XSS ChEF - Chrome Extension Exploitation Framework

by Krzysztof Kotowicz ver 1.0

https://github.com/koto/xsschef

About

This is a Chrome Extension Exploitation Framework - think BeEF for Chrome extensions. Whenever you encounter an XSS vulnerability in a Chrome extension, ChEF will ease the exploitation.

What can you actually do (when having appropriate permissions)?

Demo

See http://youtu.be/KmIG2EKLP2M for a demonstration video. BeEF hooking: http://youtu.be/uonVWh0QO1A

Installation & usage

Set up ChEF server (on attacker's machine)

ChEF has three separate backends to choose from: PHP/XHR, PHP/WebSockets and node.js/WebSockets.

PHP

The PHP backends require only PHP and an HTTP server (Apache/nginx) for hosting the attacker's command & control center.

You can choose one of two flavours:

WebSockets (recommended) - requires launching a PHP WebSocket server that will listen on a separate TCP port.

XHR - Legacy mode. Communication with hooked browsers has certain latency as it is based on XMLHttpRequest polling.

To install the PHP version, just download the files somewhere within your document root.

$ mv xsschef /var/www/

If you want to use the XHR backend, you're done. If you want to use the WebSockets backend, additionally launch a PHP WebSocket server:

$ php server.php [port=8080] [host=127.0.0.1] 2>log.txt

Node.js

The Node.js version requires a node.js installation and is much faster, as it is based on the WebSockets protocol.

Installation:

$ npm install websocket
  # windows users: npm install websocket@1.0.3
  # see https://github.com/Worlize/WebSocket-Node/issues/28
$ npm install node-static
$ node server.js [chosen-tcp-port] 2>log.txt

Launch ChEF console (on attacker's machine)

Hook Chrome extension (on victim's)

First, you have to find an XSS vulnerability in a Google Chrome addon. I won't help you here. This is similar to looking for XSS in webpages, but totally different, as there are way more DOM-based XSSes than reflected ones and the debugging is different.

Once you have found a vulnerable extension, inject it with the ChEF hook script. See the 'hook' menu item in the console UI for the hook code.

ChEF ships with an example XSS-able Chrome addon in the vulnerable_chrome_extension directory. Install this unpacked extension (Tools, Extensions, Developer mode, load unpacked extension) in Chrome to test.

Exploit

Once the code has been injected and run, a notification should be sent to the console, so you can choose the hook by clicking on the 'choose hooked browser' icon on the left and start exploiting.

How does it work?

               ATTACKER                                VICTIM(S)

                                                                      +------------+
                                                                      |  tab 1     |
                                                             command  | http://..  |
                                                           +---------->            |
                                                           |          +------------+
                                                           |
   +------------+                              +-----------+-+
   |  console   |                              | addon w/XSS |  result+------------+
   |            |   +-------------+  (XHR/WS)  |             |<------+|  tab 2     |
   |            |+->| ChEF server |<----------+|             |+------>+ https://.. |
   |            |<-+|             |+---------->|  ChEF hook  |        |            |
   |            |   +-------------+            |             |        +------------+
   +------------+                              +-----------+-+
                                                           |
                                                           |          +------------+
                                                           |          |  tab 3     |
                                                           +----------> https://.. |
                                                                      |            |
                                                                      +------------+
                                                                      

Chrome addons usually have permissions to access individual tabs in the browser. They can also inject JS code into those tabs. So addons are theoretically capable of doing a global XSS on any tab. When there is an exploitable XSS vulnerability within a Chrome addon, an attacker (with a ChEF server) can do exactly that.

The script injected into the Chrome extension (the ChEF hook, served from a ChEF server) moves to the extension's background page and installs JS code into every tab it has access to. This JS code listens for various commands from the addon and responds to them. The ChEF-hooked addon in turn receives commands and responds to them by connecting to the ChEF server on the attacker's machine (using an XMLHttpRequest or WebSockets connection). The attacker also has a nice web-based UI console to control this whole XSS-based botnet.

Exploitability requirements

Vulnerable extension needs to have:

To be able to read/write cookies, the cookies permission is needed, though you can get non-httpOnly cookies with eval(). To manipulate history, the history permission is needed.
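
For extension authors and reviewers, the permissions named above decide how much an XSS inside the extension is worth. The following sketch is an added example, not part of ChEF or of the original README: it audits a manifest for tab, cookie, history and host access, plus a CSP that permits eval. The BROAD_HOSTS list, the severity scale and both sample manifests are assumptions of this example.

```javascript
// Added example: list the powers that script running inside an extension would inherit.
// BROAD_HOSTS and the severity scale are assumptions of this example.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const SENSITIVE_APIS = ['tabs', 'cookies', 'history'];

// MV2 stores the CSP as a string, MV3 as an object with an extension_pages entry.
function extensionCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (!csp) return '';
  return typeof csp === 'string' ? csp : (csp.extension_pages || '');
}

function auditManifest(manifest) {
  // MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])]
    .filter((p) => typeof p === 'string');
  const hosts = perms.filter((p) => p === '<all_urls>' || p.includes('://'));
  const broad = hosts.filter((p) => BROAD_HOSTS.has(p));
  const scoped = hosts.filter((p) => !BROAD_HOSTS.has(p));
  const findings = [];
  if (broad.length) findings.push(`broad host access: ${broad.join(', ')}`);
  if (scoped.length) findings.push(`scoped host access: ${scoped.join(', ')}`);
  for (const api of SENSITIVE_APIS) {
    if (perms.includes(api)) findings.push(`API permission: ${api}`);
  }
  if (extensionCsp(manifest).includes("'unsafe-eval'")) {
    findings.push("CSP allows 'unsafe-eval' in extension pages");
  }
  // Broad host access means injected script could reach every tab, so rank it highest.
  const severity = broad.length ? 'high' : findings.length ? 'medium' : 'low';
  return { severity, findings };
}

// Constructed sample manifests (not taken from any real extension).
const overPrivileged = {
  manifest_version: 2,
  permissions: ['tabs', 'cookies', 'http://*/*', 'https://*/*'],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
const leastPrivilege = {
  manifest_version: 3,
  permissions: ['storage'],
  host_permissions: ['https://api.example.com/*'],
};

for (const m of [overPrivileged, leastPrivilege]) {
  console.log(JSON.stringify(auditManifest(m), null, 2));
}
```

A 'high' result does not mean the extension is vulnerable; it means that any script-injection bug in it would carry the cross-tab reach described in this section.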

More info

XSS ChEF was demonstrated during the Black Hat USA 2012 "Advanced Chrome Extension Exploitation: Leveraging API powers for Better Evil" workshops. There is more info about the workshops and XSS ChEF in the whitepaper.

Licence

XSS ChEF - Chrome Extension Exploitation framework Copyright (C) 2012 Krzysztof Kotowicz - http://blog.kotowicz.net

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.