Commit Graph

99 Commits (3ef6f828948e5399816e6afbdbf278cdb32c5614)

Author SHA1 Message Date
Joe Vennix cd61975966
Change puts to vprint_debug. 2014-11-17 10:13:13 -06:00
Joe Vennix 2a24151fa8
Remove BAP target, payload is flaky. Add warning. 2014-11-17 02:02:37 -06:00
Joe Vennix 5de69ab6a6
minor syntax fixes. 2014-11-15 21:39:37 -06:00
Joe Vennix 3fb6ee4f7d
Remove dead constant. 2014-11-15 21:38:11 -06:00
Joe Vennix 7a62b71839
Some URL fixes from @jduck and exploit ideas from Andre Moulu.
The exploit works with the URLs fixed, installs the APK, but hangs at the Installing...
screen and never actually launches. We tried opening the APK in a setTimeout() intent
URI, but the previously launched intent seemed unresponsive. Andre had the bright
idea of re-opening the previously launched intent with invalid args, crashing it and
allow us to launch the payload.
2014-11-15 21:33:16 -06:00
Joe Vennix ea6d8860a1
Not root, just arbitrary permissions. 2014-11-12 21:51:55 -06:00
Joe Vennix 1895311911
Change URL to single line. 2014-11-12 10:56:51 -06:00
Joe Vennix 8689b0adef
Add module for samsung knox root exploit. 2014-11-12 09:53:20 -06:00
URI Assassin 35d3bbf74d
Fix up comment splats with the correct URI
See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
James Lee a65ee6cf30
Land #3373, recog
Conflicts:
	Gemfile
	Gemfile.lock
	data/js/detect/os.js
	lib/msf/core/exploit/remote/browser_exploit_server.rb
	modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-10-03 18:05:58 -05:00
Joe Vennix 5a8eca8946
Adds a :vuln_test option to BES, just like in BAP.
I needed this to run a custom JS check for the Android
webview vuln when the exploit is served straight
through BES. The check already existed when using BAP,
so I tried to preserve that syntax, and also added a
:vuln_test_error as an optional error message.

This commit also does some mild refactoring of un-
useful behavior in BES.
2014-10-01 23:34:31 -05:00
Joe Vennix 2b02174999
Yank Android->jsobfu integration. Not really needed currently. 2014-09-25 16:00:37 -05:00
HD Moore 43d65cc93a Merge branch 'master' into feature/recog
Resolves conflicts:
	Gemfile
	data/js/detect/os.js
	modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-07-06 09:17:44 -05:00
Tod Beardsley 2aa26fa290
Minor spacing and word choice fixups 2014-06-16 11:40:21 -05:00
joev 461fba97d7
Update forgotten call to js() in webview exploit. 2014-06-15 23:43:05 -05:00
joev eddac55c37
Remove spaces at EOL. 2014-06-13 08:37:44 -05:00
joev 56efd82112
Correct the disclosure date. 2014-06-11 21:53:42 -05:00
joev 04ac07a216 Compress and base64 data to save bytes.
Reduced file size from 43kb to 12kb, yay.
2014-06-02 23:06:46 -05:00
joev cf6b181959 Revert change to trailer(). Kill dead method.
* I verified that changes to PDF mixin do not affect any older modules that
generate PDF. I did this by (on each branch) running  in irb, then
running the module and diffing the pdf's generated by each branch. There were
no changes.
2014-06-02 22:26:14 -05:00
joev 9f5dfab9ea Add better interface for specifying custom #eol. 2014-06-02 22:26:11 -05:00
joev feca6c4700 Add exploit for ajsif vuln in Adobe Reader.
* This refactors the logic of webview_addjavascriptinterface into a mixin (android.rb).
* Additionally, some behavior in pdf.rb had to be modified (in backwards-compatible ways).

Conflicts:
	lib/msf/core/exploit/mixins.rb
2014-06-02 22:25:55 -05:00
HD Moore 583dab62b2 Introduce and use OS matching constants 2014-05-28 14:35:22 -05:00
Tim Wright a60558061c
re-enable x86 stager 2014-05-10 19:58:19 +01:00
Joe Vennix 8920e0cc80
Use octal encoding and -e, so that echo always works. 2014-04-17 01:17:46 -05:00
Joe Vennix fc841331d2 Add a test on echo to check for hex support.
* This is much nicer than checking version on userAgent, which
is often changed when rendered in an embedded webview.
2014-04-08 17:58:31 -05:00
joev 2e4c2b1637 Disable Android 4.0, add arch detection.
Android 4.0, it turns out, has a different echo builtin than the other androids.
Until we can figure out how to drop a payload on a 4.0 shell, we cannot support it.

Arch detection allows mips/x86/arm ndkstagers to work, unfortunately
x86 ndkstager was not working, so it is disabled for now.
2014-04-07 09:44:43 -05:00
Joe Vennix 55500ea2f3 Avoid the nullchar. 2014-04-02 21:53:12 -05:00
Joe Vennix 176cc84865 Remove BES and calculate the pid manually. 2014-04-02 17:21:13 -05:00
HD Moore 9b025347a9 Use a string match vs regex for Android as the OS 2014-04-02 07:52:20 -07:00
HD Moore c6013b8514 Fix use of os_flavor for targeting 2014-04-02 07:24:03 -07:00
HD Moore 7e227581a7 Rework OS fingerprinting to match Recog changes
This commit changes how os_name and os_flavor are handled
for client-side exploits, matching recent changes to the
server-side exploits and scanner fingerprints.

This commit also updates the client-side fingerprinting to
take into account Windows 8.1 and IE 9, 10, and 11.
2014-04-01 08:14:58 -07:00
Tim 25ca0552e0 cleanup files after exploit 2014-03-23 17:00:29 +00:00
Tim f9972239cf randomize payload filename 2014-03-23 16:36:26 +00:00
Joe Vennix facd743f1f Oops. Add missing dir to dalvikstager path. 2014-03-11 19:48:39 -05:00
Joe Vennix 5c2168513a Update path in #dalvikstager. 2014-03-11 11:03:36 -05:00
Tim 1e14ec7f6c native jni stager 2014-03-04 11:28:45 +00:00
Tod Beardsley 745f313413
Remove @nmonkee as author per twitter convo 2014-02-13 14:41:10 -06:00
Tod Beardsley 371f23b265
Unbreak the URL refs add nmonkee as ref and author
While @nmonkee didn't actually contribute to #2942, he did publish a
python exploit that leverages WebView, so given our policy of being
loose with author credit, I added him.

Also added a ref to @nmonkee's thing.

@jduck @jvennix-r7 if you have a problem with this, please do say so, I
don't think adding @nmonkee in any way diminishes your work, and I don't
want to appear like we're secretly ripping off people's work. I know you
aren't on this or any other module, and I know @nmonkee doesn't think
that either.
2014-02-13 14:19:59 -06:00
Joe Vennix 362e937c8d Forgot to push local changes. 2014-02-06 11:47:35 -06:00
Joe Vennix 0dc2ec5c4d Use BrowserExploitServer mixin.
This prevents drive-by users on other browsers from ever receiving
the exploit contents.
2014-02-06 11:32:42 -06:00
Joe Vennix 553616b6cc Add URL for browser exploit. 2014-02-04 17:04:06 -06:00
Joe Vennix 23fc73924e Msftidy it up. 2014-02-04 14:24:36 -06:00
Joe Vennix 700e09f386 Wording tweak. 2014-02-04 02:55:10 -06:00
Joe Vennix bbabd72b0e Whitespace tweaks. 2014-02-04 02:52:52 -06:00
Joe Vennix eb6a5a4c19 Tweak checks. 2014-02-04 02:49:44 -06:00
Joe Vennix 4923a93974 Tweak description. 2014-02-04 02:47:49 -06:00
Joe Vennix 37479884a5 Add browserautopwn support. 2014-02-04 02:32:12 -06:00
Joe Vennix eba3a5aab0 More accurate description. 2014-02-04 01:44:39 -06:00
Joe Vennix 177bd35552 Add webview HTTP exploit. 2014-02-04 01:37:09 -06:00