Initial commit

HOTP.js

@@ -0,0 +1,47 @@
+function hotp(key, counter) {
+    function SHA1(message) {
+        var m  = [], w  = [], r  = new String(), l  = message.length * 8, H  = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0];
+        for (var c = 0, l = 0; c < message.length; c++, l += 8)
+            m[l >>> 5] |= message.charCodeAt(c) << (24 - l % 32);
+        m[l >> 5] |= 0x80 << (24 - l % 32), m[((l + 64 >>> 9) << 4) + 15] = l;
+        for (var i = 0; i < m.length; i += 16) {
+            var a = H[0], b = H[1], c = H[2], d = H[3], e = H[4];
+            for (var j = 0; j < 80; j++) {
+                if (j < 16)  w[j] = m[i + j];
+                else {
+                    var n = w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16];
+                    w[j] = (n << 1) | (n >>> 31);
+                }
+                var t = ((a << 5) | (a >>> 27)) + e + (w[j] >>> 0) + (
+                         j < 20 ? (b & c | ~b & d) + 0x5A827999 : j < 40 ? (b ^ c ^ d) + 0x6ED9EBA1 :
+                         j < 60 ? (b & c | b & d | c & d) + 0x8F1BBCDC : (b ^ c ^ d) + 0xCA62C1D6);
+                e =  d, d = c, c = (b << 30) | (b >>> 2), b =  a, a =  t;
+            }
+            H[0] += a, H[1] += b, H[2] += c, H[3] += d, H[4] += e;
+        }
+		for (var b = 0; b < 20; b += 1) r += (String.fromCharCode((H[b >>> 2] >>> ((3 - b % 4) << 3)) & 0xFF));
+		return r;
+    };
+    function HMAC_SHA1(message, key) {
+        key = key.length > 64 ? SHA1(key) : key.padEnd(64, '\0');
+        var okey = new String(), ikey = new String();
+        for (var i = 0; i < 64; i++)
+            okey += String.fromCharCode(key.charCodeAt(i) ^ 0x5C), ikey += String.fromCharCode(key.charCodeAt(i) ^ 0x36);
+        var hmacbytes = SHA1(okey + SHA1(ikey + message));
+        return hmacbytes;
+    };
+    function formatCounter(counter) {
+        var hex = parseInt(counter).toString(16).padStart(16, '0'), str = new String();
+        for(var i = 0; i < hex.length; i += 2)
+            str += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
+        return str;
+    }
+    function truncate(h) {
+        offset = h.charCodeAt(19) & 0xF;
+        return ((h.charCodeAt(offset++) & 0x7F) << 24 
+               | h.charCodeAt(offset++) << 16 
+               | h.charCodeAt(offset++) << 8 
+               | h.charCodeAt(offset++)).toString().slice(-6);
+    }
+    return truncate(HMAC_SHA1(formatCounter(counter), key));
+}

README.md

@@ -0,0 +1 @@
+Boiler AutoLogin

casLoginInjection.js

@@ -0,0 +1,21 @@
+window.onload=function(){
+    document.getElementById("boilerKeyLogo").innerHTML = "<button>Bypass BoilerKey, Login NOW</button>";
+    function processForm(e) {
+        e.preventDefault();
+        chrome.storage.sync.get(["counter", "alias", "pin", "key"], function(result) {
+            if(result.key && result.counter && result.alias && result.pin){
+                otp = hotp(result.key, result.counter);
+                document.getElementById("username").value = result.alias;
+                document.getElementById("password").value = result.pin + "," + otp;
+                chrome.storage.sync.set({"counter": parseInt(result.counter) + 1});
+                document.getElementsByName("submit")[0].click();
+            }else{
+                alert("Please complete auto login setup before continuing.");
+            }
+        });
+        return false;
+    }
+
+    var form = document.getElementById('boilerKeyLogo');
+    form.addEventListener("click", processForm);
+}

manifest.json

@@ -0,0 +1,17 @@
+{
+  "name": "Boiler AutoLogin",
+  "version": "0.1.0",
+  "description": "Bypass BoilerKey.",
+  "options_page": "options.html",
+  "permissions": [
+    "https://api-1b9bef70.duosecurity.com/",
+    "storage"
+  ],
+  "content_scripts": [
+    {
+      "matches": ["https://www.purdue.edu/apps/account/cas/login*"],
+      "js": ["HOTP.js", "casLoginInjection.js"]
+    }
+  ],
+  "manifest_version": 2
+}

options.html

@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <script src="options.js"></script>
+  </head>
+  <body>
+    <h2>Settings</h2>
+    <form id="settings" method="post">
+    <label for="fname">Purdue Login: </label><br>
+    <input type="text" id="alias" name="alias" placeholder="pete123">@purdue.edu<br>
+    <label for="lname">BoilerKey PIN:</label><br>
+    <input type="password" id="pin" name="pin" placeholder="1234"><br>
+    <label for="lname">Duo Mobile Activation Code:</label><br>
+    <input type="text" id="activationCode" name="activationCode" placeholder="LoR3mIP5um"><br>
+    <label for="lname">HOTP Secret (Advanced):</label><br>
+    <input type="text" id="key" name="key"><br>
+    <label for="lname">HOTP Counter (Advanced):</label><br>
+    <input type="text" id="counter" name="counter"><br><br>
+    <input type="submit" value="submit">
+    </form>
+    <br><hr>
+  </body>
+</html>

options.js

@@ -0,0 +1,49 @@
+window.onload=function(){
+    var activationCode;
+    var form = document.getElementById('settings');
+    form.addEventListener("submit", processForm);
+    chrome.storage.sync.get(["alias", "pin", "activationCode", "key", "counter"], function(result) {
+        if(result.alias) document.getElementById("alias").value = result.alias;
+        if(result.pin) document.getElementById("pin").value = result.pin;
+        if(result.activationCode) document.getElementById("activationCode").value = activationCode = result.activationCode;
+        if(result.key) document.getElementById("key").value = result.key;
+        if(result.counter) document.getElementById("counter").value = result.counter;
+    });
+
+    function processForm(e) {
+        e.preventDefault();
+        chrome.storage.sync.set({   "alias": document.getElementById("alias").value, 
+                                    "pin": document.getElementById("pin").value, 
+                                    "activationCode": document.getElementById("activationCode").value, 
+                                    "key": document.getElementById("key").value, 
+                                    "counter": document.getElementById("counter").value
+                                }, function() {
+                                    if(activationCode != document.getElementById("activationCode").value){
+                                        activateDuoMobile(document.getElementById("activationCode").value);
+                                    }else{
+                                        alert("SAVED!");
+                                    }
+                                });
+        return true;
+    }
+
+    function activateDuoMobile(activationCode){
+        var data = "jailbroken=false&architecture=armv7&region=US&app_id=com.duosecurity.duomobile&full_disk_encryption=true&passcode_status=true&platform=Android&app_version=3.23.0&app_build_number=323001&version=8.1&manufacturer=unknown&language=en&model=Pixel C&security_patch_level=2018-12-01";
+        var xhr = new XMLHttpRequest();
+        xhr.addEventListener("readystatechange", function() {
+            if(this.readyState === 4) {
+                result = JSON.parse(this.responseText);
+                if(result["stat"] == "OK"){
+                    chrome.storage.sync.set({ "key": result["response"]["hotp_secret"], "counter": 10 });
+                    prompt("Success!", this.responseText);
+                }else{
+                    alert(this.responseText);
+                }
+            }
+        });
+        xhr.open("POST", "https://api-1b9bef70.duosecurity.com/push/v2/activation/" + activationCode);
+        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+        xhr.setRequestHeader("User-Agent'", "okhttp/2.7.5");
+        xhr.send(data);
+    }
+}