vailixi Posted September 18, 2015

I've never hacked a phone before, but with all the buzz about Android lately I figure I should at least try it out. I was looking through the available Metasploit payloads, and there are some shells and meterpreters already available but not really a whole lot of encoding options for ARM-based payloads.

As far as signatures go, I think I could pretty much change up all of the names of variables and function names within a given program to random strings. Like pipe them through openssl or truncate the output and use the truncated hash random(random(hash)) and it would come out different for signature. Different checksums and whatnot.

I don't have an ARM-based computer. Well, I ordered an Orange Pi Plus a few days ago. I was going to use it as a file server or run an NES emulator on it.

So, question: Is there an automated way to create an obfuscated ARM payload? And do I have to compile it on an ARM processor, or can I compile ARM on my Core i7? Anyway, I'm thinking if I have the ARM binary I can just objdump it to the desired architecture and use the ASM, right?

Am I getting ahead of myself here? Who hacks themselves some droids?

cooper Posted September 18, 2015

Just as a general observation, because I hack plenty of ARM but pretty much zero droids: Why even bother encoding/obfuscating your payload? Is there anything running on there that checks if something malicious is moving in? Just because it's done that way elsewhere doesn't mean it's done that way here.

vailixi Posted September 18, 2015

It pretty much seems like any Android device is down to get three holed.

digip Posted September 18, 2015

Cross compilation is not new, and is done all the time for deploying apps in Linux from x86-based to ARM, but if you're looking to use Kali and Metasploit for the delivery, check this out - http://docs.kali.org/development/arm-cross-compilation-environment

YMMV, as I'm not a programmer and don't mess with this stuff on a regular basis, but I imagine it would come in handy even for making regular apps work on the Raspberry and porting something over from your desktop Linux OS to an ARM-based Linux OS. In the case of exploit code binaries, this would probably help with any sample code you needed to compile for Android devices as well, although you probably need all the necessary SDK/NDK stuff for Android as well. NDK works from Windows as well from what I was reading, so you could work in either environment, but from Kali, it might be easier for the Metasploit payloads.

You may be able to test the results using an x86 Android VM if you want to just use native x86 files (although I'm not sure how the Android x86 VM actually works, I only used mine to test an SMS app over the web that failed to work).

https://www.google.com/#q=cross+compiling+android+ndk