Autopwn Every Android < 4.2 Device on Your Network Using BetterCap and the addJavascriptInterface Vulnerability.

Recently I’ve been playing with Android’s WebView based vulnerabilities, focusing on how to exploit them using a MITM attack.
One of the most interesting ones is the addJavascriptInterface vulnerability ( CVE-2012-6636 ) which affects every device running a version older than Android 4.2.

NOTE

The original title of this post was Autopwn every Android device on your network using BetterCap and the “addJavascriptInterface” vulnerability and some people pointed out it’s a misleading title since “every Android != every Android < 4.2“. I totally agree with them, it wasn’t intentional, the point of this post itself was not to show some uber 0day technique, but just to show how easy it is to use bettercap in order to exploit such type of vulnerabilities.

There’s an excellent post about this vulnerability, long story short, if there’s an app which is using a WebView UI control and it’s declaring a custom javascript interface for it like so:

you can inject some special javascript into that page and make that device execute any shell command you want.

In this post, I’d like to show how easy it is to automatically exploit every vulnerable device on your network using bettercap and for this purpose I’ve wrote the AndroidPwn transparent proxy module.

As you can see, you just need to activate it and specify a --command COMMAND command line argument and you’re ready to go.

Leave it running and it will automatically perform a Man-In-The-Middle attack on your network and execute the command(s) you’ve chosen on every single Android device it will find on the network.