dddd/gopocs/adb.go

package gopocs

import (
	"dddd/common"
	"dddd/ddout"
	"dddd/structs"
	"fmt"
	"strings"
	"time"
)

func ADBScan(info *structs.HostInfo) {
	_, _ = aDBUnauthorized(info.Host, info.Ports)
}

func aDBUnauthorized(ip string, port string) (error, string) {
	result := "ADB> host::features=shell_v2,cmd,stat_v2,ls_v2,fixed_push_mkdir,apex,abb,fixed_push_symlink_timestamp,abb_exec,remount_shell,track_app,sendrecv_v2,sendrecv_v2_brotli,sendrecv_v2_lz4,sendrecv_v2_zstd,sendrecv_v2_dry_run_send,openscreen_mdns\n"
	realHost := ip + ":" + port
	conn, err := common.WrapperTcpWithTimeout("tcp", realHost, time.Duration(6)*time.Second)
	if err == nil {
		defer func() {
			if conn != nil {
				_ = conn.Close()
			}
		}()
	} else {
		return err, ""
	}

	_, err = conn.Write([]byte{0x43, 0x4e, 0x58, 0x4e, 0x01, 0x00, 0x00, 0x01,
		0x00, 0x00, 0x10, 0x00, 0xea, 0x00, 0x00, 0x00,
		0x44, 0x5b, 0x00, 0x00, 0xbc, 0xb1, 0xa7, 0xb1,
		0x68, 0x6f, 0x73, 0x74, 0x3a, 0x3a, 0x66, 0x65,
		0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x3d, 0x73,
		0x68, 0x65, 0x6c, 0x6c, 0x5f, 0x76, 0x32, 0x2c,
		0x63, 0x6d, 0x64, 0x2c, 0x73, 0x74, 0x61, 0x74,
		0x5f, 0x76, 0x32, 0x2c, 0x6c, 0x73, 0x5f, 0x76,
		0x32, 0x2c, 0x66, 0x69, 0x78, 0x65, 0x64, 0x5f,
		0x70, 0x75, 0x73, 0x68, 0x5f, 0x6d, 0x6b, 0x64,
		0x69, 0x72, 0x2c, 0x61, 0x70, 0x65, 0x78, 0x2c,
		0x61, 0x62, 0x62, 0x2c, 0x66, 0x69, 0x78, 0x65,
		0x64, 0x5f, 0x70, 0x75, 0x73, 0x68, 0x5f, 0x73,
		0x79, 0x6d, 0x6c, 0x69, 0x6e, 0x6b, 0x5f, 0x74,
		0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70,
		0x2c, 0x61, 0x62, 0x62, 0x5f, 0x65, 0x78, 0x65,
		0x63, 0x2c, 0x72, 0x65, 0x6d, 0x6f, 0x75, 0x6e,
		0x74, 0x5f, 0x73, 0x68, 0x65, 0x6c, 0x6c, 0x2c,
		0x74, 0x72, 0x61, 0x63, 0x6b, 0x5f, 0x61, 0x70,
		0x70, 0x2c, 0x73, 0x65, 0x6e, 0x64, 0x72, 0x65,
		0x63, 0x76, 0x5f, 0x76, 0x32, 0x2c, 0x73, 0x65,
		0x6e, 0x64, 0x72, 0x65, 0x63, 0x76, 0x5f, 0x76,
		0x32, 0x5f, 0x62, 0x72, 0x6f, 0x74, 0x6c, 0x69,
		0x2c, 0x73, 0x65, 0x6e, 0x64, 0x72, 0x65, 0x63,
		0x76, 0x5f, 0x76, 0x32, 0x5f, 0x6c, 0x7a, 0x34,
		0x2c, 0x73, 0x65, 0x6e, 0x64, 0x72, 0x65, 0x63,
		0x76, 0x5f, 0x76, 0x32, 0x5f, 0x7a, 0x73, 0x74,
		0x64, 0x2c, 0x73, 0x65, 0x6e, 0x64, 0x72, 0x65,
		0x63, 0x76, 0x5f, 0x76, 0x32, 0x5f, 0x64, 0x72,
		0x79, 0x5f, 0x72, 0x75, 0x6e, 0x5f, 0x73, 0x65,
		0x6e, 0x64, 0x2c, 0x6f, 0x70, 0x65, 0x6e, 0x73,
		0x63, 0x72, 0x65, 0x65, 0x6e, 0x5f, 0x6d, 0x64,
		0x6e, 0x73})
	if err != nil {
		return err, ""
	}

	err = conn.SetReadDeadline(time.Now().Add(time.Duration(6) * time.Second))
	if err != nil {
		return err, ""
	}

	buf := make([]byte, 0x1000)
	n, err := conn.Read(buf)
	if err != nil {
		return err, ""
	}

	if n > 4 && string(buf[:4]) != "CNXN" {
		return fmt.Errorf("ADB需要授权/非ADB服务"), ""
	}

	if strings.Contains(string(buf[:n]), "ro.product.name") {
		result += string(buf[24:n]) + "\n"
	} else {
		buf = make([]byte, 0x1000)
		n, err = conn.Read(buf)
		if err != nil {
			return err, ""
		}

		result += string(buf[:n]) + "\n"
	}

	// fmt.Println(result)
	if result != "" {
		ddout.FormatOutput(ddout.OutputMessage{
			Type:     "GoPoc",
			IP:       "",
			IPs:      nil,
			Port:     "",
			Protocol: "",
			Web:      ddout.WebInfo{},
			Finger:   nil,
			Domain:   "",
			GoPoc: ddout.GoPocsResultType{PocName: "ADB-Unauthorized",
				Security:    "CRITICAL",
				Target:      ip + ":" + port,
				InfoLeft:    result,
				Description: "安卓调试桥未授权访问,可尝试RCE",
				ShowMsg:     fmt.Sprintf("ADB: %s:%s", ip, port)},
			AdditionalMsg: "",
		})

		GoPocWriteResult(structs.GoPocsResultType{
			PocName:     "ADB-Unauthorized",
			Security:    "CRITICAL",
			Target:      ip + ":" + port,
			InfoLeft:    result,
			Description: "安卓调试桥未授权访问,可尝试RCE",
		})
	}

	return nil, result
}
dddd v2.0 2024-04-03 06:32:26 +02:00			`package gopocs`

			`import (`
			`"dddd/common"`
			`"dddd/ddout"`
			`"dddd/structs"`
			`"fmt"`
			`"strings"`
			`"time"`
			`)`

			`func ADBScan(info *structs.HostInfo) {`
			`_, _ = aDBUnauthorized(info.Host, info.Ports)`
			`}`

			`func aDBUnauthorized(ip string, port string) (error, string) {`
			`result := "ADB> host::features=shell_v2,cmd,stat_v2,ls_v2,fixed_push_mkdir,apex,abb,fixed_push_symlink_timestamp,abb_exec,remount_shell,track_app,sendrecv_v2,sendrecv_v2_brotli,sendrecv_v2_lz4,sendrecv_v2_zstd,sendrecv_v2_dry_run_send,openscreen_mdns\n"`
			`realHost := ip + ":" + port`
			`conn, err := common.WrapperTcpWithTimeout("tcp", realHost, time.Duration(6)*time.Second)`
			`if err == nil {`
			`defer func() {`
			`if conn != nil {`
			`_ = conn.Close()`
			`}`
			`}()`
			`} else {`
			`return err, ""`
			`}`

			`_, err = conn.Write([]byte{0x43, 0x4e, 0x58, 0x4e, 0x01, 0x00, 0x00, 0x01,`
			`0x00, 0x00, 0x10, 0x00, 0xea, 0x00, 0x00, 0x00,`
			`0x44, 0x5b, 0x00, 0x00, 0xbc, 0xb1, 0xa7, 0xb1,`
			`0x68, 0x6f, 0x73, 0x74, 0x3a, 0x3a, 0x66, 0x65,`
			`0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x3d, 0x73,`
			`0x68, 0x65, 0x6c, 0x6c, 0x5f, 0x76, 0x32, 0x2c,`
			`0x63, 0x6d, 0x64, 0x2c, 0x73, 0x74, 0x61, 0x74,`
			`0x5f, 0x76, 0x32, 0x2c, 0x6c, 0x73, 0x5f, 0x76,`
			`0x32, 0x2c, 0x66, 0x69, 0x78, 0x65, 0x64, 0x5f,`
			`0x70, 0x75, 0x73, 0x68, 0x5f, 0x6d, 0x6b, 0x64,`
			`0x69, 0x72, 0x2c, 0x61, 0x70, 0x65, 0x78, 0x2c,`
			`0x61, 0x62, 0x62, 0x2c, 0x66, 0x69, 0x78, 0x65,`
			`0x64, 0x5f, 0x70, 0x75, 0x73, 0x68, 0x5f, 0x73,`
			`0x79, 0x6d, 0x6c, 0x69, 0x6e, 0x6b, 0x5f, 0x74,`
			`0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70,`
			`0x2c, 0x61, 0x62, 0x62, 0x5f, 0x65, 0x78, 0x65,`
			`0x63, 0x2c, 0x72, 0x65, 0x6d, 0x6f, 0x75, 0x6e,`
			`0x74, 0x5f, 0x73, 0x68, 0x65, 0x6c, 0x6c, 0x2c,`
			`0x74, 0x72, 0x61, 0x63, 0x6b, 0x5f, 0x61, 0x70,`
			`0x70, 0x2c, 0x73, 0x65, 0x6e, 0x64, 0x72, 0x65,`
			`0x63, 0x76, 0x5f, 0x76, 0x32, 0x2c, 0x73, 0x65,`
			`0x6e, 0x64, 0x72, 0x65, 0x63, 0x76, 0x5f, 0x76,`
			`0x32, 0x5f, 0x62, 0x72, 0x6f, 0x74, 0x6c, 0x69,`
			`0x2c, 0x73, 0x65, 0x6e, 0x64, 0x72, 0x65, 0x63,`
			`0x76, 0x5f, 0x76, 0x32, 0x5f, 0x6c, 0x7a, 0x34,`
			`0x2c, 0x73, 0x65, 0x6e, 0x64, 0x72, 0x65, 0x63,`
			`0x76, 0x5f, 0x76, 0x32, 0x5f, 0x7a, 0x73, 0x74,`
			`0x64, 0x2c, 0x73, 0x65, 0x6e, 0x64, 0x72, 0x65,`
			`0x63, 0x76, 0x5f, 0x76, 0x32, 0x5f, 0x64, 0x72,`
			`0x79, 0x5f, 0x72, 0x75, 0x6e, 0x5f, 0x73, 0x65,`
			`0x6e, 0x64, 0x2c, 0x6f, 0x70, 0x65, 0x6e, 0x73,`
			`0x63, 0x72, 0x65, 0x65, 0x6e, 0x5f, 0x6d, 0x64,`
			`0x6e, 0x73})`
			`if err != nil {`
			`return err, ""`
			`}`

			`err = conn.SetReadDeadline(time.Now().Add(time.Duration(6) * time.Second))`
			`if err != nil {`
			`return err, ""`
			`}`

			`buf := make([]byte, 0x1000)`
			`n, err := conn.Read(buf)`
			`if err != nil {`
			`return err, ""`
			`}`

			`if n > 4 && string(buf[:4]) != "CNXN" {`
			`return fmt.Errorf("ADB需要授权/非ADB服务"), ""`
			`}`

			`if strings.Contains(string(buf[:n]), "ro.product.name") {`
			`result += string(buf[24:n]) + "\n"`
			`} else {`
			`buf = make([]byte, 0x1000)`
			`n, err = conn.Read(buf)`
			`if err != nil {`
			`return err, ""`
			`}`

			`result += string(buf[:n]) + "\n"`
			`}`

			`// fmt.Println(result)`
			`if result != "" {`
			`ddout.FormatOutput(ddout.OutputMessage{`
			`Type: "GoPoc",`
			`IP: "",`
			`IPs: nil,`
			`Port: "",`
			`Protocol: "",`
			`Web: ddout.WebInfo{},`
			`Finger: nil,`
			`Domain: "",`
			`GoPoc: ddout.GoPocsResultType{PocName: "ADB-Unauthorized",`
			`Security: "CRITICAL",`
			`Target: ip + ":" + port,`
			`InfoLeft: result,`
			`Description: "安卓调试桥未授权访问,可尝试RCE",`
			`ShowMsg: fmt.Sprintf("ADB: %s:%s", ip, port)},`
			`AdditionalMsg: "",`
			`})`

			`GoPocWriteResult(structs.GoPocsResultType{`
			`PocName: "ADB-Unauthorized",`
			`Security: "CRITICAL",`
			`Target: ip + ":" + port,`
			`InfoLeft: result,`
			`Description: "安卓调试桥未授权访问,可尝试RCE",`
			`})`
			`}`

			`return nil, result`
			`}`