Initial commit
commit
703908309c
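--- a/HOTP.js
+++ b/HOTP.js
@@ -0,0 +1,47 @@
+function hotp(key, counter) {
+function SHA1(message) {
+var m = [], w = [], r = new String(), l = message.length * 8, H = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0];
+for (var c = 0, l = 0; c < message.length; c++, l += 8)
+m[l >>> 5] |= message.charCodeAt(c) << (24 - l % 32);
+m[l >> 5] |= 0x80 << (24 - l % 32), m[((l + 64 >>> 9) << 4) + 15] = l;
+for (var i = 0; i < m.length; i += 16) {
+var a = H[0], b = H[1], c = H[2], d = H[3], e = H[4];
+for (var j = 0; j < 80; j++) {
+if (j < 16) w[j] = m[i + j];
+else {
+var n = w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16];
+w[j] = (n << 1) | (n >>> 31);
+}
+var t = ((a << 5) | (a >>> 27)) + e + (w[j] >>> 0) + (
+j < 20 ? (b & c | ~b & d) + 0x5A827999 : j < 40 ? (b ^ c ^ d) + 0x6ED9EBA1 :
+j < 60 ? (b & c | b & d | c & d) + 0x8F1BBCDC : (b ^ c ^ d) + 0xCA62C1D6);
+e = d, d = c, c = (b << 30) | (b >>> 2), b = a, a = t;
+}
+H[0] += a, H[1] += b, H[2] += c, H[3] += d, H[4] += e;
+}
+for (var b = 0; b < 20; b += 1) r += (String.fromCharCode((H[b >>> 2] >>> ((3 - b % 4) << 3)) & 0xFF));
+return r;
+};
+function HMAC_SHA1(message, key) {
+key = key.length > 64 ? SHA1(key) : key.padEnd(64, '\0');
+var okey = new String(), ikey = new String();
+for (var i = 0; i < 64; i++)
+okey += String.fromCharCode(key.charCodeAt(i) ^ 0x5C), ikey += String.fromCharCode(key.charCodeAt(i) ^ 0x36);
+var hmacbytes = SHA1(okey + SHA1(ikey + message));
+return hmacbytes;
+};
+function formatCounter(counter) {
+var hex = parseInt(counter).toString(16).padStart(16, '0'), str = new String();
+for(var i = 0; i < hex.length; i += 2)
+str += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
+return str;
+}
+function truncate(h) {
+offset = h.charCodeAt(19) & 0xF;
+return ((h.charCodeAt(offset++) & 0x7F) << 24
+| h.charCodeAt(offset++) << 16
+| h.charCodeAt(offset++) << 8
+| h.charCodeAt(offset++)).toString().slice(-6);
+}
+return truncate(HMAC_SHA1(formatCounter(counter), key));
+}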
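Review bot: `truncate` does not zero-pad its result: `.toString().slice(-6)` returns fewer than six characters whenever the 31-bit value is below 100000, whereas an HOTP code is fixed-width, so `.toString().padStart(6, '0').slice(-6)` is the safer form (the file already uses `padStart`). The same function assigns `offset` without a declaration, which creates an implicit global on every call; `var offset = h.charCodeAt(19) & 0xF;` keeps it local. In `formatCounter`, `parseInt(counter)` has no radix; `parseInt(counter, 10)` states the intent. The hand-written SHA-1 and HMAC read input with `charCodeAt` and assume every code unit is a single byte, so a key or message containing a code unit above 0xFF would hash to a wrong value without any error; a comment stating that byte-string precondition on `hotp` would help.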
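--- a/casLoginInjection.js
+++ b/casLoginInjection.js
@@ -0,0 +1,21 @@
+window.onload=function(){
+document.getElementById("boilerKeyLogo").innerHTML = "<button>Bypass BoilerKey, Login NOW</button>";
+function processForm(e) {
+e.preventDefault();
+chrome.storage.sync.get(["counter", "alias", "pin", "key"], function(result) {
+if(result.key && result.counter && result.alias && result.pin){
+otp = hotp(result.key, result.counter);
+document.getElementById("username").value = result.alias;
+document.getElementById("password").value = result.pin + "," + otp;
+chrome.storage.sync.set({"counter": parseInt(result.counter) + 1});
+document.getElementsByName("submit")[0].click();
+}else{
+alert("Please complete auto login setup before continuing.");
+}
+});
+return false;
+}
+
+var form = document.getElementById('boilerKeyLogo');
+form.addEventListener("click", processForm);
+}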
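Review bot: The `chrome.storage.sync.get(["counter", "alias", "pin", "key"], ...)` call in `processForm` reads the PIN and the HOTP secret from synced extension storage, so both login factors are kept together in plain form and replicated wherever the browser profile syncs; options.js writes the same keys with `chrome.storage.sync.set`. Whatever can read that storage then holds everything needed to log in, which removes the separation the second factor is meant to provide. Keeping the secret in `chrome.storage.local` and asking for the PIN at login time instead of persisting it would narrow that exposure. Separately, `otp` is assigned without a declaration and becomes an implicit global; `var otp = hotp(result.key, result.counter);` keeps it local. The counter update is also not awaited before the submit click; if that write can be lost on navigation, the next login would reuse a spent counter, so the click belongs in the `set` callback.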
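--- a/manifest.json
+++ b/manifest.json
@@ -0,0 +1,17 @@
+{
+"name": "Boiler AutoLogin",
+"version": "0.1.0",
+"description": "Bypass BoilerKey.",
+"options_page": "options.html",
+"permissions": [
+"https://api-1b9bef70.duosecurity.com/",
+"storage"
+],
+"content_scripts": [
+{
+"matches": ["https://www.purdue.edu/apps/account/cas/login*"],
+"js": ["HOTP.js", "casLoginInjection.js"]
+}
+],
+"manifest_version": 2
+}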
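--- a/options.html
+++ b/options.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="options.js"></script>
+</head>
+<body>
+<h2>Settings</h2>
+<form id="settings" method="post">
+<label for="fname">Purdue Login: </label><br>
+<input type="text" id="alias" name="alias" placeholder="pete123">@purdue.edu<br>
+<label for="lname">BoilerKey PIN:</label><br>
+<input type="password" id="pin" name="pin" placeholder="1234"><br>
+<label for="lname">Duo Mobile Activation Code:</label><br>
+<input type="text" id="activationCode" name="activationCode" placeholder="LoR3mIP5um"><br>
+<label for="lname">HOTP Secret (Advanced):</label><br>
+<input type="text" id="key" name="key"><br>
+<label for="lname">HOTP Counter (Advanced):</label><br>
+<input type="text" id="counter" name="counter"><br><br>
+<input type="submit" value="submit">
+</form>
+<br><hr>
+</body>
+</html>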
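Review bot: The `key` and `activationCode` inputs are `type="text"`, so the HOTP secret and the activation code are displayed in the clear (options.js pre-fills them from storage on load) while only the PIN is masked. `<input type="password" id="key" name="key" autocomplete="off">`, and the same for `activationCode`, would treat them like the PIN. The `for="fname"` and `for="lname"` attributes match no input id in the form, so none of the labels is associated with its field; they should name `alias`, `pin`, `activationCode`, `key` and `counter` respectively.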
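--- a/options.js
+++ b/options.js
@@ -0,0 +1,49 @@
+window.onload=function(){
+var activationCode;
+var form = document.getElementById('settings');
+form.addEventListener("submit", processForm);
+chrome.storage.sync.get(["alias", "pin", "activationCode", "key", "counter"], function(result) {
+if(result.alias) document.getElementById("alias").value = result.alias;
+if(result.pin) document.getElementById("pin").value = result.pin;
+if(result.activationCode) document.getElementById("activationCode").value = activationCode = result.activationCode;
+if(result.key) document.getElementById("key").value = result.key;
+if(result.counter) document.getElementById("counter").value = result.counter;
+});
+
+function processForm(e) {
+e.preventDefault();
+chrome.storage.sync.set({ "alias": document.getElementById("alias").value,
+"pin": document.getElementById("pin").value,
+"activationCode": document.getElementById("activationCode").value,
+"key": document.getElementById("key").value,
+"counter": document.getElementById("counter").value
+}, function() {
+if(activationCode != document.getElementById("activationCode").value){
+activateDuoMobile(document.getElementById("activationCode").value);
+}else{
+alert("SAVED!");
+}
+});
+return true;
+}
+
+function activateDuoMobile(activationCode){
+var data = "jailbroken=false&architecture=armv7®ion=US&app_id=com.duosecurity.duomobile&full_disk_encryption=true&passcode_status=true&platform=Android&app_version=3.23.0&app_build_number=323001&version=8.1&manufacturer=unknown&language=en&model=Pixel C&security_patch_level=2018-12-01";
+var xhr = new XMLHttpRequest();
+xhr.addEventListener("readystatechange", function() {
+if(this.readyState === 4) {
+result = JSON.parse(this.responseText);
+if(result["stat"] == "OK"){
+chrome.storage.sync.set({ "key": result["response"]["hotp_secret"], "counter": 10 });
+prompt("Success!", this.responseText);
+}else{
+alert(this.responseText);
+}
+}
+});
+xhr.open("POST", "https://api-1b9bef70.duosecurity.com/push/v2/activation/" + activationCode);
+xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+xhr.setRequestHeader("User-Agent'", "okhttp/2.7.5");
+xhr.send(data);
+}
+}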
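Review bot: In `activateDuoMobile`, `prompt("Success!", this.responseText)` puts the raw activation response on screen, and the line before it shows that this response carries `hotp_secret`. A plain `alert("Activated.")` would confirm success without displaying the secret. `JSON.parse(this.responseText)` is also unguarded, so an empty or non-JSON reply throws inside the handler and the user sees nothing, and `result` is assigned as an implicit global; `var result; try { result = JSON.parse(this.responseText); } catch (err) { alert("Activation failed."); return; }` addresses both. The activation code is concatenated into the request URL exactly as typed, so `encodeURIComponent(activationCode)` would keep stray characters from changing the path.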