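DayDream is an Android pwn challenge from DubheCTF. To be honest, I was really happy when I saw this challenge (although during the competition I was busy with other things and only took a quick look). I promised myself then that I would reproduce it, so here is the write-up.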
https://developer.android.com/reference/android/service/dreams/DreamService
https://android.googlesource.com/platform/frameworks/base/+/2ce1b7fd37273ea19fbbb6daeeaa6212357b9a70%5E%21/#F1
Fix vulnerability that allowed attackers to start arbitrary activities
Why does this happen?
Then
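No rush, though. Let's also look at server.py; this file is also hinting at what we need to do.
Because I reproduced this after the challenge environment had been shut down, the challenge's Docker setup was missing files, and after I modified server.py the emulator inexplicably would not start. In the end I simply found an Android 12 emulator and typed the commands by hand. Sigh.
The flow is quite ordinary; the key part is one_click.
OK, what we need to do next is write an APK and then invoke SecretActivity. For how to write it, see the official DreamService documentation linked above.
Note that the challenge specifies the package name.
The username 联想 (Lenovo) is a historical leftover :(
The attachment is a video of the reproduction; there are so many entries in logcat because I tried more than once :(
Finally, here is the source code: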
https://github.com/UmVfX1BvaW50/CVE-2024-0015
All right, time to log off. If anything here is wrong, feel free to grill me about it~~~
```python
# Excerpt from the challenge's server.py; helpers such as adb(), adb_install()
# and print_to_user() are not shown on this page.
print_to_user("Welcome to DubheCTF2024 DayDream! Please proof of work to continue.\n")
if not proof_of_work():
    print_to_user("Please proof of work again, exit...\n")
    exit(-1)

# Fetch and validate the player's APK.
print_to_user("Please enter your apk url:")
url = sys.stdin.readline().strip()
EXP_FILE = download_file(url)
if not check_apk(EXP_FILE):
    print_to_user("Invalid apk file.\n")
    exit(-1)

# Boot the emulator and wait until it is ready.
emulator = setup_emulator()
adb(["wait-for-device"])
wait_for_device_boot_complete()

# Disable the Settings AddAccountSettings activity.
adb(["shell", "su", "root", "pm", "disable",
     "com.android.settings/.accounts.AddAccountSettings"])

# Install the victim app, start it, and hand it the flag via broadcast.
adb_install(APK_FILE)
adb_activity(f"{VICTIM}/.MainActivity", wait=True)
with open(FLAG_FILE, "r") as f:
    adb_broadcast(f"com.tsctf.SET_FLAG", f"{VICTIM}/.FlagReceiver",
                  extras={"flag": f.read()})

# Install and start the player's APK, then simulate the user interaction.
adb_install(EXP_FILE)
adb_activity(f"{ATTACKER}/.MainActivity")

one_click()

# Only log lines tagged SecretActivity are returned to the player.
print_to_user("One_click finished! The logcat log will be output after 5 seconds.\n")
adb(["shell", "logcat -d -s SecretActivity", ">",
     "/logcat_" + str(ADB_PORT) + ".txt"])
```
```python
def one_click():
    # Open the screen saver (Dream) settings page.
    adb(["shell", "am", "start", "-a", "android.settings.DREAM_SETTINGS"])
    adb(["shell", "sleep", "10"])
    # Move focus down one entry and activate it.
    adb(["shell", "input", "keyevent", "KEYCODE_DPAD_DOWN"])
    adb(["shell", "sleep", "1"])
    adb(["shell", "input", "keyevent", "KEYCODE_ENTER"])
    adb(["shell", "sleep", "5"])
    # Two taps at fixed screen coordinates.
    adb(["shell", "input", "tap", "675", "1415"])
    adb(["shell", "sleep", "5"])
    adb(["shell", "input", "tap", "1256", "842"])
    adb(["shell", "sleep", "1"])
```
```java
package com.tsctf.daydream;

import android.service.dreams.DreamService;

public class MyService extends DreamService {
    @Override
    public void onAttachedToWindow() {
        super.onAttachedToWindow();
        setInteractive(false);
        setFullscreen(true);
    }
}
```