Closed frenchbeard closed 9 years ago
Hi @audhulma, you'll need to modify the payload ( https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/stagers/android/reverse_tcp.rb#L45 ) to ensure the new files are added.
We actually used to display something in the activity but it was removed to reduce the size here: https://github.com/rapid7/metasploit-javapayload/commit/aa2d16f395424b77039caa05ec755dd36f463d0c And here: https://github.com/rapid7/metasploit-framework/commit/4f31eba7f47036503f9254b1b58d83f6575a1bac
What I don't get is that the "resources.arsc" should contain what was added when compiling the original apk, or should all resource files be added to the list "by hand"? (or I did not understand a thing I did...)
AFAIK strings are included in the arsc, but graphics (pngs, assets, etc) are included in the zip separately. Just unzip the final apk built by this repo (androidpayload/app/target/something.apk) and have a look. You could also try just pasting Payload.java into your own project.
Last question (I hope): as long as I leave the "Payload.startWithContext(this);" in the onCreate, can I modify anything else in the MainActivity (make a more complex application around it, in my case, a dummy companion app for a forum), or is there any chance of actually preventing the payload from being properly staged?
As long as Payload.startWithContext still works you can add what you like to the activity. Not sure how you could unintentionally break the staging. If you modify https://github.com/rapid7/metasploit-javapayload/blob/master/androidpayload/app/src/com/metasploit/stage/Payload.java#L28 you won't even need msfpayload
Thanks for the answer, I thought about doing that, but the other way around is gonna be simpler for me. Anyway, thanks again for the quick answers. If I have any time available in the future, I'm thinking about making it possible to integrate it within any app either through msfpayload or any other metasploit tool. I think some people may have tried already, and don't know if it would meet any need, but still...
Just a quick question regarding the Maven plugins used for Android: since I switched to the latest ones on my fork of this repository, I was wondering whether there was any reason why they had not yet been changed (for both android-maven-plugin and android).
Very cool. It's relatively straightforward to backdoor an apk with apktool but I'm yet to add it to msfvenom as it involves parsing the classes.dex. (@anwarmohamed this might be up your street). Not sure why we haven't upped the plugin versions, a pull request would be welcomed :) Better still we could start using gradle
I'm currently trying to build with gradle, at least I will be after work, but it does not look that difficult, just tedious to translate the manipulations from maven to gradle. I already managed a full build of the pure java part with gradle (I only tried with my config though), but you're welcome to try...
Hi again, I come back to you after the last update. If I understand the way the payload works now, it prevents any more display from the activity that launched (causes a WindowLeaked exception in my logcat).
E/WindowManager(27840): android.view.WindowLeaked: Activity com.metasploit.stage.CapitalePaysMondeActivity has leaked window com.android.internal.policy.impl.PhoneWindow$DecorView{3ace5450 V.E..... R.....ID 0,0-320,215} that was originally added here
The application I'm using as a "front" tries to display a simple dialog in the onCreate, which is quite different from the "finish()" from the payload itself. Is there any way around it, or am I missing something?
My guess is that the issue you're seeing is unrelated to the Payload, and without seeing the entire source it's difficult for me to debug. Make sure you're not calling finish() like the example does (that's only to hide the app launch). You might be better off starting with a working project and just pasting in Payload.java?
That's what I ended up doing. The Dialog trying to show up was indeed the problem in this case.
Hi,
I'm trying to bind the Android payload with a game (for a test). I noticed two versions of the payload when I use apktool (smali code).
On Kali (old Metasploit version) I have this code in MainActivity.smali:
invoke-static {p0}, Lcom/metasploit/stage/Payload;->startWithContext(Landroid/content/Context;)V
but on a newer version:
invoke-static {v0}, Lcom/metasploit/stage/Payload;->startInPath(Ljava/lang/String;)V
My game does not launch when I use the newer version (I copy this line into the MainActivity of my game).
Do you have an idea why my game does not start with the newer version of the payload? Maybe I need to add this line too in the MainActivity of my game:
invoke-virtual {v0}, Ljava/io/File;->toString()Ljava/lang/String;
Thanks for your work, timwr!
Sorry for the delay! Yes, you'll need to copy the new (slightly more complicated) smali code, including the second line. You may need to pay attention to the registers. I'll put the old simpler code back so it's easier to invoke in the next version.
Thanks for the work put in, @timwr.
In my case, I simply built the application in android-studio via gradle, only using the Payload.java and the PayloadTrustManager.java. I had a slight issue though, when trying to modify / add / access anything in the Activity that launched the payload, the app simply crashed due to a NullPointerException when accessing the Activity itself (even only loading content from a layout file crashed).
The application consisted of a single activity that displayed a couple of static elements, and any access to its content after the call to startWithContext() caused said crash (I did not call finish() in the Activity, just launched the payload)
My question is: is it due to the Payload becoming the foreground process, therefore changing the context of the application, or is there a way to regain "control" over your app after launching the payload?
Hi @Nicknam3, thanks for your feedback and sorry for the delay! We'll be adding that function call back with this change: https://github.com/rapid7/metasploit-javapayload/pull/34 I've put a simple script to backdoor any apk file here: https://github.com/timwr/metasploit-framework/blob/apk_backdoor/tools/apk_backdoor.rb and we'll be integrating it with the framework shortly (hopefully as part of msfvenom). Please note it relies on https://github.com/rapid7/metasploit-javapayload/pull/34
@frenchbeard I'm not sure what the problem you are experiencing could be. If you can provide the source and logs it might be easier to diagnose. Using the script mentioned above it seems possible to backdoor any apk and still retain the exact same app behaviour (assuming that using apktool and resigning the app does not modify the behaviour).
Feedback and testing is more than welcome :)
I'm currently not working on the project anymore (will get back on it in the beginning of June), but I'll try to be as verbose as possible.
No worries, we'll hopefully have fixed msfvenom to support --template by then. If you have any issues feel free to re-open or preferably open a new issue. Thanks again for the feedback.
Thanks timwr! I'll try this new script soon. You did very good work :+1:
Hi, I am working on a security threat awareness demo, focusing on BYOD and everything mobile. I was wondering if there is an easy way to add a display to the Android Meterpreter (no actual app, just change the Launch Activity to display simple things). I tried modifying it just to display a background image, but even with such a tiny modification, even though compilation goes well, msf does not seem to include the picture in the final apk.