This module combines two vulnerabilities to achieve remote code
execution on affected Android devices. First, the module exploits
CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in
versions of Android's open source stock browser (the AOSP Browser) prior to
4.4. Second, the Google Play store's web interface fails to enforce a
X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be
targeted for script injection. As a result, this leads to remote code execution
through Google Play's remote installation feature, as any application available
on the Google Play store can be installed and launched on the user's device.
This module requires that the user is logged into Google with a vulnerable browser.
To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.
- Rafay Baloch
- joev <firstname.lastname@example.org>