProcessor)v1));
    this.mTcpSocketCmdServer.setName("RemoteControlCmdServerThread");
    this.mTcpSocketCmdServer.start();
}

From this point on, FlexiSPY listens on port 12512.

TcpSocketCmdServer waits for a TcpSocketCmd (client) connection, calls readObject() to obtain the TcpSocketCmd, treats it as the Command, and calls TcpSocketCmdProcessor.processCommand(Command). The flow is as follows:

Client

tcpsocketcmd.execute() => connect to socket server => writeobject(this) => readobject(response)

Server

tcpsocketcmdserver => accept => readobject(tcpsocketcmd) => TcpSocketCmdProcessor.processCommand(tcpsocketcmd) => writeobject(response)

The Processor for this server (com.vvt.rmtctrl.server) is RemoteControlHandler.

The commands supported by this Processor are:

    RemoteFunction.IS_PRODUCT_ACTIVATED = 1;
    RemoteFunction.GET_LICENSE_STATUS = 2;
    RemoteFunction.ACTIVATE_PRODUCT = 3;
    RemoteFunction.DEACTIVATE_PRODUCT = 4;
    RemoteFunction.SET_EVENT_MAX_NUMBER = 5;
    RemoteFunction.SET_EVENT_TIMER = 6;
    RemoteFunction.ENABLE_EVENT_DELIVERY = 7;
    RemoteFunction.SET_DELIVERY_METHOD = 8;
    RemoteFunction.ENABLE_EVENT_CAPTURE = 9;
    RemoteFunction.ENABLE_CAPTURE_CALL = 10;
    RemoteFunction.ENABLE_CAPTURE_SMS = 11;
    RemoteFunction.ENABLE_CAPTURE_EMAIL = 12;
    RemoteFunction.ENABLE_CAPTURE_GPS = 13;
    RemoteFunction.SET_GPS_TIME_INTERVAL = 14;
    RemoteFunction.ENABLE_CAPTURE_MMS = 15;
    RemoteFunction.ENABLE_CAPTURE_IM = 16;
    RemoteFunction.ENABLE_CAPTURE_IMAGE = 17;
    RemoteFunction.ENABLE_CAPTURE_AUDIO = 18;
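A device-side check for the listener described above, added here as an example and not part of the original write-up: it parses the kernel's /proc/net/tcp table (as read over `adb shell cat /proc/net/tcp`) and reports any socket in LISTEN state bound to port 12512, together with the UID that owns it. The table contents below are constructed sample data, not output captured from a real device.

```python
# Constructed sample of /proc/net/tcp (not captured from a real device).
# Columns: sl local_address rem_address st tx_queue:rx_queue tr:tm->when retrnsmt uid ...
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:30E0 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 45678 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 45679 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:B3C2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10055        0 45680 1 0000000000000000 100 0 0 10 0
"""

FLEXISPY_CMD_PORT = 12512  # 0x30E0, the TcpSocketCmdServer port named in the write-up
TCP_LISTEN = 0x0A          # Linux socket state code for LISTEN in /proc/net/tcp


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp into dicts with decoded local IP, port, state and owning uid."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "sl":
            continue  # header line or truncated row
        addr_hex, port_hex = fields[1].split(":")
        # IPv4 local_address is little-endian hex: "0100007F" -> 127.0.0.1
        octets = [int(addr_hex[i:i + 2], 16) for i in range(6, -1, -2)]
        entries.append({
            "local_ip": ".".join(str(o) for o in octets),
            "local_port": int(port_hex, 16),
            "state": int(fields[3], 16),
            "uid": int(fields[7]),
        })
    return entries


def find_flexispy_listeners(text, port=FLEXISPY_CMD_PORT):
    """Return LISTEN sockets bound to the command port; 0.0.0.0 means reachable from the network."""
    return [e for e in parse_proc_net_tcp(text)
            if e["state"] == TCP_LISTEN and e["local_port"] == port]


if __name__ == "__main__":
    for hit in find_flexispy_listeners(SAMPLE_PROC_NET_TCP):
        scope = "all interfaces" if hit["local_ip"] == "0.0.0.0" else hit["local_ip"]
        print(f"uid {hit['uid']} listens on TCP {hit['local_port']} ({scope}); map the uid to its package")
```

The reported UID can be mapped to an installed package with `adb shell pm list packages -U` to confirm which app owns the socket.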