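This post was last edited by dimx on 2019-11-13 17:06
On Singles' Day (Double 11) I splurged on a certain TV. "In accordance with regulation xxx, installing this software is prohibited...", and there are ads at boot,
From experience, smart devices generally have a "backdoor",
In the system settings, I found no adb option,
Scanned the TV's open ports with nmap, no results
After it had been on for a while, the TV popped up a system update prompt,
Mirrored the switch port, captured packets, got hold of the OTA update package, and found an adb backdoor in a system framework jar file
Key backdoor code attached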
// Excerpt from the decompiled framework class. The other key arrays
// (mBurnKeyCode, mStartStockAppSwitcherKeycode, mCommitLogKeyCode) and the
// index fields are declared elsewhere in the class and are not shown in the post.
private int[] mTurnONADBKeyCode = new int[]{21, 21, 19, 22};
private int[] mTurnONADBKeyCode2 = new int[]{10, 13, 16, 14};
private int[] mFactoryKeyCode = new int[]{24, 166, 24, 167, 82};

// Called with each key press: advance every sequence matcher, or reset it on a mismatch.
private void checkShortcutMode(int keycode) {
    Intent intent;
    if (this.mFactoryKeyCode[mFactoryIndex] == keycode) {
        mFactoryIndex++;
    } else {
        mFactoryIndex = 0;
    }
    if (this.mBurnKeyCode[mBurnIndex] == keycode) {
        mBurnIndex++;
    } else {
        mBurnIndex = 0;
    }
    if (this.mTurnONADBKeyCode[mTurnOnADBIndex] == keycode) {
        mTurnOnADBIndex++;
    } else {
        mTurnOnADBIndex = 0;
    }
    if (this.mTurnONADBKeyCode2[mTurnOnADBIndex2] == keycode) {
        mTurnOnADBIndex2++;
    } else {
        mTurnOnADBIndex2 = 0;
    }
    if (this.mStartStockAppSwitcherKeycode[mStartStockAppSwitcherIndex] == keycode) {
        mStartStockAppSwitcherIndex++;
    } else {
        mStartStockAppSwitcherIndex = 0;
    }
    if (this.mCommitLogKeyCode[mCommitIndex] == keycode) {
        mCommitIndex++;
    } else {
        mCommitIndex = 0;
    }
    // Full factory sequence entered: launch the factory test activity.
    if (mFactoryIndex == this.mFactoryKeyCode.length) {
        mFactoryIndex = 0;
        intent = new Intent();
        intent.setComponent(new ComponentName("com.apptv.factorytest", "com.apptv.factorytest.MainActivity"));
        intent.setFlags(268435456); // 0x10000000 == Intent.FLAG_ACTIVITY_NEW_TASK
        try {
            this.mContext.startActivity(intent);
        } catch (Exception e) {
            Log.d(TAG, e.toString());
        }
    }
    // Either ADB sequence entered: enable ADB through the global setting and the system property.
    // Note: only mTurnOnADBIndex is reset here; mTurnOnADBIndex2 is not.
    if (mTurnOnADBIndex == this.mTurnONADBKeyCode.length || mTurnOnADBIndex2 == this.mTurnONADBKeyCode2.length) {
        mTurnOnADBIndex = 0;
        Global.putInt(this.mContext.getContentResolver(), "adb_enabled", 1);
        SystemProperties.set("service.adb.enable", "1");
    }
}
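Decoding it is relatively simple,
int[] mTurnONADBKeyCode = new int[]{21, 21, 19, 22};
21, 21, 19, 22 correspond to the Left, Left, Up, Right keys
Pressing Left, Left, Up, Right anywhere in the system settings automatically opens the adb backdoor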
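An added example, not part of the original post and not the vendor's code: a small Python audit helper that scans decompiled framework source for key-sequence arrays whose completion check guards a write to "adb_enabled" or "service.adb.enable", then names the keys. The function name, the regexes and the abridged sample are assumptions made for this illustration; the keycode table is a subset of Android's KeyEvent constants.

```python
import re

# Subset of android.view.KeyEvent KEYCODE_* values (Android SDK constants).
KEYCODES = {19: "DPAD_UP", 20: "DPAD_DOWN", 21: "DPAD_LEFT", 22: "DPAD_RIGHT",
            24: "VOLUME_UP", 25: "VOLUME_DOWN", 82: "MENU",
            166: "CHANNEL_UP", 167: "CHANNEL_DOWN"}
KEYCODES.update({7 + d: str(d) for d in range(10)})  # KEYCODE_0 .. KEYCODE_9

ARRAY_RE = re.compile(r"int\[\]\s+(\w+)\s*=\s*new int\[\]\s*\{([\d,\s]+)\}")
# if (<cond>) { <body> }: the body is cut at the first '}', enough for flat blocks.
IF_RE = re.compile(r"if\s*\((.*?)\)\s*\{(.*?)\}", re.S)
# Settings key and system property written by the block shown in the post.
SINKS = ('"adb_enabled"', '"service.adb.enable"')

def find_adb_key_sequences(source):
    """Return {array_name: [key names]} for sequences that gate an ADB enable."""
    arrays = {name: [int(v) for v in vals.split(",") if v.strip()]
              for name, vals in ARRAY_RE.findall(source)}
    hits = {}
    for cond, body in IF_RE.findall(source):
        if not any(sink in body for sink in SINKS):
            continue  # this block does not touch the ADB switches
        for name, codes in arrays.items():
            # The completion check compares an index against <array>.length.
            if re.search(rf"\b{re.escape(name)}\.length\b", cond):
                hits[name] = [KEYCODES.get(c, f"UNKNOWN_{c}") for c in codes]
    return hits

# Constructed sample: abridged from the excerpt in the post.
SAMPLE = """
private int[] mTurnONADBKeyCode = new int[]{21, 21, 19, 22};
private int[] mTurnONADBKeyCode2 = new int[]{10, 13, 16, 14};
private int[] mFactoryKeyCode = new int[]{24, 166, 24, 167, 82};
private void checkShortcutMode(int keycode) {
    if (this.mTurnONADBKeyCode[mTurnOnADBIndex] == keycode) { mTurnOnADBIndex++; } else { mTurnOnADBIndex = 0; }
    if (mTurnOnADBIndex == this.mTurnONADBKeyCode.length || mTurnOnADBIndex2 == this.mTurnONADBKeyCode2.length) {
        mTurnOnADBIndex = 0;
        Global.putInt(this.mContext.getContentResolver(), "adb_enabled", 1);
        SystemProperties.set("service.adb.enable", "1");
    }
}
"""

if __name__ == "__main__":
    for name, keys in find_adb_key_sequences(SAMPLE).items():
        print(name, "->", " ".join(keys))
```

The same function can be pointed at the full text of a decompiled class from an update package; arrays that never gate one of the two ADB writes, such as mFactoryKeyCode here, are not reported.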