rapid7 / metasploit-payloads

Unified repository for different Metasploit Framework payloads
Other
1.74k stars 671 forks source link

[Question] Looking for code related specifically to the Android equivalent of Meterpreter #670

Closed Morsmalleo closed 1 year ago

Morsmalleo commented 1 year ago

Hi guys, sorry if this is not allowed, if it's not please by all means go ahead and remove it ๐Ÿ™‚ otherwise if any one could help me out that would be great.

Basically I'm looking for files/code in this repository that's related specifically to the Android equivalent of Meterpreter itself, because I wish to study it further so I can figure out how an android payload generated by passing android/meterpreter/reverse_tcp in the command line ends up consisting only 4 Java/Smali files (i.e MainActivity, MainService, MainBroadcastReceiver & Payload) in its com.metasploit.stage package directory despite the fact that we can connect back to meterpreter and exploit the device.

I've checked the Payload.java file located at java/androidpayload/app/src/com/metasploit/stage in this repo, but from what I see, anything regarding meterpreter in there seems like it's only related to connecting back to meterpreter itself (correct me if I am wrong).

I would love to know how these payloads are so small yet so powerful, and I believe to understand this, I need to study the android meterpreter itself rather than the payloads that connect back to it.

TL;DR

I want to locate files/code related specifically to android meterpreter itself so I can study how android meterpreter allows android payloads to exploit so much (i.e Camera Access etc etc) without the payload APK actually containing Java/Smali files related to accessing these components on the victim device (as stated above they only contain 4 Java/Smali files which are

I've checked the Payload.java file located at java/androidpayload/app/src/com/metasploit/stage in this repo but anything related to meterpreter there seems like it's only related to establishing connections back to meterpreter itself either via the invoke-static {}, Lcom/metasploit/stage/MainService;->start()V Smali hook for backdoored applications or via other means.

I hope this makes sense, I apologise if my information on Meterpreter isn't correct as well.

timwr commented 1 year ago

The dynamically loaded part of Android meterpreter is here: https://github.com/rapid7/metasploit-payloads/blob/master/java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_start_android.java

Morsmalleo commented 1 year ago

The dynamically loaded part of Android meterpreter is here: https://github.com/rapid7/metasploit-payloads/blob/master/java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_start_android.java

Hi @timwr, this points me to a file for starting the webcam after gaining access to the exploited victim?

Morsmalleo commented 1 year ago

I'd like to know How the android version of Meterpreter dynamically loads itself in memory along with classes needed to access components on the exploited device such as geolocation or camera access, because there are no classes related to accessing any of these components in the java/androidpayload/app/src/com/metasploit/stage so therefore they must be loaded dynamically in memory.

I'd like to know how this is done ๐Ÿ˜ any explanation would be helpful

bcoles commented 1 year ago

See also:

https://github.com/rapid7/metasploit-payloads/blob/master/java/meterpreter/stdapi/src/main/java/com/metasploit/meterpreter/stdapi/stdapi_webcam_audio_record_V1_4.java

[2023-09-05 03:52:28] root@kali:/tmp# git clone https://github.com/rapid7/metasploit-payloads
Cloning into 'metasploit-payloads'...
remote: Enumerating objects: 35715, done.
remote: Counting objects: 100% (1041/1041), done.
remote: Compressing objects: 100% (330/330), done.
remote: Total 35715 (delta 601), reused 981 (delta 579), pack-reused 34674
Receiving objects: 100% (35715/35715), 59.78 MiB | 17.89 MiB/s, done.
Resolving deltas: 100% (19370/19370), done.
[2023-09-05 03:52:36] root@kali:/tmp# cd metasploit-payloads/
[2023-09-05 03:52:38] root@kali:/tmp/metasploit-payloads# grep -ri webcam | grep -iE "(Android|Java)" 
java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/command/CommandId.java:    public static final int STDAPI_WEBCAM_AUDIO_RECORD = 1110;
java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/command/CommandId.java:    public static final int STDAPI_WEBCAM_GET_FRAME = 1111;
java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/command/CommandId.java:    public static final int STDAPI_WEBCAM_LIST = 1112;
java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/command/CommandId.java:    public static final int STDAPI_WEBCAM_START = 1113;
java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/command/CommandId.java:    public static final int STDAPI_WEBCAM_STOP = 1114;
java/meterpreter/stdapi/src/main/java/com/metasploit/meterpreter/stdapi/stdapi_webcam_audio_record_V1_4.java:public class stdapi_webcam_audio_record_V1_4 extends stdapi_webcam_audio_record implements Command {
java/meterpreter/stdapi/src/main/java/com/metasploit/meterpreter/stdapi/Loader.java:        mgr.registerCommand(CommandId.STDAPI_WEBCAM_AUDIO_RECORD, stdapi_webcam_audio_record.class, V1_4);
java/meterpreter/stdapi/src/main/java/com/metasploit/meterpreter/stdapi/stdapi_webcam_audio_record.java:public class stdapi_webcam_audio_record {
java/version-compatibility-check/java16/pom.xml:                                                                        <!-- Webcam_audio_record_V1_4 depends on Sun proprietary API -->
java/version-compatibility-check/java16/pom.xml:                                                                        <fileset dir="${project.basedir}/../../meterpreter/meterpreter/target/extension-src" includes="**/*.java" excludes="**/stdapi_webcam_audio_record_V1_4.java" />
java/androidpayload/library/src/com/metasploit/meterpreter/AndroidMeterpreter.java:            mgr.registerCommand(CommandId.STDAPI_WEBCAM_AUDIO_RECORD, stdapi_webcam_audio_record_android.class);
java/androidpayload/library/src/com/metasploit/meterpreter/AndroidMeterpreter.java:            mgr.registerCommand(CommandId.STDAPI_WEBCAM_LIST, webcam_list_android.class);
java/androidpayload/library/src/com/metasploit/meterpreter/AndroidMeterpreter.java:            mgr.registerCommand(CommandId.STDAPI_WEBCAM_START, webcam_start_android.class);
java/androidpayload/library/src/com/metasploit/meterpreter/AndroidMeterpreter.java:            mgr.registerCommand(CommandId.STDAPI_WEBCAM_STOP, webcam_stop_android.class);
java/androidpayload/library/src/com/metasploit/meterpreter/AndroidMeterpreter.java:            mgr.registerCommand(CommandId.STDAPI_WEBCAM_GET_FRAME, webcam_get_frame_android.class);
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_get_frame_android.java:import com.metasploit.meterpreter.stdapi.stdapi_webcam_audio_record;
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_get_frame_android.java:public class webcam_get_frame_android extends stdapi_webcam_audio_record implements Command {
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_get_frame_android.java:    private static final int TLV_TYPE_WEBCAM_IMAGE = TLVPacket.TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 1);
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_get_frame_android.java:    private static final int TLV_TYPE_WEBCAM_QUALITY = TLVPacket.TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 3);
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_get_frame_android.java:        int quality = request.getIntValue(TLV_TYPE_WEBCAM_QUALITY);
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_get_frame_android.java:        if (webcam_start_android.camera == null) {
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_get_frame_android.java:        Parameters params = webcam_start_android.camera.getParameters();
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_get_frame_android.java:        webcam_start_android.camera.setParameters(params);
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_get_frame_android.java:        webcam_start_android.camera.takePicture(null, null, new PictureCallback() {
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_get_frame_android.java:                // Fix webcam_stream
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_get_frame_android.java:                synchronized (webcam_get_frame_android.this) {
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_get_frame_android.java:                    webcam_get_frame_android.this.notify();
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_get_frame_android.java:            response.add(TLV_TYPE_WEBCAM_IMAGE, cameraData);                                               
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_stop_android.java:import com.metasploit.meterpreter.stdapi.stdapi_webcam_audio_record;                                            
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_stop_android.java:public class webcam_stop_android extends stdapi_webcam_audio_record implements Command {                        
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_stop_android.java:        if (webcam_start_android.camera != null) {                                                              
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_stop_android.java:            webcam_start_android.camera.stopPreview();                                                          
grep: java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_stop_android.java:            webcam_start_android.camera.release();                                                        
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_stop_android.java:            webcam_start_android.camera = null;                                                                 
java/androidpayload/library/src/com/metasploit/meterpreter/android/stdapi_webcam_audio_record_android.java:import com.metasploit.meterpreter.stdapi.stdapi_webcam_audio_record;                             
java/androidpayload/library/src/com/metasploit/meterpreter/android/stdapi_webcam_audio_record_android.java:public class stdapi_webcam_audio_record_android extends stdapi_webcam_audio_record implements Command {                                                                                                                                                                                                      
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_start_android.java:import com.metasploit.meterpreter.stdapi.stdapi_webcam_audio_record;                                           
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_start_android.java:public class webcam_start_android extends stdapi_webcam_audio_record implements Command {                      
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_start_android.java:    private static final int TLV_TYPE_WEBCAM_INTERFACE_ID = TLVPacket.TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 2);                                                                                                                                                                                                           
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_start_android.java:        int camId = request.getIntValue(TLV_TYPE_WEBCAM_INTERFACE_ID);                                         
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_start_android.java:                        synchronized (webcam_start_android.this) {                                             
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_start_android.java:                            webcam_start_android.this.notify();                                                
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_list_android.java:import com.metasploit.meterpreter.stdapi.stdapi_webcam_audio_record;                                            
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_list_android.java:public class webcam_list_android extends stdapi_webcam_audio_record implements Command {                        
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_list_android.java:    private static final int TLV_TYPE_WEBCAM_NAME = TLVPacket.TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 4);      
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_list_android.java:            response.add(TLV_TYPE_WEBCAM_NAME, "Default Camera"); // Pre 2.2 device
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_list_android.java:                    response.addOverflow(TLV_TYPE_WEBCAM_NAME, "Front Camera");
java/androidpayload/library/src/com/metasploit/meterpreter/android/webcam_list_android.java:                    response.addOverflow(TLV_TYPE_WEBCAM_NAME, "Back Camera");
.git/index: binary file matches
grep: .git/objects/pack/pack-a03a9a1cc5458b65c82e406041c679c475342f10.pack: binary file matches
timwr commented 1 year ago

I don't really understand the question. This line https://github.com/rapid7/metasploit-payloads/blob/dcaad10486e22885d0cbcbce508e3e763ce689e9/java/androidpayload/app/src/com/metasploit/stage/Payload.java#L238 dynamically loads the rest of meterpeter, which contains code that accesses, for example, the camera. The code that does camera functionality has been linked to already by me and by @bcoles.

Morsmalleo commented 1 year ago

I don't really understand the question. This line

https://github.com/rapid7/metasploit-payloads/blob/dcaad10486e22885d0cbcbce508e3e763ce689e9/java/androidpayload/app/src/com/metasploit/stage/Payload.java#L238

dynamically loads the rest of meterpeter, which contains code that accesses, for example, the camera. The code that does camera functionality has been linked to already by me and by @bcoles.

Ahhh I see now, I can also see why you linked the camera file as well now, my sincerest apologies, my brain was quite out of it yesterday... I had a very long day of work.

Morsmalleo commented 1 year ago

I don't really understand the question. This line https://github.com/rapid7/metasploit-payloads/blob/dcaad10486e22885d0cbcbce508e3e763ce689e9/java/androidpayload/app/src/com/metasploit/stage/Payload.java#L238

dynamically loads the rest of meterpeter, which contains code that accesses, for example, the camera. The code that does camera functionality has been linked to already by me and by @bcoles.

Ahhh I see now, I can also see why you linked the camera file as well now, my sincerest apologies, my brain was quite out of it yesterday... I had a very long day of work.

Can't believe I missed that one, sorry for wasting any time guys, this is definitely solved.