rapid7 / metasploit-payloads

Unified repository for different Metasploit Framework payloads

Android android/meterpreter/reverse_tcp webcam_snap and webcam_stream not working on Android 11+ #717

Closed danilo-dellorco closed 1 month ago

danilo-dellorco commented 1 month ago

The webcam_snap and webcam_stream commands within the android/meterpreter/reverse_tcp payload are not functioning on Android devices running version 11 and higher. This issue appears to stem from the changes in Android’s window management and permission model introduced in recent Android releases, which restrict the ability to add views to the WindowManager without a valid activity or token.

Reproduction Steps

10-03 15:00:04.846 14103 14103 E AndroidRuntime: android.view.WindowManager$BadTokenException: Unable to add window -- token null is not valid; is your activity running?
10-03 15:00:04.846 14103 14103 E AndroidRuntime:        at android.view.ViewRootImpl.setView(ViewRootImpl.java:1531)
10-03 15:00:04.846 14103 14103 E AndroidRuntime:        at android.view.WindowManagerGlobal.addView(WindowManagerGlobal.java:441)
10-03 15:00:04.846 14103 14103 E AndroidRuntime:        at android.view.WindowManagerImpl.addView(WindowManagerImpl.java:158)
10-03 15:00:04.846 14103 14103 E AndroidRuntime:        at com.metasploit.meterpreter.android.webcam_start_android$1.run(Unknown Source:45)
10-03 15:00:04.846 14103 14103 E AndroidRuntime:        at android.os.Handler.handleCallback(Handler.java:959)
10-03 15:00:04.846 14103 14103 E AndroidRuntime:        at android.os.Handler.dispatchMessage(Handler.java:100)
10-03 15:00:04.846 14103 14103 E AndroidRuntime:        at android.os.Looper.loopOnce(Looper.java:232)
10-03 15:00:04.846 14103 14103 E AndroidRuntime:        at android.os.Looper.loop(Looper.java:317)
10-03 15:00:04.846 14103 14103 E AndroidRuntime:        at android.app.ActivityThread.main(ActivityThread.java:8592)
10-03 15:00:04.846 14103 14103 E AndroidRuntime:        at java.lang.reflect.Method.invoke(Native Method)
10-03 15:00:04.846 14103 14103 E AndroidRuntime:        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:580)
10-03 15:00:04.846 14103 14103 E AndroidRuntime:        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:878)

This likely results from a WindowManager$BadTokenException, indicating that the SurfaceView is being added without a valid token or activity context, which is no longer permitted in Android 11 and above.

Impact

Affects any attempt to capture images or stream video using the Android Meterpreter webcam_snap or webcam_stream commands on devices running Android 11 and higher. This affects post-exploitation capabilities on the Android platform, particularly for devices running newer Android versions.

Platform:

Possible Cause

The issue likely arises due to changes in how Android 11+ manages windows and tokens. The WindowManager.addView() method cannot be called with null tokens or without a valid running activity context. Updating the implementation to handle the stricter security model (e.g., using the Camera2 API, or ensuring a valid activity token is used) may resolve the issue.

h00die commented 1 month ago

Thank you for posting this in the correct place, and giving lots of good details to help diagnose/debug. I've included it in the larger overhaul issue; please see: https://github.com/rapid7/metasploit-framework/issues/19154