admin/dddd
1
0
Fork 0
mirror of https://github.com/SleepingBag945/dddd.git synced 2025-06-21 10:20:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
dddd/gopocs/adb.go
SleepingBag945 9a83a1b39f dddd v2.0
2024-04-03 06:32:26 +02:00

125 lines
3.7 KiB
Go
Raw Permalink Blame History

package gopocs
import (
"dddd/common"
"dddd/ddout"
"dddd/structs"
"fmt"
"strings"
"time"
)
func ADBScan(info *structs.HostInfo) {
_, _ = aDBUnauthorized(info.Host, info.Ports)
}
func aDBUnauthorized(ip string, port string) (error, string) {
result := "ADB> host::features=shell_v2,cmd,stat_v2,ls_v2,fixed_push_mkdir,apex,abb,fixed_push_symlink_timestamp,abb_exec,remount_shell,track_app,sendrecv_v2,sendrecv_v2_brotli,sendrecv_v2_lz4,sendrecv_v2_zstd,sendrecv_v2_dry_run_send,openscreen_mdns\n"
realHost := ip + ":" + port
conn, err := common.WrapperTcpWithTimeout("tcp", realHost, time.Duration(6)*time.Second)
if err == nil {
defer func() {
if conn != nil {
_ = conn.Close()
}
}()
} else {
return err, ""
}
_, err = conn.Write([]byte{0x43, 0x4e, 0x58, 0x4e, 0x01, 0x00, 0x00, 0x01,
0x00, 0x00, 0x10, 0x00, 0xea, 0x00, 0x00, 0x00,
0x44, 0x5b, 0x00, 0x00, 0xbc, 0xb1, 0xa7, 0xb1,
0x68, 0x6f, 0x73, 0x74, 0x3a, 0x3a, 0x66, 0x65,
0x61, 0x74, 0x75, 0x72, 0x65, 0x73, 0x3d, 0x73,
0x68, 0x65, 0x6c, 0x6c, 0x5f, 0x76, 0x32, 0x2c,
0x63, 0x6d, 0x64, 0x2c, 0x73, 0x74, 0x61, 0x74,
0x5f, 0x76, 0x32, 0x2c, 0x6c, 0x73, 0x5f, 0x76,
0x32, 0x2c, 0x66, 0x69, 0x78, 0x65, 0x64, 0x5f,
0x70, 0x75, 0x73, 0x68, 0x5f, 0x6d, 0x6b, 0x64,
0x69, 0x72, 0x2c, 0x61, 0x70, 0x65, 0x78, 0x2c,
0x61, 0x62, 0x62, 0x2c, 0x66, 0x69, 0x78, 0x65,
0x64, 0x5f, 0x70, 0x75, 0x73, 0x68, 0x5f, 0x73,
0x79, 0x6d, 0x6c, 0x69, 0x6e, 0x6b, 0x5f, 0x74,
0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70,
0x2c, 0x61, 0x62, 0x62, 0x5f, 0x65, 0x78, 0x65,
0x63, 0x2c, 0x72, 0x65, 0x6d, 0x6f, 0x75, 0x6e,
0x74, 0x5f, 0x73, 0x68, 0x65, 0x6c, 0x6c, 0x2c,
0x74, 0x72, 0x61, 0x63, 0x6b, 0x5f, 0x61, 0x70,
0x70, 0x2c, 0x73, 0x65, 0x6e, 0x64, 0x72, 0x65,
0x63, 0x76, 0x5f, 0x76, 0x32, 0x2c, 0x73, 0x65,
0x6e, 0x64, 0x72, 0x65, 0x63, 0x76, 0x5f, 0x76,
0x32, 0x5f, 0x62, 0x72, 0x6f, 0x74, 0x6c, 0x69,
0x2c, 0x73, 0x65, 0x6e, 0x64, 0x72, 0x65, 0x63,
0x76, 0x5f, 0x76, 0x32, 0x5f, 0x6c, 0x7a, 0x34,
0x2c, 0x73, 0x65, 0x6e, 0x64, 0x72, 0x65, 0x63,
0x76, 0x5f, 0x76, 0x32, 0x5f, 0x7a, 0x73, 0x74,
0x64, 0x2c, 0x73, 0x65, 0x6e, 0x64, 0x72, 0x65,
0x63, 0x76, 0x5f, 0x76, 0x32, 0x5f, 0x64, 0x72,
0x79, 0x5f, 0x72, 0x75, 0x6e, 0x5f, 0x73, 0x65,
0x6e, 0x64, 0x2c, 0x6f, 0x70, 0x65, 0x6e, 0x73,
0x63, 0x72, 0x65, 0x65, 0x6e, 0x5f, 0x6d, 0x64,
0x6e, 0x73})
if err != nil {
return err, ""
}
err = conn.SetReadDeadline(time.Now().Add(time.Duration(6) * time.Second))
if err != nil {
return err, ""
}
buf := make([]byte, 0x1000)
n, err := conn.Read(buf)
if err != nil {
return err, ""
}
if n > 4 && string(buf[:4]) != "CNXN" {
return fmt.Errorf("ADB需要授权/非ADB服务"), ""
}
if strings.Contains(string(buf[:n]), "ro.product.name") {
result += string(buf[24:n]) + "\n"
} else {
buf = make([]byte, 0x1000)
n, err = conn.Read(buf)
if err != nil {
return err, ""
}
result += string(buf[:n]) + "\n"
}
// fmt.Println(result)
if result != "" {
ddout.FormatOutput(ddout.OutputMessage{
Type: "GoPoc",
IP: "",
IPs: nil,
Port: "",
Protocol: "",
Web: ddout.WebInfo{},
Finger: nil,
Domain: "",
GoPoc: ddout.GoPocsResultType{PocName: "ADB-Unauthorized",
Security: "CRITICAL",
Target: ip + ":" + port,
InfoLeft: result,
Description: "安卓调试桥未授权访问,可尝试RCE",
ShowMsg: fmt.Sprintf("ADB: %s:%s", ip, port)},
AdditionalMsg: "",
})
GoPocWriteResult(structs.GoPocsResultType{
PocName: "ADB-Unauthorized",
Security: "CRITICAL",
Target: ip + ":" + port,
InfoLeft: result,
Description: "安卓调试桥未授权访问,可尝试RCE",
})
}
return nil, result
}
Reference in New Issue View Git Blame Copy Permalink