Android addJavascriptInterface meterpreter #3040

Closed

@timwr
Collaborator
timwr commented Feb 26, 2014

The addjavascriptinterface exploit returns a shell session, however it's not easy to upgrade that session to meterpreter without dropping a root exploit. After these changes it drops a JNI stager which loads a meterpreter session within the vulnerable application. The javapayload PR is here: rapid7/metasploit-javapayload#9

  • use exploit/android/browser/webview_addjavascriptinterface; exploit
  • navigate to the url on a vulnerable Android device/browser
  • a meterpreter session will be opened instead of a shell session
  • webcam_stream should work if the exploited app has camera permissions (most do)
@jvennix-r7

Awesome.

@wvu-r7
Collaborator
wvu-r7 commented Feb 26, 2014

This is great!

@wvu-r7
Collaborator
wvu-r7 commented Feb 26, 2014

Testing!

@infodox
infodox commented Feb 26, 2014

Out of curiosity, is the framework in place for local privesc exploits on Android devices?

@wvu-r7
Collaborator
wvu-r7 commented Feb 26, 2014

Working here in the emulator and a physical device!

@wvu-r7
Collaborator
wvu-r7 commented Feb 26, 2014

@infodox: Don't think so. Contributions welcome. :)

@wvu-r7
Collaborator
wvu-r7 commented Feb 26, 2014

Emulator:

meterpreter > sysinfo 
Computer    : localhost
OS          : Linux 2.6.29-gc497e41 (armv7l)
Meterpreter : java/java
meterpreter > 

Willing victim's phone:

meterpreter > sysinfo 
Computer    : localhost
OS          : Linux 3.0.16-Titanium-KISS-USB (armv7l)
Meterpreter : java/java
@wvu-r7
Collaborator
wvu-r7 commented Feb 26, 2014

getuid, record_mic, and webcam_* don't work in either case. I think @jlee-r7 got record_mic but not webcam_* working on @todb-r7's test device.

@jvennix-r7

@infodox I don't see why not, it can be added as a local exploit for the android platform (modules/exploits/android/local/rootexploit.rb) and then run like a post module.

@wvu-r7
Collaborator
wvu-r7 commented Feb 27, 2014

I remember now. @jlee-r7 was using Meterpreter directly, so he must have had the right permissions to use record_mic for that device. Thanks to @timwr and @jduck for explaining that the browser doesn't usually have camera/microphone permissions.

@jvennix-r7

Did some testing in emulator, this looks like a good step forward. The jni stager works well for me. A permission check in meterpreter would be nice (if that's possible without actually trying to capture from the webcam), but this at least has no stack traces. I'll do some more device testing today and comment if anything goes wrong.

We probably shouldn't land the bins from here (no offense @timwr, we have to be universally cautious about unverifiable binaries). So before this can land, I think we need a separate PR here, from whoever lands the webcam_stream PR on metasploit-javapayload. @timwr please remove the .jar/.so bins from this PR (although they were handy to test with). If you could squash them out of the git history that would be even better :)

@timwr
Collaborator
timwr commented Mar 7, 2014

Hi guys, thanks for testing. I've removed the binaries from the history, no offence taken. It looks like Google Glass is the only device with camera permissions in the stock browser. If you test with an app which contains camera permissions (e.g. http://www.appsapk.com/baidu-browser/) it should work too (on a real device or emulator with camera enabled). @jlee-r7 reported webcam_stream wasn't working on a Samsung Galaxy Rush, but I can't reproduce on any of my devices, which makes it difficult to debug.

@timwr timwr closed this Mar 25, 2014