@kaitozaw
Collaborator

Pull Request

Category

Bug

Feature/Issue Description

Q: Please give a brief summary of your feature/fix
A:
This PR fixes the Google phishing module failing on first run when executed via ARE. The module was generating runtime ReferenceError exceptions because required functions were not available in the execution context used by ARE and by inline event handlers.

Q: Give a technical rundown of what you have changed (if applicable)
A:
(1) Moved all module logic and helper functions inside beef.execute(function () { ... })
ARE can execute/evaluate only the beef.execute block (instead of evaluating the entire command.js file like normal UI module execution), so any functions defined outside the block may not exist at runtime, leading to “first run does nothing / second run works” behaviour.

(2) Exposed functions called by inline HTML event handlers to the global scope
The following changes were made because inline HTML event handlers (e.g. onclick="...") resolve function names from the global (window) scope:

  • function clickedSubmitButton() => window.clickedSubmitButton = function ()
  • function redirect() => window.redirect = function ()

(3) Replaced string-based setTimeout("...") usage with function references
The following changes were made to avoid string-based global evaluation and to ensure scheduled callbacks work correctly when functions are defined within beef.execute:

  • setTimeout('logoutGoogle()', ...) => setTimeout(logoutGoogle, ...)
  • setTimeout("redirect()", ...) => setTimeout(window.redirect, ...)

Test Cases

Q: Describe your test cases, what you have covered and if there are any use cases that still need addressing.
A:

  1. Create beef/arerules/enabled/gmail_phishing.json
{
  "name": "Google Phishing",
  "author": "jking",
  "modules": [
    {
      "name": "gmail_phishing",
      "condition": null,
      "code": null,
      "options": {
        "xss_hook_url": "https://myaccount.google.com/",
        "logout_gmail_interval": 10000,
        "wait_seconds_before_redirect": 1000
      }
    }
  ],
  "execution_order": [0],
  "execution_delay": [0],
  "chain_mode": "sequential"
}
  2. Start beef, open demo page and check if the Google phishing module is executed on first run. Also check if the module is executed correctly without the ARE.
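
The scoping behaviour described in the technical rundown above, as an added example that is not part of the original PR or of BeEF's code. `execute`, `resolveFromGlobal`, `localHelper` and `exposedHelper` are hypothetical names, and indirect eval is used as a stand-in for the global-scope lookup that inline event handlers and string-based timers perform in a browser.

```javascript
// Added example with hypothetical names; not code from the PR.
// execute() mimics a wrapper that only runs the callback it is given.
function execute(fn) {
  fn();
}

// Inline handlers (onclick="f()") and string timers (setTimeout("f()"))
// resolve names from the global scope. Indirect eval does the same,
// so it serves here as a portable stand-in for both.
function resolveFromGlobal(source) {
  try {
    return { ok: true, value: (0, eval)(source) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

function demo() {
  const results = {};
  execute(function () {
    // Declared inside the callback: invisible to global-scope lookups.
    function localHelper() {
      return 'local';
    }
    // Published on the global object: visible to global-scope lookups.
    globalThis.exposedHelper = function () {
      return 'exposed';
    };

    // String-style lookup of the local function fails with ReferenceError.
    results.stringLocal = resolveFromGlobal('localHelper()');
    // String-style lookup of the exposed function succeeds.
    results.stringExposed = resolveFromGlobal('exposedHelper()');
    // A function reference is captured by closure, so no lookup is needed.
    const scheduled = localHelper;
    results.referenceLocal = scheduled();
  });
  delete globalThis.exposedHelper; // clean up the global again
  return results;
}

console.log(demo());
```

In a browser, string-based timers are additionally refused by a Content Security Policy that lacks 'unsafe-eval', and inline event handlers by one that lacks 'unsafe-inline', which is another reason function references behave more predictably.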

@kaitozaw kaitozaw force-pushed the issue/3073-fix-google-phishing-module branch from 21486c2 to e227ea7 December 30, 2025 04:19
@kaitozaw kaitozaw force-pushed the issue/3073-fix-google-phishing-module branch from e227ea7 to f6f2def December 31, 2025 05:14
@zinduolis zinduolis linked an issue Jan 2, 2026 that may be closed by this pull request
@kaitozaw kaitozaw force-pushed the issue/3073-fix-google-phishing-module branch from f6f2def to 15d2acf January 2, 2026 23:34
Contributor

@zinduolis zinduolis left a comment

It looks like there's a mix of indentation styles in this file now. The new code blocks use 2 spaces, while lines 42-44 (and the file originally) used tabs/4 spaces.

Looking at other modules (e.g., ajax_fingerprint/command.js, port_scanner/command.js), the project seems to consistently favor tabs (or 4 spaces).

Could you please update the indentation to match the rest of the file and project? Thanks

@zinduolis
Contributor

Verification Report

I verified this fix against Issue #3073 using the following test plan:

1. Reproduction (Master Branch)

  • Created an ARE rule to trigger gmail_phishing automatically on hook.
  • Result: The browser tab title changed to "Google Mail...", but the page content remained on the original hook page (Butcher demo). The module failed to fully execute.

2. Verification (PR Branch)

  • Applied the changes from this PR.
  • Restarted BeEF and re-hooked the browser.
  • Result: Success. The page content immediately updated to the fake Gmail login screen, the title was correct, and the module functioned as expected.

Conclusion
This PR fixes the issue where the module would not execute properly when triggered via ARE.

Development

Successfully merging this pull request may close these issues.

Google Phishing module doesn't execute properly as an ARE Rule
