Posted

Hey guys, I've been exploiting my OWN!!! tablet and phone recently. My phone is running Marshmallow 6.0.1, the tablet, uhmm... KitKat? Something lol, 4.4 I think lol.

OK, I've created a payload with msfvenom and made the .apk payload, and you have to accept the permissions and install and open the payload to run the binary, right?? OK.

What I want to know is: just like in Windows you can create shellcode and drop it into the cmd or drop it into a jpg file and it just runs your binary, no questions asked lol.

Is there any way to run some kind of shellcode "like" payload on Android so I can send the payload via SMS or email etc., so when the user clicks on it it just runs the binary?

So basically what I would like is to embed a payload for Android into a jpg/jpeg/png. It has to be a picture. I know about the PDF deal; I want to do this with a picture... If I've been unclear in any way, feel free to ask. I will try my best to explain better what I want. Thanks in advance.

I can't wait to hear all your feedback, good or bad, I accept it all, ty... and special thanks to the whole Hak5 community for just being here, you all are great. Who else would I be able to ask questions like this to lmao.

Posted
4 hours ago, datajumper said:

Hey guys, I've been exploiting my OWN!!! tablet and phone recently. My phone is running Marshmallow 6.0.1, the tablet, uhmm... KitKat? Something lol, 4.4 I think lol.

OK, I've created a payload with msfvenom and made the .apk payload, and you have to accept the permissions and install and open the payload to run the binary, right?? OK.

What I want to know is: just like in Windows you can create shellcode and drop it into the cmd or drop it into a jpg file and it just runs your binary, no questions asked lol.

Is there any way to run some kind of shellcode "like" payload on Android so I can send the payload via SMS or email etc., so when the user clicks on it it just runs the binary?

So basically what I would like is to embed a payload for Android into a jpg/jpeg/png. It has to be a picture. I know about the PDF deal; I want to do this with a picture... If I've been unclear in any way, feel free to ask. I will try my best to explain better what I want. Thanks in advance.

I can't wait to hear all your feedback, good or bad, I accept it all, ty... and special thanks to the whole Hak5 community for just being here, you all are great. Who else would I be able to ask questions like this to lmao.

I guess what I'm asking is: is there a payload I can drop on a device and all you have to do is open it, without permissions... install like an app? Just by opening it.

Posted (edited)

Because of the way that Android always confirms whether you want to download and install an APK file, with multiple warnings, plus the fact that there's a setting on most phones that has to be enabled to allow installation of unknown APKs, this is a difficult one.

I would say no; generally, no, there is not a way to install an APK file onto a user's phone without the phone either being in the physical hands of the person attacking it, or via some heavy social engineering from the attacker (that I know of).

*edit* I am unaware of any method to get an image file to download anything to a user's mobile phone, at present. Yes, a PC. Not a phone.

A MITM attack of some sort could be a possibility, but some social engineering would still be required.

Edited by haze1434

Posted (edited)

MITM attack basic synopsis (one potential idea):

  • Using an RPi (or similar), create a replica of a WiFi access point that the user regularly connects to (spoof MAC, SSID).
  • Make sure the signal strength of the RPi access point is stronger than that of the real AP, or DoS the real AP.
  • User connects to your RPi.
  • Spoof download of updates to user's phone (exact method would need some research), essentially with the idea being that they are then happy to press 'yes' to any downloads they are offered, thinking it's an important security update.
  • APK is now on their phone.
  • Profit.

 

Edited by haze1434

Posted (edited)

Of course, with physical access, a rubber ducky and 30 seconds, this would be a piece of cake.

Edited by haze1434
