This Metasploit module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Androids open source stock browser (the AOSP Browser) prior to 4.4. Second, the Google Play stores web interface fails to enforce a X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be targeted for script injection. As a result, this leads to remote code execution through Google Plays remote installation feature, as any application available on the Google Play store can be installed and launched on the users device. This Metasploit module requires that the user is logged into Google with a vulnerable browser. To list the activities in an APK, you can use aapt dump badging /path/to/app.apk.
328d1360b3bebdb1d86c00098a6491927d2bd65f1172897b674f5d8cc7695731
This Metasploit module exploits an unsafe intent URI scheme and directory traversal found in Android Mercury Browser version 3.2.3. The intent allows the attacker to invoke a private wifi manager activity, which starts a web server for Mercury on port 8888. The webserver also suffers a directory traversal that allows remote access to sensitive files. By default, this module will go after webviewCookiesChromium.db, webviewCookiesChromiumPrivate.db, webview.db, and bookmarks.db. But if this isnt enough, you can also specify the ADDITIONAL_FILES datastore option to collect more files.
42c6caf8a1093e6428f263ebc0ed216930afb756d1796e8f552f46a3d7e1ee90
This Metasploit module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Androids open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.
515d589ae7fa921c6c47ddf5fa3b3cc8aad06aec0fe62c65331d5cac2c574d51
Versions of Safari before 8.0.6, 7.1.6, and 6.2.6 are vulnerable to a "state management issue" that allows a browser window to be navigated to a file:// URL. By dropping and loading a malicious .webarchive file, an attacker can read arbitrary files, inject cross-domain Javascript, and silently install Safari extensions.
ec1e4e18a1e9d055c3ab49c1e568cfd98484e3ffe54d3a28caba066e8099b47f
A website that serves a JSONP endpoint that accepts a custom alphanumeric callback of 1200 chars can be abused to serve an encoded swf payload that steals the contents of a same-domain URL. Flash < 14.0.0.145 is required. This Metasploit module spins up a web server that, upon navigation from a user, attempts to abuse the specified JSONP endpoint URLs by stealing the response from GET requests to STEAL_URLS.
92e080f88fea448cf79daadcf325b642ed35659e502007b4093420f78d5d12d2
This Metasploit module steals the cookie, password, and autofill databases from the Browser application on AOSP 4.3 and below.
461f161dc15f2136e113fe628614a254fcbe8647f9473ac567fe7752ac4fa00a
In Androids stock AOSP Browser application and WebView component, the "open in new tab" functionality allows a file URL to be opened. On versions of Android before 4.4, the path to the sqlite cookie database could be specified. By saving a cookie containing a <script> tag and then loading the sqlite database into the browser as an HTML file, XSS can be achieved inside the cookie file, disclosing *all* cookies (HttpOnly or not) to an attacker.
70b3a8344e4fcf5439123086e568b9e7984fe8d61764dc191d64ca919125593d
This Metasploit module exploits a universal cross-site scripting (UXSS) vulnerability found in Internet Explorer 10 and 11. By default, you will steal the cookie from TARGET_URI (which cannot have X-Frame-Options or it will fail). You can also have your own custom JavaScript by setting the CUSTOMJS option. Lastly, you might need to configure the URIHOST option if you are behind NAT.
37a50587dbae737c3c34aae3bf793f8dca961d0813adb06f366e89505427010a
This Metasploit module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Androids open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. If your target URLs use X-Frame-Options, you can enable the "BYPASS_XFO" option, which will cause a popup window to be used. This requires a click from the user and is much less stealthy, but is generally harmless-looking. By supplying a CUSTOM_JS parameter and ensuring CLOSE_POPUP is set to false, this module also allows running arbitrary javascript in the context of the targeted URL. Some sample UXSS scripts are provided in data/exploits/uxss.
c310932b590c18e1c4846f4e90d57edda5909db4103dc3c5954aec52431efc71
A vulnerability exists in versions of OSX, iOS, and Windows Safari released before April 8, 2015 that allows the non-HTTPOnly cookies of any domain to be stolen.
4a33fb3750429fbc48b60b65f9266ada10b36414af7a3f3d44b49aac0e5a6e4f
Generates a .webarchive file for Mac OS X Safari that will attempt to inject cross-domain Javascript (UXSS), silently install a browser extension, collect user information, steal the cookie database, and steal arbitrary local files. When opened on the target machine the webarchive file must not have the quarantine attribute set, as this forces the webarchive to execute in a sandbox.
111b8b484280c1043940976e5d33858cc2c48891b75d23d8260fce63f84a668f
This Metasploit module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions released before 0.10.21 and 0.8.26. The attack sends many pipelined HTTP requests on a single connection, which causes unbounded memory allocation when the client does not read the responses.
3c4090a80e405ae048f982af0147a29882b5e2144d973004c4f00f0a9a827a7b
When Ruby attempts to convert a string representation of a large floating point decimal number to its floating point equivalent, a heap-based buffer overflow can be triggered. This Metasploit module has been tested successfully on a Ruby on Rails application using Ruby version 1.9.3-p448 with WebRick and Thin web servers, where the Rails application crashes with a segfault error. Other versions of Ruby are reported to be affected.
2d1198655520ca701328d30ac959c34844102b92bdc9874522f9945cc8f352d4
This Metasploit module exploits a Denial of Service (DoS) condition in Action View that requires a controller action. By sending a specially crafted content-type header to a Rails application, it is possible for it to store the invalid MIME type, and may eventually consume all memory if enough invalid MIMEs are given. Versions 3.0.0 and other later versions are affected, fixed in 4.0.2 and 3.2.16.
ab51a5c69c973f0ef025d78468148691dba860bd658962c6483b09479bf2f021
This Metasploit module generates and hosts a 10MB single-round gzip file that decompresses to 10GB. Many applications will not implement a length limit check and will eat up all memory and eventually die. This can also be used to kill systems that download/parse content from a user-provided URL (image-processing servers, AV, websites that accept zipped POST data, etc). A FILEPATH datastore option can also be provided to save the .gz bomb locally. Some clients (Firefox) will allow for multiple rounds of gzip. Most gzip utils will correctly deflate multiple rounds of gzip on a file. Setting ROUNDS=3 and SIZE=10240 (default value) will generate a 300 byte gzipped file that expands to 10GB.
109e4f8eeadf1369357dbe92b3e5259d38efad80b285a2816ecf206f401bce6e
sudo version 1.8.28 suffers from a security bypass vulnerability.
ec35a5c3501bc30592776b4e452cfc692b4f63c07d8cfcfbaac9a2658edd5f5a
This Metasploit module writes and spawns a native payload on an android device that is listening for adb debug messages.
2640ae56b805049663375ef5896d5d962a5262a64ccd23e5e08906e8bd85f1c9
In versions of Mac OS X before 10.11.1, the applescript:// URL scheme is provided, which opens the provided script in the Applescript Editor. Pressing cmd-R in the Editor executes the code without any additional confirmation from the user. By getting the user to press cmd-R in Safari, and by hooking the cmd-key keypress event, a user can be tricked into running arbitrary Applescript code. Gatekeeper should be disabled from Security and Privacy in order to avoid the unidentified Developer prompt.
9ce25e64b927af84c807e90aff34d53a6d9d3e37334d7f8087944eb2e190924f
This Metasploit module exploits the rootpipe vulnerability and bypasses Apple's initial fix for the issue by injecting code into a process with the 'admin.writeconfig' entitlement.
675bfb209258c4d794420d872c3ae4a648abbf5cb0e2af4ea23e9559348211b2
This Metasploit module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability.
c7380b4bd424349eceddb0191b851de4ff91a0a5afb8b3430ceffce5b834c992
In Apple OS X 10.10.4 and prior, the DYLD_PRINT_TO_FILE environment variable is used for redirecting logging data to a file instead of stderr. Due to a design error, this feature can be abused by a local attacker to write arbitrary files as root via restricted, SUID-root binaries.
5f8a24055c7eacceccce25d80da65ff0a662a967a7f926c2fe621369f5e41ae2
This Metasploit module exploits a hidden backdoor API in Apple's Admin framework on Mac OS X to escalate privileges to root, dubbed Rootpipe. Tested on Yosemite 10.10.2 and should work on previous versions. The patch for this issue was not backported to older releases. Note: you must run this exploit as an admin user to escalate to root.
6e27a1e1f2bcf759b740ad9887024027c9c87f0045ced259f32d35e3a7522fe1
This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect component and gaining a reference to the privileged chrome:// window. This exploit requires the user to click anywhere on the page to trigger the vulnerability.
13186b54048c8cc06f8faee910912cf899136fc7728d1db2115267711277790d
This Metasploit module generates a Javascript file that executes arbitrary code when an eval-based unpacker is run on it. Works against js-beautify's P_A_C_K_E_R unpacker.
194f0e7d20b41bd0f60332ef1dde95810fea4f44e8d6390c5cd8dd449d473c9b
A heap overflow in IOHIKeyboardMapper::parseKeyMapping allows kernel memory corruption in Mac OS X before 10.10. By abusing a bug in the IORegistry, kernel pointers can also be leaked, allowing a full kASLR bypass. Tested on Mavericks 10.9.5, and should work on previous versions. The issue has been patched silently in Yosemite.
11133f34a345562636b3137fbe3bb6e9f2ec2aa4045b1360d1b0885244f3d580