Tweak description.

Joe Vennix
2014-02-04 02:47:49 -06:00
parent 37479884a5
commit 4923a93974
@@ -27,20 +27,22 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Android < 4.2 WebView addJavascriptInterface MITM Code Execution',
'Name' => 'Android < 4.2 Browser/WebView addJavascriptInterface Code Execution',
'Description' => %q{
This module exploits an issue where MITM attackers can execute
arbitrary code on vulnerable Android devices. The issue is rooted in
the use of the addJavascriptInterface function, which exposes Java
Reflection to Javascript executing within a WebView instance. Many
Android ad network integrations are known to be affected.
This module exploits a privilege escalation issue that arises when untrusted
Javascript code is executed by an Android WebView component that has one or more
Interfaces added to it. The untrusted Javascript code can call into the Java Reflection
APIs exposed by the Interface and execute arbitrary commands.
To use this module, the attacker must have some way to inject the html/js
served by metasploit into an affected Webview on the target device. There
are a number of ways to do this (DNS spoofing, rogue HTTP proxy, XSS injection, etc).
Some distributions of the Android Browser app have an addJavascriptInterface
call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs
4.1.2 release of Android is known to work.
This module can also get a shell on some versions of the Browser app on
Android < 4.2, where the vendor has added an addJavascriptInterface wrapper.
A secondary attack vector involves the WebViews embedded inside a large number
of Android applications. Ad integrations are perhaps the worst offender here.
If you can MITM the WebView's network connection, or can get a persistent XSS
into the page displayed in the WebView, then you can inject the html/js served
by this module and get a shell.
Note: Adding a .js to the URL will return plain javascript (no HTML markup).
},
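Review bot: the rewritten 'Description' opens by calling this a "privilege escalation issue", while the new 'Name' says "Code Execution" and the Browser paragraph says "vulnerable to RCE". Use one classification throughout so that anyone triaging against this module reads the same severity in every paragraph. The affected-version bound "Android < 4.2" now appears only in 'Name', apart from the single "Google APIs 4.1.2" example. The removed Browser sentence carried that bound, and the embedded-WebView paragraph never had one, so restate it in the first sentence of the description. Minor style points: "Javascript" and "javascript" are both used, "Interfaces" and "Interface" are capitalised mid-sentence, and "html/js" is lower case. Normalise these to "JavaScript", "interface" and "HTML/JS".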