addjsif
Metasploit Exploit Module (MITM) for the Android addJavascriptInterface issue that plagues ad network frameworks in Android apps. For more information, check out "On the WebView addJavascriptInterface Saga" and refer to the references in the module itself.
Motivation:
This project was executed in order to bring more attention to the severity of this issue.
What is still needed:
More interface names per the list in the generate_getjsif method. These are the second (last) argument to the addJavascriptInterface function in the vulnerable WebView consumers. This will ensure the exploit works on the maximum number of vulnerable applications.
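Added example, not part of this module or the jduck repository: a small Python scanner that walks decompiled Java source (as produced by an APK decompiler) and lists every addJavascriptInterface call with its interface name, the second argument described above, plus whether an SDK_INT >= 17 check precedes the call (the usual mitigation for pre-4.2 devices, where every public method of the bound object is reachable through reflection). It is written for auditing apps for exposed bridges and for assembling the interface-name list; the regexes, the guard heuristic and the sample source are my own assumptions.

```python
import re
from collections import namedtuple
# For decompiled Java (e.g. jadx output); a comma inside the first argument defeats CALL_RE.
CALL_RE = re.compile(r'addJavascriptInterface\s*\(\s*([^,]+?)\s*,\s*([^)]+?)\s*\)')
CONST_RE = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"')
GUARD_RE = re.compile(r'SDK_INT\s*(>=|>)\s*(\d+|Build\.VERSION_CODES\.\w+)')
CODE_LEVELS = {"JELLY_BEAN": 16, "JELLY_BEAN_MR1": 17}

# Finding: line number, the call's second argument (resolved when possible), guard flag
Finding = namedtuple("Finding", "line interface_name guarded")

def resolve_name(arg, consts):
    arg = arg.strip()
    if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
        return arg[1:-1]
    # bare identifier or Class.FIELD: look the trailing token up among the constants
    return consts.get(arg.rsplit(".", 1)[-1], "<unresolved:%s>" % arg)

def has_api17_guard(window):
    """True when the window holds an SDK_INT comparison that excludes API < 17."""
    for op, val in GUARD_RE.findall(window):
        level = int(val) if val.isdigit() else CODE_LEVELS.get(val.rsplit(".", 1)[-1])
        if level is not None and level >= (17 if op == ">=" else 16):
            return True
    return False

def scan_java(source, lookback=6):
    """Report every addJavascriptInterface call in one Java source file."""
    consts = dict(CONST_RE.findall(source))
    lines = source.splitlines()
    findings = []
    for idx, text in enumerate(lines):
        for m in CALL_RE.finditer(text):
            window = "\n".join(lines[max(0, idx - lookback):idx + 1])
            name = resolve_name(m.group(2), consts)
            findings.append(Finding(idx + 1, name, has_api17_guard(window)))
    return findings

# Constructed sample standing in for a decompiled ad-SDK class (not real SDK code).
SAMPLE = """\
static final String JS_IFACE = "AdJsInterface";
void setup(WebView wv) {
    wv.addJavascriptInterface(new AdBridge(), JS_IFACE);
    wv.addJavascriptInterface(new Tracker(), "tracker");
    if (Build.VERSION.SDK_INT >= 17) {
        wv.addJavascriptInterface(new SafeBridge(), "safe");
    }
}
"""
```

Run `scan_java` over each decompiled file and collect the unguarded names; a comma inside the first argument or a guard further than `lookback` lines away will be missed, so treat the result as a starting point for manual review.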
Directions for testing:
On your Metasploit host machine:
- Check out the http-proxy branch (not yet merged):
$ git clone https://github.com/jduck/metasploit-framework.git -b http-proxy
NOTE: if you have an existing metasploit-framework checkout, you can download less data using the following commands instead:
$ git remote add jduck https://github.com/jduck/metasploit-framework.git
$ git fetch jduck
$ git checkout jduck/http-proxy
- Create the modules/exploits/android/mitm/http directory inside the checkout.
- Place the module in the modules/exploits/android/mitm/http directory.
- Run the exploit module using a configuration similar to that in the included addjsif-exploit.msfrc file:
$ msfconsole -nL -r addjsif-exploit.msfrc
On your Android test device:
- Go to Settings->Wi-Fi
- Long press an existing connected network, or connect to the one where the Metasploit instance lives.
- Choose "Modify Network" if you are using an existing connection
- Scroll to the bottom (the remaining steps are the same whether connecting or modifying)
- Check the "Show advanced options" box
- Scroll down to "Proxy settings"
- Choose "Manual" from the drop-down
- Scroll down to see the "Proxy hostname" and "Proxy port" fields
- Enter the Metasploit instance's IP address
- Enter the Metasploit module's SRVPORT (8081 in the included msfrc)
- Utilize vulnerable applications
Known Issues:
The HTTP proxy code does not currently handle intercepting SSL traffic
Occasionally requests being transparently proxied may cause Metasploit to lag and stop responding. This can be fixed by:
msf > threads -K
msf > rexploit
The linux/armle/shell/reverse_tcp (staged payload) crashes on armv7