Rapid7 Vulnerability & Exploit Database

Rapid7 Metasploit Framework msfvenom APK Template Command Injection

Back to Search

Rapid7 Metasploit Framework msfvenom APK Template Command Injection

Disclosed
10/29/2020
Created
11/10/2020

Description

This module exploits a command injection vulnerability in Metasploit Framework's msfvenom payload generator when using a crafted APK file as an Android payload template. Affects Metasploit Framework <= 6.0.11 and Metasploit Pro <= 4.18.0. The file produced by this module is a relatively empty yet valid-enough APK file. To trigger the vulnerability, the victim user should do the following: msfvenom -p android/<...> -x

Author(s)

  • Justin Steven

Platform

Unix

Architectures

cmd

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
msf exploit(metasploit_msfvenom_apk_template_cmd_injection) > show targets
    ...targets...
msf exploit(metasploit_msfvenom_apk_template_cmd_injection) > set TARGET < target-id >
msf exploit(metasploit_msfvenom_apk_template_cmd_injection) > show options
    ...show and set options...
msf exploit(metasploit_msfvenom_apk_template_cmd_injection) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;