Installing Userscripts
November 19, 2011
So assume one can get an arbitrary executable to run on the user’s machine with full privileges using an exploit such as the one presented in the last post. What would you have to do to automatically install a userscript for the current browser?
Firefox (with GreaseMonkey extension)
Unfortunately, Firefox does not natively support userscripts and requires the GreaseMonkey extension to be installed. However, this browser extension is quite popular (3,657,735 daily users and 50+ million downloads) so we can assume a significant part of users will be affected. To install a userscript called puppet_hack, there are two steps required:
- Create the folder puppet_hack inside the userscript folder located at:
    %AppData%\Mozilla\Firefox\Profiles\[user profile].default\gm_scripts
  and drop your script inside it, making sure it has the extension .user.js (e.g. puppet_hack.user.js).
- Add an entry into the config.xml file in the userscript folder to register your script. One of the attributes required in the <Script> tag is called dependhash. Although it might look tricky to work out how to generate it, in fact one can just give it any value and GreaseMonkey will overwrite it with a correct value when Firefox is opened. Moreover, it seems that ALL userscripts are given the same dependhash value, so we are not sure of its use. Accordingly, the entry to be added in config.xml might look like:
    <Script filename="puppet_hack.user.js" name="Puppet Hack" namespace="http://example.com/"
            description="Puppet Hack Description" version="" enabled="false" runAt="document-end"
            basedir="puppet_hack" modified="100000000000" dependhash="aaaaaa"
            checkRemoteUpdates="false" updateAvailable="false" lastUpdateCheck="999999999999"
            installurl="http://example.com/x.user.js" updateurl="http://example.com/x.user.js">
        <Include>http://*.*/*</Include>
    </Script>
  and after the next browser run, it would look like:
    <Script filename="puppet_hack.user.js" name="Puppet Hack" namespace="http://example.com/"
            description="Puppet Hack Description" version="" enabled="false" runAt="document-end"
            basedir="puppet_hack" modified="1321401402839" dependhash="da39a3ee5e6b4b0d3255bfef95601890afd80709"
            checkRemoteUpdates="false" updateAvailable="false" lastUpdateCheck="999999999999"
            installurl="http://example.com/x.user.js" updateurl="http://example.com/x.user.js">
        <Include>http://*.*/*</Include>
    </Script>
Opera
The most overlooked browser actually has integrated a userscript engine. Userscripts are easiest to install on Opera.
- Make sure the userscript folder is set, and the use of userscripts is enabled, including on https pages. For the common user, this might imply fiddling with the configuration panel. However, this can be done automatically by editing the Opera preferences file, conveniently stored in ini format at:
    %AppData%\Opera\Opera\operaprefs.ini
  The settings which have to be changed/added are:
    User JavaScript File=[any directory on local drive (e.g. %AppData%\Opera\Opera\OperaScripts)]
    User JavaScript=1
    Always Load User JavaScript=1
    User JavaScript on HTTPS=1
- Next, all you have to do is copy the userscript into the selected folder, making sure it has a .user.js extension.
Google Chrome
Chrome is the trickiest browser in which to automatically install userscripts. Chrome must convert each userscript into a stand-alone browser extension. To do this, an extension hash is computed and used to name the folder where the extension is installed inside:
    %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Extensions
The extension folder must contain another folder corresponding to the version (e.g. 1.0_0) and inside it the userscript (named script.js) must be placed together with a manifest file (manifest.json) containing, among other things, the URLs where the userscript is active and a key value we don’t know yet how to obtain (good thing that Chrome is open sourced!):
    {
      "content_scripts": [ {
        "exclude_globs": [ ],
        "include_globs": [ "http://*/*", "https://*/*" ],
        "js": [ "script.js" ],
        "matches": [ "http://*/*", "https://*/*" ],
        "run_at": "document_idle"
      } ],
      "converted_from_user_script": true,
      "description": "Puppet Hack Description",
      "key": "DiYAN8tnqM1jnyUv/Sij4c9KIVKZxOvGU/eQDWIE4Uk=",
      "name": "Puppet Hack",
      "version": "1.0"
    }
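Seen from the defender's side, each of the three install paths above leaves a readable artifact. The following is an added example (not code from the original post) that audits the content of GreaseMonkey's config.xml, Opera's operaprefs.ini and a Chrome manifest.json, and reports userscripts that run on every site. The sample inputs are constructed, and the function names, the <UserScriptConfig> wrapper element and the fix_layout script are assumptions.

```python
import json
import re
import xml.etree.ElementTree as ET

# Match-everything patterns such as http://*/*, https://*/* or http://*.*/*
BROAD = re.compile(r"^(\*|https?)://\*[^/]*/\*$")

def audit_greasemonkey(config_xml):
    """(filename, include) for each registered script that runs on all sites."""
    root = ET.fromstring(config_xml)
    return [(s.get("filename"), i.text.strip())
            for s in root.iter("Script") for i in s.iter("Include")
            if i.text and BROAD.match(i.text.strip())]

def audit_opera(prefs_text):
    """User JavaScript settings in operaprefs.ini that are set and not '0'."""
    found = {}
    for line in prefs_text.splitlines():
        key, sep, value = (part.strip() for part in line.partition("="))
        if sep and "User JavaScript" in key and value not in ("", "0"):
            found[key] = value
    return found

def audit_chrome(manifest_json):
    """Broad URL patterns of an extension Chrome converted from a userscript."""
    manifest = json.loads(manifest_json)
    if not manifest.get("converted_from_user_script"):
        return []
    patterns = {p for cs in manifest.get("content_scripts", [])
                for p in cs.get("matches", []) + cs.get("include_globs", [])}
    return sorted(p for p in patterns if BROAD.match(p))

# Constructed samples modelled on this post; wrapper tag and fix_layout are assumed.
SAMPLE_GM = """<UserScriptConfig>
<Script filename="puppet_hack.user.js" basedir="puppet_hack" enabled="false">
<Include>http://*.*/*</Include></Script>
<Script filename="fix_layout.user.js" basedir="fix_layout" enabled="true">
<Include>http://example.com/news/*</Include></Script>
</UserScriptConfig>"""
SAMPLE_OPERA = ("User JavaScript File=C:\\OperaScripts\nUser JavaScript=1\n"
                "Always Load User JavaScript=0\nUser JavaScript on HTTPS=1\n")
SAMPLE_CHROME = json.dumps({"converted_from_user_script": True, "content_scripts": [
    {"js": ["script.js"], "include_globs": ["http://*/*", "https://*/*"],
     "matches": ["http://*/*", "https://*/*"]}]})

if __name__ == "__main__":
    for finding in (audit_greasemonkey(SAMPLE_GM), audit_opera(SAMPLE_OPERA),
                    audit_chrome(SAMPLE_CHROME)):
        print(finding)
```

Any hit is a prompt to review the script file itself and to compare the entry against what the user knowingly installed.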