Drozer Shell Injection, Octal Escaping and /system/bin/ash #102
Comments
I am not sure I understand what you mean. Do you mean that some devices do not have
No, AFAIK, all Android devices have /system/bin/sh, which is a symlink to /system/bin/ash. The ash binary doesn't properly preserve the escaped octal content, preventing us from encoding and delivering the Weasel binary in the described method. Maybe you can let us know what Android release you used for your demonstration with weasel? I can see if there are any changes between that and other versions of ash. Thanks, -Josh
I have tested this on emulators and predominantly Samsung devices that I own. Devices that I can recall where I know it works 100% are:
Which devices are you seeing this on? If I run
Is this what you are seeing?
Ah, frag. I was screwing this up all along:
The arguments passed to "sh -c" need to be in quotes. I suck. Sorry about that. Do you think you could post your whole working drozer.js script, with the escaped Weasel code? I have command injection working just fine, but keep getting messed up on getting the escaped code right. Thanks! -Josh
No problem :) Really glad that this does work universally - I really tried to test the method thoroughly. I don't have my MWR laptop with me at the moment. Will be able to get back to you about that escaped weasel code tomorrow (Sunday) night. We are going through testing stages for the full-on MiTM exploit module for drozer that works on every app that is vulnerable to this issue. There is some pretty neat stuff in there that you may be interested in. Tyrone
I'd love to see that. Great work on :1,$s/Mercury/Drozer/g. I'm surprised more media outlets haven't caught on to Drozer and this addJSInterface issue. -Josh
Any word on getting that complete drozer.js posted? Thanks! -Josh
Hi, sorry for the delayed reply. I have put it here for you: https://www.dropbox.com/s/x4zdgj9j0k0uvxm/dz.js.zip Please note that this is the output generated by the drozer exploit that we are releasing soon :) You will have to change the IP address that weasel calls back to (which should be the IP of your drozer server).
Please let me know once you have downloaded this so that I can remove this file. Did it work for you? :)
I grabbed it, thank you! I'll try it tomorrow, but it looks awesome. Nice job automatically enumerating the JS interface! -Josh
Hi, drozer.js is now implemented in https://github.com/mwrlabs/drozer/blob/master/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py - go check it out.
You are correct. drozer does not have payloads for anything other than ARM.
Hey Tyrone, thank you for clearing my doubt regarding ARM. I appreciate it. Regards
I'm trying to deploy a weasel in an Android emulator. I'm using Windows and therefore I'm not fully executing this command
However, I should get the connection to the drozer server with the following injected code, shouldn't I?
What am I doing wrong?
I am struggling to understand your question. Let's take a step back and explain the following to me:
Sorry for my bad expression. The thing is that I'm using Windows and I cannot execute this command:
But the thing is that this command is to build the weasel, so it is not needed to connect the mobile device to the drozer server. I'm working with an emulator and I am injecting the following JavaScript code into an app. In theory the emulator should connect to the drozer server even if the weasel was not built, shouldn't it?
Please see the following module that is already in drozer that exploits this issue: https://github.com/mwrlabs/drozer/blob/master/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py This exploit is slightly more up-to-date than that article as well.
Sorry about the last comment, afterwards I realized this. However, I used a virtual machine to build the payload but it is not working either :(. I've tried to generate the payload again using $drozer payload build weasel.shell.armeabi >weasel and then change the IP in the weasel file to 10.0.2.2 (because I will run it in an emulator). I pushed it to the device, leaving only this code
but it doesn't work either... The code you passed me is the code of the drozer application, right? IDK how to use it :( Thanks for all the help
You do not need to manually change the IP address, you can use the The code I linked in my last comment is already in drozer. To use it do:
As a silent lurker on this thread, let me say that you are awesome Tyrone! -Josh
I'm sorry for not getting this, but this command is for attacking an app, right? All I'm getting is: Uploading weasel to /weasel and W...timed out. I've tried to build the payload again using the server flag like this
Then I've pushed the file to the right path inside the device and tried to execute it with
However, I'm getting "error calling npobject". I know I should inject the weasel code in the JavaScript, but I've done this to at least try whether the code executes something inside the device. I have to do this because the following line is not creating a file in the device:
Sorry for all the inconvenience and thank you very much for all your effort!
Hello again! I've been doing some experiments trying to make this work for me. It's weird but, as I said in the previous post, the following line is not generating any file: execute(['/system/bin/sh','-c','echo -e "\0177...\0000" > '+path]); However, if I just take the first characters, like in the following line, the file is created just fine: execute(['/system/bin/sh','-c','echo -e "\0177\0105\0114\0106" > '+path]); Any ideas on what could be happening? Thank you very much!
Thank you @joswr1ght :) @tersark: If you can get it to write any content to a file then the exploit is working correctly. As for the weasel code not being written out - that is a mystery to me. Try breaking up the problem: for instance, do
More than debugging this one line at a time, I am not sure what else to do without being able to replicate this problem on your specific device. EDIT: You may want to use
Hi, I've tried to copy line by line, but the weasel line is too big for the command buffer (I imagine, because I can't paste the whole line), so I've pushed a file with the code created by drozer.
The thing is that now a file named w appears in the directory, but it seems invisible to commands such as rm or just trying to execute the file, although it's there and it has the right permissions.
Very weird :S
This is very unusual behaviour - maybe try on a different phone or emulator? :) You do not need root on the device that you will be testing on.
I've tried in a different emulator; the file is created, but when I try to execute it with the adb shell this is what I get (fragment)
Would it be possible to contact you in a live chat? Thank you very much for everything!
Is this emulator target ARM or x86/Atom? If you download the file to a Linux box, what does "file weasel" say? -Josh
The emulator is an ARM one. I've pulled the file and tried that command in a Linux environment. The result is:
Thanks! |
In the "WebView addJavascriptInterface Remote Code Execution" article, there is a great introduction to drozer payload injecting using the addJavaScriptInterface flaw. However, I think the payload delivery method is broken on Android devices running /system/bin/ash.
The article recommends this line for creating a payload to inject through malicious JavaScript:
Which will give you a one liner:
However, it does not appear that the /system/bin/sh (which is ash) appropriately accommodates octal escaping in this manner:
It looks like ash does not preserve the input data, leaving us with a 1 byte file (expected 6 bytes). Not to be discriminatory, ash doesn't preserve the input data for hex escaping either:
I'm testing this on an Android API15 emulator. Any thoughts on getting escaped binary content delivered to Android devices for Weasel deployment reliably?
Thanks,
-Josh
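The octal-escaped one-liner from this post and the sh -c quoting slip discussed in the comments, as an added triage example (my code, not the issue's, drozer's or MWR's): given a captured injected command, it splits it as a POSIX shell would, decodes the escapes the way bash's builtin echo -e does (\0nnn octal, \xHH hex) and checks for the ELF magic 0177 E L F, so an analyst can recover what was actually written to the device. The sample commands and the /data/local/tmp/w path are constructed, with the payload cut down to its six-byte header.

```python
# Triage helper for the echo -e payload one-liner discussed in this issue.
# Constructed samples: the payload is cut down to the six-byte ELF header.
import re
import shlex

# Quoted form (what the article intends) and the unquoted form the thread found.
CAPTURED_QUOTED = r"""/system/bin/sh -c 'echo -e "\0177\0105\0114\0106\0001\0001" > /data/local/tmp/w'"""
CAPTURED_UNQUOTED = r"""/system/bin/sh -c echo -e "\0177\0105\0114\0106\0001\0001" > /data/local/tmp/w"""

# Escapes bash's builtin `echo -e` understands: \0nnn octal, \xHH hex, C-style letters.
_ESCAPE = re.compile(r"\\(0[0-7]{0,3}|x[0-9a-fA-F]{1,2}|[\\abefnrtv])")
_LETTERS = {"\\": 0x5C, "a": 7, "b": 8, "e": 27, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11}

def decode_echo_e(text: str) -> bytes:
    """Turn the escaped string passed to `echo -e` into the bytes echo would emit."""
    out, pos = bytearray(), 0
    for m in _ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        if esc.startswith("x"):
            out.append(int(esc[1:], 16))
        elif esc.startswith("0"):
            out.append(int(esc, 8) & 0xFF)  # \0177 -> 0x7f, \0105 -> 'E'
        else:
            out.append(_LETTERS[esc])
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))

def command_body(captured: str) -> str:
    """Split like a POSIX shell and return the one word `sh -c` will execute."""
    argv = shlex.split(captured)
    if "-c" in argv and argv.index("-c") + 1 < len(argv):
        return argv[argv.index("-c") + 1]
    return ""

def extract_payload(captured: str) -> bytes:
    """Recover the bytes written to the device, or b'' when the body is not an echo -e."""
    m = re.search(r'echo\s+-e\s+"([^"]*)"', command_body(captured))
    return decode_echo_e(m.group(1)) if m else b""

def looks_like_elf(payload: bytes) -> bool:
    return payload[:4] == b"\x7fELF"

if __name__ == "__main__":
    for label, cmd in (("quoted", CAPTURED_QUOTED), ("unquoted", CAPTURED_UNQUOTED)):
        # Unquoted: the body is just "echo", so the device file receives a lone newline.
        payload = extract_payload(cmd)
        print(label, repr(command_body(cmd)), payload.hex(), looks_like_elf(payload))
```

For the unquoted form the shell body is the bare word echo, with -e and the escaped string demoted to positional parameters, which is why the file on the device ends up one byte long.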