From f48e4363f5b521ee557250e4ad0d8dddeb962321 Mon Sep 17 00:00:00 2001 From: Tim Date: Thu, 7 Jan 2016 09:22:42 +0000 Subject: [PATCH 1/4] activity_start --- .../meterpreter/extensions/android/android.rb | 7 +++++++ .../post/meterpreter/extensions/android/tlv.rb | 3 +-- .../ui/console/command_dispatcher/android.rb | 17 +++++++++++++++-- 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb index 931b591708..a98ea5bd28 100644 --- a/lib/rex/post/meterpreter/extensions/android/android.rb +++ b/lib/rex/post/meterpreter/extensions/android/android.rb @@ -242,6 +242,13 @@ class Android < Extension response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value end + def activity_start(uri) + request = Packet.create_request('activity_start') + request.add_tlv(TLV_TYPE_URI_STRING, uri) + response = client.send_request(request) + response + end + def send_sms(dest, body, dr) request = Packet.create_request('send_sms') request.add_tlv(TLV_TYPE_SMS_ADDRESS, dest) diff --git a/lib/rex/post/meterpreter/extensions/android/tlv.rb b/lib/rex/post/meterpreter/extensions/android/tlv.rb index 99f269327d..9f434cfffa 100644 --- a/lib/rex/post/meterpreter/extensions/android/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/android/tlv.rb @@ -76,8 +76,7 @@ TLV_TYPE_CELL_BASE_LONG = TLV_META_TYPE_UINT | (TLV_EXTENSIONS TLV_TYPE_CELL_NET_ID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 9073) TLV_TYPE_CELL_SYSTEM_ID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 9074) - - +TLV_TYPE_URI_STRING = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9101) end end diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb index 8030c3329c..d72044d9ec 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb 
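Review bot: The new `activity_start(uri)` in extensions/android/android.rb has no comment saying what form `uri` takes or what the caller gets back. At this commit it returns the whole response packet, while the method just above it ends on `response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value`. A one-line header such as `# Asks the session to start an activity for +uri+; returns the response packet` would document the contract. The trailing `response` local can go by ending the method on `client.send_request(request)`. The value is forwarded to the session exactly as given, so an empty or malformed string is not caught on the framework side.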
@@ -29,7 +29,8 @@ class Console::CommandDispatcher::Android 'device_shutdown' => 'Shutdown device', 'send_sms' => 'Sends SMS from target session', 'wlan_geolocate' => 'Get current lat-long using WLAN information', - 'interval_collect' => 'Manage interval collection capabilities' + 'interval_collect' => 'Manage interval collection capabilities', + 'activity_start' => 'Start an Android activity from a Uri string' } reqs = { @@ -41,7 +42,8 @@ class Console::CommandDispatcher::Android 'device_shutdown' => ['device_shutdown'], 'send_sms' => ['send_sms'], 'wlan_geolocate' => ['wlan_geolocate'], - 'interval_collect' => ['interval_collect'] + 'interval_collect' => ['interval_collect'], + 'activity_start' => ['activity_start'] } # Ensure any requirements of the command are met @@ -528,6 +530,17 @@ class Console::CommandDispatcher::Android end end + def cmd_activity_start(*args) + if (args.length < 1) + print_line("Usage: activity_start \n") + print_line("Start an Android activity from a uri") + return + end + + uri = args[0] + client.android.activity_start(uri) + end + # # Name for this dispatcher # From c76389629abd913edb6886af404cd442d9591d20 Mon Sep 17 00:00:00 2001 From: Tim Date: Tue, 12 Jan 2016 07:49:37 +0000 Subject: [PATCH 2/4] receive startActivity result --- lib/rex/post/meterpreter/extensions/android/android.rb | 2 +- lib/rex/post/meterpreter/extensions/android/tlv.rb | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb index a98ea5bd28..32cc0f9af7 100644 --- a/lib/rex/post/meterpreter/extensions/android/android.rb +++ b/lib/rex/post/meterpreter/extensions/android/android.rb 
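Review bot: The usage text in `cmd_activity_start` prints `Usage: activity_start ` with no argument placeholder, so the operator is not told what to pass. The placeholder may have been lost in rendering, but as shown the line should read `print_line("Usage: activity_start <uri>")`. The embedded `\n` also leaves a blank line, since `print_line` terminates the line itself. Only `args[0]` is used and further arguments are dropped silently; checking `args.length != 1` instead of `< 1` would surface a URI that was accidentally split on whitespace.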
@@ -246,7 +246,7 @@ class Android < Extension request = Packet.create_request('activity_start') request.add_tlv(TLV_TYPE_URI_STRING, uri) response = client.send_request(request) - response + response.get_tlv(TLV_TYPE_ACTIVITY_START_RESULT).value end def send_sms(dest, body, dr) diff --git a/lib/rex/post/meterpreter/extensions/android/tlv.rb b/lib/rex/post/meterpreter/extensions/android/tlv.rb index 9f434cfffa..54cfa1488b 100644 --- a/lib/rex/post/meterpreter/extensions/android/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/android/tlv.rb @@ -77,6 +77,7 @@ TLV_TYPE_CELL_NET_ID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS TLV_TYPE_CELL_SYSTEM_ID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 9074) TLV_TYPE_URI_STRING = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9101) +TLV_TYPE_ACTIVITY_START_RESULT = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 9102) end end From 4d6791d4323ab3593e725b77f857b6c72f9eed40 Mon Sep 17 00:00:00 2001 From: Tim Date: Sun, 31 Jan 2016 15:13:21 +0000 Subject: [PATCH 3/4] fix returning of error --- lib/rex/post/meterpreter/extensions/android/android.rb | 6 +++++- lib/rex/post/meterpreter/extensions/android/tlv.rb | 1 + .../meterpreter/ui/console/command_dispatcher/android.rb | 7 ++++++- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb index 32cc0f9af7..800204d726 100644 --- a/lib/rex/post/meterpreter/extensions/android/android.rb +++ b/lib/rex/post/meterpreter/extensions/android/android.rb @@ -246,7 +246,11 @@ class Android < Extension request = Packet.create_request('activity_start') request.add_tlv(TLV_TYPE_URI_STRING, uri) response = client.send_request(request) - response.get_tlv(TLV_TYPE_ACTIVITY_START_RESULT).value + if response.get_tlv(TLV_TYPE_ACTIVITY_START_RESULT).value + return nil + else + return response.get_tlv(TLV_TYPE_ACTIVITY_START_ERROR).value + end end def send_sms(dest, body, dr) 
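Review bot: `response.get_tlv(TLV_TYPE_ACTIVITY_START_RESULT).value` calls `.value` on whatever `get_tlv` returns, so a response without that TLV raises NoMethodError on nil instead of reporting a failed start. The same chained call is kept in the `if` condition and the `else` branch of the later "fix returning of error" hunk for this method. Using the nil-safe accessor, `response.get_tlv_value(TLV_TYPE_ACTIVITY_START_RESULT)`, avoids the crash in both places. The `def activity_start(uri)` line is outside this hunk.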
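Review bot: In the "fix returning of error" hunk, `activity_start` signals success by returning `nil` and failure by returning the error string, so a failed start with no error TLV value is indistinguishable from success. The dispatcher hunk of the same commit tests `result.nil?` and would print "Intent started" in that case. Ending the method on `return nil if response.get_tlv_value(TLV_TYPE_ACTIVITY_START_RESULT)` followed by `response.get_tlv_value(TLV_TYPE_ACTIVITY_START_ERROR) || 'unknown error'` keeps the failure visible. A short comment stating the nil-means-success contract would also help, as it is not obvious from the call site. The explicit `return` in both branches is not needed in Ruby. The method's `def` line is outside the hunk.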
diff --git a/lib/rex/post/meterpreter/extensions/android/tlv.rb b/lib/rex/post/meterpreter/extensions/android/tlv.rb index 54cfa1488b..babbec853a 100644 --- a/lib/rex/post/meterpreter/extensions/android/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/android/tlv.rb @@ -78,6 +78,7 @@ TLV_TYPE_CELL_SYSTEM_ID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS TLV_TYPE_URI_STRING = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9101) TLV_TYPE_ACTIVITY_START_RESULT = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 9102) +TLV_TYPE_ACTIVITY_START_ERROR = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9103) end end diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb index d72044d9ec..4c6e39e4f4 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb @@ -538,7 +538,12 @@ class Console::CommandDispatcher::Android end uri = args[0] - client.android.activity_start(uri) + result = client.android.activity_start(uri) + if result.nil? + print_status("Intent started") + else + print_error("Error: #{result}") + end end # From ed5cf821b2dd21200791fdc9c93acf41300e6b90 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 10 Feb 2016 23:21:20 -0600 Subject: [PATCH 4/4] bump payloads to 1.1.0 --- Gemfile.lock | 4 ++-- metasploit-framework.gemspec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index ea2654ff4a..32690ca571 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -13,7 +13,7 @@ PATH metasploit-concern (= 1.0.0) metasploit-credential (= 1.0.1) metasploit-model (= 1.0.0) - metasploit-payloads (= 1.0.24) + metasploit-payloads (= 1.1.0) metasploit_data_models (= 1.2.10) msgpack network_interface (~> 0.0.1) 
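Review bot: In `cmd_activity_start`, `print_error("Error: #{result}")` interpolates a string that comes back from the remote session and writes it to the operator's console as received. If the console output path does not already strip control characters, this text should be limited to printable characters first, for example `result.to_s.gsub(/[^[:print:]]/, '?')`. The `Error:` prefix also looks redundant next to the marker `print_error` adds itself. The method's `def` line and usage check are outside this hunk.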
@@ -124,7 +124,7 @@ GEM activemodel (>= 4.0.9, < 4.1.0) activesupport (>= 4.0.9, < 4.1.0) railties (>= 4.0.9, < 4.1.0) - metasploit-payloads (1.0.24) + metasploit-payloads (1.1.0) metasploit_data_models (1.2.10) activerecord (>= 4.0.9, < 4.1.0) activesupport (>= 4.0.9, < 4.1.0) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 32bcb1cd36..0aba1e8d59 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -70,7 +70,7 @@ Gem::Specification.new do |spec| # are needed when there's no database spec.add_runtime_dependency 'metasploit-model', '1.0.0' # Needed for Meterpreter - spec.add_runtime_dependency 'metasploit-payloads', '1.0.24' + spec.add_runtime_dependency 'metasploit-payloads', '1.1.0' # Needed by msfgui and other rpc components spec.add_runtime_dependency 'msgpack' # get list of network interfaces, like eth* from OS.