2025-04-06 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report
This article explains how to embed Meterpreter in an Android APK. I think it is very practical, so I am sharing it with you; I hope you get something out of it. Let's take a look.
With the rapid spread of mobile devices, many of the applications we use every day are moving to cloud deployments, with JavaScript browser frameworks on one side and mobile front ends on the other, such as Objective-C on Apple iOS or Java on Android. This has driven the growth of mobile apps. Unlike Apple's, the Android market is open: anyone can contribute to the store, and Android holds the majority of the mobile market share.
In addition, a variety of third-party websites offer Android application package (APK) files for direct download. Metasploit lets testers generate an Android payload with Meterpreter and install it on an Android device. Android applications are written in Java and compiled into the Dalvik Executable format (DEX). The packaged application is a ZIP file containing the DEX bytecode.
The Dalvik virtual machine on Android was recently replaced by the Android Runtime (ART), which adds optimizations and compiles DEX bytecode into native machine code. The Dalvik VM mostly interprets bytecode with just-in-time (JIT) compilation, optimizing only the frequently executed portions of the application, so ART delivers higher performance.
smali/baksmali is an assembler/disassembler for Android DEX bytecode. Another Android tool, "apktool", can disassemble a packaged DEX (APK file) into smali files, reassemble the smali files back into DEX, and repackage the result in APK format. We can use this tool to disassemble and modify existing APK files.
In what follows, we use this tool to disassemble an APK and add an extra static entry point to the smali code of the initial Android Activity that starts our Meterpreter. In general, the steps to embed Meterpreter in an APK file are:
1. Find an interesting existing APK on "apkmonk.com" or a similar mirror site.
2. Generate a Metasploit APK file.
3. Disassemble the Metasploit APK file with "apktool", along with the APK file we intend to modify.
4. Copy all of the Meterpreter smali code into the smali directory of the target APK.
5. Find the code entry point in the AndroidManifest.xml of the APK application by looking for the intent-filter that marks the launcher activity (identified in the example below); the name of the activity containing this intent-filter is the entry point you want.
6. Modify that activity's ".smali" file to include the code that starts the Meterpreter stage.
7. Copy all Meterpreter permissions from the Meterpreter AndroidManifest.xml into the AndroidManifest.xml of the modified APK.
8. Reassemble it into the compressed DEX (APK) format.
9. Sign the newly created APK file with "jarsigner" and then load it onto the target Android device.
Next I'll walk through the steps above with a concrete example. I downloaded the APK for a game called Cowboy Shooting Game from apkmonk.com.
Generate malware APK
Next, I use the "msfvenom" command to generate the Metasploit APK, as shown below.
Disassemble APK files
Then use "apktool" to disassemble the two files, as follows:
Copy malware code into the game
A simple way is to change into the Metasploit APK directory and copy everything under its "smali" directory into the "com.CowboyShootingGames_2018-09-22" directory. A trick I learned from a system administrator is to use "tar": pipe the output of one tar command into a second one that changes directory and extracts the files there.
Find the Activity entry point
Below we can see that the entry activity is listed as "com.CowboyShootingGames.MainActivity". We know this because the XML contains an intent-filter with "android.intent.action.MAIN".
Modify the Activity entry-point smali file
As seen above, in this case the file is named "MainActivity.smali" and sits in the "com/CowboyShootingGames" directory, since each period (".") in the fully qualified class name corresponds to one directory level.
In the "MainActivity.smali" file, we look for the "onCreate()" method.
We need to add one line of "smali" code directly below the "onCreate()" method call to invoke our Meterpreter:
invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
Note that if the directory name itself is changed, all path references used in all "smali" files contained in the "payload" directory must be modified to match. This can be done manually, but it is error-prone. For now, continue without renaming anything; the final result of the modification looks like the screenshot below.
Add permissions to the modified APK's "AndroidManifest.xml" file
Next, use "grep" to pull the lines containing the strings "uses-permission" and "uses-feature" out of the Metasploit "AndroidManifest.xml" file and add them to the modified APK's "AndroidManifest.xml" file.
You need to use an editor to insert the permissions at the appropriate place in the new "AndroidManifest.xml" file. Search for an existing "uses-permission" line as a reference point for where the text should be inserted.
You may end up with some duplicate permissions. You can delete them, though it makes little difference.
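From the defender's side, the two changes described in this and the previous section (an extra static call inserted directly below onCreate() in the launcher activity, and a second manifest's permissions pasted in, often leaving duplicates) are exactly what an audit of an apktool-decoded APK can look for. The script below is an added example, not code from the original article or from its android_embedit.py tool. It assumes apktool's output layout (a plain-XML AndroidManifest.xml at the top level and the launcher activity's smali at smali/<package path>/<Class>.smali) and runs against a constructed manifest and smali file embedded as sample input. Because the tool described later in the article randomizes the stager's directory name, the check flags any static start(Context)-style call from a class outside the app's own package rather than matching the "metasploit" name.

```python
"""Audit an apktool-decoded APK for an injected stager call and duplicated permissions.

Added example for the article above, not the article's own code. Assumed apktool layout:
AndroidManifest.xml is decoded plain XML at the top level, and the launcher activity's
smali lives at smali/<package path>/<Class>.smali.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"  # ElementTree's form of the android:name attribute

# A static call that passes the Activity (p0) as a Context: the shape of the inserted line.
INVOKE_RE = re.compile(
    r"invoke-static\s*\{p0\},\s*(L[^;]+;)->(\w+)\(Landroid/content/Context;\)V"
)


def launcher_activity(manifest_xml: str) -> Optional[str]:
    """Fully qualified name of the activity whose intent-filter declares
    android.intent.action.MAIN (the entry point the article locates by hand)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    for activity in root.iter("activity"):
        for action in activity.iter("action"):
            if action.get(ANDROID_NAME) == "android.intent.action.MAIN":
                name = activity.get(ANDROID_NAME, "")
                return package + name if name.startswith(".") else name
    return None


def duplicate_permissions(manifest_xml: str) -> List[str]:
    """Permissions declared more than once, a side effect of pasting a second manifest."""
    root = ET.fromstring(manifest_xml)
    counts = Counter(p.get(ANDROID_NAME) for p in root.iter("uses-permission"))
    return sorted(name for name, n in counts.items() if n > 1 and name)


def foreign_context_calls(smali: str, app_package: str) -> List[Tuple[str, str]]:
    """Static calls inside onCreate() that hand the Activity as a Context to a class
    outside the app's own package. Keying on the package instead of a 'metasploit'
    name still catches a renamed stager directory."""
    own_prefix = "L" + app_package.replace(".", "/") + "/"
    hits: List[Tuple[str, str]] = []
    in_on_create = False
    for line in smali.splitlines():
        s = line.strip()
        if s.startswith(".method") and "onCreate(" in s:
            in_on_create = True
        elif s == ".end method":
            in_on_create = False
        elif in_on_create:
            m = INVOKE_RE.match(s)
            if m and not m.group(1).startswith(own_prefix):
                hits.append((m.group(1), m.group(2)))
    return hits


def audit(manifest_xml: str, smali_files: Dict[str, str]) -> dict:
    """Run both checks; smali_files maps apktool-relative paths to file contents."""
    package = ET.fromstring(manifest_xml).get("package", "")
    entry = launcher_activity(manifest_xml)
    findings = {"launcher": entry,
                "duplicate_permissions": duplicate_permissions(manifest_xml),
                "foreign_calls": []}
    if entry:
        path = "smali/" + entry.replace(".", "/") + ".smali"
        if path in smali_files:
            findings["foreign_calls"] = foreign_context_calls(smali_files[path], package)
    return findings


def audit_directory(decoded: Path) -> dict:
    """Same checks against a real apktool output directory (reads only the launcher's smali)."""
    manifest = (decoded / "AndroidManifest.xml").read_text(encoding="utf-8")
    smali_files: Dict[str, str] = {}
    entry = launcher_activity(manifest)
    if entry:
        rel = "smali/" + entry.replace(".", "/") + ".smali"
        if (decoded / rel).exists():
            smali_files[rel] = (decoded / rel).read_text(encoding="utf-8")
    return audit(manifest, smali_files)


# Constructed sample input modelled on the article's game: one launcher activity,
# a pasted-in duplicate permission, and the stager call right below onCreate().
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.CowboyShootingGames">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"><intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/>
  </intent-filter></activity></application>
</manifest>"""
SAMPLE_SMALI = """.class public Lcom/CowboyShootingGames/MainActivity;
.super Landroid/app/Activity;
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 0
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
    return-void
.end method"""

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST,
                {"smali/com/CowboyShootingGames/MainActivity.smali": SAMPLE_SMALI}))
```

On multi-dex apps apktool also emits smali_classes2 and later directories, so the path lookup in audit_directory would need to try those too. A second cheap check, not implemented here, is to compare the APK's signer certificate (for example with "apksigner verify --print-certs") against the publisher's known certificate: a package re-signed with a debug or freshly generated keystore, as in the signing step later in the article, will carry a different one.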
Build a new APK package file
Now use "apktool" again to reassemble the modified directory into an APK package file. The final result is written to the "dist" subdirectory of the APK directory itself.
Re-sign the generated package file
An easy way to re-sign is to use the Android debug keystore that was created when you installed Android Studio. On UN*X systems the debug keystore is located in the hidden ".android" directory in your home directory.
Another way is to use Java's "keytool" to generate your own self-signed keystore and sign with the "jarsigner" tool, as shown in the screenshot below.
At this point the "final.apk" file is ready and can be installed on the Android system using "adb".
For the demonstration I used the "GenyMotion" virtual machine, an x86-based emulator that runs on VirtualBox and gives very high-performance Android emulation. The problem you may run into is that the x86 emulation itself does not support ARM native code. There is a workaround: ARM translation libraries are available online. Search for "Genymotion-ARM-Translation_v1.1.zip" and drag the ZIP file onto the running GenyMotion Android system. This is not 100% reliable and some applications may still crash. I found Nexus 6 series devices very suitable, because the "rooting" kit was quite reliable and testing over a USB cable connection was not too much trouble.
The final step, of course, is to try our newly infected game. As soon as the game finished installing, we got a Meterpreter shell on the Kali system.
The problem is that, after performing all the steps above, I found the chance of making a mistake very high. So I decided to automate the process with a Python script. I call it "android_embedit.py", and it does the job with little effort.
The idea behind "android_embedit.py" is that, given the APK file generated by Metasploit, the original APK to be modified and a keystore, it performs all the steps automatically and produces the result for you. Below is an example run of the tool. All temporary files and output are stored in the "~/.ae" directory.
The tool also removes the "metasploit" directory name and replaces it with a random string as obfuscation. You can see this in the screenshot below, which lists the contents of the APK's "smali/com" directory: the directory named "dbarpubw" actually contains the Metasploit stager code.
The above is how to embed Meterpreter in an Android APK. The editor believes there are some points here that we may see or use in our daily work. I hope you learned something from this article; for more details, please follow the industry information channel.