Land #6516, allow Android meterpreter to launch activities

Gemfile.lock

@@ -13,7 +13,7 @@ PATH
       metasploit-concern (= 1.0.0)
       metasploit-credential (= 1.0.1)
       metasploit-model (= 1.0.0)
-      metasploit-payloads (= 1.0.24)
+      metasploit-payloads (= 1.1.0)
       metasploit_data_models (= 1.2.10)
       msgpack
       network_interface (~> 0.0.1)
@@ -124,7 +124,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (1.0.24)
+    metasploit-payloads (1.1.0)
     metasploit_data_models (1.2.10)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)

lib/rex/post/meterpreter/extensions/android/android.rb

@@ -242,6 +242,17 @@ class Android < Extension
     response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value
   end
 
+  def activity_start(uri)
+    request = Packet.create_request('activity_start')
+    request.add_tlv(TLV_TYPE_URI_STRING, uri)
+    response = client.send_request(request)
+    if response.get_tlv(TLV_TYPE_ACTIVITY_START_RESULT).value
+      return nil
+    else
+      return response.get_tlv(TLV_TYPE_ACTIVITY_START_ERROR).value
+    end
+  end
+
   def send_sms(dest, body, dr)
     request = Packet.create_request('send_sms')
     request.add_tlv(TLV_TYPE_SMS_ADDRESS, dest)

lib/rex/post/meterpreter/extensions/android/tlv.rb

@@ -76,8 +76,9 @@ TLV_TYPE_CELL_BASE_LONG              = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS
 TLV_TYPE_CELL_NET_ID                 = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9073)
 TLV_TYPE_CELL_SYSTEM_ID              = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9074)
 
-
-
+TLV_TYPE_URI_STRING                  = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9101)
+TLV_TYPE_ACTIVITY_START_RESULT       = TLV_META_TYPE_BOOL      | (TLV_EXTENSIONS + 9102)
+TLV_TYPE_ACTIVITY_START_ERROR        = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9103)
 
 end
 end

lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb

@@ -29,7 +29,8 @@ class Console::CommandDispatcher::Android
       'device_shutdown'   => 'Shutdown device',
       'send_sms'          => 'Sends SMS from target session',
       'wlan_geolocate'    => 'Get current lat-long using WLAN information',
-      'interval_collect'  => 'Manage interval collection capabilities'
+      'interval_collect'  => 'Manage interval collection capabilities',
+      'activity_start'    => 'Start an Android activity from a Uri string'
     }
 
     reqs = {
@@ -41,7 +42,8 @@ class Console::CommandDispatcher::Android
       'device_shutdown'  => ['device_shutdown'],
       'send_sms'         => ['send_sms'],
       'wlan_geolocate'   => ['wlan_geolocate'],
-      'interval_collect' => ['interval_collect']
+      'interval_collect' => ['interval_collect'],
+      'activity_start'   => ['activity_start']
     }
 
     # Ensure any requirements of the command are met
@@ -528,6 +530,22 @@ class Console::CommandDispatcher::Android
     end
   end
 
+  def cmd_activity_start(*args)
+    if (args.length < 1)
+      print_line("Usage: activity_start <uri>\n")
+      print_line("Start an Android activity from a uri")
+      return
+    end
+    
+    uri = args[0]
+    result = client.android.activity_start(uri)
+    if result.nil?
+      print_status("Intent started")
+    else
+      print_error("Error: #{result}")
+    end
+  end
+ 
   #
   # Name for this dispatcher
   #

metasploit-framework.gemspec

@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model', '1.0.0'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.0.24'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.1.0'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # get list of network interfaces, like eth* from OS.