The Android Exploit Mixin

This week, Rapid7's Joe Vennix refactored our tried and true methods for exploiting the addJavascriptInterface vulnerability, which happens to be present on a ton of consumer Android devices and Google Play store-approved apps. That means a couple of things for Android exploit developers. First, there's now a testable library for adding new and exciting Android exploit techniques, which is nice from a developer standpoint.

Also, this refactoring enabled the creation of the Adobe PDF Reader version of the exploit. Yep, it turns out that Adobe's mobile app was vulnerable to the addJavascriptInterface issue until about mid-April of 2014. I wonder how many other apps with over a million downloads are exposed to this vulnerability?

If you're wondering the same thing, I suggest picking up the quite excellent Android Hacker's Handbook by Josh "jduck" Drake, Zach Lanier, Collin Mulliner, Pau Oliva Fora, Stephen A. Ridley, and Georg Wicherski. With this tome in hand, you can get down to the business of exploring Android as a target. We have a place to stash more exploit techniques now, we provided a functioning Meterpreter payload for Android devices, and many of the authors of the Handbook are already familiar with Metasploit module writing. With all these elements in place, I'm looking forward to a summer of Android exploits.

iPhone Meterpreter?

In other news, Metasploit contributor Anwar Mohamed has indicated that he's starting work on an iPhone version of Meterpreter, beginning with a couple of posts to the metasploit-hackers mailing list. If you're interested in helping out there, I'm sure he'd take it. After all, I don't want to give the impression that Metasploit is only interested in beating up on Android. We're happy to target pretty much any device that's hanging around on the Internet.

New Modules

In addition to the above-mentioned Android file format exploit, we have a new exploit for the Easy File Management Web Server, as well as a handy new scanner module which tests for the OpenSSL ChangeCipherSpec vulnerability announced a couple weeks ago, and a slew of other auxiliary modules. Check 'em out below:

Exploit modules

Auxiliary and post modules

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 14-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.

For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes.