
Adds a :vuln_test option to BES, use it in the Android Webview Exploit #3934

Merged
merged 2 commits into from Oct 2, 2014

Conversation

jvennix-r7
Contributor

This attempts to add the :vuln_test functionality from BAP to the BES mixin. I've also added a :vuln_test_error key that allows printing a custom error message when the check fails.

Verification
  • get a shell with exploit/android/browser/webview_addjavascriptinterface on an affected version

  • browse to the exploit on a non-vulnerable version (Stock browser on anything 4.2 and up will work)

  • you should get two errors in msfconsole:

    [!] 192.168.0.4      webview_addjavascriptinterface - Exploit requirement(s) not met: vuln_test. For more info: http://r-7.co/PVbcgx
    [!] 192.168.0.4      webview_addjavascriptinterface - No vulnerable Java objects were found in this web context.
    
  • ensure you can get a shell with any other BES module (to ensure the absence of :vuln_test in BrowserRequirements does not cause the exploit to fail)

I needed this to run a custom JS check for the Android webview vuln when the exploit is served straight through BES. The check already existed when using BAP, so I tried to preserve that syntax, and also added a :vuln_test_error as an optional error message.

This commit also does some mild refactoring of un-useful behavior in BES.
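As an added illustration (not Metasploit's own code and not part of this PR), the requirement-check flow described above modelled in plain Ruby: a requirements hash carrying :vuln_test and :vuln_test_error, a target profile in which the client-reported result of the JS check is assumed to arrive as a boolean under :vuln_test, and the case of a module that declares no :vuln_test at all. The hash shape, profile fields and helper names are assumptions.

```ruby
# Illustrative model of a BES-style requirements check (assumed API, not
# Metasploit's). :vuln_test holds client-side JS; the browser runs it and
# reports a boolean back, which we assume lands in the profile as :vuln_test.

# A requirements hash as a browser-exploit module might declare it (assumed shape).
# :vuln_test_error is the optional message printed when the JS check reports false.
REQS = {
  os_name: 'Android',
  ua_name: 'Chrome',
  vuln_test: "/* client-side JS check; result reported back as 'vuln_test' */",
  vuln_test_error: 'No vulnerable Java objects were found in this web context'
}

# Compare a target profile gathered from the client against the requirements.
# Returns [met?, unmet_keys] so the caller can log and decide whether to serve anything.
def check_requirements(profile, reqs)
  unmet = []
  reqs.each do |key, value|
    case key
    when :vuln_test_error
      next                                   # message only, never compared
    when :vuln_test
      # Only an explicit true from the client satisfies the vuln test.
      unmet << key unless profile[:vuln_test] == true
    else
      # Ordinary requirements: String must match exactly, Regexp must match, Proc decides.
      actual = profile[key]
      ok = case value
           when Regexp then value.match?(actual.to_s)
           when Proc   then value.call(actual)
           else actual == value
           end
      unmet << key unless ok
    end
  end
  [unmet.empty?, unmet]
end

# Build the console messages the verification step above describes.
def requirement_messages(profile, reqs)
  met, unmet = check_requirements(profile, reqs)
  return [] if met
  msgs = ["Exploit requirement(s) not met: #{unmet.join(', ')}"]
  msgs << reqs[:vuln_test_error] if unmet.include?(:vuln_test) && reqs[:vuln_test_error]
  msgs
end
```

A module whose requirements omit :vuln_test is never failed for its absence, which is the last verification step above.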
@jvennix-r7
Contributor Author

This addresses Issue #3911.

@wchen-r7
Contributor

wchen-r7 commented Oct 2, 2014

Vulnerable Android:

msf exploit(webview_addjavascriptinterface) > [*] Using URL: http://0.0.0.0:8080/joe2
[*]  Local IP: http://192.168.1.64:8080/joe2
[*] Server started.
[*] 192.168.1.83     webview_addjavascriptinterface - Gathering target information.
[*] 192.168.1.83     webview_addjavascriptinterface - Sending response HTML.
[*] 192.168.1.83     webview_addjavascriptinterface - Serving armle exploit...
[*] Sending stage (43586 bytes) to 192.168.1.83
[*] Meterpreter session 1 opened (192.168.1.64:4444 -> 192.168.1.83:52663) at 2014-10-02 14:02:06 -0500

Non-vulnerable Android:

msf exploit(webview_addjavascriptinterface) > [*] Using URL: http://0.0.0.0:8080/test
[*]  Local IP: http://192.168.1.64:8080/test
[*] Server started.
[*] 192.168.1.119    webview_addjavascriptinterface - Gathering target information.
[*] 192.168.1.119    webview_addjavascriptinterface - Sending response HTML.
[!] 192.168.1.119    webview_addjavascriptinterface - Exploit requirement(s) not met: vuln_test. For more info: http://r-7.co/PVbcgx
[!] 192.168.1.119    webview_addjavascriptinterface - No vulnerable Java objects were found in this web context

tried ie_cbutton_uaf:

msf exploit(ie_cbutton_uaf) > [*] Using URL: http://0.0.0.0:8080/GixWQfa
[*]  Local IP: http://192.168.1.64:8080/GixWQfa
[*] Server started.
[*] 192.168.1.64     ie_cbutton_uaf - Requesting: /GixWQfa
[*] 192.168.1.64     ie_cbutton_uaf - Target selected as: IE 8 on Windows XP SP3
[*] 192.168.1.64     ie_cbutton_uaf - Sending HTML...
[*] Sending stage (769536 bytes) to 192.168.1.64
[*] Meterpreter session 1 opened (192.168.1.64:4444 -> 192.168.1.64:51863) at 2014-10-02 16:29:02 -0500
[*] Session ID 1 (192.168.1.64:4444 -> 192.168.1.64:51863) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (508)
[*] Spawning notepad.exe process to migrate to

@wchen-r7 wchen-r7 merged commit 6571213 into rapid7:master Oct 2, 2014
wchen-r7 added a commit that referenced this pull request Oct 2, 2014