2013/12/16 16:52

0x00 Prologue


Recently Xiao Ming has had a heap of trouble that cost him both sleep and appetite. A goddess of his had an Android phone that caught a strange disease: SMS messages sent to her no longer arrived, messages she sent to others never arrived either, and, more infuriating still, the money she had set aside for online shopping had been mysteriously spent. While the goddess was anxiously scrolling through her address book, she came across Xiao Ming's entry: "Jack 17 - computers, phone flashing". So, under the gaze of the goddess's poor pleading eyes, Xiao Ming patted his chest and promised to get it done in one day.

So Xiao Ming got hold of the goddess's phone. He was not prepared for what he would find.

0x01 Locate the culprit


The first job after getting the phone was to find out why SMS messages were no longer arriving. Xiao Ming checked the system SMS settings and the installed apps; everything installed looked normal, and there was no suspicious blank icon. The software management tool showed nothing suspicious either. So he started going through the system apps one by one, and when he opened "Google Store", the fox's tail showed.

As shown in the picture below, first, tapping this app without a network connection prompts "The phone cannot connect to the Internet".

Second, tapping the app with a network connection triggers a long list of permission requests followed by a "Network normal" prompt.

Seeing this, Xiao Ming smiled: this is the currently most popular SMS interception trojan, the "SMS horse". He promptly exported the target APK from the phone through Wandoujia (pea pod), as shown below.

Looking at the SMS horse, less than 100 KB, sitting on the desktop, Xiao Ming silently put on his apron (an Android virtual environment), picked up his scalpel (the decompilation tools dex2jar and Xjad), and laid the horse on the dissection table (Eclipse).

0x02 Carving the ox


First, Xiao Ming unzipped the APK file and pulled out the key file, classes.dex, which holds the app's compiled Java classes in Dalvik bytecode.

Run dex2jar on it; the output is classes_dex2jar.jar:

dex2jar.bat classes.dex

Then decompile the resulting JAR with Xjad: click File - Decompile jar, select the generated JAR file, and it is decompiled into a source folder.
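Before handing an APK to dex2jar it is worth confirming that what was exported is a real package with a usable classes.dex. The following triage script is an added example written for this article, not code from the original post or from any of the tools it names: it opens the APK as the zip it is, pulls out classes.dex, checks the DEX magic and header fields, records a SHA-256 for the sample, and notes whether the package carries a META-INF signature. The APK it inspects is constructed in memory (a header-only stand-in for classes.dex, no real code), so the script runs offline.

```python
import hashlib
import io
import struct
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"   # followed by a 3-digit version and a NUL byte
DEX_HEADER_SIZE = 0x70        # fixed header size in the DEX format
LITTLE_ENDIAN_TAG = 0x12345678


def build_sample_dex(size=0x80):
    """Constructed stand-in for classes.dex: a valid-looking header and no code."""
    body = bytearray(size)
    body[0:8] = b"dex\n035\x00"                       # magic + version 035
    struct.pack_into("<I", body, 32, size)            # file_size
    struct.pack_into("<I", body, 36, DEX_HEADER_SIZE)  # header_size
    struct.pack_into("<I", body, 40, LITTLE_ENDIAN_TAG)  # endian_tag
    return bytes(body)


def build_sample_apk():
    """Constructed APK: a zip with the usual top-level entries (names assumed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML stub
        z.writestr("classes.dex", build_sample_dex())
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def triage_apk(apk_bytes):
    """Extract classes.dex from an APK and sanity-check its header.

    Returns a dict of findings; raises ValueError if the package is not
    something dex2jar could meaningfully process.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        if "classes.dex" not in names:
            raise ValueError("no classes.dex in APK")
        dex = z.read("classes.dex")

    # Magic is "dex\n" + three ASCII digits + NUL; anything else is not DEX.
    if not dex.startswith(DEX_MAGIC_PREFIX) or dex[7:8] != b"\x00":
        raise ValueError("classes.dex has an invalid magic")
    version = dex[4:7].decode("ascii")
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)

    return {
        "entries": names,
        "dex_version": version,
        "dex_size": len(dex),
        "dex_size_matches_header": file_size == len(dex),
        "header_size": header_size,
        "little_endian": endian_tag == LITTLE_ENDIAN_TAG,
        "dex_sha256": hashlib.sha256(dex).hexdigest(),
        "signed": any(n.startswith("META-INF/") for n in names),
    }


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

A size mismatch between the header's file_size and the actual classes.dex, or a magic that is not `dex\n0xx\0`, usually means the export was truncated or the file was packed, and dex2jar will fail on it; the SHA-256 is what you would record as the sample's identifier before going any further.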

At this point the beef is basically carved up; now to find the filet mignon.

0x03 Finding the chrysanthemum (the backend)


After decompiling, analysis shows that the trojan talks to its backend by calling a C# WebService, and the backend IP (the "chrysanthemum") is stored encrypted. The calling code is shown below:

Taking the encrypted string and following the picture back to the encryption function, decompiling it gives the following:

Running it yields the server address directly: http://103.X.X.X/priv1/baseservice.asmx

The chrysanthemum is found. Now it's time to get at it.

0x04 Driving straight in with injection (the part that cracked the backend was done by SQL testing)


Having found the backend address, the next headache was how to take the backend down. Scanning it with tools found no vulnerabilities; my ability is limited. It seemed the only way in was through the site itself. Rethinking it, I typed http://103.X.X.X/priv1/baseservice.asmx into the browser and found

several methods exposed. Since there were methods I could call directly, I opened a project and added a WebService reference; the code is as follows:

I first wanted to try XSS, inserting into the database through the AddCall method, as follows:

The call returned an error.

So let's talk about WebService SQL injection instead.

I picked the getOrders method and called it with a single quote, which produced a MySQL error. Injection points all over the place.

Next, transform the query statement:

XML is returned:

<?xml version="1.0" encoding="utf-8"?><RootJob><Job><Type>9</Type><Content>3</Content><Phone>2</Phone><JobID>1</JobID></Job></RootJob>

I won't go into the following steps in detail; the injection runs as root.
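The single-quote check above is the whole diagnosis: a WebService method that pastes its parameter into the SQL text cannot tell data from syntax. The example below is added for this article and is not the C2's code; it rebuilds a getOrders-style lookup over a constructed SQLite stand-in for the jobs table (the table and column names are assumed from the XML the page shows), once with string concatenation and once with a bound parameter, and serialises the rows into the same RootJob/Job XML shape. The `probe` helper is the tester's view: the concatenating version turns a lone quote into a database error, the parameterised version simply finds no matching row.

```python
import sqlite3
import xml.etree.ElementTree as ET


def make_db():
    """Constructed stand-in for the backend's jobs table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Job (JobID INTEGER, Type INTEGER, Content TEXT, Phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO Job VALUES (?, ?, ?, ?)",
        [(1, 9, "3", "2"), (2, 1, "forward", "13800000000")],
    )
    return conn


def get_orders_vulnerable(conn, phone):
    """The pattern the page describes: the caller's value becomes SQL text."""
    sql = "SELECT JobID, Type, Content, Phone FROM Job WHERE Phone = '" + phone + "'"
    return conn.execute(sql).fetchall()


def get_orders_safe(conn, phone):
    """Hardened form: the value is bound, never parsed as SQL."""
    sql = "SELECT JobID, Type, Content, Phone FROM Job WHERE Phone = ?"
    return conn.execute(sql, (phone,)).fetchall()


def to_xml(rows):
    """Serialise rows the way the WebService response on the page is shaped."""
    root = ET.Element("RootJob")
    for job_id, typ, content, phone in rows:
        job = ET.SubElement(root, "Job")
        ET.SubElement(job, "Type").text = str(typ)
        ET.SubElement(job, "Content").text = str(content)
        ET.SubElement(job, "Phone").text = str(phone)
        ET.SubElement(job, "JobID").text = str(job_id)
    return ET.tostring(root, encoding="unicode")


def probe(func, conn, value):
    """Call a lookup with a test value; returns ('ok', rows) or ('error', message)."""
    try:
        return ("ok", func(conn, value))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", probe(get_orders_vulnerable, db, "2"))
    print("vulnerable, single quote :", probe(get_orders_vulnerable, db, "'"))
    print("safe, single quote       :", probe(get_orders_safe, db, "'"))
    print(to_xml(get_orders_safe(db, "2")))
```

The detection side is the same signal seen from the server: a web method that answers a stray quote with a database error message, rather than an empty result or a validation error, is exposing its query builder, and the fix is the bound parameter, not filtering quotes out of the input.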

Web root: C:\Inetpub\wwwroot (ASPX)

That was basically it. What remained was privilege escalation, which was completed successfully with a friend's help.

0x05 Expanding the results


By now I had server access through MySQL. Checking the registry showed that the port was 55555 and the server was Windows Server 2003 R2. I added a user and went in to look around.

Nothing complicated: IIS + MySQL + a C# WebService.

MySQL accepted remote connections, so I connected from the local side to have a look. At a glance it was clear that the gang was monitoring the victims through the content the SMS horse uploaded, which came as a surprise to Xiao Ming.

In the database, Xiao Ming found information on many victims, including notifications of large bank transfers. If texts like these are intercepted, the consequences can be imagined.

0x06 Digging into the industry chain


Wherever there is profit there is an industry. Having found the source, Xiao Ming went upstream to dig out the entire industry chain behind the Android SMS interception horse.

Searching for keywords such as "SMS interception" and "SMS horse for sale", Xiao Ming found many people posting related demands.

And on various underground forums there were plenty of posts begging for the horse.

They buy it mainly to commit fraud:

impersonating an acquaintance, luring victims into online banking scams, or for some unspeakable purposes.

Here is a random example.

From analysing the code, Xiao Ming found that the SMS horse works like this:

Once the trojan is installed on a phone and granted the permissions it asks for, it immediately uploads the victim's address book. All SMS traffic on the phone is forwarded to a designated phone number, and that number can send coded commands directing the trojan to forge messages, which is how the fraud is carried out.
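Everything the trojan does in the paragraph above, and the long list of permission requests noted in section 0x01, is visible before installation in the permissions the package declares. The script below is an added example for this article, not code from the original post or from any Android tool: it parses the `uses-permission` lines as `aapt dump badging` prints them (both the older `uses-permission:'...'` and the newer `uses-permission: name='...'` spellings) and flags the combinations that make an SMS interception trojan work: SMS access plus INTERNET for exfiltration, RECEIVE_SMS plus SEND_SMS for relaying and forging, READ_CONTACTS plus INTERNET for address book upload, and RECEIVE_BOOT_COMPLETED for persistence. The badging text it reads is constructed to match the behaviour described on this page; the package name is invented.

```python
import re

# Matches "uses-permission: name='x'" (newer aapt) and "uses-permission:'x'" (older).
PERM_RE = re.compile(r"uses-permission:(?:\s*name=)?'([^']+)'")

SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.WRITE_SMS",
}
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}
NETWORK_PERMS = {"android.permission.INTERNET"}
PERSIST_PERMS = {"android.permission.RECEIVE_BOOT_COMPLETED"}

# Constructed aapt badging output shaped like the trojan this article describes.
SAMPLE_BADGING = """\
package: name='com.example.fakestore' versionCode='1' versionName='1.0'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
application-label:'Google Store'
"""


def parse_permissions(badging_text):
    """Return the set of permission names declared in aapt badging output."""
    return set(PERM_RE.findall(badging_text))


def assess(perms):
    """Score a permission set for the capabilities of an SMS interception trojan."""
    findings = []
    if perms & SMS_PERMS and perms & NETWORK_PERMS:
        findings.append("sms-exfiltration: SMS access combined with INTERNET")
    if {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= perms:
        findings.append("sms-relay: can both receive and send SMS (forward/forge)")
    if perms & CONTACT_PERMS and perms & NETWORK_PERMS:
        findings.append("contacts-exfiltration: READ_CONTACTS combined with INTERNET")
    if perms & PERSIST_PERMS:
        findings.append("persistence: restarts on boot")

    if len(findings) >= 3:
        verdict = "high"
    elif findings:
        verdict = "medium"
    else:
        verdict = "low"
    return {"permissions": sorted(perms), "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    report = assess(parse_permissions(SAMPLE_BADGING))
    print("verdict:", report["verdict"])
    for finding in report["findings"]:
        print(" -", finding)
```

A messaging app legitimately needs the SMS permissions, so the score is a triage signal rather than a verdict on its own; the combination that should not pass unexamined is a package presenting itself as a store or utility while asking for SMS, contacts, network and boot persistence together, which is exactly the profile of the "Google Store" above.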