Exploring the SMS and Trojan industry chain-from reverse to explosive Chrysanthemum

0x00 Wedge

Recently, James had a headache. It turned out that an Android phone of Goddess had a strange problem, and the text message could not be received by others. What's more, the money the goddess used to prepare for online shopping was mysteriously brushed away. When the goddess was anxious to rummaging through the address book, she suddenly found James's remarks: Jack 17-computer, brush machine. So with the eyes of the goddess, James rang the treasure of his chest and promised to fix it in a day.

So James got the goddess cell phone he dreamed. I did not expect that what happened later made him unexpected.

 

0x01 lock culprit

The first thing to get a mobile phone is to find the reason why the text message cannot be received. I flipped through the system text message settings and apps, and installed things were normal. No suspicious blank icons were found. I used software management tools to view them, and no suspicious signs were found. So James started to check the system program. Otherwise, when he opened the Google store, he found the fox tail.

As shown in, first, when you click an APP that is not connected to the Internet, the system will prompt "the mobile phone cannot be connected to the Internet ".

Second, when you click an APP on the Internet, a large number of permission requirements and a "network normal" prompt will be displayed.

James smiled when he saw this. This is not the most popular text message blocking horse. Therefore, the mobile phone is decisively exported to the target APK file package through the pea pod.

Looking at the text message horse with less than kb on the desktop, James silently tied the apron (Android Virtual Environment), found the surgical knife (decompilation tool dex2jar + Xjad), and pressed the horse to the terminal (Eclipse).

0x02 Ding jieniu

First, James decompress the APK file and find the key classes. dex file. This is the java source code compilation file of the APK file.

Then copy the classes. dex file to the dex2jar directory. Then run cmd to enter the dex2jar directory and enter dex2jar. bat classes. dex and press Enter. in the same directory, we will get the desired source package: classes_dex2jar.jar.

Then, decompile Xjad from our jar file, click File-decompile jar-select the generated jar file, and decompile it into the source code folder.

In this step, our cattle are successfully decomposed. The following figure shows how to find the final steak we want ~

0x03 caressing Chrysanthemum

After decompilation, we can find that the Trojan horse interacts with the background by calling the c # WebService protocol, and the chrysanthemum IP address is encrypted. The call code is shown below:

After the encryption code is directly found by the encryption function as shown in the following figure, the code is decompiled and found as follows:

After running, directly burst to the server address http://103.X.X.X/priv1/baseservice.asmx

So far, the chrysanthemum is identified. Next we will start to study the explosive growth of Chrysanthemum

0x04 Long drive injection (the chrysanthemum burst part is completed by SQL test Daniel)

Since I found the background address, how can I win this background? This is a headache. I used a tool to scan and found no vulnerabilities. I have limited capabilities. It seems that you can only start from the site, and reorganize your ideas and input http://103.x.x.x/priv1/baseservice.asmxto the browser to find out

There are several methods, since there are methods that I can use directly, open the program to reference the WebService Code as follows:

I would like to try XSS and use AddCall to insert it to the database. The Code is as follows:

An error is reported when the call is made.

Speechless. Since SQL Injection exists, let's talk about this WebService SQL injection.

A getOrders method is selected, and a single quotation mark is added to the parameter during the call to indicate a MYSQL error. There are too many injection points.

The query statement is transformed as follows:

XML returned:

<?xml version="1.0" encoding="UTF-8"?><RootJob><Job><Type>9</Type><Content>3</Content><Phone>2</Phone><JobID>1</JobID></Job></RootJob>

The following steps are not detailed. It is root injection.

When I wrote a sentence to IIS, I did not find the directory program directory. I tried C: \ Inetpub \ wwwroot and wrote An Aspx file, and the access was successful on the browser.

Basically, the rest is the Elevation of Privilege. With the help of a friend, the Elevation of Privilege is successful.

0x05 expansion Results

At this time, mysql has obtained the server permission. Check the registry and find that the port is 55555 and the server version is 2003R2. Then, add a user to check the port.

Things are not complicated. IIS + mysql + C # WebService

Remotely connect mysql to a local machine. At first glance, Xiao Ming was shocked by the Group's text message and Trojan monitoring of the victim's content.

In the SO library, James found information about N + victims, including large bank transfers. If such text messages are intercepted, the consequences can be imagined.

0x06 industrial chain Mining

However, an industry must be profitable. Since James has discovered the source, he will go up against the current situation and dig deeper into the whole industry chain of Android text message interception Trojan.

Just do what you need. James entered text message blocking keywords on the computer, such as horse sales and text message Trojan sales, and found that many people are releasing related demands.

It is a lot of posts related to seeking for Trojans in various underground forums.

They bought it mainly for fraud.

Or impersonate an acquaintance for fraud, or to trick online banking, or for some ulterior motives.

A random example is provided.

Through analyzing the code, James found that the text message Trojan runs in this way.

After a trojan is installed on the mobile phone and authorized to the Trojan, Trojan immediately uploads the address book of the victim mobile phone. All text messages sent to and from the mobile phone will be sent to the specified mobile phone number, and the mobile phone number can use code to direct Trojans to forge text messages. So as to implement the purpose of fraud