Ethical Hacking Tools Clipboardme – Tool to Grab and Inject Clipboard Content via Link

Clipboardme – Tool to Grab and Inject Clipboard Content via Link

Clipboardme is a pentester tool that may read and write content to the clipboard by just opening a link, utilizing async clipboard API. Browsers are implementing a brand new JavaScript API for asynchronous clipboard access to integrate copy and paste into web applications. It is a replacement for the synchronous exec Command-based copy & paste. Async Clipboard requests does not block the page whereas waiting the process, it is a improvement over sync requests in addition to simplifying events and aligning them with the Drag & Drop API.

How does Async Clipboard API work?

Copy: Writing Text to the Clipboard
Text will be silently and automatically copied to the clipboard by calling writeText(), with out requesting permission. Example:

<script>
navigator.clipboard.writeText('Malicious command to be copied');
</script>

Simple, huh?

How dangerous it may be if the user is satisfied to run the clipboard content?

A windows reverse shell will be made if a user type the next shortcut sequence after visiting the malicious web site generated by clipboardme: windows+x, p, ctrl + v. No want to hit enter, just persuade the target to run that “shortcut” for an attacker take control of a windows system. This scenario can occur when the target is meant to execute clipboard contents.

Paste: Reading Text from the Clipboard
Text will be read (requires permission) from the clipboard by calling readText(). Example:

<script>
navigator.clipboard.readText().then(clipText =>  document.write(clipText));
</script>

Users routinely copy sensitive information like passwords and personal details to the clipboard, which may then be read by any page. Clipboardme tool can create a HTTPS malicious page to grab that content.
To help prevent abuse, clipboard access is just allowed when a page is the active tab and over secured domains (https). Pages in active tabs can write to the clipboard with out requesting permission, however studying from the clipboard all the time requires permission.

Browser compatibility:
Chrome 66, Opera 53, Chrome for Android, Opera for Android

Requirements:

Legal disclaimer:
Usage of Clipboardme for attacking targets with out prior mutual consent is against the law. It’s the top user’s responsibility to obey all relevant local, state and federal legal guidelines. Developers assume no legal responsibility and will not be liable for any misuse or damage brought on by this program

Usage:

git clone https://github.com/thelinuxchoice/clipboardme
cd clipboardme
bash clipboardme.sh

Author: https://github.com/thelinuxchoice/clipboardme
Twitter: https://twitter.com/linux_choice

Read the license before utilizing any part from this code 🙂

LEAVE A REPLY

Please enter your comment!
Please enter your name here